Hacker shows how to steal someone’s payment card details and buy a tank of petrol

Frontend engineer Herman Stander recently fell victim to a phishing attack, losing his entire month’s salary to a cybercriminal.

Stander was taken aback as the attacker had used one of his FNB Virtual Cards to make several R4,998 purchases and his bank had not sent him a single transaction notification.

First National Bank (FNB) promotes its Virtual Card product as a way to protect yourself from card fraud.

“No more stressing over card fraud. It’s safe, simple and intelligent enough to change its 3-digit CVV regularly. Link your personal or business account for secure online shopping,” FNB’s website states.

After FNB informed Stander that his money was gone through his own fault and it wouldn’t be paying him back, he set about building a proof-of-concept to see if he could replicate the attack.

To his horror, he discovered that building a phishing attack that lets you empty someone’s bank account or max out their credit card is extremely simple.

The rotating CVV of FNB’s Virtual Card provided no protection, and the bank’s failure to send notifications of the transactions meant he didn’t realise the fraud was happening until it was too late.

In Stander’s case, he was taken in by a phishing attack masquerading as a South African Post Office customs clearance message.

He received an SMS stating that he needed to pay R30 for customs clearance within 24 hours or his parcel would be returned to sender.

Although he acknowledged he should’ve known better, Stander said he was expecting a parcel, and the link and webpage it pointed to looked exactly like one you might receive from the Post Office.

Stander’s proof-of-concept attack shows what such an attack site might look like and how easy it is for cybercriminals to harvest the information needed to hijack someone’s payment card.

He demonstrated how the attack works between two willing participants — him and his wife.

Screenshots from Stander’s proof-of-concept: Example phishing SMS (left), attack site (middle), and card details loaded into Google Wallet (right)

The attack site begins by asking for your card information and then slyly asks for a one-time PIN (OTP) to “verify the payment”.

This is a huge red flag, but someone in a rush or unfamiliar with online payment systems might not register that the OTP request is out of place.

In reality, the OTP is not used to verify a payment, but to register the card with a digital wallet platform like Google Pay.

Stander showed how he could register his wife’s FNB Virtual Card in a Google Wallet with the details harvested by the attack site.

He then waited a few hours before performing several transactions, including filling up his bakkie, buying groceries, and picking up a can of paint.

None of these transactions generated notifications on his wife’s phone.

MyBroadband contacted FNB for comment, and the bank explained that its virtual card system’s rotating CVV does not come into play when using digital wallets.

When you make a tap payment using a card stored in such a wallet, it works like a regular card transaction and doesn’t use the CVV.

“A CVV is not required for card present transactions,” FNB corporate affairs executive Jacqui O’Sullivan explained.

“The CVV and OTP are required at the time that the digital wallet is registered on a device to transact.”

O’Sullivan said that, in this case, this was done when the customer’s card details were phished and compromised.

“With cybercriminals becoming more sophisticated, customers are encouraged to remain vigilant and take proactive measures to protect themselves at all times,” she said.

By the time of publication, FNB had not provided feedback on why Stander didn’t receive transaction notifications.

Stander’s video demonstrating his proof-of-concept attack is below.

Author’s Note: The term “hacker” is used here in its original meaning. Stander is not an information security professional, but he is a highly skilled programmer, an enthusiastic tinkerer, and when he noticed something strange he “hacked” at it until he understood it.
