1
00:00:00,360 --> 00:00:04,359
Speaker 1: Seven or two interview.

2
00:00:05,280 --> 00:00:07,640
Speaker 2: But onto this now. It's a story that I think

3
00:00:07,640 --> 00:00:12,160
Speaker 2: has been debated much in recent weeks. But what happens

4
00:00:12,280 --> 00:00:16,160
Speaker 2: when something goes wrong in your bank account? Your funds

5
00:00:16,200 --> 00:00:19,599
Speaker 2: are depleted in an instant. The assumption is that it

6
00:00:19,680 --> 00:00:21,840
Speaker 2: must have been your fault. You did something wrong, you

7
00:00:21,840 --> 00:00:23,799
Speaker 2: clicked the wrong link, you shed the wrong code, you

8
00:00:23,880 --> 00:00:26,840
Speaker 2: made a mistake, you give access to somebody you shouldn't have.

9
00:00:27,520 --> 00:00:31,280
Speaker 2: But what if that isn't necessarily the full story? The

10
00:00:31,360 --> 00:00:35,720
Speaker 2: Daily Mavericks Rebecca Davis has been doing an investigation challenging

11
00:00:35,840 --> 00:00:39,839
Speaker 2: narratives about the South African banking system, the idea that

12
00:00:39,960 --> 00:00:43,960
Speaker 2: digital fraud is almost always the customer's fault. She's drawn

13
00:00:44,040 --> 00:00:48,640
Speaker 2: on court records, internal processes and cases from ordinary South

14
00:00:48,680 --> 00:00:52,760
Speaker 2: Africans banking with all the major banking groups, and it

15
00:00:52,880 --> 00:00:58,000
Speaker 2: raises questions about transparency, accountability and where there could be

16
00:00:58,080 --> 00:01:01,560
Speaker 2: vulnerabilities inside this system. Rebecca Davis, A pleasure to have

17
00:01:01,600 --> 00:01:03,680
Speaker 2: you on our show. Thank you for your time. All right,

18
00:01:03,760 --> 00:01:06,800
Speaker 2: so talk to me. What prompted this investigation on your part?

19
00:01:07,120 --> 00:01:10,280
Speaker 1: The fact that we were going through the latest crime statistics,

20
00:01:10,319 --> 00:01:15,080
Speaker 1: which obviously are released every four months, and the work

21
00:01:15,120 --> 00:01:17,440
Speaker 1: that the police are doing is definitely paying off, because

22
00:01:17,480 --> 00:01:20,600
Speaker 1: we do see these tentative improvements in practically every major

23
00:01:20,680 --> 00:01:24,679
Speaker 1: crime area except for two. One is kidnapping, which as

24
00:01:24,680 --> 00:01:27,800
Speaker 1: you'll know, is on the rise in a truly alarming way.

25
00:01:28,120 --> 00:01:32,399
Speaker 1: But the second is commercial crime, a very vaguely defined

26
00:01:32,440 --> 00:01:36,320
Speaker 1: crime category which nonetheless has doubled according to Daily Mavericks

27
00:01:36,319 --> 00:01:39,520
Speaker 1: analysis over the past ten years. And we wanted to

28
00:01:39,560 --> 00:01:43,600
Speaker 1: know what is that crime and what are the drivers

29
00:01:43,600 --> 00:01:46,959
Speaker 1: causing it to explode in this manner contrary to the

30
00:01:46,959 --> 00:01:49,320
Speaker 1: trajectory of the rest of the crime situation.

31
00:01:49,760 --> 00:01:52,720
Speaker 2: You've got a three part series, and I was interested

32
00:01:52,760 --> 00:01:55,160
Speaker 2: in how you've framed it. The first one you've called

33
00:01:55,520 --> 00:01:59,240
Speaker 2: the Invisible highst and of course the idea that this

34
00:01:59,400 --> 00:02:02,920
Speaker 2: kind of fraud is happening increasingly in South Africa and

35
00:02:02,960 --> 00:02:03,840
Speaker 2: often it's digital.

36
00:02:03,920 --> 00:02:07,840
Speaker 1: The only area of commercial crime for which we have

37
00:02:08,160 --> 00:02:11,560
Speaker 1: some numbers ban Gani is digital bank fraud.

38
00:02:12,040 --> 00:02:13,160
Speaker 3: For everything else.

