First National Bank (FNB) is warning that criminals are increasingly exploiting digital wallet users through sophisticated phishing attacks.
In a statement, the big-four bank says as payment methods become more sophisticated, so are the cyber criminals, who are exploiting consumers that are insufficiently informed about how digital wallets work.
According to FNB, fraudulent activity doesn’t take advantage of any security deficiencies in the cards or wallets themselves but, instead, uses phishing and smishing attacks to convince users to provide compromising information that allows the criminal to load physical card details, like the plastic number, expiry date and card verification value (CVV) onto their own digital wallets.
Phishing is a type of cyber crime in which people are duped into providing sensitive information − such as login credentials, passwords, PINs, card details, or ID numbers − by using deceptive techniques such as fake e-mails and websites.
Smishing is the use of text messages, purportedly from reputable institutions, to trick people into disclosing similar information.
According to FNB, criminals have realised the process of loading a debit or credit card onto a digital wallet – such as Apple Pay, Google Pay, Samsung Pay and SwatchPay – is similar to the process of making an online payment using these cards.
It points out that both processes require card details to be entered into an online portal, and require the submission of a one-time password (OTP) to confirm the process.
Christopher Boxall, head of card transact and fraud detection at FNB, explains that criminals use this similarity to confuse unsuspecting users into providing sufficient information for them to register the fraudsters’ devices as digital wallets on the accounts of unsuspecting customers.
Sneaky diversions
“We’re seeing a rise in attacks that aim to convince users to send through an OTP as part of a fraudulent process. Although the wording for online transaction and digital wallet OTPs differs, the user might not notice this, and the OTP will actually be used to verify the loading of their debit or credit card to a completely separate digital wallet.
“Once the criminal has loaded this card to their own device, they are able to use their own biometrics to verify transactions made from the device.”
An authentic OTP SMS for online transactions with FNB will always inform the customer that they are about to make an online purchase of a stipulated amount, include the last four digits of the card, followed by the confirmation OTP number, says the bank.
It adds that an authentic digital wallet OTP notification from FNB will always warn the customer that they are attempting to link a specific card (indicating the last four digits of the card) to a specific wallet, and it will always inform the customer to call 0870 30 30 30 or log into the FNB app to complete or cancel the action.
FNB will never require a customer to share their OTP with anyone to input it anywhere on their behalf, says Boxall.
“Conversely, a criminal might send thousands or millions of SMSes claiming that a parcel has been held at a post office for collection, in the hope that some will coincide with a real package being expected. The SMS will include a link to a website which has SA Post Office branding (or that of an international delivery company, medical aid, or other company),” he notes.
“The URL will be incorrect, but the criminal will hope the user doesn’t notice that. Then the criminal will ask for a small fee to be paid to release the parcel, which will require the user’s card details, as would be the case for most online transactions.
“The user has no idea that the criminal is entering those details into their own digital wallet. When a bank sends the criminal a request for an OTP, the criminal then asks the user for the OTP. The user mistakenly believes the OTP has been issued in relation to the fraudulent Post Office payment. If they hand it over to the fraudster, they have effectively given them access to spend on their account via a digital wallet. The criminal is now able to use the card by presenting their own biometrics – because the card has been fraudulently loaded on the criminal’s own device.”
Know the difference
FNB says there is an important distinction to be made between virtual cards and these digital wallets – all of which use similar technologies and processes as physical cards and are susceptible to these phishing attacks.
It explains that virtual cards are specifically generated for enhanced security and privacy for online payments or subscriptions.
On the other hand, it adds, digital wallets allow either physical or virtual cards to be registered and enable customer devices to facilitate payments. As such, a customer tapping his or her phone (with a registered digital wallet) is a lot like tapping a physical card to facilitate payments from their account, says the bank.
Virtual cards are more secure than physical cards because their details are not physically visible to criminals − instead, they require a customer to log into their banking app. Additionally, FNB virtual cards have their CVV regularly changed to avoid fraud, it says.
“Ultimately, however,” Boxall concludes, “maintaining strict security around one’s personal and private information is the most important action we can take to prevent malicious attacks. Any payment technology relies on a certain amount of private information known only to the user. It is crucial that we remain vigilant, protect this information and safeguard our digital identities.”
Share