Sunday, December 10, 2023

TymeBank online “security” sucks

“If you are happy with your security, then so are the bad guys”
A few days ago a friend sent me a WhatsApp voice message warning about the dangers of “tap to pay” cards. I had a look on my TymeBank app but it provides no information, so I contacted them on Twitter. Big mistake. Someone saw my post and told me that they have a “very helpful” WhatsApp number: 081-591-8538. Turns out it was fake, but I didn't know that at the time. Now the crooks are using 064-022-6823, 062-858-2151, 064-121-8862, 083-539-9981 and 076-847-4973.
Fairly convincing: helpful options, no spelling mistakes. But here's the kicker: once you choose your option, you have to provide your ID number and the last 4 digits of your card number. That's all they need to log in to your account and steal your money. They left R0.87 behind. How kind. Plus they changed my login password and my login PIN.
  • My first problem is this: all the OTPs are carefully crafted to fit into less than 160 characters (SMS length), but provide little or no meaningful information:
    TymeBank. Never share this One Time PIN with anyone. Use OTP 9411 to change your Login PIN or Internet Banking password. For help 0860999119. 09Dec 22:14
    Had I known that my ID number and the last 4 digits of my card number were all that is required to log in to my account and reset the login password, I obviously would have been more careful.
  • My second problem is that neither the SMS messages nor the banking app on my phone bothered to tell me that the login PIN had been changed. They sent me an email. Except I don't receive emails on my phone, and I wasn't in the office on a Saturday evening. They may as well send it by registered letter for all the good it did.
  • My third problem is that in order to send money to someone's phone, no OTP is required at all. Nothing. I have checked the OTP messages sent to my phone and there is absolutely nothing referring to sending money to anyone. But the app conveniently told me that the money had been sent, after it was sent. Too late of course, but still. And once it has been sent, the money voucher cannot be cancelled or reversed.
  • My fourth problem was when I realised I had been defrauded. I called 0860999119 and reported the fraud. The first lady who answered the call was basically clueless, and didn't ask for my email address or home address, just my ID number. That only happened later when I checked that 0860999119 was in fact a genuine number for TymeBank. On the second call I was asked for my details, and told that I would receive an SMS with the fraud reference number GFD-126181. I'm still waiting for that SMS from the first call, or the second call.
  • Another problem: TymeBank claims to be concerned about my security, but my account cannot be protected by a secure second factor like a Google Authenticator code. It's simply not an option. Nor is there any option to limit the size of a tap-to-pay transaction. SMS is not secure. Everyone in the financial sector knows that. But they choose to use it anyway. Insecure by design.
Naturally, I will have to wait until Monday for anything to happen. And it will take a week or so for them to think up a weasel excuse for not refunding me the money. In the meantime, my Christmas is ruined.
No one can explain why the SMS messages don't tell you what the code is for. Nor can they explain why there isn't a security check when you send money, or why the fraud case number hasn't arrived by SMS. Maybe that only happens when someone actually looks at the case, by which time it is too late to reverse the transaction, naturally. Their system is designed for fraud to take place.

Update Sunday 10 December: TymeBank doesn't appear to monitor their own Twitter feed for scammers like this:

Update Monday 11 December 2pm: I got a call from the fraud department (010-241-1363), who can't explain why the message with the fraud case number was not sent, but can assure me that I received and read all their OTP messages. They don't have a facility to disable tap-to-pay, but I do: it's called a microwave. Pop it in for 1 second and the tap-to-pay (and the chip-and-pin) will never work again. “I'm sorry about that we do apologise sir” is a phrase they use often and repeatedly, along with “I hear you”, but until they change the way their systems work, it means nothing and they “heard” nothing. Apparently it's easier to refund R769 than to improve the security of the business. It's not the employee's money they are wasting.
They are an internet business that doesn't have any branches, but they don't operate on internet time, only government time. That leaves plenty of time for the crooks to do their dirty business. They have 4 cell phone numbers from this blog, and they have probably seen these numbers before, but they have not found out from FICA/RICA who owns those numbers, or made any arrests. And they don't seem interested in finding out either.
The lady who called asked me to remove this article. Apparently I will still get a refund if I refuse. We will see. The refund will most likely happen within the next 5 working days. I'm not holding my breath.
Update Tuesday 12 December: TymeBank Twitter account hadn't blocked @Hajra32021956, until I suggested it, even though they are supposed to monitor the activity on their own Twitter feed. Hopeless. And they seem to think that if I block @Hajra32021956 the criminal activity will somehow stop. Clueless.
They block their critics warning of their problems, but allowed the scammers to operate for weeks with impunity. Clueless.

Further update 12 December: I received the following email:
From: Fraud Operations Mailbox <>
Sent: Monday, December 11, 2023 3:34 PM
To: Donn Edwards
Subject: Liability letter for GFD- 126181

Good day

Thank you for contacting TYMEBANK.

Your Fraud Dispute with Case number GFD- 126181 has been finalized.

Kindly find attached outcome letter


Fraud Operations

Phone +27 (0)87 286 8833
4th Floor, 30 Jellicoe Avenue, Rosebank 2196

TymeBank is an Authorised Financial Services Provider (FSP49140).
Tyme Bank Limited Reg no: 2015/231510/06
To which I replied:
From: Donn Edwards
Sent: Tuesday, December 12, 2023 6:54 PM
To: 'Fraud Operations Mailbox' <>
Subject: RE: Liability letter for GFD- 126181

Dear “Fraud Operations”

At what point in this process do you acknowledge that I was not informed in a timeous manner that my login PIN and password were changed, in the same way that I get a notification when the balance changes?

Please can you supply me with the police case number, or do I need to open one myself?

How many times do you get LEGITIMATE withdrawals where:
1. The login PIN was changed;
2. The login PASSWORD was changed; and
3. All the money in the account was sent to a mobile number not used before on the account,
All within a short period of time, such as 30 minutes?

If not, why does your system not throw up a fraud alert when this happens?

When do you plan to obtain the FICA/RICA details of the following phone numbers used by these fraudsters impersonating the bank?

I await your prompt reply, and will be visiting your offices tomorrow.

Best wishes
Donn Edwards
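
The three-condition rule in that email, written out as a detection check over an account event log. This is an added illustration, not TymeBank's code; the events, account ids, amounts and mobile numbers are constructed, and the 30-minute window and 90% "drain" threshold are assumptions.

```python
"""Velocity rule for the takeover pattern: both login credentials changed,
then the balance sent to a never-before-used mobile number, all within a
short window. Constructed sample data, not real bank records."""
from datetime import datetime, timedelta

# Constructed event log: (time, account, event type, details).
EVENTS = [
    (datetime(2023, 12, 1, 10, 0), "acc-1", "send_to_mobile",
     {"to": "071-000-0001", "amount": 50.0, "balance_before": 900.0}),
    (datetime(2023, 12, 9, 21, 50), "acc-1", "login_pin_changed", {}),
    (datetime(2023, 12, 9, 22, 14), "acc-1", "password_changed", {}),
    (datetime(2023, 12, 9, 22, 20), "acc-1", "send_to_mobile",
     {"to": "071-000-0002", "amount": 769.13, "balance_before": 770.0}),
    # Benign control: credentials changed, but a small amount goes to a
    # recipient this account has paid before.
    (datetime(2023, 12, 9, 12, 0), "acc-2", "send_to_mobile",
     {"to": "071-000-0003", "amount": 20.0, "balance_before": 500.0}),
    (datetime(2023, 12, 9, 20, 0), "acc-2", "login_pin_changed", {}),
    (datetime(2023, 12, 9, 20, 5), "acc-2", "password_changed", {}),
    (datetime(2023, 12, 9, 20, 10), "acc-2", "send_to_mobile",
     {"to": "071-000-0003", "amount": 30.0, "balance_before": 480.0}),
]


def takeover_alerts(events, window=timedelta(minutes=30), drain_ratio=0.9):
    """Return (account, transfer time) for every send_to_mobile that drains
    the account to an unseen recipient while both a PIN change and a
    password change fall inside the preceding window."""
    alerts = []
    seen = {}    # account -> recipients used before the current event
    recent = {}  # account -> [(time, credential event type), ...]
    for t, acct, kind, d in sorted(events, key=lambda e: e[0]):
        if kind in ("login_pin_changed", "password_changed"):
            recent.setdefault(acct, []).append((t, kind))
            continue
        if kind != "send_to_mobile":
            continue
        known = seen.setdefault(acct, set())
        changes = {k for ct, k in recent.get(acct, []) if t - ct <= window}
        drains = d["amount"] >= drain_ratio * d["balance_before"]
        if ({"login_pin_changed", "password_changed"} <= changes
                and drains and d["to"] not in known):
            alerts.append((acct, t))
        known.add(d["to"])  # recipient is "known" only after this transfer
    return alerts
```

Run against the sample, only acc-1 fires; acc-2 has the same credential changes but pays a known number with a small amount, which is why recipient history and drain ratio are both part of the rule.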

I'm still trying to figure out how to sign the outcome letter which is a read-only PDF format document. I don't think these muppets thought it through, do you? As it turned out, I was unable to visit their offices to deliver the signed letter. But I have scanned it and sent the scanned image containing my signatures.

Update: 14 December 2023: I just received the following email message
In the meantime I have replaced my TymeBank debit card with a Pick 'n Pay Smart Shopper card.
Update: 16 December 2023: According to the outcome letter they sent, my account has been blocked. Perhaps that would explain why they have not refunded the stolen money yet. I'm not holding my breath.
Update Monday 18 December: The refund finally arrived. I have transferred it to my FNB account.