39
00:02:13,000 --> 00:02:17,399
Speaker 1: It's impossible basically to get disaggregated data on what commercial

40
00:02:17,440 --> 00:02:21,040
Speaker 1: crime actually looks like, but we do know that digital

41
00:02:21,080 --> 00:02:24,640
Speaker 1: bank fraud is exploding. In fact, the numbers collected by

42
00:02:24,639 --> 00:02:28,200
Speaker 1: the South African Banking Risk Information Center for twenty twenty

43
00:02:28,240 --> 00:02:31,720
Speaker 1: four alone, we double those of twenty twenty three. So

44
00:02:31,760 --> 00:02:36,720
Speaker 1: it's not just increasing, it's increasing exponentially year on year.

45
00:02:37,160 --> 00:02:39,400
Speaker 1: And one of the obvious reasons why we've seen the

46
00:02:39,440 --> 00:02:44,720
Speaker 1: sudden acceleration is the advent of AI right because previously,

47
00:02:44,760 --> 00:02:47,799
Speaker 1: in order, for instance, to carry out certain types of scams,

48
00:02:48,120 --> 00:02:50,400
Speaker 1: you would at least have to be able to draft

49
00:02:50,480 --> 00:02:53,480
Speaker 1: a sort of official sounding letter from the bank or

50
00:02:53,520 --> 00:02:58,680
Speaker 1: an SMS, etc. Yourself in reasonable English, perhaps up to

51
00:02:58,680 --> 00:03:02,960
Speaker 1: a certain standard. Now llms can automate a lot of

52
00:03:03,000 --> 00:03:06,840
Speaker 1: this process, and there are also llms available on the

53
00:03:06,960 --> 00:03:10,160
Speaker 1: dark web which take away all the normal protections of

54
00:03:10,200 --> 00:03:12,919
Speaker 1: the AIS we tend to use every day at work

55
00:03:13,040 --> 00:03:16,080
Speaker 1: or whatever, which allow you to plan and execute a

56
00:03:16,120 --> 00:03:17,840
Speaker 1: scam from beginning to end.

57
00:03:18,320 --> 00:03:22,640
Speaker 2: Gosh, and I suppose the prevalence issue is relevant because

58
00:03:23,000 --> 00:03:26,560
Speaker 2: often you know when it happens to you as a victim,

59
00:03:26,760 --> 00:03:31,560
Speaker 2: you are confused. Obviously the impact financially is substantial, but

60
00:03:31,639 --> 00:03:33,560
Speaker 2: you think it's only happened to you.

61
00:03:33,919 --> 00:03:36,040
Speaker 1: And one of the reasons for that is that we

62
00:03:36,160 --> 00:03:37,800
Speaker 1: have so little data on this.

63
00:03:38,240 --> 00:03:39,320
Speaker 3: So the banks do not.

64
00:03:39,320 --> 00:03:43,480
Speaker 1: Release individual figures for the fraud they've experienced or their

65
00:03:43,480 --> 00:03:47,080
Speaker 1: customers have experienced rather in a year. They don't say

66
00:03:47,080 --> 00:03:51,880
Speaker 1: their losses. There's just the general industry data that we

67
00:03:52,000 --> 00:03:54,880
Speaker 1: can we can draw from to see just how often

68
00:03:55,000 --> 00:03:57,800
Speaker 1: this is happening. But one of the reasons why it's

69
00:03:57,840 --> 00:04:00,320
Speaker 1: incredibly difficult for the media and the public to get

70
00:04:00,360 --> 00:04:03,440
Speaker 1: a firm sense of the scale of the issue is

71
00:04:03,480 --> 00:04:05,800
Speaker 1: that a lot of the time, when the banks offered

72
00:04:05,840 --> 00:04:07,920
Speaker 1: to pay you back at least some of your money,

73
00:04:07,960 --> 00:04:11,920
Speaker 1: it comes with a confidentiality agreement. I discovered, So the

74
00:04:11,960 --> 00:04:16,960
Speaker 1: banks pair particularly large settlements, if they're reimbursing you from

75
00:04:17,000 --> 00:04:19,880
Speaker 1: millions lost from your account, they will generally pair it

76
00:04:19,920 --> 00:04:22,640
Speaker 1: with a non disclosure agreement, which means that you're just

77
00:04:22,800 --> 00:04:25,040
Speaker 1: happy to have your money back, but the rest of

78
00:04:25,120 --> 00:04:27,760
Speaker 1: us never find out exactly what happened or why.

