Pay check As contactless transactions become the norm, technology is having to close the security gap That great ka-ching! noise you heard at the end of November was the sound of shoppers across Africa cashing in on the continent’s Black Friday sales. Pan-African e-commerce platform Jumia reported a 30% year-on-year increase in sales (up to US$150 million) over the weekend; while South African payment gateway Payfast saw its online transaction volumes rise by 34%, powered by a 30% increase in total purchase values overall. Standard Bank reported one very enthusiastic shopper using their credit card 79 – seventy-nine! – times over the Black Friday weekend, while online payment platform Ozow revealed that one of its users tried (and failed) to make a ZAR628 million transaction during the flurry of sales. ‘Although we believe this transaction was most likely an error, you can never be sure over Black Friday,’ the company says. ‘In the same vein, another customer attempted to process a ZAR817 000 transaction four times. Each attempt was declined, but not for lack of trying from the customer. They really wanted the product.’ That boom in online sales is not limited to Black Friday’s silly season. According to the Mastercard Economic Institute’s Economy 2021 report, the COVID-19 pandemic has ‘permanently changed consumer spending habits’, bringing with it dramatic growth in the fintech sector. Visa’s Back to Business Study – 2021 Outlook, for example, found that 65% of consumers now prefer contactless payments. And while only 16% of consumers would prefer to return to the traditional way of paying, some 74% say they will still use contactless payments, and 47% straight-out say they don’t want to buy from vendors who don’t offer contactless payment options. Recent digital innovation has enabled several new payments options, from contactless to virtual cards, QR codes, tap-and-go and more. But that convenience has come at a significant cost. As Paul Abbate, deputy director of the US Federal Bureau of Investigation, put it in a recent report, the pandemic has enabled cybercriminals to ‘profit from our dependence on technology to go on an internet crime spree’. That’s where the excitement about fintech and cashless-payment technology has to be tempered. In late 2020, for example, the South African Reserve Bank (SARB) and the Financial Sector Conduct Authority (FSCA), in consultation with the Payments Association of South Africa (PASA), issued a strong warning against instant EFT services, where third-party providers use ‘screen scraping’ technology to access bank account data and automate actions on behalf of a consumer using that consumer’s online banking access credentials to facilitate payment. This, the SARB, FSCA and PASA warned, exposes consumers to a string of risks related to data privacy. ‘Consumers have no control over how their credentials, and any other data or personal information, are accessed and used by the third party,’ they said. ‘EFT payments are final and irrevocable in nature, and consumers are unable to lodge disputes to reverse a transaction in the event of the online store not honouring their agreement,’ they added, cautioning that ‘by providing their internet banking login credentials to a third party, consumers [who] use instant EFT products might be in breach of their banks’ terms and conditions which regulate internet banking. As a result, knowingly or unknowingly, consumers might be giving up their rights of recourse and any legal protection in the event of suffering fraud and/or subsequent loss’. Having become used to the convenience of digital transactions, customers are unlikely to revert to traditional payment methods Ozow, which built its business on instant EFT technology, issued a strong response. CEO Thomas Pays insisted that the tech was no less secure than any other payment method. ‘Focusing on obscure risks that are pervasive to the whole system seems centred on fear-mongering to protect historic revenue at the expense of the consumer value add,’ he said – but the risk is there. Meanwhile, digital wallets such Apple Pay are similarly convenient, yet similarly flawed. All of South Africa’s major banks have recently made Apple Pay available to their customers, with Standard Bank saying in a statement that ‘security and privacy are at the core of Apple Pay. When customers use a cheque or credit card with Apple Pay, the actual card numbers are not stored on the device, or on Apple servers. Instead, a unique device account number is assigned, encrypted and securely stored in the Secure Element, an industry-standard, certified chip designed to store the payment information safely on the device’. However, at the Black Hat Europe 2021 cybersecurity event in November, Positive Technologies’ Timur Yunusov demonstrated how a security hole in public transport payment services could lead to fraudulent payments, even on the latest smartphone models – and even when the phones’ batteries were dead. Yunosov’s team tested a series of payments to see how much money they could get away with stealing. They stopped at GBP101. They’d made their point. Yunusov said that a lack of offline data authentication allowed the exploit, even though the transactions were subject to global safety standards. ‘The only problem is that now big companies like Mastercard, Visa and AMEX don’t need to follow these standards when we talk about near-field communication payments,’ he said. ‘These companies diverged in the early 2010s, and everyone is now doing what they want here.’ He said that phone manufacturers and payment companies would have to work together to address the vulnerability, but conceded that even though the problem lay with the mobile phones, the liability was being passed on to the banks. ‘The mobile wallets are in a sweet spot,’ he said. ‘On one side, they [payment companies] earn money from transactions and popularise their products. From another side, they tell customers if there’s any fraud, to contact the issuing bank to ask why they allowed the payment.’ Admittedly, the Black Hat conference is the kind of event where you frequently check your back pocket to make sure it hasn’t been picked. But by highlighting some of the flaws in payment security, speakers such as Yunusov hope to encourage better, safer technologies. Andrew Springate, CEO of South African payment gateway PAYM8, has marked 2021 as ‘the Year of the Online Payment’. One of the payment technologies that caught his attention during the year was DebiCheck, an authenticated debit order-collection system that came into effect on 1 November. ‘DebiCheck requires debit orders to be authorised by the debtor before processing, and will do away with the debit order abuse that has plagued South Africa in recent years – whether that was companies processing invalid debit orders or consumers unfairly disputing debit orders with their banks,’ he says. ‘Now, debtors simply have to electronically authorise new debit orders on a once-off basis, giving their bank the details of the agreement and preventing debit orders outside these terms.’ Springate believes that the acceptance of digital transactions will be a permanent shift after the pandemic. ‘It’s safer, contactless and more convenient,’ he says. ‘And having tried and tested it in recent months, consumers have also come to trust digital transactions more. We’ve seen mainstream institutions and traditional banks accelerating their digital offering, but non-bank payment providers are often able to adapt faster to specific customer needs – making fintechs the trend-setters in the race to the digital, cashless future.’ One of those offerings is the Rapid Payments Project (RPP), which Springate believes will go from launch in 2022 to being South Africa’s most preferred e-payment option in 2023. ‘RPP will allow people to make real-time bank-account-to-account payments using an identifier like a cellphone number or email address, without the need of remembering the account detail,’ he says. ‘It will also deepen financial inclusion and contribute to building a safe, reliable and efficient national payments system.’ Until, one fears, cybercriminals poke at it and find holes in its security armour. That’s why the fintech industry is pushing so hard for its ‘fin’ arm to be protected by ‘tech’ that has security written into its DNA. Speaking ahead of the US government’s recent Cybersecurity Summit, an anonymous senior White House official described a future where mobile devices – which now also double as payment devices – are secure by design. ‘We need to transition to where technology is built securely by default, and baked in by design,’ they said. ‘You know, we don’t buy a car and then buy the airbag separately. We need to know we’re buying secure tech.’ Hopefully that level of tech will be available soon. And who knows? You might even pick it up on the next Black Friday sale. By Mark van Dijk Images: Gallo/Getty Images