A surge in fraudulent payments processed through Net1's online payment system, EasyPay, led to one of SA's largest banks making the unprecedented move of stopping all credit card transactions through the site.
Absa suspended all payments for transactions through online payment processing portal EasyPay last week, only opening access again yesterday morning, because one in three deals were discovered to be fraudulent.
EasyPay, owned by JSE-listed Net1 UEPS, is an online portal that allows people to buy airtime and electricity, pay traffic fines and bills, among other services.
Fraudsters were illicitly entering stolen credit card details into the site to buy prepaid products such as airtime and electricity to sell them at a profit. The company processes four million to five million transactions a day.
EasyPay, which fulfils all the banks' security requirements, has now suspended sales of high-risk items such as airtime through the portal, although its retail-based kiosks are fully functional.
The exact extent of fraud perpetrated through the site is unknown, but at least R500 000 in illicit transactions has been reversed so far this year, by just one bank.
Unusual step
Paul Mathias, Absa's head of fraud risk management, says this is the first time the bank has suspended payments through an online vendor, although it has previously shut down individual merchants. Customers will have been inconvenienced, but will not have to pay for the fraudulent transactions, he adds.
Mathias says the bank has seen an increase in illicit transactions in the past few weeks, to the point that a third of all payments coming from EasyPay were not legitimate. He says people's credit card details are illicitly used to buy items such as airtime, which is then on-sold, allowing criminals to profit.
As a last resort, Absa shut down credit card transactions made through the site last week, but opened the channel again yesterday morning after EasyPay suspended high-risk purchases such as airtime on its site, says Mathias.
Mathias says the bank ends up footing the bill for fraudulent payments and not the customer or EasyPay. He could not quantify the value of the losses.
Absa has laid criminal charges and is investigating how customers' credit card details were illegally obtained, says Mathias. He explains the details could have been captured through phishing or card skimming.
Escalating problem
In July, the South African Banking Risk Information Centre (Sabric) warned that phishing e-mails were targeting people using products such as EasyPay, e-Wallet, Cash Focus and My Money.
The e-mails are designed in the same manner as the classic phishing e-mails where the bank client is requested to click on a link in order to update details, or face their service being discontinued, said Sabric.
“It is very clear from this trend that perpetrators are keeping abreast of developments in the industry to identify new means to defraud clients,” noted Sabric CEO Kalyani Pillay.
First National Bank (FNB) is EasyPay's acquiring bank; all transactions done through the site are rerouted to FNB, which then collects payments from other banks.
FNB credit card CEO Jacques Celliers says the bank has recently been experiencing an increase in fraudulent activities targeting EasyPay, and is working with the company to implement whatever measures it can to trim fraud.
“There are a number of legitimate online businesses, including banks, that have fallen victim to this form of fraud both locally and internationally,” says Celliers. He adds online retailers and service providers can be affected by phishing regardless of how strong their security systems are.
Celliers says the amounts reversed on a daily basis can vary from nothing to several thousand rand. He was unable to quantify how much has been reversed so far this year.
However, fraud losses overall have declined 40% over the last two years due to increased security measures such as chip and PIN, the bank says.
Rene de Villiers, head of Nedbank's card risk services, says there have been about 100 instances so far this year where clients have disputed transactions as being fraudulent. As a result, she says, about R500 000 has been reversed this year.
De Villiers says credit card details can be compromised through phishing, or card numbers and the security code on the signature strip can be copied by a sales person and sold to a fraudster.
“Our experience is that their systems are being exploited by fraudsters. We do not think that they are processing false debits,” says De Villiers. Nedbank has monitoring tools in place to try and combat fraud, she adds.
Not our fault
Net1 CEO Serge Belamant says it is not easy to be an online payment provider, because of the security certification requirements from the banks. He explains that, for example, online sites need to prove they do not store credit card information.
EasyPay moves between four million and five million transactions through its site every day, notes Belamant. He says fraud, either through phishing or card cloning, is a global problem.
A Visa-designed verification tool called 3D Secure is among the security measures, says Belamant. The system, which works like an online passport, allows users to sign up online, have their details verified through a third-party, and then shop without the need to type in a password.
EasyPay has not been charged back for one transaction that has been fraudulently submitted through its site as it follows the rules laid down by the banks, says Belamant. “We followed the rules...We've never done anything wrong.”
Belamant explains that the company does not authorise transactions, as that responsibility is the banks'. He does not know how many deals have been reversed by the banks because of fraud.
Banking security has not fundamentally changed in 50 years, Belamant points out. He says all that has happened is that holes have been plugged, but this creates more problems than it stops. SA's online portals follow international standards, he adds. “It's not a simple problem; it needs to be addressed, it's getting out of hand.”
Share