First National Bank has warned that cybercriminals are exploiting new and sophisticated phishing attacks, preying on consumers who don’t understand how digital wallets work.
The bank said in a statement on Thursday that the crooks are not taking advantage of any security deficiencies but instead are using “phishing and smishing” attacks to convince users to provide compromising information. This allows the criminals to load physical card details (like the plastic number, expiry date and card verification value, or CVV) onto their own digital wallets.
Phishing is a type of cybercrime in which people are duped into providing sensitive information such as login credentials, passwords, Pins, card details or ID numbers by using deceptive techniques such as fake e-mails and websites. Smishing is the use of text messages, purportedly from reputable institutions, to trick people into disclosing similar information, FNB explained.
“Criminals have realised that the process of loading a debit or credit card onto a digital wallet – such as Apple Pay, Google Pay, Samsung Pay and SwatchPay – is similar to the process of making an online payment using these cards. Both processes require card details to be entered into an online portal, and both require the submission of a one-time password to confirm the process,” it said in the statement.
Criminals use this similarity to confuse unsuspecting users into providing sufficient information for them to register the fraudsters’ devices as digital wallets on the accounts of unsuspecting customers, said Christopher Boxall, head of card transactions and fraud detection at FNB.
“We’re seeing a rise in attacks that aim to convince users to send through an OTP as part of a fraudulent process. Although the wording for online transaction and digital wallet OTPs differs, the user might not notice this, and the OTP will actually be used to verify the loading of their debit or credit card to a completely separate digital wallet. Once the criminal has loaded this card to their own device, they are able to use their own biometrics to verify transactions made from the device,” Boxall said.
OTPs
FNB said:
- An authentic OTP SMS for online transactions with FNB will always inform the customer that they are about to make an online purchase of a stipulated amount; include the last four digits of the card; followed by the confirmation OTP number.
- An authentic digital wallet OTP notification from FNB will always warn the customer that they are attempting to link a specific card (indicating the last four digits of the card) to a specific wallet, and it will always inform the customer to call 0870 30 30 30 or log into the FNB app to complete or cancel the action.
- The bank will never require a customer to share their OTP with anyone to impute it anywhere on their behalf.
“Conversely, a criminal might send thousands or millions of SMSes claiming that a parcel has been held at a post office for collection, in the hope that some will coincide with a real package being expected. The SMS will include a link to a website which has South African Post Office branding (or that of an international delivery company, medical aid, or other company).
Read: Warning that growing fraud could spell the downfall of SMS
“The URL will be incorrect, but the criminal will hope that the user doesn’t notice that. Then the criminal will ask for a small fee to be paid to release the parcel, which will require the user’s card details, as would be the case for most online transactions,” FNB said.
“The user has no idea that the criminal is entering those details into their own digital wallet. When a bank sends the criminal a request for an OTP, the criminal then asks the user for the OTP. The user mistakenly believes that the OTP has been issued in relation to the fraudulent post office payment.
“If they hand it over to the fraudster, they have effectively given them access to spend on their account via a digital wallet. The criminal is now able to use the card by presenting their own biometrics – because the card has been fraudulently loaded on the criminal’s own device.”
FNB emphasised that the problem does not extend to virtual cards, even though they use similar technologies.
“Virtual cards are specifically generated for enhanced security and privacy for online payments or subscriptions. On the other hand, digital wallets allow either physical or virtual cards to be registered and enable customer devices to facilitate payments. As such, a customer tapping his or her phone (with a registered digital wallet) is a lot like tapping a physical card to facilitate payments from their account,” it said.
“Virtual cards are more secure than physical cards because their details are not physically visible to criminals. Instead, they require a customer to log into their banking app. Additionally, FNB virtual cards have their CVV regularly changed to avoid fraud.”
“Ultimately,” said Boxall, “maintaining strict security around one’s personal and private information is the most important action we can take to prevent malicious attacks. Any payment technology relies on a certain amount of private information known only to the user. It is crucial that we remain vigilant, protect this information, and safeguard our digital identities.” — © 2024 NewsCentral Media