79
00:04:28,120 --> 00:04:33,120
Speaker 2: All right, I'll reframe that old addage. I mean, is

80
00:04:33,160 --> 00:04:35,880
Speaker 2: the customer always right in this case?

81
00:04:36,000 --> 00:04:38,479
Speaker 1: So what I realized is that there's this guss between

82
00:04:38,520 --> 00:04:42,400
Speaker 1: the perception that ordinary South Africans have, which is almost

83
00:04:42,440 --> 00:04:46,240
Speaker 1: always you'll find that they believe the fraud that happened

84
00:04:46,279 --> 00:04:48,800
Speaker 1: on their account could not have taken place without at

85
00:04:48,920 --> 00:04:52,080
Speaker 1: least the facilitation in some way of a bank employee,

86
00:04:52,120 --> 00:04:56,280
Speaker 1: even if they weren't acting alone. The bank's position is,

87
00:04:56,560 --> 00:05:00,360
Speaker 1: by default the opposite. They say, this never happens. It's posible.

88
00:05:00,680 --> 00:05:03,680
Speaker 1: Bank employees don't have the necessary access to accounts to

89
00:05:03,720 --> 00:05:07,039
Speaker 1: do things like add beneficiaries to your account or eraise

90
00:05:07,160 --> 00:05:11,599
Speaker 1: account limits, etc. So there's this gulf between what people

91
00:05:11,600 --> 00:05:14,320
Speaker 1: think is happening and what the banks insist is happening.

92
00:05:14,480 --> 00:05:18,400
Speaker 1: And the reality, I think is that neither of those

93
00:05:18,480 --> 00:05:23,080
Speaker 1: pictures is one hundred percent correct because we filtered through

94
00:05:23,160 --> 00:05:26,240
Speaker 1: scores and scores of accounts people sent us about the

95
00:05:26,279 --> 00:05:29,720
Speaker 1: frauds that happened on their accounts, and in a lot

96
00:05:29,720 --> 00:05:32,640
Speaker 1: of cases, unfortunately, it is easy to see that even

97
00:05:32,680 --> 00:05:35,960
Speaker 1: though the victims themselves didn't realize that they had compromised

98
00:05:36,000 --> 00:05:39,000
Speaker 1: the security of their account, normally in a way they

99
00:05:39,080 --> 00:05:41,800
Speaker 1: were completely unaware of. You know, you click on a link,

100
00:05:42,160 --> 00:05:47,279
Speaker 1: you gave some details to someone in some confusing manner

101
00:05:47,360 --> 00:05:51,880
Speaker 1: months before, and unfortunately that is how your account got compromised.

102
00:05:52,160 --> 00:05:54,599
Speaker 1: But there were cases we looked at where it was

103
00:05:54,720 --> 00:05:59,760
Speaker 1: really hard to see how this customer could be responsible

104
00:06:00,080 --> 00:06:02,360
Speaker 1: for the fraud that happened on their account, and those

105
00:06:02,400 --> 00:06:05,039
Speaker 1: are the cases in particular that banks aren't that keen

106
00:06:05,080 --> 00:06:05,760
Speaker 1: to talk about.

107
00:06:06,000 --> 00:06:08,359
Speaker 2: What are some of the worst horror stories you're encountered.

108
00:06:08,440 --> 00:06:08,840
Speaker 3: I'm gunni.

109
00:06:08,920 --> 00:06:10,520
Speaker 1: I can't tell you how depressing it's beIN I mean,

110
00:06:10,560 --> 00:06:13,320
Speaker 1: I'm just getting cases and cases sent to my email

111
00:06:13,360 --> 00:06:15,440
Speaker 1: address every day because the problem is also people are

112
00:06:15,520 --> 00:06:19,039
Speaker 1: absolutely desperate. I think you hear commercial crime and you

113
00:06:19,080 --> 00:06:22,480
Speaker 1: think this is a problem mainly affecting corporates. I think

114
00:06:22,520 --> 00:06:25,760
Speaker 1: the scale is that this is actually catastrophic. We're having

115
00:06:25,880 --> 00:06:29,160
Speaker 1: people every day who are having tens of thousands, sometimes

116
00:06:29,160 --> 00:06:32,800
Speaker 1: millions of rands transferred out of their accounts. Whether they

117
00:06:32,839 --> 00:06:35,479
Speaker 1: are responsible and I'm using that word in air quotes

118
00:06:35,720 --> 00:06:38,640
Speaker 1: or not, that the point is that the money has

119
00:06:38,720 --> 00:06:42,280
Speaker 1: gone from their accounts and they're not getting it back necessarily.

