Modern consumers have become used to a plethora of easy payment options when transacting. One doesn’t think twice about using a phone or smartwatch to pay for a morning coffee after a workout session at the gym. Contactless payments (such as tapping your card, smartphone or smartwatch at a point of sale (POS) machine) are becoming increasingly popular because of the convenience they offer. However, with convenience comes responsibility: consumers need to be more alert and aware, because this payment method, like any other platform where money or the transfer of money is concerned, is also susceptible to fraud.
It is no secret that technology has made it easier for fraudsters to steal and manipulate personal information through phishing emails, vishing calls, smishing SMSs and malware attacks. These are also referred to as “social engineering attacks”, aimed at giving the fraudsters access to consumers’ personal and confidential information, which the fraudsters then use to raid and deplete bank accounts.
Although banks have developed fraud detection and prevention systems, such as SIM swap detection, transaction monitoring, two-factor authentication (2FA) and other customer identification methods, fraudsters are constantly devising new ways to bypass these systems, making it an ongoing battle for banks to stay one step ahead.
The Ombudsman for Banking Services receives hundreds of complaints and phone calls per month, and so continues to witness the constant evolution of the techniques fraudsters adopt to exploit the vulnerabilities and loopholes that arise when consumers are unaware of the dangers and methods employed against them. While technology has improved convenience and efficiency, it cannot be disputed that it has also brought new fraud challenges that require banks and consumers to work together to close the loopholes and vulnerabilities that fraudsters continuously exploit.
New modus operandi identified:
“More recently, the Ombudsman for Banking Services has seen the emergence of a new scam involving the use of near-field communication (NFC) technology. This involves fraudsters using stolen bank card information, such as the card number, expiry date and the CVV number (card data), to make fraudulent purchases via the digital wallet. Unlike with the normal card not present (CNP) fraud transactions that we are accustomed to, where the fraudsters would use the stolen card information to make online purchases, which would prompt an OTP to be sent to the registered cell phone number of the legitimate cardholder for each of the transactions made, NFC/digital wallet payments do not require this added OTP mitigation tool for each and every transaction,” says Reana Steyn, the Ombudsman for Banking Services.
To explain, Steyn describes how NFC/digital wallet payment fraud works: the fraudsters use the stolen card information to link their own smart devices (smartphones and smartwatches) to payment platforms such as Samsung Pay, Apple Pay, Garmin Pay, Google Pay, etc., and then use those devices to perform fraudulent purchases on the victims’ accounts without any OTPs being sent to the cardholders to validate the transactions.
Importantly, Steyn pointed out that for the fraudsters to link their devices to the stolen card information of the legitimate bank customer, an OTP or a “Smart inContact notification” required to complete the linkage is sent to the bank customer’s registered number or banking app. Only once that transaction/registration/linkage is approved via the OTP or the in-app approve-it authentication is the fraudster’s device linked to the bank customer’s card. Thereafter the fraudster’s device can be tapped at POS machines, allowing transactions on the card with no further verification from the bank customer for each individual purchase.
Based on the complaints the Ombudsman’s office received, as well as the patterns identified by some of the banks whose clients fell victim to this fraud, it was evident that the fraudsters were impersonating legitimate businesses such as the South African Post Office, courier services and VodaBucks through fraudulent/fake websites and emails that require clients to enter OTPs to redeem credits. Through these fake website links and email addresses, the fraudsters were able to obtain all the details they required to approve the linking of their devices to the payment platforms.
Steyn however cautioned that any business may be impersonated. She reminded people of the importance of reading and understanding the OTP/inContact messages sent to them, and of critically examining whether the message relates to a transaction they actually initiated. She advises bank customers never to be pressured into entering or giving away their OTPs without understanding exactly what they are authorising. More importantly, consumers must guard against opening unsolicited links sent to them, especially when they are prompted to enter their personal and banking information. She advised that many of the losses can be prevented if everyone adheres to this simple principle.
In the NFC fraud matters received, Steyn advised that many of the complainants had received messages containing their bank card number and/or an OTP (the stolen information) requesting them to complete an authentication process they never initiated. Should you receive such a message when you have not initiated any transaction with your bank card, the Ombud advised bank customers to immediately report the incident to their bank.
The concerning high volume of NFC payment fraud and the accompanying losses:
Steyn confirmed that approximately 124 of these NFC fraud related complaints have recently been formally reported to and investigated by her office. She advised that the losses suffered are in the millions, with customers’ accounts fraudulently drained through tap-and-go purchases made with smart devices, mostly in foreign jurisdictions such as Dubai, France and Spain, whilst the legitimate cardholders were in South Africa. “This is a clear indication that an international crime syndicate is operating within this space and has South African consumers in its sights”, Steyn opined.
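The linkage-then-tap flow described above, and the pattern of foreign tap-and-go purchases shortly after a wallet was linked while the cardholder stayed at home, can be turned into a monitoring rule. The following is an added illustration written for this article, not code from the Ombudsman or any bank; the event fields, the seven-day window and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    card: str      # masked card reference (constructed placeholder, not a PAN)
    kind: str      # "provision": wallet token linked after OTP/app approval; "tap": NFC purchase
    country: str   # ISO country code where the event was authorised (assumed field)
    device: str    # wallet device identifier (assumed field)
    amount: float = 0.0

HOME_COUNTRY = "ZA"                 # the cardholders in the article were in South Africa
PROVISION_WINDOW = timedelta(days=7)  # assumed look-back from the linkage event

def flag_post_provisioning_taps(events, home=HOME_COUNTRY, window=PROVISION_WINDOW):
    """Flag NFC taps made with a newly linked wallet token from outside the
    cardholder's home country. Only the linkage step was OTP-approved, so each
    later tap carries no per-transaction challenge and must be judged against
    the provisioning event it stems from. Returns a list of
    (card, device, country, amount, days_since_link) tuples."""
    linked = {}   # (card, device) -> time the token was provisioned
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.card, ev.device)
        if ev.kind == "provision":
            linked[key] = ev.ts
        elif ev.kind == "tap" and key in linked:
            age = ev.ts - linked[key]
            if age <= window and ev.country != home:
                alerts.append((ev.card, ev.device, ev.country, ev.amount, age.days))
    return alerts

# Constructed sample stream: one linkage approved from South Africa, a home tap,
# two taps from the same token in Dubai two days later, and a tap outside the window.
SAMPLE = [
    Event(datetime(2023, 5, 1, 9, 0),   "CARD-1", "provision", "ZA", "dev-A"),
    Event(datetime(2023, 5, 1, 12, 0),  "CARD-1", "tap",       "ZA", "dev-A", 45.00),
    Event(datetime(2023, 5, 3, 10, 15), "CARD-1", "tap",       "AE", "dev-A", 1200.00),
    Event(datetime(2023, 5, 3, 10, 40), "CARD-1", "tap",       "AE", "dev-A", 980.50),
    Event(datetime(2023, 5, 20, 8, 0),  "CARD-1", "tap",       "FR", "dev-A", 300.00),
]

if __name__ == "__main__":
    for a in flag_post_provisioning_taps(SAMPLE):
        print("ALERT card=%s device=%s country=%s amount=%.2f days_since_link=%d" % a)
```

A real deployment would feed the provisioning-country and device fields from the wallet token-service events and tune the window against the bank's own complaint data.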
In fact, Steyn added that just one of the major banks in South Africa confirmed having received over 6000 related complaints between January 2022 and 01 June 2023. The bank’s statistics show that between January and June 2022, about 553 customers fell victim to this fraud, with losses amounting to approximately R427 487. This year the number of victims jumped to over 5 450, with combined monetary losses of over R6,5 million.
“These are highly concerning numbers and the devastation of the losses caused has the potential of causing bank customers serious financial hardships which in some instances may be impossible to recover from”, said Steyn. Steyn warned that, from what she has noted, the bank customers that were targeted were of all ages and segments and could not be reduced to one specific demographic or profile. Because of this, she reminded everyone to always be vigilant and not to be too trusting with card information, especially OTPs.
One Time Pins (OTPs) are personal identification numbers (PINs) usually sent via SMS or email, or generated by an authentication app, to give bank customers an extra layer of security for online transactions, registrations or login processes. They should therefore be treated with the utmost privacy and confidentiality, and must only be used for legitimate transactions that the customer initiated and recognises, especially where they relate to your bank account and/or bank card numbers, the Ombudsman stated.
Some of the methods through which OTP fraud occurs are:
- Phishing: Fraudsters send deceptive emails, SMS messages, or make phone calls pretending to be a legitimate organization or service provider. They ask the victim to share their OTP as part of a verification process or claim that there is an urgent need for it. If the victim falls for the scam, they unwittingly reveal their OTP.
- SIM swapping: By deceiving the victim’s mobile service provider, fraudsters can get a new SIM card with the victim’s phone number. With the victim’s incoming calls and messages now diverted to the fraudster’s device, they can intercept OTPs and gain unauthorized access to the victim’s online accounts or perform fraudulent transactions.
- Social engineering: Fraudsters may manipulate or deceive individuals into willingly providing their OTPs by posing as a trusted individual, such as a bank agent, colleague or friend, or a representative of a legitimate company. They exploit the victim’s trust or naivety to convince them to disclose their OTP, especially when they already know a lot about the consumer, e.g. home address, card number, birth date and ID number. Consumers believe the caller must be legitimate if they know so much detail. However, this information could have been stolen or obtained through fraudulent means.
Tips to prevent OTP fraud:
- Be cautious of any unsolicited communication requesting an OTP.
- Verify the authenticity of any request for an OTP by directly contacting the organisation or individual purportedly making the request. Do not use contact details provided in suspicious messages; instead, use verified contact information from official websites or sources.
- Enable two-factor authentication (2FA) methods other than OTPs whenever possible, such as biometric authentication or hardware security keys. Ask your bank which security measures are available to you.
- Regularly update passwords and avoid using the same password across different accounts.
- Keep personal information private and ensure it is not shared with unknown or unverified individuals or service providers.
Lastly, Steyn would like to assure consumers that her office has engaged the banks affected by this fraud with the aim of working on solutions to this challenge. Until a solution is found, she advised all bank customers who are victims of NFC payment banking fraud, or who suspect that they are victims of OTP fraud, to immediately contact their bank to report the incident and/or to report unresolved complaints to her office.