As payment methods become more convenient, the threats targeting users are growing too. Indeed, wherever money or the transfer of money is concerned, fraud will be a factor.
Although banks have developed fraud detection and prevention systems, such as SIM Swap detection, transaction monitoring, two-factor authentication (2FA) and other customer identification methods, fraudsters are constantly devising new ways to bypass these systems, making it an ongoing battle for banks to stay one step ahead.
The Ombudsman for Banking Services receives hundreds of complaints and phone calls per month and continues to witness the constant evolution of the techniques fraudsters adopt to bypass controls and exploit the loopholes created when consumers are unaware of the dangers and of the methods the fraudsters employ.
“Most recently, we have seen the emergence of a new scam involving the use of near-field communication (NFC) technology,” says Reana Steyn, the Ombudsman for Banking Services. “This involves fraudsters using stolen bank card information, such as the card number, expiry date and the CVV number (card data), to make fraudulent purchases via the digital wallet.
“Unlike with the normal card not present (CNP) fraud transactions that we are accustomed to, where the fraudsters would use the stolen card information to make online purchases which would prompt an OTP to be sent to the registered cell phone number of the legitimate cardholder for each of the transactions made, NFC/digital wallet payments do not require this added OTP mitigation tool for each and every transaction.”
Steyn describes how NFC/digital wallet payment fraud works as follows: the fraudsters use the stolen card information to link their smart devices (smartphones and smartwatches) to payment platforms such as Samsung Pay, Apple Pay, Garmin Pay, Google Pay, etc., and the fraudster’s smart device is then used to make fraudulent purchases on the victims’ accounts without OTPs being sent to the cardholders to validate the transactions.
She points out that, for the fraudsters to link their devices to the legitimate bank customer’s stolen card information, an OTP or a “Smart inContact notification” required to complete the linkage process is sent to the bank customer’s registered number or banking app. Only after the transaction/registration/linkage is approved via an OTP or an approve-it authentication is the fraudster’s device linked to the bank customer’s bank card.
Thereafter the fraudster’s device can be tapped at POS machines, allowing transactions to take place on the card with no further verification from the bank customer required to approve the individual purchases.
Based on the complaints the Ombudsman’s office received, as well as the patterns identified by some of the banks whose clients fell victim to this fraud, it is evident that fraudulent/fake websites and emails purporting to be from legitimate businesses such as the South African Post Office, courier services and VodaBucks (which requires clients to enter OTPs to redeem credits) are being impersonated by the fraudsters in pursuit of their criminal acts.
Through these fake website links and email addresses, the fraudsters were able to obtain all the details they required to approve the linking of their devices to the payment platforms.
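The provisioning-then-tap pattern described above (a new wallet linkage approved by OTP, followed by tap-and-go purchases abroad while the cardholder is still at home) lends itself to a simple issuer-side detection rule. The following is an added example, not code from the Ombudsman or any bank; it assumes a constructed event feed with provisioning, tap and app-at-home signals, a constructed home country of "ZA", and masked card references that are not real card numbers.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    card: str       # masked card reference (constructed, not a real PAN)
    ts: datetime
    kind: str       # "provision": device linked to wallet (OTP approved)
                    # "tap": NFC tap-and-go purchase
                    # "home_signal": cardholder's own banking app seen at home
    country: str    # ISO country code where the event was observed
    amount: float = 0.0

def flag_wallet_fraud(events, home="ZA", window=timedelta(days=7),
                      travel_gap=timedelta(hours=6)):
    """Return {card: [tap events]} matching the pattern: tap purchases abroad
    within `window` of a new wallet provisioning, while the cardholder's own
    app was seen at home within `travel_gap` of the purchase."""
    by_card = defaultdict(list)
    for e in events:
        by_card[e.card].append(e)
    flagged = {}
    for card, evs in by_card.items():
        evs.sort(key=lambda e: e.ts)
        provisions = [e.ts for e in evs if e.kind == "provision"]
        home_signals = [e.ts for e in evs if e.kind == "home_signal"]
        for e in evs:
            if e.kind != "tap" or e.country == home:
                continue
            recently_linked = any(p <= e.ts <= p + window for p in provisions)
            holder_at_home = any(abs(e.ts - h) <= travel_gap for h in home_signals)
            if recently_linked and holder_at_home:
                flagged.setdefault(card, []).append(e)
    return flagged

# Constructed sample feed: card-1111 shows the fraud pattern, card-2222 is a
# legitimate wallet user at home, card-3333 is a genuine traveller (no linkage).
D = datetime
SAMPLE_EVENTS = [
    Event("card-1111", D(2023, 3, 1, 10, 0), "provision", "ZA"),
    Event("card-1111", D(2023, 3, 2, 8, 0), "home_signal", "ZA"),
    Event("card-1111", D(2023, 3, 2, 9, 15), "tap", "AE", 1200.0),
    Event("card-1111", D(2023, 3, 2, 9, 40), "tap", "AE", 950.0),
    Event("card-2222", D(2023, 3, 1, 12, 0), "provision", "ZA"),
    Event("card-2222", D(2023, 3, 3, 13, 0), "tap", "ZA", 80.0),
    Event("card-3333", D(2023, 3, 5, 18, 0), "tap", "FR", 60.0),
]
```

Running `flag_wallet_fraud(SAMPLE_EVENTS)` flags only card-1111; the two ZA-only and traveller cases pass untouched, which is the point of combining the provisioning window with the at-home signal rather than alerting on every foreign tap.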
Steyn cautions that any business could be impersonated. She reminds users to read and understand the OTPs/inContact messages sent to them, and critically examine whether it is necessary for a transaction that they initiated. She also advises bank customers to never be pressurised into entering or giving away their OTPs without understanding what exactly they are authorising.
More importantly, consumers must guard against the practice of accessing unsolicited links sent to them especially when they are prompted to insert their personal and banking information – many losses can be prevented if everyone adheres to this simple principle.
Regarding the NFC fraud matters received, Steyn advises that many of the complainants had received messages containing their bank card number and/or an OTP (the stolen information), requesting them to complete an authentication process they never initiated.
Steyn confirms that approximately 124 of these NFC fraud-related complaints have been formally reported and investigated by her office.
The losses suffered are in the millions, with customers’ accounts fraudulently drained through tap-and-go purchases made with smart devices in mostly foreign jurisdictions such as Dubai, France, Spain, etc. whilst the legitimate cardholders were in South Africa. “This is a clear indication that an international crime syndicate is operating within this space and has South African consumers in its sights,” she says.
In fact, Steyn adds that just one of the major banks in South Africa confirmed that it had received over 6 000 related complaints between January 2022 and June 2023. The bank’s statistics show that between January and June 2022, about 553 customers fell victim to this fraud, with their losses amounting to about R427 487. This year, the number of victims jumped to over 5 450, with combined monetary losses of over R6,5-million.
“These are highly concerning numbers and the devastation of the losses caused has the potential of causing bank customers serious financial hardships which in some instances may be impossible to recover from,” says Steyn. She adds that targeted customers were of all ages and segments, and could not be reduced to one specific demographic or profile.
OTP fraud
OTPs are personal identification numbers (PINs) usually sent via SMS or email, or generated by an authentication app, to provide bank customers with an extra layer of security for online transactions, registrations or login processes.
These should be treated with the utmost privacy and confidentiality and must only be used to perform legitimate, customer-initiated and known transactions, especially where your bank account and/or bank card numbers are concerned, the Ombudsman warns.
Some of the methods through which OTP fraud occurs are:
* Phishing: Fraudsters send deceptive emails, SMS messages, or make phone calls pretending to be a legitimate organization or service provider. They ask the victim to share their OTP as part of a verification process or claim that there is an urgent need for it. If the victim falls for the scam, they unwittingly reveal their OTP.
* SIM swapping: By deceiving the victim’s mobile service provider, fraudsters can get a new SIM card with the victim’s phone number. With the victim’s incoming calls and messages now diverted to the fraudster’s device, they can intercept OTPs and gain unauthorized access to the victim’s online accounts or perform fraudulent transactions.
* Social engineering: Fraudsters may manipulate or deceive individuals into willingly providing their OTPs by posing as a trusted individual, such as a bank agent, colleague or friend, or a representative of a legitimate company. They exploit the victim’s trust or naivety to convince them to disclose their OTP, especially when they already know a lot about the consumer, such as their address, card number, birth date, ID number, etc. Consumers believe the caller must be legitimate if they know so much detail. However, this information could have been stolen or obtained through fraudulent means.
Tips to prevent OTP fraud include:
* Be cautious of any unsolicited communication requesting an OTP.
* Verify the authenticity of any request for OTPs by directly contacting the organisation or individual purportedly making the request. Do not use contact details provided in suspicious messages; instead, use verified contact information from official websites or sources.
* Enable two-factor authentication (2FA) methods other than OTPs whenever possible, such as biometric authentication or hardware security keys. Ask your bank which security measures are available to you.
* Regularly update passwords and avoid using the same password across different accounts.
* Keep personal information private and ensure it is not shared with unknown or unverified individuals or service providers.