Sim Swapping, Mobile Phone Fraud and RICA 70 of 2002
SIM-Card Swapping, Mobile Phone Banking
Fraud and RICA 70 of 2002
CHARNELLE VAN DER BIJL*
University of South Africa
1 Introduction
SIM ('Subscriber Identity Module')-card swapping and mobile phone
banking fraud are forms of fraud encountered in the use of mobile banking
services.1 Mobile banking is a form of wireless electronic banking that does
not require a client to bank within traditional banking premises. Electronic
banking is a generic term that denotes banking services provided through
different access devices.2 Electronic banking incorporates the use of ATMs,
telephone or mobile phone transactions and the Internet.3 Wireless banking in
the form of mobile phone banking may be seen as the next step after Internet
banking on a fixed telephone line, and it allows a client to access his accounts
via a cellular phone after the mobile banking menu is downloaded onto the
SIM-card.4 Mobile phone banking entails that an application will be loaded
onto the SIM-card so that the client can access certain banking services.5 The
* BLC LLB LLD (UP). Associate Professor, Department of Criminal and Procedural Law, College of
Law, University of South Africa.
1 See s 1 of the Regulation of Interception of Communications and Provision of Communication-
Related Information Act 70 of 2002. Fraud is the unlawful and intentional making of a
misrepresentation that causes actual or potential prejudice to another (CR Snyman Criminal Law 5 ed
(2008) at 531; Jonathan Burchell Principles of Criminal Law 3 ed (2005, revised 2008) at 833).
2 Mark Howard & Roger Masefield (eds) Butterworths Banking Law Guide (2006) at 566.
3 The terms 'mobile phone' and 'cellular phone' will be used interchangeably.
4 See Clarissa Muir ABSA's Implementation of Mobile Banking as a Value-Added Mobile Business
Offering (unpublished LLM dissertation, University of Johannesburg (2008)) at 144 and 199, available
at http://ujdigispace.uj.ac.za:8080/dspacehandle/1021O/622. Internet banking refers to the provision of
banking services by means of the Internet. It is a remote delivery channel, utilising a fixed line or
wireless technology as in the case of cellular phones, for banking or financial services that enables the
bank's customers to open and access accounts, to transfer funds between accounts, to access general
information on banking services and products, to apply for loans and credit for business or consumer
purposes, and to do online brokerage and securities trading as well as facilitating electronic bill
presentment and payment. Mobile phone banking is easier and more accessible than Internet banking on
a PC, for instance, because most banking customers usually have a cellular phone. See AB Munir
Internet Banking: Law and Practice (2004) at 1-2; Howard & Masefield op cit note 2 at 567; Denise
Mhlanga 'Forget the Internet; Cellphone Banking Is the Way to Go' Moneyweb's Personal Finance July
2008 at 12-3.
5 'Banking on your SIM Card' FIN24Com Aug 10 2005, available at http://www.fin24.com (visited
on 1 October 2008). See Muir op cit note 4 at 137-9 for a detailed explanation of how these systems
work. WIG (Wireless Internet Gateway) opens up a channel to the Internet on the SIM-card and enables
the use of an application language (WML) that implements SIM application Toolkit based services.
WIG also brings WAP to terminals via SMS. The 'Internet' means the interconnected system of
networks that connects computers around the world using the TCP/IP and includes future versions
thereof. WAP is a security enabler that provides connectivity between a WAP-based handheld device
and a web server. 'WAP' is defined in s 1 of the Electronic Communications and Transactions Act 25 of
2002 ('the ECT Act') as meaning 'Wireless Application Protocol, an open international standard
developed by the Wireless Application Protocol Forum Limited, a company incorporated in terms of the
laws of the United Kingdom, for applications that use wireless communication and includes Internet
access from a mobile phone'.
6 See Muir op cit note 4 at 137, 139, 213.
7 'ABSA Cell Phone Banking', available at http://www.absa.co.za (visited on 3 February 2009). My
present article will refer to mobile phone banking, which should be read as including both forms of
wireless electronic banking conducted by way of a mobile phone.
8 See Muir op cit note 4 at 211. See cl 4.1 of ABSA's terms and conditions.
9 See also Muir op cit note 4 at 198.
10 Mhlanga op cit note 4 at 12-3.
2 SIM-Card Swapping
'Swapping' occurs where the fraudster gains access to sensitive information
that is sent either via SMS ('Short Messaging Service') to a cellular phone, or
to a banking client's e-mail address. The fraudster then poses as the client and
has a new card illegally assigned to the same cellular phone number as the
original SIM-card, via a SIM-card 'swap'.11 The one SIM-card is therefore
'swapped' for another SIM-card, and the cell phone service provider will then
transfer the SIM-card identity of that particular client to that of the fraudster.12
The previous SIM-card is then cancelled. Consequently, the legitimate owner
of the original SIM-card no longer receives any notification SMSs and is
therefore oblivious to the fraud being perpetrated against him. As the fraudster
is allocated the cellular phone number and the replacement card, the SMS
authorisation facility provided by banks to their clients is intercepted,
allowing the fraudster to receive security messages, SMS authorisation
reference numbers and the one-time password.13 The fraudster can then
transfer money, create beneficiaries and make payments at will.
SIM-card fraud is also made possible by way of phishing e-mails. Phishing
entails that unsolicited e-mails, purportedly from the bank, are sent to clients
requesting them to update and verify details such as their PIN ('Personal
Identification Number'), password, cellular phone number and address.14 The
client will then be requested to click on a link and update his personal details.
Once the link is clicked on, the client is diverted to a fraudulent website. The
fraudsters then gain access to the client's personal details and cellular phone
number when the client responds to such phishing e-mails.
Banks will usually not try to obtain personal information via computer
e-mails, and they usually post warning messages and newsletters to this effect
on their websites in order to curb fraud.15 The unauthorised use of the original
mobile phone number as a result of SIM-card swapping could therefore stem
from a combination of phishing and a lack of proper identity verification by
the mobile cellular electronic communications service provider when an
account is opened, or when a SIM-card is swapped at such provider. The next
portion of my article explores the relationship between the bank, the mobile
cellular electronic communications service provider and their client in order
to establish who should bear the loss in cases of mobile banking and SIM-card
fraud.
11 See, eg, 'Security Alert', available at http://www.Nedbank.co.za/terms; 'Absa Warns Internet and
Cell Phone Banking Clients of Fraudulent Activity' 9 October 2007, available at http://www.absa.co.za;
'Protect Yourself From Fraud', available at http://standardbank.co.za/Fraudprevention; 'Frequently
Asked Questions - Cell Phone Banking', available at http://www.fnb.co.za; Hilda Fourie 'SIM Card
Scamsters Net Thousands', available at http://www.fin24.com (all visited on 1 September 2008).
12 SIM-card swapping must be distinguished from SIM-card cloning, which consists of the original
SIM-card being duplicated with another SIM-card so that calls or other services will be charged to that
account.
13 A number of banks are alerting clients to this form of fraud in security alert bulletins, notices and
newsletters. See, eg, 'Security Alert', available at http://www.Nedbank.co.za/terms; 'Absa Warns
Internet and Cell Phone Banking Clients of Fraudulent Activity' 9 October 2007, available at
http://www.absa.co.za; 'Protect Yourself from Fraud', available at http://standardbank.co.za/Fraudprevention;
'Frequently Asked Questions - Cell Phone Banking', available at http://www.fnb.co.za (all
visited on 1 September 2008).
14 'Absa Warns Internet and Cell Phone Banking Clients of Fraudulent Activity' 9 October 2007,
available at http://www.absa.co.za; 'Protect Yourself from Fraud', available at
http://standardbank.co.za/Fraudprevention (visited on 1 September 2008); Mark T Gillett, Obrea O
Poindexter & M Sean Ruff 'Developments in Cyberbanking' (2004-2005) 60 Business Lawyer 757 at
770-3; Lauren L Sullins '"Phishing" for a Solution: Domestic and International Approaches to
Decreasing Online Identity Theft' (2006) 20 Emory International LR 397 at 400 ff.
15 See, eg, 'Security Alert', available at http://www.Nedbank.co.za/terms; 'Absa Warns Internet and
Cell Phone Banking Clients of Fraudulent Activity' 9 October 2007, available at http://www.absa.co.za;
'Protect Yourself from Fraud', available at http://standardbank.co.za/Fraudprevention; 'Frequently
Asked Questions - Cell Phone Banking', available at http://www.fnb.co.za (all visited on 1 September
2008).
162 (2009) 21 SA Merc LJ
16 JC Stassen 'Die Regsaard van die Verhouding tussen Bank en Klint' (1980) 2 Modern Business
Law 77 at 79; Standard Bank of SA Ltd v Oneanate Investments (Pty) Ltd 1995 (4) SA 510 (C) at 530;
FR Malan & JT Pretorius Malan on Bills of Exchange, Cheques and Promissory Notes in South African
Law (2009) in pars 208-9.
17 Ross Cranston Principles of Banking Law (2002) at 144.
18 Howard & Masefield op cit note 2 at 572.
19 Ibid.
20 JT Pretorius & Charnelle Van der Bijl 'A New Mode of Forgery: The Rise of Cloned and Washed
Cheques' (2006) 18 SA Merc LJ 196 at 200, 202. The cloning of a cheque entails that a cheque is
intercepted and the original cheque is used to manufacture a duplicate fraudulent cheque.
risk of the loss would lie with the bank for not complying with its mandate in
terms of the banker-customer relationship.21
In a further article dealing with cloned credit card fraud it was submitted
that a different set of principles will apply to credit cards because the Bills of
Exchange Act 34 of 1964 does not apply to credit cards and credit cards are
not negotiable instruments.22 As regards cloned credit cards it was suggested
that payment made on a cloned credit card is not made with the authorisation
of the cardholder (the consumer) and is not conducted on behalf of or at the
direction of the consumer, and so it does not accord with the terms and
conditions of use and the instructions of the client.23 Consequently, if payment
is made on a separate substitute credit card that purports to be the original
card, the issuer should bear the risk because the mandate has not been
complied with.24
Can a bank be held liable where it pays on an unauthorised transaction
in the case of SIM-card or cellular phone fraud because payment is neither in
accordance with the terms and conditions of use nor on the instructions of the
client? The bank is required to make payments on behalf of the correct person,
ie, the banking client in the case of the contractual relationships pertaining to
the terms and conditions of the mobile phone banking contract. The orders
of the client would be carried out as a consequence of the use of the PIN and
mobile phone number. Where a new SIM-card is obtained, payment is still
possible with the use of the same cellular phone number. What is clear is that
the terms and conditions of use are not complied with because payment does
not accord with the client's instructions. Usually the approaches that may be
adopted by banks in relation to liability due to fraud in Internet banking are
regulated by contract and could include:25
• the use of terms closely related to those based on card transactions;26
• the exercise of a choice by the bank to bear the entire liability unless it can
be proved that the customer acted fraudulently;
• the exclusion of all liability by the bank until the bank is notified.
The contractual terms and conditions regarding the allocation of risk may
also be influenced by statutes such as FICA, the ECT Act, and RICA.
One would need to examine the role of the SIM-card itself to try to find
clarity on who should bear the loss in the case of SIM-card fraud. A SIM-card
is defined by RICA as the:
'Subscriber Identity Module which is an independent, electronically activated device designed
for use in conjunction with a cellular phone to enable the user of the cellular phone to transmit
and receive indirect communications by providing access to telecommunication systems and
enabling such telecommunication systems to identify the particular Subscriber Identity
Module and its installed information.'27
The new SIM-card that enables the cellular phone number to be used in the
fraudulent transactions is not the client's but one purporting to be the client's.
However, the SIM-card is not issued by the bank. The fraud could take place
as a result of a combination of the client's reacting to the phishing e-mail
and the mobile cellular electronic communications service provider's
providing the SIM-card without proper verification, which thus allows the
SIM-card swap to take place.
The Financial Intelligence Centre Act provides that an accountable
institution, such as a bank, may not establish a business relationship or
conclude a single transaction without establishing the identity of the client.28
Banks therefore have a duty to keep records of accounts and personal
particulars of clients. Should an unauthorised banking transaction occur as a
result of SIM-card fraud, the fraudster's account should be traceable and the
identity of the fraudster established. Should the identity not be established,
where, eg, false details were provided, it could be asked whether the risk lies
with the bank in such circumstances because it has not complied with FICA.
In this regard it could be argued that FICA is clear: its s 21 states that the
accountable institution must not only establish the identity of the client, but
also verify such details.29
The Financial Intelligence Centre Act is aimed at preventing unlawful
activities that would include fraud, because the definition of unlawful activity
in FICA is read together with, and defined, in the Prevention of Organised
Crime Act 121 of 1998 as follows:30
' "unlawful activity" means conduct which constitutes a crime or which contravenes any law
whether such conduct occurred before or after the commencement of this Act and whether
such conduct occurred in the Republic or elsewhere.'
The Electronic Communications and Transactions Act also provides strict
guidelines relating to the electronic collecting of personal information. It
states that the data controller must have the express written permission of a
data subject for the collection of such information, no information may be
electronically requested unless it is necessary for a lawful purpose (which
specific purpose must be disclosed), and the information may not be disclosed
to a third party unless required by law.31 Furthermore, s 25 attributes
21 See Tai Hing Cotton Mill Ltd v Liu Chong Hing Bank Ltd & Others [1986] AC 80 at 106B-D. See
further Pretorius & Van der Bijl op cit note 20 at 201-2; Malan & Pretorius op cit note 16 at 356.
22 Charnelle van der Bijl 'The Cloning of Credit Cards: The Dolly of the Electronic Era' (2007) 18
Stellenbosch LR 331 at 341.
23 Ibid. See the National Credit Act 34 of 2005. A consumer includes the party to whom credit is
granted under a credit facility (s 1).
24 Van der Bijl op cit note 22 at 342. See further Steve Cornelius 'The Legal Nature of Payment by
Credit Card' (2003) 15 SA Merc LJ 153 at 168.
25 Munir op cit note 4 at 229.
26 With regard to the unauthorised use of an original credit card and alleged unfair contractual terms,
the cases of Diners Club SA (Pty) Ltd v Singh & Another 2004 (3) SA 630 (D) and Sasfin (Pty) Ltd v
Beukes 1989 (1) SA 1 (A) would normally apply. See my discussion in Van der Bijl op cit note 22 at 338
ff.
27 Section 1.
28 Section 21.
29 Failure to identify persons is made an offence in terms of s 46 of FICA. The penalty is
imprisonment not exceeding 15 years or to a fine not exceeding R10 000 000 in terms of s 68.
30 Section 1 of the definitions.
31 Section 51.
negligence or internal fraud.38 Other terms may provide that liability for loss
or damage is at the client's own risk and that the secrecy of the PIN lies with
the main user.39
The Code of Banking Practice also contains provisions regarding the risk
allocation pertaining to unauthorised transactions. Under the Code, the client
should be reimbursed if the client informs the bank that the PIN or password
is compromised and unauthorised transactions take place thereafter.40 Before
the client informs the bank, the risk of unauthorised loss will usually lie
with the client.
Ironically, the situation may worsen through the remedies employed
(aegrescit medendo), since the same security measures designed to curb fraud
in fact enable cellular phone SIM-card swapping to take place! Mobile phone
banking contracts may provide clauses to address the question of PIN security
and allocation of risk to the effect that:41
• a bank will not act unless the client's identity has been established in
terms of the PIN;
• the client must take reasonable care to protect the password and PIN
numbers; or
• should anyone obtain the MOPIN and cell phone handset with the
registered cell phone number, it will be assumed that such person is
the client whose transactions are deemed authorised, and the client will be
liable for any transactions processed until the service is blocked or
suspended.
What has problematic implications for a client is the insertion of a clause to
the effect that only transactions requested from the registered cellular phone
number will be deemed legitimate and acted upon.42 This means that the same
cellular phone number is used, but not the original SIM-card. When
SIM-cards are swapped, the client will also not receive SMSs after the
original SIM-card has been deactivated and so the client will inevitably bear
the risk of unauthorised use in such cases. A further clause that may place the
liability upon the client is a clause that the client will be liable for any
unauthorised transaction unless it is due to the bank's negligence or fraud, and
that the bank will be indemnified against any loss arising from the use of the
cell phone banking service.43
38 See cl 7 of the 'ABSA Terms and Conditions Applicable to Electronic Channel Banking Individual
Application', available at http://www.absa.co.za (visited on 1 September 2008).
39 See cll 7, 8.4 and 9 of the 'ABSA Terms and Conditions Applicable to Electronic Channel Banking
Individual Application', available at http://www.absa.co.za (visited on 1 September 2008).
40 Clause 5.9.
41 See, eg, cll 1.6 and 1.7 of the 'FNB Specific Terms and Conditions for Cell Phone Banking', also
available at https://www.fnb.co.za; cl 6 of the 'ABSA Terms and Conditions', available at
http://www.absa.co.za; cll 8, 11 and 25 of the Standard Bank 'Electronic Banking Agreement', available under
self-service agreements on https://wwwl.encryp.standardbank.co.zaADWeb/customer/terms; see also
cll 3, 4, 7-8 on Nedbank's 'Electronic Banking Services General Terms and Conditions', available at
http://www.nedbank.co.za/terms/nedbankterms2.htm (visited on 1 September 2008).
42 See s D cl 1.1 of the FNB 'Specific Terms and Conditions for Cell Phone Banking', also available
on https://www.fnb.co.za (visited on 1 September 2008).
43 See s F cll 1.1.1 and 1.3 of the 'FNB Specific Terms and Conditions for Cell Phone Banking', also
available on https://www.fnb.co.za (visited on 1 September 2008).
44 The fraudster will obviously be criminally liable for fraud and theft but can also be held liable, in
terms of the ECT Act, for additional offences (see ss 86-8). Section 86(1) provides that a person who
intentionally accesses or intercepts any data without authority or permission to do so is guilty of an
offence, and 'access' is defined in s 85 as including the actions of a person who, after taking note of any
data, becomes aware of the fact that he or she is not authorised to access that data and still continues to
access that data.
45 For the definition of fraud, see footnote 1 supra.
46 Snyman op cit note 1 at 484 and also 503 ff. Although theft is a continuing crime, and the bank
indirectly takes possession of the 'money' when the 'money' is deposited into the fraudster's account,
the bank will not be guilty of theft because there is no intention unlawfully to appropriate the money (at
509).
47 Munir op cit note 4 at 76.
48 2000/46/EC (OJ L 275 of 27 October 2000).
49 Norbert Horn (ed) Legal Issues in Electronic Banking (2002) at 191-2, 201, 205-7. One view is that
electronic money is digital cash, and another that it is a sight deposit (at 193) or even similar to a
traveller's cheque (at 194). See also Munir op cit note 4 at 76-80. As regards the discharge of the debt,
the position will depend on whether the payment is considered analogous to cash; then the discharge
will occur when the electronic money is transferred. If it is regarded as a traveller's cheque that contains
stored obligations, then acceptance by a merchant's terminal will constitute a final discharge.
50 See Munir op cit note 4 at 82. The position is unsettled, and it is envisaged that much of the legal
relationship between the parties will be regulated by contract (see Horn op cit note 49 at 203). See also
Malan & Pretorius op cit note 16 in par 40.
51 Horn op cit note 49 at 203.
52 Ibid. The issuer will usually regulate the terms and conditions relating to the creation of electronic
money in a contract. Such terms and conditions will usually also contain a clause relating to the user's
liability for unauthorised transfers.
transfer; and its discharge and settlement. The problem of SIM-card fraud will
usually present itself in the transfer stage. Who should bear the risk during
this stage in the case of an unauthorised transaction concerning electronic
money? As Schulze states:53
'The issuers of payment cards and e-money (in South Africa, limited to banks) unilaterally
determine the rules and procedures in terms of which cards and e-money are to be used
including who bears the risk in the case of loss arising from the use of such products. Suffice it
to say that the card or purse holder bears the largest part of the risk of loss resulting from the
use of the card or electronic purse.'
It has been suggested that the risk of stolen electronic money should be
treated in the same manner as stolen credit cards whereby the liability of the
user is limited once the issuer is notified of the loss.54 As far as the loss related
to counterfeit electronic money, it has been suggested that the loss should fall
on the issuer who is responsible for the design and underlying security of the
system.55 One would perhaps have to consider whether the issuer could
disable the electronic money and if not, then the risk should be placed on the
user.56
53 WG Schulze 'Smart Cards and E-money: New Developments Bring New Problems' (2004) 16 SA
Merc LJ 703 at 715.
54 Horn op cit note 49 at 204.
55 Ibid.
56 Ibid.
57 Howard & Masefield op cit note 2 at 572.
58 This Act has been amended by the Regulation of Interception of Communications and Provision of
Communication-Related Information Amendment Act 48 of 2008. See also Jean van Rensburg 'Cell
Phones: Use Them, but Don't Lose or Abuse Them' (2003) 11 Juta's Business Law 148.
59 Section 51(3A). The electronic communications service provider also has to ensure that the
particulars furnished by customers are secure because a failure to do so could also incur this same
penalty (s 40(4)(a)).
60 Sections 40(8) and 51(3C).
61 Sections 40(5) and 51(3B).
62 Sections 62C and 51(3D).
63 Section 42(1)(a)-(d).
64 Section 52 read with s 51(1)(b)(ii).
65 Section 53(1) read with s 51(1)(b)(ii).
66 Section 54(1)(a) and (b) read with s 51(1)(b)(i).
67 The penalty in such case is a fine not exceeding R2 000 000 or imprisonment for a period not
exceeding 10 years (s 51(1)(b)(i)). See also ss 2-9, which also regulate interceptions of communication.
4 Conclusion
There are inherent risks in the use of banking services. Self-regulation and
a number of regulatory measures are aimed at attempting to curb mobile
banking and SIM-card fraud. In allocating liability for the loss caused by
unauthorised mobile banking transactions and SIM-card fraud, such loss
could possibly be apportioned between the parties.68 In the case of ATMs, the
banks will usually manage the system, but in Internet banking (as would be
the case with mobile phone banking) the customer and bank are both
subscribers of a telecommunications or mobile cellular electronic
communications service provider company.69 As Munir states:70
'Like the customer, the bank is simply a user of the telecommunications service and the
technical aspects of the system may be beyond the bank's control .... Fairness requires
the apportionment of liabilities among all parties involved ... depending on the relative
degree of fault.'
Munir's suggested approach could perhaps be used to allocate the risk of
loss between the various parties. In resolving which of the parties should bear
the risk of unauthorised transactions, such determination could depend on
whether the unauthorised transaction occurred within or outside a specific
party's control, the degree of fault displayed by the parties, or whether an
offence has been committed in terms of legislation by a specific party or not.
Statutory intervention is possibly the best solution to regulate this position by
providing for apportionment or distribution of liability in such cases to the
extent that the acts or omissions of the various parties have contributed to
such loss.71
In Pakistan a regulatory framework provides a guideline that deals with
privacy protection, network security and complaint redressal.72 In regulating
instances of SIM-card fraud, one could also possibly have regard to the
Financial Services Authority (FSA) approach to consumer protection
followed in the United Kingdom, which concentrates on the different degrees
68 See discussion by Munir op cit note 4 at 232-5 (UK), 252-5 (Australia), 295-6 (Malaysia).
69 Idem at 233.
70 Ibid. See also Gita Radhakrishna 'Liability Issues in Internet Banking in Malaysia' (2009) 7
Communications of the IBIMA at 2, available at http://www.ibima.org (visited on 3 August 2009).
71 Munir op cit note 4 at 233. The same or similar principles of apportionment used in the law of
delict could be used for guidance. See my discussion in Van der Bijl op cit note 22 at 342-4 in this
regard. It could conceivably be argued that the risk of fraud is reasonably foreseeable when mobile
banking services are used and that reasonable steps need to be taken to prevent such loss. A standard of
reasonableness should be expected from a client, mobile cellular electronic communications service
provider or bank. See further Kruger v Coetzee 1966 (2) SA 428 (A) at 430E-F; Mkhatswa v Minister of
Defence 2000 (1) SA 1104 (SCA) at 1111-4; Mukheiber v Raath & Another 1999 (3) SA 1065 (SCA);
Sea Harvest Corporation (Pty) Ltd & Another v Duncan Dock Cold Storage (Pty) Ltd & Another 2000
(1) SA 827 (SCA); J Neethling, JM Potgieter & PJ Visser Law of Delict 5 ed (2006) at 126-33; Michelle
Kelly 'The Apportionment of Damages between a Negligent Collecting Bank and a Thief of Cheques:
Does the Apportionment of Damages Act Apply?' (2001) 13 SA Merc LJ 509 at 510.
72 See Banking Policy & Regulations Department State Bank of Pakistan 'Draft: Policy Paper on
Regulatory Framework for Mobile Banking in Pakistan' at 6, available at http://www.Sbp.Org.Pk/Bprd/
2007/PolicyPaper_RfMobile anking07-Jun-07 (visited on 28 January 2009). This draft policy is
useful because it examines regulatory issues pertaining to mobile banking related to consumer
protection, suggested models of banking, the effect of m-banking on stability of banking and payment
systems, e-money regulations and the legal definition of deposit.
The use of Public Key Infrastructure used for smart phones that consists
of two keys (a public and a private key) that are used to authenticate the
user and encrypt the data.
To limit the risk further, unique information relating to the handset could be
used as an authentication mechanism, or voice biometrics (instead of the use
of a PIN or password) might well provide a potential solution for secure
authentication of banking and payment transactions.79
79 ATMIA (ATM Industry Association) 'Best Practices for Device Banking Security: International
Minimum Security Guidelines for Device Banking Applications' at 22, 24, and 33, available at
http://www.atmia.com (visited on 3 October 2008).
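The handset-based authentication suggested above, applied to the SIM-card swap described in section 2, as an added example that is not part of the original article: a bank-side check that withholds the SMS one-time password when the SIM or handset no longer matches what was recorded at enrolment. The operator lookup, the field names, the risk classes and the 72-hour window are assumptions.

```python
# Added example, not from the article: a bank-side check that ties SMS
# authorisation to the SIM and handset recorded at enrolment instead of
# trusting the registered phone number alone. All names, the operator
# lookup and the 72-hour window are assumptions made for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import List, Optional, Tuple


class Decision(Enum):
    SEND_SMS_OTP = "send_sms_otp"  # number, SIM and handset all match
    STEP_UP = "step_up"            # verify through a channel other than SMS
    HOLD = "hold"                  # freeze until the client is re-identified


HIGH_RISK = {"create_beneficiary", "payment", "transfer"}
SIM_CHANGE_WINDOW = timedelta(hours=72)  # assumed cooling-off period


@dataclass(frozen=True)
class Enrolment:
    msisdn: str      # registered cellular phone number
    sim_id: str      # SIM identifier recorded at activation
    handset_id: str  # handset identifier recorded at activation


@dataclass(frozen=True)
class OperatorRecord:
    sim_id: str                          # SIM currently serving the number
    last_sim_change: Optional[datetime]  # None if never swapped


@dataclass(frozen=True)
class Request:
    msisdn: str
    handset_id: str
    action: str
    at: datetime


def sim_changed(enrolled: Enrolment, op: OperatorRecord, now: datetime) -> bool:
    """True if the number is served by a different SIM or was swapped recently."""
    if op.sim_id != enrolled.sim_id:
        return True
    if op.last_sim_change is None:
        return False
    return timedelta(0) <= now - op.last_sim_change < SIM_CHANGE_WINDOW


def decide(enrolled: Enrolment, op: OperatorRecord,
           req: Request) -> Tuple[Decision, List[str]]:
    if req.msisdn != enrolled.msisdn:
        return Decision.HOLD, ["request not from the registered number"]
    reasons: List[str] = []
    swapped = sim_changed(enrolled, op, req.at)
    if swapped:
        reasons.append("SIM differs from enrolment or was changed recently")
    if req.handset_id != enrolled.handset_id:
        reasons.append("handset differs from enrolment")
    if not reasons:
        return Decision.SEND_SMS_OTP, reasons
    # After a swap the SMS channel reaches whoever holds the new SIM, so no
    # OTP is sent; money-moving actions wait for re-identification.
    if swapped and req.action in HIGH_RISK:
        return Decision.HOLD, reasons
    return Decision.STEP_UP, reasons


# Constructed sample data (fictitious number and identifiers).
NOW = datetime(2009, 3, 1, 12, 0)
CLIENT = Enrolment("+27000000001", "SIM-A", "HANDSET-1")
UNCHANGED = OperatorRecord("SIM-A", None)
SWAPPED = OperatorRecord("SIM-B", NOW - timedelta(hours=2))


def demo() -> List[Decision]:
    cases = [
        (UNCHANGED, Request(CLIENT.msisdn, "HANDSET-1", "payment", NOW)),
        (SWAPPED, Request(CLIENT.msisdn, "HANDSET-9", "create_beneficiary", NOW)),
        (SWAPPED, Request(CLIENT.msisdn, "HANDSET-9", "balance", NOW)),
        (UNCHANGED, Request(CLIENT.msisdn, "HANDSET-2", "payment", NOW)),
    ]
    return [decide(CLIENT, op, req)[0] for op, req in cases]


if __name__ == "__main__":
    for decision in demo():
        print(decision.value)
```

Under this policy the registered number alone never authorises a transaction, which is the gap the clause discussed in the article leaves open once the original SIM-card has been deactivated.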