If you’ve used your debit or credit card at a restaurant or fast-food outlet in South Africa this year, you could be among the “hundreds of thousands” of customers whose card details have been swiped by malware and used to make fraudulent cards for use overseas.
On Tuesday, TechCentral.co.za broke the story that “South Africa’s banks have suffered tens of millions of rands in losses, due to a major breach of customer card data by criminal syndicates that infected electronic point-of-sale (POS) terminals using a variant of malicious software called Dexter”.
Walter Volker, chief executive of the Payments Association of South Africa (Pasa), confirmed that the security breach took place and that the consequent fraud is running into “tens of millions of rands, and is to date the biggest single incident of its kind in South Africa.
“There is no need for panic: the banks are taking the knock, as they always do when you’re the victim of card fraud. The consumer is ultimately protected in the card environment, except if there was gross negligence on your part.”
You are not liable for fraud arising from data theft. Volker says the banks are not to blame for the breach, either.
“If anyone is to blame, it is probably the technology supplier [of the software], who shall remain nameless. There was no gross negligence, but one [supplier] was exposed through a ‘back door’. There was a chink in their armour. They [the hackers] exploited that and managed to get into the servers belonging to a lot of retail stores,” he says.
Volker says the breach is the work of highly sophisticated hackers. The virus software, which is believed to have been loaded, via the internet, on to the servers of the merchants who were hit, is undetectable by the standard antivirus software used by many merchants.
He says that, while transactions are done at a POS terminal, the virus reads the data on the magnetic strip on your card and sends it to the syndicate, which, in turn, sells the data to other syndicates that produce fraudulent cards.
Volker declined to provide Personal Finance with the names of the merchants whose servers were affected, because, he says, there is no risk to you, and naming the merchants would damage their brands.
However, it has been widely reported that thousands of terminals used by restaurants and fast-food chains were infected and that Kentucky Fried Chicken has been the hardest hit.
All “sites [merchants] have been cleaned; consumers can relax. It is safe to use your debit and credit cards”, Volker says.
You won’t necessarily know if you’ve been a victim of fraud; you may only become aware of it when fraudulent transactions show up on your card statements, he says.
Although your bank knows that your data has been compromised, it will not necessary inform you, nor will it advise you directly that you need to check your past bank statements. It seems that Absa is the only bank that is contacting customers whose data has been compromised.
Willie van Zyl, head of commercial cards and card acquisition at Absa, says you weren’t told about the Dexter attack earlier because “we didn’t want the syndicates to know that we were on to them, lest they started mutating the virus”.
Van Zyl says that Absa identified the affected cards and dealt with them on a case-by-case basis.
“We contacted customers and asked them to check their bank statements for suspect transactions. We have reversed those that were fraudulent, and there has been no loss to customers,” he says.
Van Zyl says he would advise customers to check their bank statements over the past six months for any international transactions.
Absa customers whose card data has been compromised and who need old bank statements can approach their branches, and the bank will consider carrying the cost of those statements.
Van Zyl says that Absa customers who have the NotifyMe service will receive an SMS notification even when a transaction is performed using a cloned card.
“I would urge customers to keep using their bank cards. It is still the safest form of payment, because you are insured against fraudulent transactions, thanks to the charge-back policy,” he says.
Van Zyl has the following advice for bank customers:
* Reduce your daily withdrawal limit (to limit your losses in the event of fraud);
* Opt in to receive SMS notifications of transactions;
* Never disclose your PIN to anyone; and
* Always check your statements. “If you find a fraudulent transaction and you were not at fault, it’s your bank’s problem, not yours,” he says.
Volker says that a cloned card cannot be used to draw cash, because the user does not have your PIN. It also cannot be used for online purchases, because the user doesn’t have your CSV number (a unique security number on the back of your card). Fraudsters also cannot access accounts linked to the compromised card, he says.
Volker says it is unnecessary to replace your card, but if you feel vulnerable, “the banks should be happy to replace your card”. This should not necessarily be at your expense “if it’s a more secure card”.
If you have a chip card, it is “virtually impossible” that you were hit in the Dexter attack; it was mainly signature-based cards that were compromised, Volker says.
In South Africa, nearly 90 percent of credit cards are chip cards, as are between 80 and 90 percent of debit and cheque cards, he says.
