Card-cloning scam hits SA banks from abroad
SA’s banking industry has been hit by an international syndicate fraudulently cloning cards through some restaurant chains and fast-food outlets, resulting in losses of tens of millions of rand.
Customer card details were accessed through virus software on point-of-sale devices, according to Walter Volker, CEO of the Payments Association of SA (Pasa).
“Estimated card losses for the banks are in the tens of millions of rand but not hundreds of millions,” said Mr Volker.
According to industry news website TechCentral, chicken fastfood chain KFC was particularly affected by the scam.
The Payments Association of SA, international card schemes Visa and MasterCard, and big banks were all aware of the “data
compromise”, said Mr Volker.
An overseas syndicate inserted malware, or malicious software, into the retail point-of-sale systems to pick up card data from magnetic strip cards. Chip and pin cards were not affected.
The syndicate used the data to clone cards. Some transactions using these fraudulent cards have been picked up in the US, said Mr Volker.
The fraud took place over six or seven months this year.
Pasa started picking up unusual activity early in the year and established an incident risk committee including representatives of the major banks, Visa and MasterCard.
“It took a while to discover the problem as it was a very sophisticated piece of software inserted in the systems,” said Mr Volker. Once the software was identified, it was quickly removed.
Standard Bank said some of its debit, credit and cheque card customers had been affected.
First National Bank referred queries to Pasa.
Mr Volker said steps had been taken to secure the systems to prevent “further leakage” of card details and identify the extent of the potential exposure.
“There is no need for concern by cardholders,” he said. It was up to the banks to decide whether to replace the cards of customers exposed to the fraud, he said.
“What is important to under- stand is that should fraudulent transactions be perpetrated on any cards as a result of the data compromise, cardholders will not be exposed to any losses.”
SA’s banking risk intelligence centre, Sabric, is co-ordinating the police investigation into the scam, said CEO Kalyani Pillay.
Standard Bank spokesman Ross Linstrom said cardholders who had concerns or were suspicious of transactions on their statements should contact their bank immediately. There was no need for “undue concern”, he said. “The banking industry and Pasa have well-developed and sophisticated fraud and risk management systems in place to limit the exposure of our customers to criminal activity.”
Absa said: “The virus was identified at a number of terminals where the bank has very limited exposure.” It urged customers to check credit card statements for unusual transactions.
Mr Volker said Pasa had strong suspicions where the syndicate originated. No bank or restaurant insiders were involved.