In January, in the flurry of resolution that accompanies the new year, Dino Maloko (not his real name), 40, decided to bite the bullet and pay off his credit card. He was over R40 000 in the red, and he wanted to start the year off right. So he made a large payment into his bank credit card account and got his card debt back down to zero.
It should have been a good feeling. But shortly after making the payment, Maloko received his statement. He noticed that payments were still going off his account, even though he hadn’t been using the card. “I thought, ‘hey, what’s happening here?'” said Maloko. As he started to go through his statement in detail, he realised that it was littered with payments for things that he had not actually bought.
In time, credit began racking up again on his account. Eventually, there was R8 600 outstanding. Maloko called the fraud division at his bank.
“They looked into it and said there was something wrong with my credit card,” he said. “They cancelled the card. Last week they told me that my credit rating had been affected by my nonpayment and that my credit limit had been reduced,” he said. “I could not pay for something I did not owe!”
Eventually, he paid the R8 600 “just to avoid crap”, he said. He was in Angola at the time and had intended to remain there for several months. But now he plans to fly back to South Africa to visit one of the branches of his bank to get to the bottom of the problem. “How did the [fraudster] get the one-time Pin required to authorise those payments when I had the cellphone [that receives the Pins] with me?” he said.
Victims to cybercrime
Maloko is one of about 1,5m people around the world who fall victim to cybercrime every day. Cybercrime is broadly defined by technology company Symantec as any offence that is committed using a computer, network or hardware device. It is not a new phenomenon, but its scope is constantly changing.
According to Verine Etsebeth, a senior lecturer at the University of the Witwatersrand who specialises in information security and data protection, it is also constantly growing.
The global profit gleaned from cybercrime is about US$388bn/year, said Etsebeth, citing research by Symantec. “That is bigger than the global black market in marijuana, cocaine and heroin combined, which is $110bn,” she said. “There are twice as many cybercrime victims as newborn babies in the world.”
And emerging markets like South Africa are most often targeted. About 80% of adults in emerging markets have been victims, compared with 64% of adults in developed markets, the report said.
Although South Africa is feeling the effects of cybercrime, it is hard to say exactly how much. According to the South African Cyber Threat Barometer 2012-2013, a public-private partnership researched by Wolfpack Information Risk and commissioned by the British High Commission, the total loss in the country cannot be accurately pinpointed. But their estimate, based on interviews and known incidences, is that the government lost about R1,5bn to cybercrime between January 2011 and August 2012. Based on annualised figures, that amounts to about R900m last year.
According to Wolfpack MD Craig Rosewarne, this reflects only direct losses incurred through fraud using computers and the Internet. The figure was a conservative one, and is likely to be higher in reality.
The telecommunications sector, including fixed and mobile providers, lost R1bn last year, according to the barometer’s conservative estimate. This was mainly caused by Sim-card fraud and classic subscription fraud.
And, according to the South African Banking Risk Information Centre, South African consumers lost R90m last year in Internet banking fraud. It constitutes the second largest number of complaints to the banking ombud in South Africa, and made up 20% of all complaints last year. The number of cases logged to the ombud rose from 591 in 2011 to 810 in 2012, an increase of 37%.
“The numbers have definitely gone up,” South Africa’s banking ombud, Clive Pillay, told the Mail & Guardian.
Nevertheless, the amount of money being bled by cybercriminals in South Africa is comparatively small. Rosewarne said 75% of money stolen is eventually recovered through banks freezing accounts and refunding cash, or through the apprehension of perpetrators by the police. Taking that into account, the real loss incurred by the whole economy in fraud last year was about R663m, he said.
That’s 0,0002% of last year’s gross domestic product — a comparatively small amount. But, for individuals who fall victim to the crime, the inconvenience and cost is very real.
Cybercrime and the law
According to the barometer, less than 5% of cyber-related incidents are reported to the police. According to Etsebeth, there are several reasons for why the rate is so low. First, like Maloko, individuals often don’t even realise they have fallen victim to a crime.
Second, companies and banks that fall victim try to keep it quiet for fear of damage to their reputation. The M&G asked the four major banks how much they had lost to cybercrime in the past year. All of them refused to divulge the information, on the basis that it would potentially damage their brands.
The National Prosecuting Authority (NPA) successfully prosecuted 133 cases of cybercrime in the year ending March 2013, Business Day reported. According to NPA spokesperson Bulelwa Makeke, that represented a 98% success rate. But the NPA only sees the cases that are handed over by the South African Police Service. “The NPA is called unofficially for advice, but doesn’t receive that many cases for prosecution,” the report said.
After trying repeatedly through her bank to stop a fraudster from making debits on her account, Thobeka Magcai, 29, became one of the few to log her case with the police. She opened a docket at the Fish Hoek police station in Cape Town.
“At first the police seemed a bit confused,” she said. “They did not know where to investigate it and where to put the scene of the crime. It happened in cyberspace. Where do you say the crime happened? The crime documents need to be changed possibly to accommodate that.”
Magcai also tweeted the South African Police Service about the incident. “They responded immediately, advising the specific department to forward my details to,” she said.
The investigation is pending. According to South African Banking Risk Information Centre (Sabric) spokesperson Bongani Diako, of the 35 arrests related to cybercrime made since 2011, all are still pending.
And complexities in the system mean the conviction rate is likely to stay low, said Etsebeth. Lawyers, magistrates and judges often lack the technical understanding to deal with cases of cybercrime, she said. And they face other unique difficulties.
“When the cyber perpetrator is from another country, it raises questions such as in which country will the case be heard? Which country’s laws will apply? How will you ensure that the defendant is present at the hearing? If sentenced, how will you ensure he complies?'” she said.
The Electronic Communications and Transactions Act — a law governing cybercrime — was put into place in 2002. But it has been criticised for carrying sanctions that are too light. “Depending on the offence, imprisonment cannot exceed five years,” said Etsebeth. “It is not going to act as a deterrent.”
Government is taking steps to address the problem. South Africa has signed — but not ratified — the Budapest Convention of Cybercrime, an international best practice framework for dealing with the problem. And on Tuesday, Sabric launched an interbank e-crime awareness campaign.
“Ultimately, for cybercrime, I don’t believe the sky is falling,” said Haroon Meer, founder of tech research company Thinkst Applied Research. “Billions of dollars are successfully transacted online daily. We have work to do for sure, but I’m fairly convinced we will get there.” — (c) 2013 Mail & Guardian