“There are less than one million signature/magnetic strip cards in circulation,” Volker says.
If your bank “suddenly” sends you a chip card, it’s because the banks are accelerating the roll-out of these cards, he says.
WHAT IS DEXTER?
Dexter is malware – malicious software, such as a virus – named after a text string found in some of its components – and not to be confused with the cartoon character Dexter, the boy genius who, in his secret laboratory, takes on the greatest scientific challenges of his time.
QUESTIONS THE BANKS WOULDN’T ANSWER
In response to questions put to them by Personal Finance, the South African Banking Risk Information Centre and all of the banks – with the exception of Absa – ignored specific questions and instead forwarded us a statement prepared by the Payments Association of South Africa (Pasa) or referred us to Pasa.
These are the questions that First National Bank, Nedbank and Standard Bank will not answer:
* The banks became aware of the Dexter virus early in the year: why didn’t you warn your customers sooner? Surely that would have mitigated the losses?
* Our understanding is that the onus is on the customer to report any fraudulent transactions to the bank; how far back must customers check?
* If, unbeknown to me, I’m a victim of Dexter and of fraud committed abroad, would I receive an SMS notification of fraudulent transactions (provided I’ve signed up for SMS notifications)? If not, why not?
* If I don’t keep my bank statements and I now have to ask for statements dating back to the beginning of the year to check for any suspicious transactions, will the bank issue those statements to free of charge?
* How many, or what percentage of, customers caught by Dexter have chip cards?
WHAT THE BANKS DID HAVE TO SAY
Alan Scoular, chief executive of merchant services at First National Bank (FNB), says that customers who think that their card might have been compromised should contact the bank, and FNB will issue them with a new card at no cost. FNB will also reverse any transactions committed fraudulently, he says.
Standard Bank spokesperson Ross Linstrom says all Standard Bank cards that might have been affected have been placed under a heightened level of monitoring to detect unusual or possibly fraudulent activity. “Should fraudulent transactions occur on any of these cards, cardholders will not be exposed to any losses, and Standard Bank will replace the cards of affected customers.”
Rene de Villiers, head of risk at Nedbank card division, says: “Where fraud losses have been reported, Nedbank clients have been refunded and issued with new cards.”
Investec Private Bank issued a media release this week informing clients of the breach and stating that its clients are “not affected”.
THINK YOU’VE BEEN SCAMMED? HERE’S WHAT TO DO
When a purchase transaction is shown on your bank statement that you did not perform or authorise, it may indicate that:
* Fraudsters have obtained your card details or your card itself. This could be because your card has been stolen or intercepted in the post, or because your card details have been compromised (through “skimming”, “shoulder-surfing” or another means, such as the Dexter virus); or
* The merchant initiated a fraudulent transaction, using your card details (as above).
The Payments Association of South Africa has the following advice:
* Try to determine who the merchant was (from the description on the statement), and when and where the transaction took place, to ensure that you might not have forgotten about the purchase – some payments are processed days or even weeks after the transaction occurred. Ensure that another member of your family has not (mis)used your card.
* If you are sure that you are the victim of fraud, contact the bank that issued you with the card and inform it that you want to dispute the transaction. The bank will generally ask you to submit the dispute in writing, providing your reasons for disputing the transaction and as much detail as possible.
* The issuing bank will then institute a charge-back process, which means that it will reverse the transaction from your account and send it back to the bank that submitted the transaction (the acquiring bank) on behalf of the merchant. The merchant then has an opportunity to provide proof of the transaction. If the transaction took place in a store, for example, the merchant will need to produce the original credit card receipt that was signed by you. If the signature matches the one on your card, the transaction will be re-instated. If the transaction proves to be fraudulent and the merchant did not follow the correct card acceptance procedures, the charge-back will stand and your account will be credited.
* Be aware that the issuing bank may levy a charge for this service if you are in part to blame for the fraud.
BANK HELPLINES
If you suspect fraudulent activity on your bank account, contact:
* Absa: 0860 557 557
* First National Bank: 087 575 1188 (credit card fraud); 087 575 9444 (debit or cheque card fraud)
* Investec Private Bank: 011 286 9663 or 0860 110 161
* Nedbank Fraud Desk: 011 710 4710 or 0860 555 111
* Standard Bank: 0861 201 000