FNB Virtual Cards safety warning

While FNB’s virtual cards provide great safety features, like a regularly rotating CVV, they are not a silver bullet for card fraud.

Frontend engineer Herman Stander recently fell victim to a phishing attack in which cybercriminals linked his virtual card to a tap-to-pay digital wallet and cleaned out his bank account.

Unfortunately, the virtual card was linked to his debit card, and his salary had just been paid into his account. They stole it all.

He didn’t receive notifications or SMS messages warning him that transactions were going off against his account.

FNB’s fraud department also didn’t flag that twelve relatively large transactions went off right after one another, many for just under R5,000.

FNB has been promoting its Virtual Card product as a feature that enhances security and prevents card fraud.

It also heavily incentivises clients to use virtual cards by linking them to eBucks rewards.

When FNB told Stander that the loss was his fault for getting phished and it wouldn’t refund him, he set about reverse engineering the attack to understand how it works.

He also developed a proof-of-concept attack, which he tested against his wife’s FNB account to confirm his findings.

Stander’s tests showed that when linking a virtual card to a digital wallet like Google Pay, the CVV is only required when initially registering the card on the platform.

The rotating CVV of FNB’s Virtual Card only helps with online shopping-type payments, also known as card-not-present transactions.

After it is linked to a supported digital wallet, the card’s CVV is bypassed.

FNB confirmed this when MyBroadband asked for comment about Stander’s case and attack demo.

“A CVV is not required for card present transactions,” FNB corporate affairs executive Jacqui O’Sullivan said.

“CVV and OTP is required at the time that the digital wallet is registered on a device to transact, in this case, this was done when the customer’s card details were phished and compromised.”

Fortunately, the CVV is not the only thing preventing attackers from registering a card on platforms like Google Pay.

The trick to this attack is for cybercriminals to convince you to send them a one-time PIN that is SMSed to your phone when registering.

They try to do this in many ways, most of which direct you to a fake website designed to look just like the real thing.

In Stander’s case, an SMS directed him to a website that looked like the SA Post Office to pay customs on a parcel he was expecting.

The attackers probably didn’t know their victim was expecting a package. They simply blast out emails and SMSes to databases containing millions of people’s contact details and hope to catch someone.

Attackers also don’t exclusively use the Post Office as an angle of attack. They’ll claim to be from DHL, FedEx, a bank, or a medical aid — all in the hopes of guessing right once and hooking a victim.

Screenshots from Stander’s proof-of-concept attack: Example phishing SMS (left), attack site (middle), and card details loaded into Google Wallet (right)

For an attack like this, the fake site will ask you to enter your credit card information as usual for “customs clearance” or some other reason.

Once they have your credit card information, they will try to convince you to send the OTP you receive to verify or confirm the payment.

This is a red flag, although even the most vigilant and knowledgeable users might miss it if they are in a rush or otherwise distracted.

However, this would’ve also been one in a series of red flags to watch out for, which is why attackers often try to cloud your judgement with urgency.

Stander’s case highlights several warning signs and security issues to be aware of when making online payments.

  • Virtual cards are not a silver bullet against card fraud.
  • If you can manage your credit and have access to a credit card, avoid using debit cards for payments. Banks generally fix credit card fraud much faster.
  • Be wary when following links from emails, SMSes, WhatsApps, and other messages.
  • Always check a page’s URL. Don’t just check for a lock icon — that doesn’t mean the page is safe.
  • Watch out for typos, spelling mistakes, and similar telltale signs of scams.
  • You will never be asked to provide a banking OTP to a merchant when making a payment. Ensure transaction verification requests match what you are used to seeing with your bank. This is generally via apps nowadays, not OTPs.

“With cybercriminals becoming more sophisticated, customers are encouraged to remain vigilant and take proactive measures to protect themselves at all times,” O’Sullivan stated.

“We encourage customers to immediately report any events that may result in fraud on their bank accounts and to use our FNB App to stop or cancel their cards.”

MyBroadband asked FNB for feedback on why Stander didn’t receive transaction notifications when the criminals cleaned out his account using the hijacked virtual card. It did not provide an answer by publication.

Latest news

Partner Content

Show comments


Share this article
FNB Virtual Cards safety warning