NFC fraud, face-to-face records and Ts&Cs

Wendy Knowler's consumer watch-outs of the week

04 August 2023 - 11:58
Fraudsters are setting up Apple Pay on their devices — with your credit card details. Stock photo.
Image: 123RF/highwaystarz

In this weekly segment of bite-sized chunks of useful information, consumer journalist Wendy Knowler summarises news you can use:

Fraudsters are setting up Apple Pay on their devices — with your credit card details

Yes, it’s not only honest folk embracing so-called NFC (near field communication) payments in huge numbers — fraudsters are paying for their things that way too; only they’re using their victims’ credit card accounts.

Ombudsman for banking services Reana Steyn revealed this week her office has recently investigated 124 complaints of NFC fraud, with losses running into the millions. The fraudsters tap into their victims’ credit card accounts via tap and go purchases made with their (the fraudsters’) smartphones, mostly in foreign destinations such as Dubai, France and Spain.

“This is a clear indication that an international crime syndicate is operating within this space and has South African consumers in its sights,” Steyn said.

One major bank (she hasn’t named it) has confirmed to the ombud’s office that almost 5,500 of its clients have fallen victim to this fraud this year so far, with losses totalling more than R6.5m. The victims can’t be boxed into a single demographic, Steyn said — the statistics reveal everyone’s vulnerable.

How do the fraudsters do it? They use stolen bank card information such as the card number, expiry date and the CVV number, to link their smartphones or smartwatches onto payment platforms such as Samsung Pay, Apple Pay, Garmin Pay and Google Pay, and use them to make fraudulent purchases on their victims’ accounts without needing one-time PINs (OTPs) to validate the transactions.

But for the fraudsters to be able to link their devices to the stolen bank card information of the legitimate bank customer — that’s you and me — an OTP or a “Smart inContact notification” is needed to complete the process.

Those are sent to the genuine bank customer’s registered number or banking app. How do they get that right? They send their victims what look like genuine SMSs or links to legitimate entities such as the post office, VodaBucks or a courier service, tricking them into providing the linkage confirmation they need to link their smart devices to their (the victims’) credit card accounts.

In many cases the fraudster goes on a tapping spree in another time zone while their victim is asleep and oblivious to the payment notifications sent to their phones by their bank. So it’s crucial that you read the OTPs/inContact messages you receive and critically examine whether they’re necessary for a transaction you initiated, Steyn said.

Most of the cases with her adjudicating team are still under investigation, but in some they have found in favour of the complainant despite them having unwittingly given the fraudsters “the keys to the safe”.

“One of the mitigating factors could be that the bank didn’t act fast enough to stop the card when the victim reported a fraudulent transaction,” she said.

Her office instructed one bank to refund its client a R600,000 payment made with her card details in Dubai while she was in Johannesburg and unaware. Steyn says her office is engaging the banks with a view to finding solutions.

If you’ve fallen victim to this form of fraud and your bank has refused to refund you, log a complaint with the OBS here. It’s free, so you have nothing to lose.

F2F meetings and phone calls are great, but where’s the proof of who said what?

When things go wrong with your chosen service provider, your chances of a resolution — with the help of higher-ups or third parties such as an ombudsman’s office or a consumer journalist — are greatly improved if you have an e-mail trail of who said and did what along the way.

In a recent dispute between a car owner and a motor dealership, there were big gaps in the documenting of the two-month saga because their interactions mostly happened face to face in the dealership. And that’s because the dealership was ignoring her e-mails and not returning her calls.

Things started to happen after I escalated the case to the dealership group’s head office, but they had a hard time piecing together the “he said, she saids” due to the lack of e-mails.

So here’s the advice: when you’re in a dispute with a company, after every call and in-person encounter, send an e-mail to the person you engaged, summarising what transpired and what undertakings were made. That way you create your own “evidence” of what went down and if the other party doesn’t dispute your version, it stands as accurate, should third parties get involved later.

Check out the Ts & Cs — if you can

This week I stumbled on an interesting Advertising Regulatory Board (ARB) ruling against Truworths with regard to a line the company has been using to entice people to open accounts.

The line, used on Truworths’ social media accounts and in-store, is this: “R1,000 fashion vouchers when you open an account”.

Complainant Shane Rule said the vouchers were subject to a minimum spend of R375 and were spread across several months. And while the advertisement states “T&Cs apply”, those requirements and limitations were not brought to his attention when signing up and were not explained to him when collecting his card from the shop.

Truworths told the advertising regulator: “Upon successfully opening an account, R1,000 in fashion vouchers is loaded onto the account. All the vouchers total R1,000.00. There is a voucher with an expiry date for each month.

“One would need to purchase for a certain amount on the account to redeem a voucher on that purchase and receive the discount. Our advert states T&Cs apply, to which T&Cs are readily available on our website or on request.”

In its decision published on its website two weeks ago, the ARB Directorate said the vouchers were effectively discount vouchers that could only be redeemed subject to certain spending thresholds and were only valid for a limited time.

“There is a clear contradiction between the likely expectation created by the advertisement and the reality confronting customers who apply for an account,” the ruling read.

“The implication is this will happen as soon as their account is opened and they would be free to spend these vouchers as and when they see fit. But the directorate was unable to find any reference to, or explanation of the mechanics of the advertised offer (online).

“This means even those hyper vigilant customers who notice the generic 'T&Cs apply' and go through the effort of trying to familiarise themselves with the applicable 'T&Cs' would be none the wiser.”

So the directorate found the “R1,000 fashion vouchers when you open an account” line to be misleading and ordered Truworths to amend it to clarify the applicable conditions.

GET IN TOUCH: You can contact Wendy Knowler for advice with your consumer issues via e-mail: consumer@knowler.co.za or on Twitter: @wendyknowler.

TimesLIVE