120
00:06:42,800 --> 00:06:46,800
Speaker 1: And we've looked at cases where people lost their life savings,

121
00:06:46,920 --> 00:06:51,720
Speaker 1: where grandmothers lost their entire pensions, you know, where people

122
00:06:51,760 --> 00:06:55,359
Speaker 1: who are already on the breadline had credit cards debt

123
00:06:55,560 --> 00:06:57,960
Speaker 1: run up for them, so now they're paying back money

124
00:06:58,000 --> 00:07:03,200
Speaker 1: they at no point spent and it's accruing interest every month.

125
00:07:03,279 --> 00:07:05,839
Speaker 1: Those cases, to me, I think are particularly cruel.

126
00:07:06,160 --> 00:07:08,480
Speaker 2: How much of this I mean of course, the banks

127
00:07:08,520 --> 00:07:11,920
Speaker 2: will say whatever may go wrong, even within their system.

128
00:07:12,040 --> 00:07:15,000
Speaker 2: This is obviously not official policy. They don't benefit from

129
00:07:15,080 --> 00:07:19,000
Speaker 2: this necessarily. So how much does all of this involve

130
00:07:19,160 --> 00:07:23,400
Speaker 2: internal vulnerabilities or inside jobs, as it were.

131
00:07:23,560 --> 00:07:26,360
Speaker 1: That's the question we can't answer, And certainly the fraud

132
00:07:26,360 --> 00:07:28,840
Speaker 1: experts I spoke to you said, in the vast, vast,

133
00:07:28,880 --> 00:07:33,280
Speaker 1: vast majority of cases they will not involve bank insiders.

134
00:07:33,400 --> 00:07:35,840
Speaker 1: It just seems to the rest of us, who are

135
00:07:36,160 --> 00:07:40,080
Speaker 1: pretty ignorant about taking safety stuff, often that it couldn't

136
00:07:40,080 --> 00:07:43,120
Speaker 1: have happened without a hack of the branches, I mean,

137
00:07:43,160 --> 00:07:46,280
Speaker 1: the bank's internal systems, when what's actually happened is a

138
00:07:46,320 --> 00:07:49,600
Speaker 1: hack of the customer system in some way. So, for instance,

139
00:07:50,160 --> 00:07:53,640
Speaker 1: many people don't realize that the one time pins that

140
00:07:53,720 --> 00:07:57,080
Speaker 1: get sent to your cell number sometimes on your bank settings,

141
00:07:57,120 --> 00:07:59,520
Speaker 1: you will have a default option which is to send

142
00:07:59,560 --> 00:08:04,160
Speaker 1: those two email. If a hacker is able to change

143
00:08:04,480 --> 00:08:07,679
Speaker 1: to take control of your email address, then they're able

144
00:08:07,720 --> 00:08:11,480
Speaker 1: to redirect or approve the adding of beneficiaries and so on.

145
00:08:11,760 --> 00:08:13,560
Speaker 1: And this is something that the public I think often

146
00:08:13,600 --> 00:08:17,640
Speaker 1: doesn't realize is possible. At the same time, nobody would

147
00:08:17,640 --> 00:08:20,560
Speaker 1: deny the fact that in particular, there are syndicates which

148
00:08:20,600 --> 00:08:23,680
Speaker 1: send people into the banks and which target bank employees

149
00:08:23,800 --> 00:08:27,200
Speaker 1: as collaborators, so that you'll have a situation where someone

150
00:08:27,520 --> 00:08:30,320
Speaker 1: on the inside of the bank might indeed be working,

151
00:08:30,520 --> 00:08:33,199
Speaker 1: but with someone on the outside who's doing the sort

152
00:08:33,240 --> 00:08:34,559
Speaker 1: of actual scamming.

