The telecom companies’ lack of security is to blame for the SMS spoofing bank scams that have been circulating lately, Bank of Valletta Head of Operational Risk Antoine Aquilina said.
Aquilina insisted that, although the messages were coming from the BOV number, there was no security breach. “The banks can’t stop it from happening because we’re not in control of the technology being used.”
“The real issue with security is with the telecom companies, bluntly,” he said.
“We live in an industry where there is a lack of legislation to enforce security controls on telecom companies. We’ve been in contact with the Malta Bankers Association (MBA), the Malta Communications Authority (MCA) and the telecom companies. Bluntly, without legislation, telecom companies don’t have the initiative to enforce or implement security controls.”
“Abiding by legislation will cost telecom companies money, yes undoubtedly, but we live in an age where messaging and phone calls are used on a daily basis.”
In the BOV SMS spoofing scam, a client receives an SMS that appears to come from the BOV number and usually carries an alarming message asking them to click on a link.
“The victims are sent an SMS, they are given an alarming or a warning message which prompts an alert or an immediate response from them, which draws the innocent minded, the naïve person, or the person who is not educated enough to actually click on the link,” Aquilina said in an interview with The Malta Independent on Sunday.
Links in SMSs are a “red flag”
Aquilina said that not only BOV was subject to these scams; other banks were victims too.
“These attacks are not on the bank; these attacks are being made on the general public in Malta who have bank accounts with local institutions.”
“It’s not the same for everyone, it’s different and these scams are evolving.”
He said that at first clients received an SMS from an unknown number asking them to click on a link; the scams have since evolved and now use the bank’s own number.
“That will then lead to a website which will most likely impersonate some features of a bank. There have been very elaborate ones which completely clone the look and feel of the bank’s website.”
Aquilina highlighted SMS and caller ID spoofing as the biggest issue. This is when the scammer contacts customers while impersonating the bank’s number.
Asked about any red flags that the public need to watch out for, Aquilina said that links in SMSs are always a red flag, as the bank will normally not ask you to access your internet banking through an SMS link.
He also said that the bank will never ask you to authenticate your card through the website.
“If you have any questions at all contact your bank. I know that customer service centres are very busy. It is better to not click the link, and wait to get in contact with your bank, to confirm if it is truly from your bank.”
However, he also pinned this problem on the lack of education and awareness there is for the general public. “We’re educating our children but we’re not educating the general public. There is not enough investment to put out cyber awareness to the general public, and that’s a sad thing.”
Later on in the interview, he said: “Links can be very misleading; links can use the name of your bank within the link. These are fake. All banks are trying to bring down these fraudulent websites as soon as they are aware that they exist.”
“If it looks suspicious don’t trust it… If it looks too good to be true, it is too good to be true, it is fake. If you really believe it’s true, contact your bank.”
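The two red flags Aquilina describes, any link at all in a bank SMS and a bank’s name embedded in a link that does not belong to the bank, can be turned into a simple awareness check. The script below is an added example written for this article, not code from BOV or the newspaper; the allowlisted domain, the brand keywords, the urgency phrases and the sample messages are all constructed placeholders, and the registrable-domain helper is a deliberate approximation that ignores public-suffix rules.

```python
import re
from urllib.parse import urlparse

# Constructed placeholder allowlist of the bank's genuine registrable domains.
# Assumption: these are NOT BOV's real domains; an institution would substitute its own.
LEGITIMATE_DOMAINS = {"examplebank.example"}

# Brand strings a lookalike link might embed in its hostname or path (constructed).
BRAND_KEYWORDS = ("bov", "examplebank")

# Urgency phrasing typical of the "alarming message" the interview describes (constructed).
URGENCY_TERMS = ("suspended", "immediately", "verify", "blocked", "within 24 hours", "test transfer")

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.IGNORECASE)


def registrable_domain(host: str) -> str:
    """Approximate the registrable domain as the last two labels of the host.

    Assumption: no public-suffix list is consulted, so suffixes such as 'co.uk'
    are not handled; this is enough to show the brand-in-subdomain pattern.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def assess_link(raw: str) -> dict:
    """Classify one URL extracted from an SMS body."""
    url = raw if raw.lower().startswith("http") else "http://" + raw
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    reasons = ["link in SMS"]  # per the interview, any link in a bank SMS is a red flag
    domain = registrable_domain(host)
    on_allowlist = domain in LEGITIMATE_DOMAINS
    if not on_allowlist:
        brand_embedded = any(k in host or k in path for k in BRAND_KEYWORDS)
        if brand_embedded:
            reasons.append("bank name embedded in a link whose domain is not the bank's")
        else:
            reasons.append("domain not on the bank's allowlist")
    return {"url": raw, "domain": domain, "on_allowlist": on_allowlist, "reasons": reasons}


def assess_sms(text: str) -> dict:
    """Return link findings, urgency hits and an overall risk label for one SMS."""
    links = [assess_link(m.group(0).rstrip(".,;:)!")) for m in URL_RE.finditer(text)]
    lowered = text.lower()
    urgency = [t for t in URGENCY_TERMS if t in lowered]
    if any(not link["on_allowlist"] for link in links):
        risk = "high"      # link points outside the bank's own domains
    elif links or urgency:
        risk = "medium"    # a link or pressure wording is present; confirm with the bank
    else:
        risk = "low"
    return {"links": links, "urgency_terms": urgency, "risk": risk}


# Constructed sample messages (not real SMS traffic).
SAMPLES = [
    "BOV: Your account has been suspended. Verify immediately at https://bov-secure.verify-login.example/app",
    "Statement ready at https://examplebank.example/statements",
    "Reminder: branches close early on Friday.",
]

if __name__ == "__main__":
    for sms in SAMPLES:
        result = assess_sms(sms)
        print(result["risk"], "|", sms)
        for link in result["links"]:
            print("   ", link["url"], "->", "; ".join(link["reasons"]))
```

The first sample is rated high because the brand appears only in a subdomain of a domain the bank does not own, which is exactly the “name of your bank within the link” pattern; the second is still flagged as medium even though the domain is genuine, because the interview’s advice is that a link in an SMS is always a reason to confirm with the bank rather than click.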
Asked how many scams had been reported, he said that this was not his area; however, he knew that customer service had had a “great deal” of cases to address.
The retrieval of funds is difficult and not guaranteed
When pressed on why the bank could not simply block these suspicious transactions, Aquilina said that BOV is fully compliant with secure customer authentication under the second version of the Payment Services Directive (PSD2).
Therefore, if the client has gone through all the steps to actually authorise the transaction, then the bank will not interfere as the transaction has been authorised.
He then pointed out how the bank informs its clients not to give their card details out to anybody. “The bank is never going to ask you for your CVV2. Do not provide it!… It’s in the terms and conditions as well, do not share this information.”
“You have a secure login ID, you use it once to get in, you use it a second time to authorise the transaction, so effectively clients or the general public who are falling for SMS phishing which is based on Internet banking are actually providing the fraudster with their codes not once but twice.”
That being said, he highlighted how “there is a shift in liability from the bank to the client.”
Furthermore, he said that it is hard for the banks to recover the funds as usually funds are transferred overseas.
He said that, in most cases, a police case would need to be filed with the authorities to request the funds back. However, actually receiving the funds back relies entirely on the cooperation of the foreign bank and authorities.
“Sometimes the staff communication is difficult and once again, we are at their mercy because our client supplied the fraudster with both codes, and secure customer authentication took place.”
Asked if they have had any success in retrieving funds, he said that they have managed to, but not in 100% of cases.
Asked whether people are refunded if the bank is not successful in pulling back their funds, he said “for the most part” no.
“Banks are spending a lot of human capacity to try and assist all clients in the retrieval of their funds. It’s difficult and it’s something that is very time-consuming but we are doing it as are other banks.”
He clarified that banks still cannot do everything for their clients, as SMS and caller ID spoofing are out of their control.
Aquilina had said that, since the victim entered their secure login ID and their one-time password (OTP), this authenticated the transaction and therefore, “for the most part,” clients will not get a refund.
The Malta Financial Services Authority (MFSA) website says that a bank can choose to reject a refund if “it can prove you had actually authorised the transaction. However, your bank cannot simply say that use of your password, card or PIN conclusively proves you authorised a payment.” When Aquilina was asked why BOV’s terms and conditions do not recognise what the MFSA is saying, he disagreed and said that they do.
“It’s not just one password, it’s not just one PIN that is being used. To register on Internet banking you have to register your mobile phone. So you have multi-factor authentication, you have your phone, you have your PIN code, and you have also the secret number which is your user ID.”
“We know that the fraudsters managed to extract from clients their user IDs and their OTPs not once but multiple times. (The bank) is completely in line with regulations, for secure customer authentication for the execution of financial transactions.”
He added that BOV is constantly working, even with the MBA, “to bring down any malicious sites.”
“No breach of security”: it is not the real BOV app
A Times of Malta article, highlighting an experience of a victim who had thousands stolen from them, describes the scam like this: “The message included a link to a fraudulent website where customers are instructed to verify their identity by logging into their BOV mobile app and carrying out a test transfer.”
A separate victim informed The Malta Independent on Sunday that they had experienced the same scam.
Considering both victims’ claims that they used their BOV mobile app to input their details, Aquilina was asked whether this shows that there has been a security breach at BOV.
Aquilina responded and insisted that “there has been no breach of security at BOV.”
He clarified that this would not be the BOV mobile app, but it would be a website impersonating a bank website.
“I don’t have the website or the proof of the messages, I would need the SMS message, I would need to inspect it and I would need to see the link. The links would most likely lead to a website which impersonates BOV’s website or mobile app, not the actual app, or website.”