Business Maverick

HI-TECH FRAUD

Banking scam — international crime syndicate targets South Africans using smartphones

According to Statista, between 20 million and 22 million South Africans were using smartphones by January this year. As the use of smartphones with near-field communication has increased, so too have related fraudulent incidents.

The banking ombud, Reana Steyn, has sounded an alert after her office recently received about 124 near-field communication (NFC) fraud-related complaints. She said that the losses suffered are in the millions, with customers’ accounts fraudulently drained through tap-and-go purchases made with smart devices in mostly foreign jurisdictions such as Dubai, France and Spain while the legitimate cardholders were in South Africa.

“This is a clear indication that an international crime syndicate is operating within this space and has South African consumers in its sights,” Steyn warns.

She says one of the major banks in South Africa has confirmed with her office that it received more than 6,000 NFC fraud-related complaints in the 18 months between January last year and the beginning of June this year. The bank’s stats show that in the first six months of last year, about 553 customers fell victim to this fraud with their losses amounting to about R430,000. This year the number of victims jumped to more than 5,450 with combined monetary losses exceeding R6.5-million.

“These are highly concerning numbers and the devastation of the losses caused has the potential of causing bank customers serious financial hardships which in some instances may be impossible to recover from,” Steyn says, adding that victims were targeted across various ages and segments.

Although banks have developed fraud detection and prevention systems, such as SIM swap detection, transaction monitoring, two-factor authentication (2FA) and other customer identification methods, criminals are constantly devising new ways to bypass these systems.

As Steyn’s office so accurately observes, while technology has resulted in improved convenience and efficiency, it cannot be disputed that it has also brought new fraud challenges that require banks and consumers to work together to do all they can to close these loopholes and vulnerabilities that are continually exploited by criminals.

How the NFC scam works

The scam involves fraudsters using stolen bank card information, such as your card number, expiry date and the CVV number (the three-digit security number on the back of the card), to make fraudulent purchases via a digital wallet.

“Unlike with the normal card-not-present fraud where the fraudsters would use the stolen card information to make online purchases, prompting an OTP to be sent to the registered cellphone number of the legitimate cardholder, NFC/digital wallet payments do not require this added OTP mitigation tool for each and every transaction,” Steyn explains.

The stolen card information is used by the fraudsters to link their smart devices (smartphones and smartwatches) on payment platforms such as Samsung Pay, Apple Pay, Garmin Pay and Google Pay, and then they use their smart device to make fraudulent purchases using your account details, with no OTPs sent to you to validate the transactions.

However, Steyn points out that for criminals to link their devices to your stolen bank card information, an OTP or a “Smart inContact notification” would be required to complete the linkage process and this would be sent to your registered number or your banking app.

Once this authorisation is granted, the criminal’s device is linked to your bank card, leaving them free to tap their device at point-of-sale with no further verification required. So, why would you grant permission for someone else’s device to be linked to your bank account?

An analysis of complaints received by Steyn’s office reveals that many consumers received emails or communications from fraudulent websites purporting to be legitimate businesses such as the South African Post Office, courier service companies, or VodaBucks, asking consumers to enter OTPs to redeem credits. Through these fake website links and email addresses, the fraudsters are able to obtain all the details they require to approve the linking of their devices to the payment platforms.

Many of the complainants had received messages containing their bank card number and/or OTP requesting them to complete an authentication process which they never initiated.

“If you receive such a message in instances where you never initiated any transaction with your bank card, you should ignore it and immediately report the incident to your bank,” Steyn says.

Urgent messages with hyperlinks

In March this year, Daily Maverick approached three of the major banks after receiving reader complaints related to digital wallet fraud. Nedbank gave us a generic response reiterating bank safety steps for consumers, while Standard Bank asked for a reference number rather than providing a response at all. FNB was the only bank that gave us a considered response.

Trish Ramdhani, the head of card fraud at FNB, says criminals continue to evolve their modus operandi, often using techniques known as phishing and smishing, where they send SMS and email messages containing a hyperlink.

“These messages are designed to cause panic, suggesting that your banking profile will be blocked or that your parcel will be returned. Customers inadvertently click on the hyperlinks, which lead to an unauthorised website that captures their personal and banking information,” she says.

