Got questions about security? We’ve got clear answers

From biometric verification to real-time fraud monitoring, here’s how our layered security helps protect our clients.


Fraud has changed. It is faster, more automated and more organised than it used to be. Criminals use SIM swaps, social engineering, malware, mule accounts, fake links, compromised devices and stolen information to try to get around banking controls.

So our security has had to change too.

At Capitec, we do not rely on one control to protect a client’s money. We use layers. Some are visible, like biometric checks, app approvals and transaction limits. Others work behind the scenes, like device binding, transaction monitoring, graph analysis, malware detection, privileged access controls and pre-settlement fraud holds.

We are also building and improving internal tools that help our teams see risk earlier and respond faster. Pulse gives our teams a live view of important fraud and security signals across the environment. NEO helps investigators and engineers analyse complex information, review evidence and identify risks more consistently. These tools are not the whole story. They are part of a wider security approach built around prevention, detection, response and learning.

These are the questions clients often ask us. They deserve clear answers.

1. Why did Capitec get rid of OTPs, and what replaced them?

While SMS remains an important communication format for many South Africans, we have moved away from SMS OTPs as a primary way to confirm identity because SMS can be vulnerable to certain types of fraud, especially SIM swaps.

An OTP assumes that your phone number is still in your control. But a criminal may try to manipulate mobile network processes to move your number to a SIM they control. If a bank primarily relies on SMS, that creates risk.

For higher-risk actions, we use stronger checks. These can include biometric selfie verification, liveness detection and matching against trusted identity records. Liveness detection helps confirm that the person is real and present, not a photograph, replayed video or synthetic image.

The principle is simple: access should be based on stronger evidence than the ability to receive an SMS.

2. What about SIM swap fraud specifically?

SIM swap fraud is a real risk in South Africa, so our systems are designed with the assumption that a phone number can be compromised.

A SIM swap may give a criminal control of your number. It should not, on its own, give them control of your bank account. That is why we use device, identity, behavioural and risk-based controls together.

When a new device is linked to a Capitec profile, we do not treat SMS confirmation as enough. The process includes stronger checks to help confirm that the person trying to link the device is the real client.

Where credentials are reset, additional controls may apply, including waiting periods before certain high-risk actions are available. This helps reduce the risk of a criminal using newly compromised information to act immediately.

Clients can also use Capitec App tools such as Contact Lock to add more friction to account access. It is there for clients who want stronger protection around device linking and contact centre processes.

3. Can someone drain my account even if they get into my app?

Our security model does not depend on one lock on one door. It uses several layers of protection across the app, transaction systems and core banking platform.

Some controls are visible in the app. Others work behind the scenes. We look at whether the device is familiar, whether the beneficiary is new, whether the payment amount is unusual, whether the destination account shows suspicious behaviour and whether the overall pattern matches known fraud signals.

This is where transaction intelligence matters. We use in-memory graph analysis technology to understand relationships between accounts and transactions in real time. A single payment may look normal on its own. But if many clients suddenly start paying the same account, or if the receiving account behaves like a mule account, the wider pattern can trigger intervention.
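The pattern described here, many clients suddenly paying the same account for the first time, can be illustrated with a small payer-to-beneficiary graph. The code below is an added example written for this page; it is not Capitec's graph technology, and the one-hour window, the threshold of five new payers and the account names are constructed assumptions chosen to show the idea.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed example: a payer -> beneficiary graph built from a stream of
# payments. A beneficiary is flagged when, inside a short sliding window, it
# receives first-ever payments from many distinct clients. The window and
# threshold are illustrative assumptions, not a bank's real parameters.
WINDOW = timedelta(hours=1)
NEW_PAYER_THRESHOLD = 5


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def flag_suspected_mules(payments: list[dict], window: timedelta = WINDOW,
                         threshold: int = NEW_PAYER_THRESHOLD) -> dict[str, list[str]]:
    """Return {beneficiary: [payers]} for beneficiaries that gained at least
    `threshold` first-time payers inside a sliding window of length `window`."""
    seen_edges: set[tuple[str, str]] = set()          # (payer, beneficiary) already observed
    first_time: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    flagged: dict[str, list[str]] = {}

    for p in sorted(payments, key=lambda x: parse_ts(x["ts"])):
        edge = (p["from"], p["to"])
        ts = parse_ts(p["ts"])
        if edge in seen_edges:
            continue                                  # a repeat payer is not a new edge
        seen_edges.add(edge)
        history = first_time[p["to"]]
        history.append((ts, p["from"]))
        # Keep only the first-time payers that fall inside the window ending now.
        recent = [(t, payer) for t, payer in history if ts - t <= window]
        first_time[p["to"]] = recent
        if len(recent) >= threshold and p["to"] not in flagged:
            flagged[p["to"]] = [payer for _, payer in recent]
    return flagged


def build_sample_payments() -> list[dict]:
    """Constructed sample data: one established beneficiary and one suspected mule."""
    payments = []
    # Established beneficiary: a new payer trickles in once a day over a week.
    for day in range(7):
        payments.append({"ts": f"2024-03-0{day + 1}T09:00:00",
                         "from": f"client-{day}", "to": "ACC-UTILITY"})
    # Suspected mule: six different clients pay it for the first time within 30 minutes.
    for i in range(6):
        payments.append({"ts": f"2024-03-05T14:{i * 5:02d}:00",
                         "from": f"client-{10 + i}", "to": "ACC-MULE"})
    # One of them pays again; this is the same edge and must not count twice.
    payments.append({"ts": "2024-03-05T14:31:00", "from": "client-10", "to": "ACC-MULE"})
    return payments


def demo() -> dict[str, list[str]]:
    return flag_suspected_mules(build_sample_payments())
```

The key design choice is to count edges, not payments: a client who pays the same account repeatedly adds nothing to the signal, while a burst of never-before-seen payers does. The utility account receives new payers too, but spread over days, so it never crosses the threshold inside the window.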

Pulse helps our teams monitor important signals like these across fraud and security operations. It gives a clearer view of what is happening now, where risk is increasing and which cases need urgent attention.

Suspicious payments can be paused, reviewed or blocked before they clear. Payments to new beneficiaries receive additional scrutiny because that is where some fraud attempts appear.

Card transactions are also assessed using risk-based models. Where needed, a transaction can be stepped up for additional 3D Secure authentication in the app.

The aim is not to make banking difficult. It is to make fraud harder to perpetrate, even if one layer has already been attacked.

4. If I call the fraud line while transactions are happening, can you actually stop them in time?

Speed matters when fraud is in progress.

A transaction moves through different stages before it settles. The most important window is before settlement, because that is when an intervention has the best chance of stopping the money from leaving or limiting further loss.

Our consultants have tools that allow them to restrict an account quickly when fraud is reported. That action is designed to affect the authorisation layer, rather than sit in a queue while a ticket is processed.

We also use automated pre-settlement intercepts. That means certain transactions can be flagged and held by our fraud detection systems before a human review starts. The human investigation follows, but the first hold does not always need to wait for a person to manually trigger it.

Pulse supports this by giving teams visibility of active risk, alerts and operational pressure points. In a fraud event, seeing the right signal quickly can make a real difference.

We must be honest about the limits. Once money has settled into another institution, recovery becomes more difficult and may depend on the receiving bank or other parties. That is why clients should contact us immediately if something feels wrong.

5. How do you stop someone getting real-time intelligence about my account?

Real-time account information is sensitive. It needs to be protected from external attackers, misused internal access and unnecessary exposure through system integrations.

Capitec follows zero trust principles. In plain language, that means we do not automatically trust a user, device or system just because it is inside our environment. Access must still be verified, controlled and monitored.

We use technologies such as Zscaler for Zero Trust Network Access. This helps make sure that people and systems can only reach what they are authorised to reach. It replaces the model of a broad internal network where access is assumed once someone is “inside”.

We also apply data minimisation. A system should receive only the information it needs to perform its function. For example, a notification service may need to know that a notification must be sent. It does not always need further detail beyond that.

The goal is clear: sensitive client information should only be available where there is a valid, controlled reason.

6. How do you stop someone inside Capitec abusing their access?

Protecting clients also means protecting them from the risk of insider misuse.

Role-based access is necessary, but it is not enough on its own. Capitec uses privileged access management, often called PAM, to control elevated access to sensitive systems. We are also moving towards zero standing privilege, which means elevated access is not something an employee permanently carries.

Instead, access can be granted for a specific task, for a specific period, then removed when that task is complete. In plain language: nobody should have the keys to everything, all the time.

Sensitive activity is logged, monitored and reviewed. We also look for unusual behaviour. If someone accesses information that does not match their role, task or normal pattern, that can trigger investigation.

These controls help make sure client information is accessed only for valid business reasons and that misuse can be detected and acted on.

7. How does Capitec protect the app itself from being tampered with?

The Capitec app is built to communicate securely with our systems.

One of the controls we use is mutual Transport Layer Security, or mTLS. Normal TLS helps your device verify that it is talking to the right server. Mutual TLS goes further by helping both sides verify each other. The app verifies Capitec and Capitec verifies the app or device context before sensitive communication takes place.

This helps protect against man-in-the-middle attacks, where a criminal tries to sit between your phone and the bank to intercept or manipulate information.

We also use nonces in transaction flows. A nonce is a unique value that can be used only once. If a criminal captures a transaction request and tries to replay it, the reused request should be rejected because the nonce has already been consumed.

In plain language: the app is designed to help stop criminals from pretending to be Capitec, pretending to be you or reusing an old instruction to move money again.

8. What about malware on my device?

Malware on a client’s device is one of the hardest threats in mobile banking. It can sit on the same phone you use to authenticate, which makes it especially dangerous.

Capitec uses malware detection capabilities to help identify suspicious activity. We also continue to develop in-house detection because threats change quickly and banks need to respond at the speed of the threat.

But clients still play an important role.

Keep your phone’s operating system updated. Only install apps from official app stores. Be careful with apps that ask for accessibility permissions, especially if they were downloaded from outside trusted sources.

Accessibility permissions can be abused by criminals. They may allow a malicious app to place fake screens over your banking app, read information or interfere with what you are trying to do.

Also be cautious of anyone who pressures you to install software, move money, share information or “secure” your account in a hurry. Fraudsters create panic because rushed decisions are easier to manipulate.

9. If something goes wrong, how do I know the evidence is trustworthy?

When a transaction is disputed, the quality of the evidence matters.

Capitec keeps detailed logs of account activity, system events, device signals, verification records and audit trails. These records help us understand what happened, when it happened and which controls were triggered.

We use measures that help protect the integrity of those records. Some logs are immutable, cryptographically hashed or both. Immutable means a record cannot simply be changed after it is written. Cryptographic hashing makes interference detectable because even a small change creates a different hash value.

This is one of the areas where NEO supports our teams.

NEO is an internal agentic analysis tool that helps bring together information from different systems. In a disputed transaction or security event, relevant evidence may sit across device telemetry, security logs, verification events, banking records and audit trails. NEO helps investigators review that information more consistently by connecting signals, building timelines and highlighting what needs attention.

It is not there to replace a human investigator. It is there to reduce manual effort, improve consistency and help people see the full picture faster.

That distinction matters. Technology can help us read more and connect more. Human judgement still matters when evidence needs to be understood fairly and in context.

10. How do you find security problems before attackers do?

Security cannot only be reactive. By the time an exploit is visible, damage may already be happening. We need to find weaknesses before criminals can use them.

That means continuously reviewing systems, monitoring patterns, testing controls and improving defences as threats change.

NEO also supports proactive security work. It can help analyse code and engineering changes for security vulnerabilities, code quality issues, performance risks and scale concerns. It can run on demand and as part of the deployment process, helping teams identify issues before code reaches production.

Pulse supports the operational side by giving teams visibility of live signals, alerts and emerging risk patterns. Together, tools like these help teams move from isolated checks to a more connected view of security and fraud risk.

We also analyse APIs, including the way different endpoints may interact. Some attacks do not come from one obviously vulnerable endpoint. They come from chaining several actions together in a way the system was never meant to allow. Finding those patterns requires looking at combinations, not only individual parts.

Fraud and cybercrime are becoming more automated. Our defence has to be proactive, adaptive and faster than the threat.

A final note

Fraud is personal. It affects people’s money, confidence and peace of mind.

That is why we keep investing in stronger authentication, better detection, safer app architecture, tighter internal access, real-time operational visibility and more advanced forensic tools.

Technology matters, but the goal is simple: help keep clients and their money safer.

We will keep improving as fraud changes. We will keep building better tools. And we will keep explaining this work in plain language, because trust is built when people understand what is being done to protect them.

If something feels wrong, act quickly. Use the Capitec app to secure your account or contact us immediately.
