Crooks are using 'near field tech' to empty your bank accounts

03 August 2023 - 10:20
By TimesLive
Customers’ accounts are being fraudulently drained through 'tap and go' purchases made with smart devices.
Image: 123RF/9dreamstudio

The ombud for banking services is cautioning consumers about a new modus operandi adopted by fraudsters: a scam that makes use of near-field communication (NFC) technology.

It involves fraudsters using stolen bank card information, such as the card number, expiry date and CVV number, to make fraudulent purchases via digital wallets.

“Unlike with the normal 'card not present' fraud transactions that we are accustomed to where the fraudsters would use the stolen card information to make online purchases which would prompt an OTP to be sent to the registered cellphone number of the legitimate cardholder for each of the transactions made, NFC/digital wallet payments do not require this added OTP mitigation tool for every transaction,” says ombud Reana Steyn.

The stolen card information is used by the fraudsters to link their smart devices (smartphones and smartwatches) onto payment platforms such as Samsung Pay, Apple Pay, Garmin Pay and Google Pay. The fraudster’s smart device is then used to perform fraudulent purchases on the victims’ accounts without OTPs being sent to cardholders to validate the transactions.

About 124 NFC fraud-related complaints have been investigated by the ombud's office. The losses suffered are in the millions, Steyn says, with customers’ accounts fraudulently drained through “tap and go” purchases made with smart devices in mostly foreign jurisdictions such as Dubai, France and Spain, while the legitimate cardholders were in South Africa.

“This is a clear indication an international crime syndicate is operating within this space and has South African consumers in its sights.”

One of South Africa's major banks received more than 6,000 complaints between January 2022 and June 2023, according to Steyn.

“The bank’s stats show that between January and June 2022, about 553 customers fell victim to this fraud with their losses amounting to about R427,487. This year the number of victims jumped to 5,450 with combined monetary losses of more than R6.5m.

“These are concerning numbers and the devastation of the losses caused has the potential of causing bank customers serious financial hardships, which in some instances may be impossible to recover from.”

The bank customers targeted were of all ages and segments and could not be reduced to one specific demographic or profile. Because of this, she reminded everyone to always be vigilant and not to be too trusting with card information, especially OTPs.

Based on the complaints the ombud’s office received and the patterns identified by some of the banks whose clients fell victim to this fraud, she says fraudsters are impersonating legitimate businesses such as the South African Post Office, courier services and VodaBucks through fake websites and emails that require clients to enter OTPs to redeem credits.

“Through these fake website links and email addresses, the fraudsters were able to obtain all the details they required to approve the linking of their devices to the payment platforms.”

Steyn says many of the complainants had received messages containing their bank card number and/or OTP (the stolen information) requesting them to complete an authentication process which they had never initiated.

She advises bank customers to never be pressured into entering or giving away their OTPs without understanding what exactly they are authorising — and to guard against clicking on unsolicited links.

For the fraudsters to link their devices to the stolen bank card information of the legitimate bank customer, Steyn says an OTP or a “Smart inContact notification” required to complete the linkage is sent to the bank customer’s registered number or banking app. Only once the transaction/registration/linkage has been approved via an OTP or approve-it authentication is the fraudster’s device linked to the bank customer's card. From then on the fraudster's device can be tapped at point-of-sale machines, and each purchase goes through on the card with no further verification from the bank customer.
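The linkage-then-drain pattern described above can be picked up on the issuer side by correlating token provisioning, subsequent contactless taps abroad and the physical card still being used at home. The following detection rule is an added example, not code from the ombud, any bank or TimesLive; the event schema, country codes, the 72-hour window and the sample events are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime        # event time (assumed UTC)
    kind: str           # "provision" (wallet token linked after OTP), "tap" (token purchase), "card" (physical card use)
    country: str        # ISO country code the bank saw for the event
    token_id: str = ""  # wallet token id; empty for physical-card events
    amount: float = 0.0


def flag_tokens(events, home="ZA", window=timedelta(hours=72)):
    """Return {token_id: [suspicious tap events]} for tokens that were provisioned
    and then used contactlessly outside the home country within `window`,
    while the physical card was used in the home country around the same time
    (i.e. the cardholder evidently never left)."""
    events = sorted(events, key=lambda e: e.ts)
    provisioned = {e.token_id: e.ts for e in events if e.kind == "provision"}
    home_use = [e.ts for e in events if e.kind == "card" and e.country == home]
    flagged = {}
    for e in events:
        if e.kind != "tap" or e.token_id not in provisioned:
            continue
        age = e.ts - provisioned[e.token_id]
        if e.country == home or not (timedelta(0) <= age <= window):
            continue
        # Only flag when the physical card places the cardholder at home near this tap.
        if any(abs(e.ts - t) <= window for t in home_use):
            flagged.setdefault(e.token_id, []).append(e)
    return flagged


# Constructed sample stream for one card (not real data).
SAMPLE = [
    Event(datetime(2023, 7, 1, 9, 0), "card", "ZA"),                          # cardholder shops in SA
    Event(datetime(2023, 7, 1, 13, 5), "provision", "ZA", token_id="tok-A"),  # token linked after a phished OTP
    Event(datetime(2023, 7, 2, 8, 0), "card", "ZA"),                          # cardholder still in SA
    Event(datetime(2023, 7, 2, 18, 30), "tap", "AE", "tok-A", 1200.0),        # tap-and-go in Dubai
    Event(datetime(2023, 7, 2, 19, 10), "tap", "AE", "tok-A", 950.0),
    Event(datetime(2023, 6, 1, 10, 0), "provision", "ZA", token_id="tok-B"),  # cardholder's own older token
    Event(datetime(2023, 7, 2, 12, 0), "tap", "ZA", "tok-B", 60.0),           # legitimate local tap
]

if __name__ == "__main__":
    for token, taps in flag_tokens(SAMPLE).items():
        print(token, "->", sum(t.amount for t in taps), [t.country for t in taps])
```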

Her office has engaged the banks affected by this fraud to work on solutions. Until a solution is found, she advises all bank customers who are victims of NFC payment fraud, or who suspect they are victims of OTP fraud, to contact their bank immediately.

INSIGHTS:

One-time PINs (OTPs) are personal identification numbers, usually sent via SMS or email or generated by an authentication app, that give bank customers an extra layer of security for online transactions, registrations or login processes. They should be treated with the utmost privacy and confidentiality and used only to perform legitimate, customer-initiated transactions the customer knows about.

The ombud says some of the methods through which OTP fraud occurs are:

Phishing: Fraudsters send deceptive emails or SMS messages, or make phone calls, pretending to be a legitimate organisation or service provider. They ask the victim to share their OTP as part of a verification process or claim that there is an urgent need for it. If the victim falls for the scam, they unwittingly reveal their OTP.

SIM swapping: By deceiving the victim's mobile service provider, fraudsters can get a new SIM card with the victim's phone number. With the victim's incoming calls and messages now diverted to the fraudster's device, they can intercept OTPs and gain unauthorised access to the victim's online accounts or perform fraudulent transactions.

Social engineering: Fraudsters may manipulate or deceive individuals into willingly providing their OTPs by posing as a trusted individual, such as a bank agent, colleague or friend, or as a representative of a legitimate company. They exploit the victim's trust or naiveté to convince them to disclose their OTP, especially when they already know a lot about the consumer, such as their home address, card number, birth date or ID number. Consumers assume a caller who knows so much detail must be legitimate; however, that information could have been stolen or obtained through fraudulent means.

TIPS:

Be cautious of any unsolicited communication requesting an OTP. Verify the authenticity of any request for OTPs by directly contacting the organisation or individual purportedly making the request.

Do not use contact details provided in suspicious messages; instead, use verified contact information from official websites or sources.

Enable two-factor authentication (2FA) methods other than OTPs whenever possible, such as using biometric authentication or hardware security keys. Enquire at your bank about the security measures available to you.

Regularly update passwords and avoid using the same password across different accounts. Keep personal information private and ensure it is not shared with unknown or unverified individuals or service providers.
