How to commit Credit Card Fraud in South Africa.

First and foremost, this is not a smear, this is not throwing rocks. This is me trying to resolve a serious matter, urgently. I have friends at most of these companies, and this is not aimed at any of you. It is also quite interesting from a Cyber/Risk Perspective.

This article talks through how someone managed to commit credit card fraud, how interesting it is, and also the challenges we are facing to get R40k returned. We have tried all the usual channels, and been beyond patient. We need answers now though.

On the 17th of Sept, my mother, who works overseas, received a notification from her Absa Group App that a SIM swap had been detected and her app had been frozen. She asked me to look into it. This is a great response and awesome that SIM swaps are scanned and detected.

Later that afternoon she received an SMS notification that her Credit Card had been swiped at Makro Business Germiston, for a total of R60000 (3 Transactions of R20000). When seeing this she notified my sister Maryke Taljaard and me. We immediately contacted Absa Group to shut down her cards.


I contacted a Manager at Makro Business with the possibility that the assailant might still be there. It was later reported back to me that an individual had swiped for "Services" to the amount of R20k, twice. On the 3rd attempt their fraud check flagged it. The assailant was then asked to fill in some paperwork. He then said he had to fetch something in his car, they let him, and he left the scene. Makro mentioned there had recently been a similar incident and one of their Risk people would contact me. They did not. My concern is they do not save their 4k Footage of the assailant, and it expires, rendering it ineffective.

Absa Group put a freeze on the card. The first 2 transactions were still in limbo, and the 3rd had been stopped. Thankfully we caught this. Unfortunately, despite getting a police report, affidavits and all... ABSA still released the money. We investigated the statements and found something strange. We later found out that the assailant had managed to double her Credit Limit.


I then recalled that there had been a Sim Swap. I called Vodacom... well, I called 12 times and got passed around until I spoke to someone in the Fraud Dept of sorts. They stated that they could only "Soft Lock" the SIM (meaning the assailant could still receive SMS and calls). My mother had to come into a branch to hard lock. What we also learned was the Sim Swap occurred late August and was done via the Chat Bot, TOBI. Vodacom initiated a Fraud Investigation and advised 7-14 days to completion. This was 34 days ago roughly. I was informed that if my mother can go into a branch, they can share all the info with her; this was not true. She went to a Vodacom branch twice to get a new SIM, number and a contract but no info could be shared, only that the swap happened on the TOBI Chat bot.


On the same day of all this happening my mother checked her emails and saw a CCD Couriers email about a Credit Card that had been shipped to her, only, it was not her address, but a School in Randfontein, GP.


Sent on 14 Sept


1 Aloe Road, Randfontein aka Randfontein High School

How to create a case with SAPS, or not

Being the military man that I am, I realised I needed some boots on the ground. I asked my good friend Nuno to look into this. He went to MAKRO Germiston, got more info then was told Makro need a police case number in order to release the footage.

Seeing as the fraud had happened at Makro Germiston, Nuno went to SAPS Germiston. When attempting to open a case on our behalf, with a signed-off sworn statement and power of attorney, Germiston SAPS said that Makro Germiston was outside their jurisdiction. They referred him to Bedfordview SAPS. They also said they can't do anything as the victim needs to come forward with a case. Despite advising them of the special circumstances they refused.

In the end, this did not sit well, so I went to my local SAPS, in my small farmer's town and managed to open a case. This was then forwarded to Germiston SAPS and under investigation.

Do I suspect foul play or a bigger syndicate? Yes, to some extent. Alternatively, maybe they just did not want to do the paperwork. It's frustrating because they had a case on a silver platter: ID scan, High Def CCTV footage, etc.

What's the Challenge?

  • ABSA need a report from Vodacom to return the money, R40k in total.
  • Vodacom is unresponsive and is yet to conclude their investigation.
  • ABSA won't contact Vodacom
  • CCD Couriers can't release the Waybill and ID scan of the card delivery, saying that ABSA are meant to request this.
  • My mother is R40k out of pocket.
  • I'd like all this info, so I can collate it, and give it to SAPS. Lord knows they have not got time to do investigation leg work.

Interestingly, here is what I believe is the kill chain

Now, once the initial trauma of this was dealt with, the Hacker in me thought, "Damn, this is interesting, how on earth did they do this?" Well, this is how it went down.

Someone conducted a fraudulent Sim Swap with Vodacom in late August. This was done via their customer service Chat Bot. Bear in mind, how much of a pain it is to get a Sim Activated with FICA/RICA. Somehow this person did it with none of this info?

Between that time and 17 September this person managed to:

  1. Order a new, 100% Legit Credit Card in my mother's name (Notification on the 14th, delivered on the 17th)
  2. They managed to increase her overdraft limit, most likely with Social Engineering (Done on the 17th)
  3. They received the new Credit Card through CCD Couriers delivery. They MUST have had a valid ID on them, somehow to my mother's likeness. This was shipped to the back of a School in Randfontein

The person then went to Makro Business in Germiston, swiped the card:

  1. Once, successfully for R20000 for "Services"
  2. Second time, successfully for R20000, for "Services"
  3. The third attempt failed, instigating a fraud check

Sadly this great fraud check let the man in question flee the scene.

ABSA were notified of the Fraud, put a hold on everything and 3-4 days later still released the money to the fraudulent assailant.
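
The sequence described above (a SIM swap, then a card issued to a new address, a limit increase and large card-present spend) is a pattern an issuer can correlate on. The sketch below is an added example, not code from this article or from any bank's system; the event fields, dates, 30-day window and R10000 threshold are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events modelled on the article's timeline; the year, the
# exact SIM-swap day, times and field names are assumptions for illustration.
EVENTS = [
    {"ts": "2024-08-28T10:00", "type": "sim_swap", "channel": "chatbot"},
    {"ts": "2024-09-14T09:00", "type": "card_issued", "address_on_file": False},
    {"ts": "2024-09-17T08:30", "type": "limit_increase"},
    {"ts": "2024-09-17T14:05", "type": "card_present_txn", "amount": 20000},
    {"ts": "2024-09-17T14:09", "type": "card_present_txn", "amount": 20000},
    {"ts": "2024-09-17T14:12", "type": "card_present_txn", "amount": 20000},
]

COOLING_OFF = timedelta(days=30)  # assumed distrust window after a SIM swap
HIGH_VALUE = 10000                # assumed per-transaction threshold in rand

def review(events, window=COOLING_OFF, high_value=HIGH_VALUE):
    """Return (event, reasons) pairs to hold for out-of-band verification."""
    held, swap_at, changes = [], None, 0
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "sim_swap":
            swap_at, changes = ts, 0  # start (or restart) the cooling-off window
            continue
        if swap_at is None or ts - swap_at > window:
            continue  # no recent SIM swap, so the SMS/OTP channel is trusted
        reasons = []
        if ev["type"] == "card_issued":
            changes += 1
            reasons.append("card issued after SIM swap")
            if not ev.get("address_on_file", True):
                reasons.append("delivery address not on file")
        elif ev["type"] == "limit_increase":
            changes += 1
            reasons.append("credit limit raised after SIM swap")
        elif ev["type"] == "card_present_txn" and ev["amount"] >= high_value:
            reasons.append("high-value spend after SIM swap")
            if changes:
                reasons.append(f"{changes} account change(s) since swap")
        if reasons:
            held.append((ev, reasons))
    return held

if __name__ == "__main__":
    for ev, reasons in review(EVENTS):
        print(ev["ts"], ev["type"], "->", "; ".join(reasons))
```

With these constructed events, the card issue on the 14th is already held three days before any money moves, which is the point where verification over a channel other than the swapped SIM would have mattered most.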


What do I need?

  1. I need Vodacom Fraud to give me the report I need, to send to Absa Group, who can then refund this money, so that we can shut all the accounts linked to ABSA and go elsewhere. At the same time, ABSA need to contact CCD Couriers to get the Waybill and ID scan
  2. Secondly, we would like the transcript of the TOBI chat from Vodacom. We want to see what the ID was and how this actually happened.
  3. I'd like all this info, so I can do OSINT, get all this info collated and share it with the SAPS investigator, making their life easier.


Wins... or Partial Wins

  • Makro instigated a Fraud Check, which ultimately failed, but it was a good start. Made the difference of R20k in loss
  • ABSA detected a Sim Swap, a little late. Perhaps in the notification some helpful prompt would be useful, something more PR shaped of "Burn everything with fire that's linked to that SIM"
  • Vodacom informed us that due to this sim being prepaid, this was all somehow much easier. Having a contract makes this harder, so my mother has gotten a new contract.


Lessons learned

  1. If you get a notification of a Sim Swap... burn EVERYTHING that authenticates with this. Banking, OTPs etc. Contact your bank, your service provider and shut it all down.
  2. Shut down the SIM ASAP
  3. Do a password cycle
  4. Set up 2FA and ensure you get email notifications about this sort of stuff.
  5. Set up a filter to mark any email from your bank as important.

Jason Seekoei

Anything worth having is worth fighting for

3 months

Thank you for sharing and putting light on this, it's absolutely shocking complete disgrace that you are not getting the help you need here Vodacom Absa Group Makro Business

Tremayn Gounder

Compliance Specialist | Data Privacy (GDPR & POPIA) Expertise | RegTech | Transforming Data into Actionable Compliance Insights

3 months

Once my wife was scammed for R3500 for a holiday booking. I went to Lenasia South police station where they tried to convince me that it's not a crime if you made the payment. After fighting with them they realised they're not winning here, but because the EFT was made in Sandton that I have to go to Sandton SAPS to open the case. Sandton SAPS were very helpful. I went to Nedbank to try to recover the money as the scammer was with Nedbank. They said they could not do anything as the scammer had withdrawn the funds. The SAPS were provided with the scammer's banking details and when I was at Nedbank I saw that they opened his KYC info, so that was already all there and so easy to move forward with the case, however as you can imagine nothing was done.

Sylvia Brouwer, CISM

Information Security professional, with an award-winning track record. Deep experience in supply chain management and Information Technology. Looking for a senior role in Information Security.

4 months

Good luck Charles

I'm really devastated on your behalf as this affects your direct family and has no proper resolution. I can empathize with you as having gone through a similar situation. Thank you very much for releasing this targeted attack timeline. I know it must be hard and wish you all the luck with a successful resolution.

Tobie Jansen van Rensburg

Penetration Tester | Ethical Hacker

4 months

Seems to me that most of the blame here lies with ABSA and Vodacom, good luck hope you get this resolved

More articles by Charles Hein Wroth