153
00:08:35,480 --> 00:08:39,800
Speaker 2: So banks, predictably, I suppose, would be reluctant to fully

154
00:08:39,840 --> 00:08:46,320
Speaker 2: disclose information around their internal processes. I'd imagine that compounds

155
00:08:46,600 --> 00:08:48,120
Speaker 2: some of the difficulties for victims.

156
00:08:49,960 --> 00:08:53,080
Speaker 1: Yes, it does. The issue is that if the bank

157
00:08:53,160 --> 00:08:56,720
Speaker 1: investigates your case and tells you we've determined that your

158
00:08:56,760 --> 00:09:01,080
Speaker 1: login details were used, your login, your password we used

159
00:09:01,160 --> 00:09:05,680
Speaker 1: to facilitate this fraud, then basically there's very little you

160
00:09:05,720 --> 00:09:06,000
Speaker 1: can do.

161
00:09:06,920 --> 00:09:10,280
Speaker 3: You can argue that you know you never use those credentials,

162
00:09:10,320 --> 00:09:13,800
Speaker 3: that the authorizations didn't come for your devices. It's very

163
00:09:13,880 --> 00:09:17,959
Speaker 3: unusual that the bank will actually inspect your devices because

164
00:09:17,960 --> 00:09:19,920
Speaker 3: obviously this would take time, and there are so many

165
00:09:19,960 --> 00:09:24,080
Speaker 3: fraudulent transactions happening every day, so that's unlikely to happen.

166
00:09:24,120 --> 00:09:26,520
Speaker 3: What is most likely to happen is that the bank

167
00:09:26,520 --> 00:09:29,280
Speaker 3: will simply tell you their own investigation has concluded that

168
00:09:29,320 --> 00:09:32,160
Speaker 3: there was no liability on the bank's part and that's

169
00:09:32,200 --> 00:09:32,800
Speaker 3: the end of it.

170
00:09:33,000 --> 00:09:35,120
Speaker 1: And then you might say, well, I don't know, I'm

171
00:09:35,120 --> 00:09:38,160
Speaker 1: not happy with that. Can I please see the evidence

172
00:09:38,160 --> 00:09:39,960
Speaker 1: that you use to come to that conclusion? What is

173
00:09:40,000 --> 00:09:42,360
Speaker 1: the movement on my account? And you will be told

174
00:09:42,760 --> 00:09:46,000
Speaker 1: that you cannot access the bank's internal forensic reports because

175
00:09:46,000 --> 00:09:50,200
Speaker 1: it's the bank's proprietary information and author that it contains

176
00:09:50,800 --> 00:09:53,800
Speaker 1: personal details. And you might well protest, but it's my

177
00:09:53,920 --> 00:09:56,599
Speaker 1: personal details. It doesn't make a difference. And this is

178
00:09:56,640 --> 00:09:59,719
Speaker 1: something I brought to the Information Regulator. Is it acceptable

179
00:09:59,760 --> 00:10:03,640
Speaker 1: for the banks to be refusing to submit information about

180
00:10:03,640 --> 00:10:08,240
Speaker 1: your own account to the client? The Information Regulator wasn't convinced.

181
00:10:08,600 --> 00:10:12,040
Speaker 1: They said that their legal opinion was that the banks

182
00:10:12,040 --> 00:10:15,720
Speaker 1: should be redacting any sensitive information but still giving the

183
00:10:15,800 --> 00:10:18,560
Speaker 1: necessary information for you in order for you to be

184
00:10:18,640 --> 00:10:23,280
Speaker 1: able to access or protect your own rights. But in practice,

185
00:10:23,280 --> 00:10:25,280
Speaker 1: at the moment, it's not happening, and that's really a

186
00:10:25,320 --> 00:10:26,560
Speaker 1: dead end for a lot of people.

187
00:10:26,760 --> 00:10:29,480
Speaker 2: Sorry for you, I mean, simply, that's what they say.

188
00:10:29,520 --> 00:10:32,080
Speaker 2: Rebecca Davis, You can never be too careful. Appreciate your time.

189
00:10:32,160 --> 00:10:37,240
Speaker 2: Senior Daily Maverick journalist with a series on commercial crimes,

190
00:10:37,280 --> 00:10:42,120
Speaker 2: particularly When it comes to digital banking fraud, you really

191
00:10:42,200 --> 00:10:43,319
Speaker 2: can never be too careful.