Banks in South Africa have been rolling out “tap and go” technology to support contactless payments for some time. The technology is used at points of sale at popular outlets, including Pick ‘n Pay, McDonald’s, and Gautrain stations. While major banks have thrown their weight behind the technology, consumers have expressed concerns over the security of tap-and-go cards.
Among the fears is that contactless payment technology makes it easier to clone bank cards, which criminals can then use to steal funds without entering a PIN.
Contactless cards and PINs
Senzo Nsibande, the head of card fraud at FNB Credit Card, told MyBroadband that cards which support contactless payments use the same security that normal chip transactions use. “There are many security features on contactless cards, which include high-end encryption technology that protects the card’s data from reproduction,” said Nsibande. He said that although smaller payments may be made by simply tapping the card on a supported terminal, for higher value amounts you still enter your card PIN.
“However, some retailers may have their own limits,” he said.
The head of consumer issuing at Absa Card, Tshipi Alexander, said they randomly request a card’s PIN – even on small transactions – as an additional safety measure. This makes it difficult for a fraudster to use the card with any level of confidence, said Alexander. He stated that cloning a contactless card would also mean cloning its chip, as that is the part of the card that facilitates the transaction.
“Some sensational reports show that contactless cards can be remotely read by someone close to you, but upon testing it has shown that the data that can be retrieved is not sufficient to be used in fraudulent transactions – the chip cryptograms are just too strong,” said Alexander. “Internationally there has been no known instance of a chip being successfully cloned and used fraudulently.”
Alexander added that contactless cards are actually less prone to card-cloning fraud. “What fraudsters do is copy or clone the magnetic stripe. They then use that in countries where chip technology is not yet fully deployed,” said Alexander. The United States is an example of a country where chip-and-PIN technology is not widely adopted. This means contactless cards are actually less vulnerable, as the card never leaves your hands – let alone your line of sight.
“As such, contactless actually enhances the security of the customer by ensuring the plastic remains in his/her hand and thereby reducing the opportunities of fraudsters to see the PIN being entered,” said Alexander. Alexander added that the only way fraud can be committed through the contactless functionality, albeit for small amounts, would be if the card is stolen. “Make sure your cards are in a safe place and immediately report it to the bank if it is stolen or if you lose the card,” he said.
You should also subscribe to your bank’s SMS and email notification services, he added.
Absa’s credit card call centre is informing clients that an IT issue is causing transactions from 17 December to not reflect in their accounts. Transactions were reflected accurately yesterday evening, with clients discovering this morning that they were reverted in error. The problem is also causing accounts to show an available balance of zero, resulting in cards being declined.
Absa’s call centre is currently overloaded, with wait times of over ten minutes to get through to the Premium banking credit card help desk.
The bank’s customer support said the IT department is aware of the issue and that it is expected to be resolved this evening when a batch process runs.
Absa was contacted for more details about the outage, but it did not respond by the time of publication.
Absa has informed clients that it will upgrade its security in the coming weeks to make online banking “even safer.” It stated that users do not need to re-register, and that none of their login details or other credentials will change. “Cybercriminals employ increasingly sophisticated methods to access customer Internet banking information through email phishing, SIM swaps, and other methods,” said Absa’s chief executive for customer channels Marius de la Rey.
De la Rey told MyBroadband that Absa has invested heavily in a comprehensive and robust suite of information protection measures. It is also rolling out enhanced security to its customers using smartphones to transact, he said. Further details about the security upgrades are expected to be revealed in the coming weeks.
“Cybercrime is an industry-wide issue that can only be successfully minimised through vigilance by banks, cellphone providers, and customers alike,” said de la Rey.
Guarding against SIM-swap fraud
Online banking attacks using SIM-swap fraud and phishing are a problem for local banks and network operators, with the South African Banking Risk Information Centre (Sabric) warning that fraudsters have started using more direct forms of social engineering to attack victims. Sabric said that instead of only sending phishing emails, attackers now phone victims and try to trick them into giving up their private information, a technique dubbed vishing. “If you receive a phone call requesting confidential or personal information, do not respond and end the call,” said Sabric.
It warned that if you lose mobile connectivity under circumstances where you are usually connected, you must check whether you have been the victim of a fraudulent SIM swap.
Receiving a one-time-PIN on your phone without conducting any online transactions should also raise red flags.
“Contact your bank immediately to alert them to the possibility that your information may have been compromised,” said Sabric.