OBSSA sounds the alarm over digital wallet fraud

by Tania Griffin

Modern consumers have become used to a plethora of easy pay options when transacting. One doesn’t think twice about using one’s phone or smartwatch to pay for a morning coffee after a workout session at the gym. Contactless payments (such as tapping your card or using your smartphone or smartwatch at a point-of-sale machine) are becoming increasingly popular due to the convenience they offer.

With convenience comes great responsibility, however, and the need for consumers to be more alert and aware as this payment method, like any other platform or area where money or the transfer of money is concerned, is also susceptible to fraud.

It is no secret that technology has made it easier for fraudsters to steal and manipulate personal information through phishing emails, vishing calls, smishing SMSes or malware attacks. These are also referred to as ‘social engineering attacks’, aimed at allowing the fraudsters to gain access to consumers’ personal and confidential information, which the fraudsters then use to raid and deplete bank accounts.

Although banks have developed fraud detection and prevention systems – such as SIM Swap detection, transaction monitoring, 2-factor authentication and other customer identification methods – fraudsters are constantly devising new ways to bypass these systems, making it an ongoing battle for banks to stay one step ahead.

The Ombudsman for Banking Services of South Africa (OBSSA) receives hundreds of complaints and phone calls per month, and so continues to witness the constant evolution of the techniques fraudsters adopt to exploit the vulnerabilities and loopholes that arise when consumers are unaware of the dangers and of the methods fraudsters employ.

While technology has resulted in improved convenience and efficiency, it cannot be disputed that it has also brought with it new fraud challenges that require both the banks and consumers to work together to do all they can to close these loopholes/vulnerabilities that are continuously exploited by fraudsters.

New modus operandi identified
“More recently, the Ombudsman for Banking Services has seen the emergence of a new scam involving the use of near-field communication (NFC) technology,” says Reana Steyn, Ombudsman for Banking Services. “This involves fraudsters using stolen bank card information – such as the card number, expiry date and the CVV number (card data) – to make fraudulent purchases via the digital wallet.

“Unlike with the normal card-not-present fraud transactions that we are accustomed to – where the fraudsters would use the stolen card information to make online purchases, which would prompt a one-time PIN (OTP) to be sent to the registered cellphone number of the legitimate cardholder for each of the transactions made – NFC/digital wallet payments do not require this added OTP mitigation tool for each and every transaction.”

To explain, she describes how NFC/digital wallet payment fraud works as follows: The stolen card information is used by the fraudsters to link their smart devices (smartphones and smart watches) to payment platforms such as Samsung Pay, Apple Pay, Garmin Pay, Google Pay etc., and then the fraudster’s smart device is used to perform fraudulent purchases on the victims’ accounts without OTPs being sent to cardholders to validate the transactions.

Importantly, Steyn points out that for the fraudsters to be able to link their devices to the stolen bank card information of the legitimate bank customer, an OTP or a “Smart inContact notification” required to complete the linkage process is sent to the bank customer’s registered number or banking app. Only after the transaction/registration/linkage is approved via an OTP or authenticated via approve-it is the fraudster’s device linked to the bank customer’s bank card. Thereafter, the fraudster’s device can be tapped at POS machines, allowing transactions to take place on the card with no further verification required from the bank customer for the approval of the individual purchases.

Based on the complaints the Ombudsman’s office received as well as the patterns identified by some of the banks whose clients fell victim to this fraud, it was evident that fraudulent/fake websites and emails purporting to be from legitimate businesses such as the South African Post Office, courier services and VodaBucks (which requires clients to enter OTPs to redeem credits) were being targeted for impersonation by the fraudsters in pursuance of their criminal acts. Through these fake website links and email addresses, the fraudsters were able to obtain all the details they required to approve the linking of their devices to the payment platforms.

Steyn cautions that any business may be impersonated. She reminds people of the importance of reading and understanding the OTPs/inContact messages sent to them, and critically examining whether it is necessary for a transaction they initiated etc. She advises bank customers to never be pressurised into entering or giving away their OTPs without understanding what exactly they are authorising.

