As payment methods become more sophisticated, so do the cybercriminals who exploit consumers who are insufficiently informed about how digital wallets work.
Fraudulent activity does not exploit any security deficiency in the cards or wallets themselves. Instead, it uses phishing and smishing attacks to convince users to hand over information that allows the criminal to load a physical card's details (the card number printed on the plastic [the primary account number, PAN], the expiry date and the Card Verification Value [CVV]) onto the criminal's own digital wallet.
Phishing is a type of cybercrime in which people are duped into providing sensitive information such as login credentials, passwords, PINs, card details, or ID numbers by using deceptive techniques such as fake emails and websites. Smishing is the use of text messages, purportedly from reputable institutions, to trick people into disclosing similar information.
Criminals have realised that the process of loading a debit or credit card onto a digital wallet – such as Apple Pay, Google Pay, Samsung Pay and SwatchPay – is similar to the process of making an online payment using these cards. Both processes require card details to be entered into an online portal, and both require the submission of a one-time password (OTP) to confirm the process.
As Christopher Boxall, head of card transact and fraud detection at FNB, explains, criminals use this similarity to confuse users into providing enough information for the fraudsters to register their own devices as digital wallets on the accounts of unsuspecting customers.
“We’re seeing a rise in attacks that aim to convince users to send through an OTP as part of a fraudulent process. Although the wording for online transaction and digital wallet OTPs differs, the user might not notice this, and the OTP will actually be used to verify the loading of their debit or credit card to a completely separate digital wallet. Once the criminal has loaded this card to their own device, they are able to use their own biometrics to verify transactions made from the device.”
An authentic FNB OTP SMS for an online transaction will always tell the customer that they are about to make an online purchase of a stated amount, include the last four digits of the card, and only then give the confirmation OTP. By contrast, an authentic FNB digital wallet OTP notification will always warn the customer that they are attempting to link a specific card (again identified by its last four digits) to a specific wallet, and will always tell the customer to call 0870 30 30 30 or log into the FNB app to complete or cancel the action.
FNB will never ask a customer to share their OTP with anyone, or to input it anywhere on their behalf, says Boxall.
“Conversely, a criminal might send thousands or millions of SMSs claiming that a parcel has been held at a post office for collection, in the hope that some will coincide with a real package being expected. The SMS will include a link to a website which has SA Post Office branding (or that of an international delivery company, medical aid, or other company).
“The URL will be incorrect, but the criminal will hope that the user doesn’t notice that. Then the criminal will ask for a small fee to be paid to release the parcel, which will require the user’s card details, as would be the case for most online transactions.
“The user has no idea that the criminal is entering those details into their own digital wallet. When a bank sends the criminal a request for an OTP, the criminal then asks the user for the OTP. The user mistakenly believes that the OTP has been issued in relation to the fraudulent Post Office payment. If they hand it over to the fraudster, they have effectively given them access to spend on their account via a digital wallet. The criminal is now able to use the card by presenting their own biometrics – because the card has been fraudulently loaded on the criminal’s own device.”
There is an important distinction to be made between virtual cards and digital wallets, although both use technologies and processes similar to those of physical cards, and both are susceptible to these phishing attacks.
Virtual cards are specifically generated for enhanced security and privacy for online payments or subscriptions. On the other hand, digital wallets allow either physical or virtual cards to be registered and enable customer devices to facilitate payments. As such, a customer tapping his or her phone (with a registered digital wallet) is a lot like tapping a physical card to facilitate payments from their account.
Virtual cards are more secure than physical cards because their details are not physically visible to criminals – instead, they require a customer to log into their banking app. Additionally, FNB virtual cards have their card-verification value (CVV) regularly changed to avoid fraud.
FNB has a multi-layered approach to mitigating the risk of fraud. The purpose of each OTP is stated in the message, and additional warning messages will be introduced to further clarify what an OTP is for. These steps are of limited use, however, when certain phones automatically carry an OTP from the SMS into the browser without showing the accompanying context. FNB also has a sophisticated rules-based model to identify possibly fraudulent activity: unusual or suspicious user behaviour is flagged, and transactions may be held until confirmation has been received that they are genuine.
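The two OTP message formats described above, and the context-stripping autofill problem noted among FNB's mitigations, as an added example that is not from the article or from FNB: a Python helper that classifies an OTP SMS by the purpose stated in its body and refuses to offer a wallet-provisioning code to a checkout page. The sample messages, regular expressions and function names are constructions modelled on the article's description, not FNB's actual templates.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample SMSs modelled on the two OTP formats the article describes
# (not FNB's actual wording): a purchase OTP and a wallet-provisioning OTP.
SAMPLE_PURCHASE = ("You are about to make an online purchase of R149.00 with "
                   "card ending 4321. Confirmation OTP: 583920")
SAMPLE_WALLET = ("You are attempting to link card ending 4321 to a digital wallet "
                 "on a new device. OTP: 774102. Call 0870 30 30 30 or log into "
                 "the FNB app to complete or cancel this action.")
SAMPLE_UNKNOWN = "Your verification code is 118822"

PURCHASE_RE = re.compile(r"online purchase of (R[\d.,]+)", re.I)
WALLET_RE = re.compile(r"link card .*?wallet", re.I)
LAST4_RE = re.compile(r"card ending (\d{4})", re.I)
OTP_RE = re.compile(r"OTP:?\s*(\d{4,8})", re.I)

@dataclass
class OtpContext:
    purpose: str                # "online_purchase", "wallet_link" or "unknown"
    otp: Optional[str]
    card_last4: Optional[str]
    amount: Optional[str]
    safe_to_autofill: bool      # only purchase OTPs may be offered to a checkout page

def classify_otp_sms(text: str) -> OtpContext:
    """Keep the purpose stated in the SMS body instead of reducing it to bare digits."""
    otp, last4, amount = OTP_RE.search(text), LAST4_RE.search(text), PURCHASE_RE.search(text)
    if WALLET_RE.search(text):
        # Wallet provisioning: this code must never be typed into a payment page.
        purpose, safe = "wallet_link", False
    elif amount:
        purpose, safe = "online_purchase", True
    else:
        purpose, safe = "unknown", False   # unrecognised template: do not guess
    return OtpContext(purpose, otp.group(1) if otp else None,
                      last4.group(1) if last4 else None,
                      amount.group(1) if amount else None, safe)

def autofill_decision(text: str) -> str:
    """What a context-preserving autofill helper shows the user instead of silently pasting."""
    ctx = classify_otp_sms(text)
    if ctx.purpose == "online_purchase":
        return f"Offer OTP {ctx.otp} for purchase of {ctx.amount} on card ...{ctx.card_last4}"
    if ctx.purpose == "wallet_link":
        return f"Do not autofill: this OTP links card ...{ctx.card_last4} to a digital wallet"
    return "Do not autofill: this OTP does not state what it authorises"
```

The point is that the wallet-link message carries a valid code too; only the surrounding text tells the user (or a helper acting for them) what that code will authorise.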
“Ultimately, however, maintaining strict security around one’s personal and private information is the most important action we can take to prevent malicious attacks,” Boxall concludes. “Any payment technology relies on a certain amount of private information known only to the user. It is crucial that we remain vigilant, protect this information, and safeguard our digital identities.”