Deputy Minister for Sport Tinoda Machakaire reportedly lost just under US$44 000, or R600 000, to hackers who hijacked his sim card. It’s things like this that remind me just how much power a tiny piece of plastic and metal has. Sim cards have gone from being just a communications gateway to being tied to bank accounts, and they are now a method of identification.
So what happened?
According to a report by The Herald, criminals took control of his mobile phone line and sent instructions to his company in South Africa, Tinmac Motors, to make transfers amounting to US$44 000 to accounts at varying intervals.
“Yes, I indeed lost R600 000 to criminals after they hacked my mobile line and used it to send instructions to my company instructing them to make payments to companies and accounts in South Africa.”
Deputy Minister Machakaire speaking to ZTN
On top of that, the sim hijackers then reportedly instructed drivers from his commercial fleet to make deliveries at various locations across the country.
How sim card hijacks work
So basically the only way you can hijack someone’s line to this degree is to do a sim replacement. This is something we talked about in the EcoCash US$100 million WhatsApp scam. Criminals in that case were most probably going to Econet outlets or franchise shops and ordering sim replacements.
The thing is, to do this you need identification documents, among other things, including a police report saying you did indeed lose your line. What’s concerning here is that if the standard procedure was followed and these scammers had all the requisite documents to replace Deputy Minister Machakaire’s line, it raises the question: why didn’t it raise a red flag with the authorities?
Surely, even if the police had granted the clearance, they should at the very least have done some background checks on the name and double confirmed. On the other hand, this might not have gone through the proper channels because of the profile of the person. If that is the case, then there is a very big problem, because hackers can somehow bypass verification methods that are meant to protect us.
Now, this is all speculation, but either case is extremely concerning because our mobile phone lines are interlinked with a number of services like email, WhatsApp, bank accounts and more. If sim replacements are indeed the cause of this, then MNOs need to shore up the process because, as I said earlier, our lines are linked to most of the services we use daily.
Verification at the individual and business level
The EcoCash US$100 million sim hijack racket taught us all one important lesson. If someone is giving you instructions that involve money or high-value assets it’s probably best to double confirm with that person by calling them. This at the very least gives you some unassailable proof of the person’s identity. Being the paranoid cynic I am, I would much prefer to meet in person or do a video call because you can’t be too sure these days.
Visual or auditory identification, I think, should now be a prerequisite if large sums of money are involved, more so when your company is in another country. It might seem like a burdensome process, but at the very least it’s an extra layer of security.
You can even add to it by way of certain keywords or phrases to make sure that the person you are talking to is indeed who they say they are. These phrases or words can also be useful if the person is under duress or being extorted. There could be subtle variations of the terms that signal someone on the other end to quietly alert the police.
I know this might sound like I have watched too many spy thrillers, but save for getting software that can do this for you, it is best to use what is at your immediate disposal.
3 comments
Akamama uyo
Too many short cuts when the majority are suffering.
Hie Valentine
In the case of the minister there was no sim swap involved. My analysis as the investigating officer is this: the minister provided a six-digit PIN for WhatsApp that came through SMS to a caller who identified himself as Enock. The caller then installed WhatsApp on his own phone and the instructions for a transfer were sent via WhatsApp. When the minister tried to access WhatsApp on his phone, WhatsApp was saying too many attempts have been made, you have to wait for 11 hours. During the period that WhatsApp was disabled is the period that all damage was done. No sim swap was done in this case. You can verify this
This sounds like a partial inside job. The scammers knew the right numbers to send the instructions to in order to effect the transfers and deliveries.