In 2021, FNB introduced Money Protect, a free insurance benefit for certain fraud-related losses when using digital interfaces, but each claim is evaluated on its own merits. FNB told Daily Maverick that on credit card and Fusion accounts, card swipes account for less than 1% while contactless payments account for more than 60% of all transactions. DM

Comments

  • Anne Swart says:

    Interesting that despite most fraud being through contactless transactions, banks, especially FNB, are trying to promote their “virtual” card. Surely a physical card offers better protection? And, on-line purchases can be limited to recognised systems, like Paypal, or Paygate, or such. Banks could limit their transactions to third party portals they trust – and online sites would soon fall in line for the sake of sales.

    Banks are too interested in making their commission on card transactions than trying to stamp out fraud. And, of course, profiting from obscene interest rates charged on credit cards and overdrafts.

    Also have you ever tried to contact a bank to report phishing sites? One could spend an entire day attempting to converse with a robot. When I have been successful in getting an email address to which I can report an incident, not once have I received acknowledgement.

    Banks could control losses by blacklisting vendors where most fraud is prevalent. But, they shan’t, because the losses are not theirs, but their customers’.

    Banks see this as a potential for an additional revenue stream by selling insurance against fraud. Come clean banks – what are you doing to limit fraud? It would be very easy to prevent your cards being uploaded to Apple, or Google, or Samsung.

    • Jeff Blumberg says:

      Agree. No one to talk to. Computer says no!

    • Fanie Rajesh Ngabiso says:

      I want to know why VBV is not mandated by Visa as a requirement for online purchase vendors.

      It is incredibly stressful when a site on which one is purchasing doesn’t bounce out to VBV for bank authentication, and as the purchaser on a site you have absolutely no way of knowing until you have clicked “Pay”.

  • Libby De Villiers says:

    I am not surprised that Nedbank did not respond. Having been a victim of one of these scams, I can confirm this attitude of theirs. In fact, it was quite shocking.

    The fraudulent transactions on my card were made while I was on an overnight flight to Europe. During that time 15 transactions went through, with notices from Nedbank, which I only received the next afternoon. My card was never lost or stolen, I did not share information with anybody or make similar online transactions previously. I did not confirm the transactions nor did I receive any request to do so at any time.

    After waiting for 6 weeks for their fraud department to look into the matter, I was told that, because my card was registered on Apple Pay they could not be held responsible for any losses.

    The fact that they accepted the transactions, allowed them to go through and sent the messages informing me of these, was apparently of no consequence. Nor is there any truth in the information on their website advising you to use Apple Pay for safety and convenience – “You can now add your Nedbank Private Wealth card to Apple Pay, a safer, contactless way to make payments.”

    If the banks want to embrace digitalisation in private banking, as they currently do, they should sharpen their pencils and get it right – the onus is surely on them to make these “services”, clients pay for, safe and secure. It cannot only be a marketing tool for the banks, whilst being a free for all for fraudsters.

  • John Smythe says:

    I received communication from ABSA about the great convenience Apple, Samsung and Google eWallet and pay services would be. When I ran into trouble, their call centre representative had never even heard about the eWallet services. She was hopeless and I was stranded with nobody at ABSA to turn to. After numerous attempts I eventually found a representative who knew what I was talking about and assisted me.

  • graythomason says:

    When FNB initially introduced the Virtual Card, it required a pin number to complete the payment, thus preventing NFC fraud.
    They have since dropped this requirement – why?

  • andrelubbe07 says:

    I’ve been a victim of Fraud on my FNB account this morning. I’ve reported it to FNB, even visited the branch to get answers, yet here I am not knowing if I’ll see my money again. Here’s my short-story:

    This morning I noticed 5 transactions “Uber*Eats” on my Debit card. One was about R449, the other four were exactly the same amount: R673.55. All this happened between 7:20am and 7:30 am. So I blocked my card around 7:32am and the transactions stopped.

    On the line with FNB Fraud, the lady says: “it seems if someone from overseas intercepted a transaction”. So, I ask, how? I don’t use my Debit card for online transactions! I use an FNB Virtual Card. The last time I swiped my debit card was almost a week ago at our local Spur! Surely, this is an inside job at either FNB or SPUR?

    So, this lady proceeds and says: “I see a failed transaction at Amazon… yesterday”. I ask her why didn’t I get notifications? She doesn’t know. She doesn’t know anything! That’s why I went to my local branch where they too know nothing! Anyway, the lady tells me: “you’ll have to wait up to 7 days for the report, depending on how busy our fraud department is”. So, once again, the customer is screwed. I don’t have any hope. I don’t have any answers. I fear that my money is not safe in my accounts. Is it safer in my couch? Probably!

    Anyway, if you got this far, thanks for reading. It’s just a shame banks don’t care about their customers.
