Digital wallet warning for South Africa

South African Banking Risk Information Centre (Sabric) CEO Nischal Mewalall says banking customers who use digital wallets should focus on securing their accounts and devices rather than avoiding the technology.

Speaking to Cape Talk, Mewalall said that while criminals will always find a way to breach systems as technology evolves, tap-to-pay and digital wallet systems aren’t a significant concern for his organisation.

This comes after frontend engineer Herman Stander recently published a video showing how cybercriminals use phishing attacks to link people’s payment card details to tap-to-pay systems like Google Pay.

Stander developed the proof-of-concept attack after falling victim to a phishing attack that enabled cybercriminals to link his FNB Virtual Card to a Google Pay wallet and clean out his account.

“We’ve observed that there’s quite a number of complaints, and I think most recently, there’s been a video that has been released that has caused a lot of concern,” said Mewalall.

“We understand that there’s no system that’s bulletproof. For as long as there’s evolution in technology, criminals will evolve their capabilities.”

“Our concern always resides around where data lies. That’s because we often think that the problem is the technology, but rather there are other kinds of problems behind it,” he added.

Mewalall said customers can address several other issues to keep personal banking information secure.

This includes ensuring your smartphone’s security settings are solid in the event that it is stolen or lost.

He added that many people fall victim to phishing scams, making education about these types of attacks critical to keeping your data safe.

“So those are where the major risks lie, rather than the weakness of the technology stack,” said Mewalall.

He also recommended that customers set tap limits to require a PIN for transactions over that amount. This adds an extra barrier of protection.

Nischal Mewallal, Sabric CEO

While criminals could still complete transactions without a PIN under that amount, they won’t be able to withdraw large sums at a time.

Stander’s video shows how an attacker might impersonate the South African Post Office and what wording they might use to trick you into giving up the one-time PIN (OTP) needed to link a payment card to Google Wallet.

While this would be a huge red flag to most, someone in a rush or unfamiliar with online payment systems might not spot this.

In his demonstration, Stander showed how he could register his wife’s FNB Virtual Card to Google Wallet using the details harvested from the attack site.

A few hours later, he processed several transactions, including filling up his car, buying groceries, and purchasing a can of paint.

None of these transactions pushed notifications to his wife’s registered device.

While FNB’s Virtual Cards feature a rotating CVV, the bank explained this is for verifying online purchases or “card not present” transactions.

“A CVV is not required for card present transactions,” FNB explained.

“The CVV and OTP is required at the time that the digital wallet is registered on a device to transact.”