Worrying news for South Africans hit by huge credit card fraud
Standard Bank CEO Sim Tshabalala has revealed that fraudsters who use stolen card information on large platforms that don’t implement 3D Secure have ways of frustrating banks’ efforts to recover victims’ money.
“Unfortunately, the bandits have sophisticated ways of standing between us and our clients in those contexts,” Tshabalala told Stephen Grootes of 702’s The Money Show.
“We’re working very closely with the law enforcement authorities. We’re also working with the large hyperscalars — all those companies that remove the friction and make it easy and quick for clients to transact.”
Tshabalala’s remarks come after MyBroadband reported about a flood of complaints from mostly FNB and Standard Bank customers that huge sums were being deducted from their cards with “FACEBK” in the description.
Although some Nedbank, Capitec, and Absa customers also complained, those reports were far fewer.
There were also some reports of banks successfully blocking fraud attempts and helping customers block their cards and issue new ones.
Where transactions were allowed through, they went off without customers being prompted to authenticate them via their app or one-time PIN, raising questions about whether there was a security breach.
Standard Bank also experienced a brief outage on Monday, further fuelling speculation that the incidents were related or that it had been hacked.
However, the institutions explained that merchants can choose not to implement multi-factor authentication like 3D Secure by assuming all the risk for potential fraud.
It is understood that platforms like Facebook and Amazon choose to do this to save on card payment processing costs and make it easier for customers to spend money on their platforms.
Fortunately, this means anyone who was defrauded should be able to get their money back.
However, each case must be individually assessed before the banks can recover funds from the merchant.
In the context of Tshabalala’s remarks about the criminals standing between the banks and their clients, some customers could wait a long time to be reimbursed.
Tshabalala said the recent spate of “FACEBK” fraud impacted only an extremely small proportion of their clients.
“A lot of people have been affected, but not the majority of our clients. The number is in the hundreds as opposed to the thousands,” he said.
FNB’s Head of Card Transact and Fraud, Chris Boxall, also previously told MyBroadband that the fraud impacted a limited number of customers.
Another question raised by this recent surge in card fraud is where the fraudsters obtained people’s card information.
Although Facebook does not implement 3D Secure, the criminals still need people’s full card numbers, expiry dates, and CVV.
One popular theory is that cards are getting compromised at toll gates.
Within days of the FACEBK fraud making headlines, FNB told customers that they would no longer be able to swipe their cards at toll booths along several popular holiday routes.
However, BusinessTech reported that Trans African Concessions announced last month that motorists would no longer be able to swipe their cards to pay for tolls along the N4 from December.
Shortly after, FNB and Visa announced that they were rolling out contactless card payments at tollgates along the N3, N4, and Chapman’s Peak.
They also warned that magstripe (i.e. swiping) would not be accepted at these toll plazas from 1 December 2024.
Therefore, the timing of FNB’s tollgate notice to customers this week is coincidental.
It is important to remember that people’s card details could have been compromised in a number of different ways — including an as-yet-unknown breach at a payment processor, a series of global data leaks, and tollgates.