- South Africa's oldest bank, First National Bank (FNB), has cautioned that cybercriminals are increasingly using advanced phishing tactics to target users of digital wallets.
- The bank highlighted that the criminals are not leveraging any security deficiency but rather employing "phishing and smishing" tactics to trick users into sharing sensitive information, enabling them to load physical card details such as plastic number, expiry date, and card verification value (CVV) onto their digital wallets.
- “Criminals have realised that the process of loading a debit or credit card onto a digital wallet – such as Apple Pay, Google Pay, Samsung Pay and SwatchPay – is similar to the process of making an online payment using these cards. Both processes require card details to be entered into an online portal, and both require the submission of a one-time password to confirm the process,” the bank revealed.
Christopher Boxall, head of card transactions and fraud detection, stressed that criminals exploit these similarities to confuse unsuspecting users to provide information allowing the fraudsters to register their devices as digital wallets linked to the accounts of unsuspecting customers.
He noted an uptick in attacks where users are tricked into sending an OTP as part of fraudulent schemes. Despite the differing wording between OTPs for online transactions and digital wallets, users may overlook this distinction.
Consequently, the OTP is exploited to authorise the loading of their debit or credit card onto a different digital wallet. Subsequently, they unwittingly use their biometrics to authenticate transactions conducted through the compromised device.
Boxall emphasised that maintaining strict security around personal and private information is the most crucial measure to prevent malicious attacks, noting that every payment technology requires some private information known only to the user making it important to remain vigilant, protecting their information, and safeguarding their digital identities.
Meanwhile, the South African bank clarified that the issue does not affect virtual cards, even though they use similar technologies. It added that virtual cards are specifically generated for enhanced security and privacy for online payments or subscriptions while digital wallets enable customers to register either physical or virtual cards and facilitate payments using their devices.