Tap payments scam warning in South Africa — R7 million in losses for one bank’s customers
2023-08-04 at 15:58 #414946 Nat Quinn (Keymaster)
The Ombudsman for Banking Services in South Africa (OBSSA) has warned consumers about a new fraud technique that exploits an increasingly popular contactless payment method to empty people’s bank accounts.
Ombudsman Reana Steyn explained that fraudsters were using stolen card information — such as the card number, expiry date and CVV number — to make purchases via digital payment wallets.
These include Apple Pay, Fitbit Pay, Garmin Pay, Google Pay, and Samsung Pay.
These apps employ near-field communications (NFC) technology to make tap payments on smartphones and smartwatches using a linked bank card.
Steyn said her office recently received around 124 complaints about fraudulent digital wallet transactions.
The victims have suffered losses in the millions, with their accounts often getting drained through tap payments using smart devices in foreign countries — including France, Spain, and the United Arab Emirates.
One major South African bank had also received over 6,000 complaints related to the same issue over roughly a year and a half, from January 2022 to the start of June 2023.
In the first six months, only about 553 customers fell victim to this type of fraud, with losses amounting to R427,487.
During the same period this year, the number of victims increased to over 5,450, with combined losses of over R6.5 million.
“These are highly concerning numbers, and the devastation of the losses caused has the potential of causing bank customers serious financial hardships, which in some instances may be impossible to recover from,” said Steyn.
Reana Steyn, Ombudsman for Banking Services in South Africa. Photo: Dalton Dingelstad
In normal card-not-present fraud transactions, such as online purchases, the credit card owner would typically receive a one-time PIN (OTP) to verify a transaction.
Unless the fraudster had somehow gained access to a device or channel that receives these OTPs, they would be unable to complete their purchase.
However, digital wallet payments do not require OTPs and often don’t need a PIN either.
Fraudsters have realized they can add card details on their own devices and use them to perform transactions without being asked for an OTP or PIN.
While this is a concerning development, it should be emphasized that getting the card to work on a new device will require a second layer of attack.
Payment wallets have security measures in place to try and ensure the person linking the card is the actual owner.
Loading the card will require validation via an OTP or Smart inContact notification sent via the customer’s registered cellphone number or mobile banking app.
“Only after the registration is approved via an OTP or approve-it authenticated, the fraudster’s device is linked to the bank customer’s bank card,” Steyn said.
Steyn explained the complaints her office had received showed that most people and companies that fell victim to this fraud had also used or engaged with fraudulent or fake websites and emails claiming to be from legitimate businesses or platforms that often require OTPs.
These included websites impersonating the South African Post Office, courier services, and VodaBucks.
“Through these fake website links and email addresses, the fraudsters were able to obtain all the details they required to approve the linking of their devices to the payment platforms,” Steyn said.
The OBSSA’s office warned against the following techniques used to intercept users’ OTPs:
- Phishing — Fraudsters send deceptive emails or SMS messages, or make phone calls, pretending to be a legitimate organization or service provider. They ask the victim to share their OTP as part of a verification process or claim that there is an urgent need for it. If the victim falls for the scam, they unwittingly reveal their OTP.
- SIM swapping — By deceiving the victim’s mobile service provider, fraudsters can get a new SIM card with the victim’s phone number. With the victim’s incoming calls and messages now diverted to the fraudster’s device, they can intercept OTPs and gain unauthorized access to the victim’s online accounts or perform fraudulent transactions.
- Social engineering — Fraudsters may manipulate or deceive individuals into willingly providing their OTPs by posing as a trusted individual, such as a bank agent, colleague, friend, or representative of a legitimate company. They exploit the victim’s trust or naivety to convince them to disclose their OTP, especially when they know a lot of information about the consumer, such as their address, card number, birth date, ID number, etc.
The ombudsman provided several tips for consumers to protect themselves against these techniques.
Firstly, be cautious of any unsolicited communication requesting an OTP.
When necessary, verify the authenticity of any request for OTPs by directly contacting the organization or individual purportedly making the request.
“Do not use contact details provided in suspicious messages; instead, use verified contact information from official websites or sources,” the OBSSA advised.
Secondly, you should enable two-factor authentication (2FA) methods other than OTPs whenever possible, such as biometric authentication or hardware security keys.
“Enquire from your bank about the security measures available to you,” the ombudsman recommended.
It is also good practice to update passwords regularly and avoid using the same password across different accounts.
Lastly, keep your personal information as private as possible and ensure it is not shared with unknown or unverified individuals or service providers.