More importantly, consumers must guard against the practice of accessing unsolicited links sent to them, especially when they are prompted to insert their personal and banking information. She advises that many of the losses can be prevented if everyone adheres to this simple principle.

With the NFC fraud matters received, Steyn says many of the complainants had received messages containing their bank card number and/or OTP (the stolen information), requesting them to complete an authentication process that they never initiated. Bank customers who receive such a message when they never initiated any transaction with their bank card are advised by the Ombud to report the incident to their bank immediately.

The concerningly high volume of NFC payment fraud and its accompanying losses

Steyn confirms that approximately 124 of these complaints (NFC fraud-related complaints) have recently formally been reported and investigated by her office. She notes the losses suffered are in the millions, with customers’ accounts fraudulently drained through tap & go purchases made with smart devices in mostly foreign jurisdictions such as Dubai, France, Spain etc. while the legitimate cardholders were in South Africa. “This is a clear indication that an international crime syndicate is operating within this space and has South African consumers in its sights”, she opines.

In fact, Steyn adds that just one of the major banks in South Africa confirmed that it had received over 6 000 related complaints between January 2022 and 01 June 2023. The said bank’s stats show that between January and June 2022, about 553 customers fell victim to this fraud, with their losses amounting to +/- R427 487. This year, the number of victims jumped to over 5 450, with combined monetary losses of over R6.5 million.

“These are highly concerning numbers, and the devastation of the losses caused has the potential of causing bank customers serious financial hardships – which in some instances may be impossible to recover from”, says Steyn. She warns that, from what she has noted, the bank customers who were targeted were of all ages and segments and could not be reduced to one specific demographic or profile. Because of this, she reminds everyone to always be vigilant and not to be too trusting with card information, especially OTPs.

OTPs are personal identification numbers, usually sent via SMS or email or generated by an authentication app, that provide bank customers with an extra layer of security for online transactions, registrations or login processes. They should therefore be treated with the utmost privacy and confidentiality, and must only be inserted or used to perform legitimate, known, customer-initiated transactions, especially when they relate to your bank account and/or bank card numbers.

Some of the methods through which OTP fraud occurs:

• Phishing: Fraudsters send deceptive emails or SMS messages or make phone calls pretending to be a legitimate organisation or service provider. They ask the victim to share their OTP as part of a verification process or claim there is an urgent need for it. If the victim falls for the scam, they unwittingly reveal their OTP.

• SIM swapping: By deceiving the victim’s mobile service provider, fraudsters can get a new SIM card with the victim’s phone number. With the victim’s incoming calls and messages now diverted to the fraudster’s device, they can intercept OTPs and gain unauthorised access to the victim’s online accounts or perform fraudulent transactions.

• Social engineering: Fraudsters may manipulate or deceive individuals into willingly providing their OTPs by posing as a trusted individual such as a bank agent, colleague or friend, or a representative of a legitimate company. They exploit the victim’s trust or naivety to convince them to disclose their OTP, especially when they know a lot of information about the consumer, e.g. card number, birth date, ID number, home address etc. Consumers believe it must be a legitimate caller if they know so much detail. However, this information could have been stolen or obtained through fraudulent means.

TIPS to prevent OTP fraud:

• Be cautious of any unsolicited communication requesting an OTP.
• Verify the authenticity of any request for OTPs by directly contacting the organisation or individual purportedly making the request. Do not use contact details provided in suspicious messages – instead, use verified contact information from official websites or sources.
• Enable two-factor authentication methods other than OTPs whenever possible, such as using biometric authentication or hardware security keys. Ask your bank about the security measures available to you.
• Regularly update passwords and avoid using the same password across different accounts.
• Keep personal information private and ensure it is not shared with unknown or unverified individuals or service providers.

Lastly, Steyn would like to assure consumers that her office has engaged the banks affected by this fraud, with the aim of working on solutions to this challenge. Until a solution is found, she advises all bank customers who fall victim to NFC payment banking fraud – or who suspect they are a victim of OTP fraud – to immediately contact their bank to report the incident and/or report unresolved complaints to the OBSSA office.
