Ultradata is aware of several reported fraud incidents resulting in substantial losses where customers have had their online banking user names and passwords compromised i.e. stolen by fraudsters either through malware or social engineering attacks.
The theft of online passwords has in some cases been accompanied by the porting of mobile phone numbers to the defrauder, which is designed to thwart the effectiveness of commonly used SMS One Time Password security.
Once a fraudster has the user name and password, along with the compromised mobile phone numbers, they then have access to the full services of a customer.
We have seen compromised customers having multiple accounts opened online - either sub-accounts, new account types or joint accounts (if your organisation chooses to allow this functionality) with funds moved internally to these accounts (internal transfers between accounts are not normally subject to limits).
There is a risk for substantial loss as each account created has a separate daily transaction limit, the fraudster then has access to these funds in the account up to the daily limit for each account!
Ultradata advises that the risk of losses in this manner can be mitigated. Please contact your Client Engagement Specialist to find out how.
We are also running an online session for all Ultradata Clients covering the general controls that can be used and relevant Fraud Interceptor rules on the 29th May at 1.30pm.
To attend the online session, please register with your Client Engagement Specialist. Or speak to our Sales team on how you can join.