FNB warns of criminals targeting its customers

FNB warned that cybercriminals are exploiting its consumers who do not have strong knowledge about how digital wallets work.

Last month, FNB issued a statement warning customers that cybercriminals are becoming more adept at using the sophistication of payment systems to target clients.

Criminals do not take advantage of security deficiencies in their cards or wallets to steal money.

Instead, they use social engineering attacks, including phishing and smishing, to convince users to provide them with sensitive information.

Phishing is a cybercrime in which people are duped into providing sensitive information such as login credentials, passwords, PINs, card details, or ID numbers.

Phishing typically uses deceptive techniques such as fake emails and websites to gather this information.

Smishing is using text messages, purportedly from reputable institutions, to trick people into disclosing similar information.

After receiving this information, the criminals load physical card details like the plastic number (PAN), expiry date, and Card Verification Value (CVV) into their own digital wallets.

Loading a debit or credit card onto a digital wallet—such as Apple Pay, Google Pay, Samsung Pay, or SwatchPay—is similar to making an online payment using these cards.

Both processes require card details to be entered into an online portal and the submission of a one-time password (OTP) to confirm the process.

Criminals use this similarity to confuse unsuspecting users into providing sufficient information to register the fraudsters’ devices as digital wallets on their customers’ accounts.

Christopher Boxall, head of card transaction and fraud detection at FNB, said they saw increased attacks to convince users to send through an OTP as part of a fraudulent process.

“Although the wording for online transactions and digital wallet OTPs differs, the user might not notice this,” he said.

“The OTP will be used to verify the loading of their debit or credit card into a completely separate digital wallet.”

Once the criminal has loaded this card into their own device, they are able to use their own biometrics to verify transactions made from the device.

Watch out for criminals trying to steal personal information

FNB said it would never require a customer to share their OTP with anyone to impute it anywhere on their behalf.

An authentic OTP SMS for online transactions with FNB will always inform the customer that they are about to purchase a stipulated amount online.

The authentic SMS will include the last four digits of the card, followed by the confirmation OTP number.

An authentic digital wallet OTP notification from FNB will always warn the customer that they are attempting to link a specific card to a specific wallet.

It will always inform the customer to call 0870 30 30 30 or log into the FNB app to complete or cancel the action.

In comparison, criminals typically send thousands of SMSs claiming that a parcel has been held at a post office for collection.

The SMS will include a link to a website with SA Post Office branding, or that of an international delivery company, medical aid, or other companies.

The URL will be incorrect, but the criminal hopes the user overlooks that. Then, the criminal will ask for a small fee to release the parcel.

The payment platform will require the user’s card details, as would be the case for most online transactions.

The user has no idea that the criminal is entering those details into their own digital wallet.

When a bank sends the criminal a request for an OTP, the criminal then asks the user for the OTP.

The user mistakenly believes that the OTP has been issued linked to the Post Office payment.

If they hand it over to the fraudster, they have effectively given them access to spend on their account via a digital wallet.

The criminal can now use the card by presenting their own biometrics, because the card has been fraudulently loaded on the criminal’s own device.

source:FNB warns of criminals targeting its customers – BusinessTech