The banking ombud, Reana Steyn, has sounded an alert after her office recently received about 124 near-field communication (NFC) fraud-related complaints. She said that the losses suffered are in the millions, with customers’ accounts fraudulently drained through tap-and-go purchases made with smart devices in mostly foreign jurisdictions such as Dubai, France and Spain while the legitimate cardholders were in South Africa.
“This is a clear indication that an international crime syndicate is operating within this space and has South African consumers in its sights,” Steyn warns.
She says one of the major banks in South Africa has confirmed with her office that it received more than 6,000 NFC fraud-related complaints in the 18 months between January last year and the beginning of June this year. The bank’s stats show that in the first six months of last year, about 553 customers fell victim to this fraud with their losses amounting to about R430,000. This year the number of victims jumped to more than 5,450 with combined monetary losses exceeding R6.5-million.
“These are highly concerning numbers and the devastation of the losses caused has the potential of causing bank customers serious financial hardships which in some instances may be impossible to recover from,” Steyn says, adding that victims were targeted across various ages and segments.
Although banks have developed fraud detection and prevention systems, such as SIM swap detection, transaction monitoring, two-factor authentication (2FA) and other customer identification methods, criminals are constantly devising new ways to bypass these systems.
As Steyn’s office so accurately observes, while technology has resulted in improved convenience and efficiency, it cannot be disputed that it has also brought new fraud challenges that require banks and consumers to work together to do all they can to close these loopholes and vulnerabilities that are continually exploited by criminals.
How the NFC scam works
The scam involves fraudsters using stolen bank card information, such as your card number, expiry date and the CVV number (the three-digit security number on the back of the card), to make fraudulent purchases via a digital wallet.
“Unlike with the normal card-not-present fraud where the fraudsters would use the stolen card information to make online purchases, prompting an OTP to be sent to the registered cellphone number of the legitimate cardholder, NFC/digital wallet payments do not require this added OTP mitigation tool for each and every transaction,” Steyn explains.
The stolen card information is used by the fraudsters to link their smart devices (smartphones and smartwatches) on payment platforms such as Samsung Pay, Apple Pay, Garmin Pay and Google Pay, and then they use their smart device to make fraudulent purchases using your account details, with no OTPs sent to you to validate the transactions.
However, Steyn points out that for criminals to link their devices to your stolen bank card information, an OTP or a “Smart inContact notification” would be required to complete the linkage process and this would be sent to your registered number or your banking app.
Once this authorisation is granted, the criminal’s device is linked to your bank card, leaving them free to tap their device at point-of-sale with no further verification required. So, why would you grant permission for someone else’s device to be linked to your bank account?
An analysis of complaints received by Steyn’s office reveals that many consumers received emails or communications from fraudulent websites purporting to be legitimate businesses such as the South African Post Office, courier service companies, or VodaBucks, asking consumers to enter OTPs to redeem credits. Through these fake website links and email addresses, the fraudsters are able to obtain all the details they require to approve the linking of their devices to the payment platforms.
Many of the complainants had received messages containing their bank card number and/or OTP requesting them to complete an authentication process which they never initiated.
“If you receive such a message in instances where you never initiated any transaction with your bank card, you should ignore it and immediately report the incident to your bank,” Steyn says.
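The pattern described above (a newly linked device tapping abroad while the cardholder is in South Africa) is the kind of signal transaction monitoring can score. The sketch below is an added example, not code from the article or from any bank; the event types, field names and both time thresholds are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumed thresholds, chosen for illustration only.
NEW_TOKEN_WINDOW = timedelta(days=7)   # how long a linked device counts as "new"
PRESENCE_WINDOW = timedelta(hours=6)   # too short to have travelled abroad from home

def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")

def flag_wallet_taps(events, home_country="ZA"):
    """Return (time, token, country, reasons) for suspicious foreign wallet taps."""
    linked_at = {}   # token id -> time the device was linked to the card
    last_home = {}   # card id -> last time the cardholder was seen at home
    alerts = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["type"] == "token_linked":
            linked_at[e["token"]] = e["time"]
        elif e["type"] == "home_presence":   # e.g. chip-and-PIN purchase or app login
            last_home[e["card"]] = e["time"]
        elif e["type"] == "wallet_tap" and e["country"] != home_country:
            reasons = []
            linked = linked_at.get(e["token"])
            if linked is not None and e["time"] - linked <= NEW_TOKEN_WINDOW:
                reasons.append("recently linked device")
            seen = last_home.get(e["card"])
            if seen is not None and e["time"] - seen <= PRESENCE_WINDOW:
                reasons.append("cardholder seen at home shortly before")
            if reasons:
                alerts.append((e["time"], e["token"], e["country"], reasons))
    return alerts

# Constructed sample events (not real data).
SAMPLE = [
    {"type": "token_linked", "card": "C1", "token": "T-old", "time": ts("2023-01-10 09:00")},
    {"type": "token_linked", "card": "C1", "token": "T-new", "time": ts("2023-06-01 20:15")},
    {"type": "home_presence", "card": "C1", "time": ts("2023-06-02 08:00")},
    {"type": "wallet_tap", "card": "C1", "token": "T-old", "country": "ZA", "time": ts("2023-06-02 08:30")},
    {"type": "wallet_tap", "card": "C1", "token": "T-new", "country": "AE", "time": ts("2023-06-02 10:00")},
    {"type": "wallet_tap", "card": "C1", "token": "T-old", "country": "FR", "time": ts("2023-09-01 12:00")},
]

if __name__ == "__main__":
    for when, token, country, reasons in flag_wallet_taps(SAMPLE):
        print(when, token, country, "; ".join(reasons))
```

The later tap in France on the long-established device is not flagged, which is how a rule like this avoids alerting on a customer who is genuinely travelling.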
Urgent messages with hyperlinks
In March this year, Daily Maverick approached three of the major banks after receiving reader complaints related to digital wallet fraud. Nedbank gave us a generic response reiterating bank safety steps for consumers, while Standard Bank asked for a reference number rather than providing a response at all. FNB was the only bank that gave us a considered response.
Trish Ramdhani, the head of card fraud at FNB, says criminals continue to evolve their modus operandi, often using techniques known as phishing and smishing, where they send SMS and email messages containing a hyperlink.
“These messages are designed to cause panic, suggesting that your banking profile will be blocked or that your parcel will be returned. Customers inadvertently click on the hyperlinks, which lead to an unauthorised website that captures their personal and banking information,” she says.
In 2021, FNB introduced Money Protect, a free insurance benefit for certain fraud-related losses when using digital interfaces, but each claim is evaluated on its own merits. FNB told Daily Maverick that on credit card and Fusion accounts, card swipes account for less than 1% while contactless payments account for more than 60% of all transactions. DM