South Africans lose millions to new NFC fraud

Admire Moyo
By Admire Moyo, ITWeb's news editor.
Johannesburg, 03 Aug 2023
Customers’ accounts have been fraudulently drained through tap-and-go purchases made with smart devices in mostly foreign jurisdictions.
Customers’ accounts have been fraudulently drained through tap-and-go purchases made with smart devices in mostly foreign jurisdictions.

The Ombudsman for Banking Services is warning members of the public about the rise in contactless payments fraud in South Africa.

According to the banking ombud, it has seen the emergence of a new scam involving the use of near-field communication (NFC) technology.

NFC is short-range wireless connectivity technology that lets NFC-enabled devices communicate with each other.

The ombud explains that fraudsters are now using stolen bank card information, such as the card number, expiry date and CVV number (card data), to make fraudulent purchases via digital wallets.

“Unlike with the normal card-not-present fraud transactions that we are accustomed to, where the fraudsters would use the stolen card information to make online purchases, which would prompt an OTP to be sent to the registered cellphone number of the legitimate cardholder for each of the transactions made, NFC or digital wallet payments do not require this added OTP mitigation tool for each and every transaction,” says Reana Steyn, banking services ombudsman.

Highly-concerning numbers

According to Steyn, the banking ombud has so far received 124 NFC fraud-related complaints.

She notes the losses suffered are in the millions, with customers’ accounts fraudulently drained through tap-and-go purchases made with smart devices in mostly foreign jurisdictions, such as Dubai, France, Spain, etc, while the legitimate cardholders are in South Africa.

“This is a clear indication that an international crime syndicate is operating within this space and has South African consumers in its sights.”

Steyn points out that one of the major banks in South Africa is confirmed to have received over 6 000 related complaints between January 2022 and 1 June 2023. This bank’s stats show that between January and June 2022, about 553 customers fell victim to this fraud, with losses amounting to about R427 487.

This year, Steyn reveals, the number of victims jumped to over 5 450, with combined monetary losses of over R6.5 million.

“These are highly-concerning numbers and the devastation of the losses caused has the potential of causing bank customers serious financial hardships which, in some instances, may be impossible to recover from.

“The bank customers that were targeted were of all ages and segments, and could not be reduced to one specific demographic or profile.”

Describing how the NFC/digital wallet payment fraud works, she says: “The stolen card information is used by the fraudsters to link their smart devices (smartphones and smart watches) onto payment platforms, such as Samsung Pay, Apple Pay, Garmin Pay, Google Pay, etc. The fraudster’s smart device is then used to perform fraudulent purchases on the victims’ accounts without OTPs being sent to cardholders to validate the transactions.”

She points out that for the fraudsters to be able to link their devices to the stolen bank card information of the legitimate bank customer, an OTP or a “Smart inContact notification” required to complete the linkage process is sent to the bank customer’s registered number or banking app.

Only after the transaction, registration or linkage is approved via an OTP or approve-it authenticated, the fraudster’s device is linked to the bank customer’s bank card, she notes.

“Thereafter, the fraudster’s device can be tapped at POS [point-of-sale] machines, allowing transactions to take place on the card with no further verification required for the approval of the individual purchases from the bank customer.”

Impersonation attacks

Based on complaints the ombudsman’s office received, as well as patterns identified by banks whose clients fell victim to this fraud, Steyn says it is evident fraudulent websites and e-mails purporting to be from legitimate businesses, such as the South African Post Office, courier services and VodaBucks, which require clients to enter OTPs to redeem credits, are being targeted for impersonation by fraudsters.

She adds that through these fake website links and e-mail addresses, the fraudsters are able to obtain all the details they require to approve the linking of their devices to the payment platforms.

Steyn cautions that any business may be impersonated, and reminds the public about the importance of reading and understanding the OTPs or InContact messages sent to them.

She advises bank customers to never be pressured into entering or giving away their OTPs without understanding what exactly they are authorising.

“More importantly, consumers must guard against the practice of accessing unsolicited links sent to them, especially when they are prompted to insert their personal and banking information.”