Explained: The Bitcoin Scam in Israeli Banks' Payment Apps

Despite complaints to the authorities, users haven’t been warned about cybercriminals who swindle sellers of bitcoin using popular payment apps

PayBox.

As payment apps become increasingly popular with Israelis, swindlers have been quick to get in on the act. Over the past few months, a number of scams affecting bitcoin transactions have been perpetrated through Pepper Pay (Bank Leumi) and PayBox (Israel Discount Bank), an investigation by TheMarker revealed.

An investigation by TheMarker found that the thieves found their “marks” on Telegram and Facebook pages for bitcoin trading. They answered ads from group members seeking to sell bitcoin, and arranged for purchase through one of the payment apps.

While the thieves received “real” bitcoin in the transactions, because they used stolen credit cards the transfers were ultimately canceled. But because bitcoin transfers between people are encrypted, it is very difficult to track the thieves.

Prior to conducting the transaction, the bitcoin sellers and the thieves exchanged photos of their IDs, ostensibly to create mutual trust. But while the sellers sent copies of their real IDs, the thieves sent copies of other people’s IDs and meanwhile added the IDs that were sent to them by the sellers to their collection of IDs to be used in future stings.

In these cases, the thieves used fake profile pictures taken from Facebook, WhatsApp and Telegram. Sometimes the thieves agreed to purchase the bitcoin at rates significantly higher than the actual bitcoin rate at the time of the transaction in order to hasten the transaction and keep the sellers from getting cold feet. In some instances, the thieves offered a 10% premium on the price of bitcoin at the time of the transaction.

The thieves used stolen credit cards to sign up with the popular payment apps, mainly Pepper Pay and PayBox. At the time of the transactions, the apps gave no indication that stolen credit cards were being used.

The thieves exploited the delay between the time of the transaction on the app and the deposit of funds in the recipient’s account, which can be a full day, or up to 48 hours on weekends.

When the transaction carried out through the payment app reached the bank, the system flagged the credit card that was used as stolen. The transfer was rejected and canceled by the bank that operates the payment app. When this happened, the recipients, who’d already seen a notice on the app that the transfer was completed, suddenly discovered a day later that the money never went into their account and the status of the transfer was changed from “accepted” to “rejected.”

Full and immediate compensation

Last week, a customer using Pepper Pay was swindled out of 2,000 shekels ($545) in this manner. “Hila” advertised on the Israeli bitcoin Telegram group that she wanted to sell some of the cryptocurrency. She was contacted by someone who used a stolen ID. As soon as she saw on Pepper Pay that the money had been transferred to her, she transferred her bitcoin to the guy she’d been in touch with. Before going ahead with the transaction, the seller called Pepper Pay’s customer service line twice to make sure that the person depositing the money in her account could not later withdraw it and was told very definitively that the money could not be withdrawn by the sender once it was transferred.

A few hours later, when she saw that the money did not appear in her account, she was told that the money would appear in her account within 48 hours. But it never got to her. After 48 hours, the status of the transaction was shown as “rejected.” At first, Pepper customer service reps told Hila that she was the one who rejected the transfer, but she insisted that she hadn’t rejected it and that initially a status had appeared saying the transfer was successfully completed. After Pepper did a more thorough review, she was told that she’d been the target of a scam, and that once the bank saw that the credit card with which the transfer was stolen, it rejected the transaction. Pepper Pay immediately informed Hila that she would receive full compensation for the sum that was supposed to have been transferred to her, and the company followed through. Hila also went to the police but she says the detective who took her complaint didn’t know what Telegram or Bitcoin is. She says she was told the complaint would be handled by the cybercrime unit, but she has yet to hear anything more from the police. “In the cryptocurrency world, everything is secret and discreet. You can’t know whom you’re transferring money to. It’s so discreet that a person could send money to himself on the app with a problematic credit card and then say that he was defrauded — and steal money that way from the bank that runs the app. I’m glad that Pepper returned the money to me and acknowledge that there’s a loophole in the app and didn’t try to evade responsibility,” says Hila.

Victim’s account blocked

“David” was targeted in a similar bitcoin transaction through PayBox. With PayBox, incoming funds sit in a digital wallet and appear on the app as “accumulated balance for withdrawal.” The user must make a withdrawal from this balance and transfer it into his bank account.

After the transaction to sell his bitcoin, confirmation appeared in David’s PayBox account for a transfer of 6,000 shekels, and the money also appeared in the balance in the digital wallet. But when he went to withdraw the money from the digital wallet to put in his bank account, it did not go through, and he found out that the amount that appeared in the wallet balance was not really there. He also discovered that his PayBox account had been blocked. He says that despite numerous conversations with PayBox customer service reps, in which he was promised that he would be compensated and receive the money that was transferred to him, nothing has changed. The money has not shown up and his PayBox account is still blocked.

“Tal” was also the victim of this type of fraud, when payments he was supposed to receive through these apps never made it into his account. It happened to him twice, both with transactions of 6,000 shekels, one via Pepper Pay and one via PayBox. He says Pepper Pay quickly assumed responsibility and promised to repay him the full amount, PayBox’s response was disappointing. Instead of returning the money he lost, they blocked his account and all activity on the app. When he asked why he’d been blocked, PayBox referred him to the app’s terms of service.

PayBox recommends that users avoid transactions with people they don’t know. It also recommends avoiding making transactions in digital currency. All of the scams described here exploited the fact that the recipient of the payment did not personally know the person making the transfer and all of the transactions involved digital currency, where the level of discretion makes it especially difficult to trace who received the currency. However, this is all advice to users and not part of the terms of service, and users should know that if they have been scammed in this way, PayBox should take responsibility and ensure they are properly compensated. Bank Discount, which runs PayBox, says it has no intention of evading responsibility and will compensate users who were innocently taken advantage of.

In a written response, Pepper Pay said: “The transaction described was made with a stolen credit card and approved because the card had not been reported stolen at the time of the transaction. During the night the card was reported stolen and therefore the transfer was rejected. As part of the service experience, we decided to compensate the customer for the amount of the transfer. This type of transaction with a stolen credit card could occur in any business, physical or digital, and the only way to prevent it is to report the theft to the credit card company. Pepper Pay will continue to provide its customers with service that meets the highest standards.”

Israel Discount Bank said: “PayBox places the utmost importance on protecting its customers and their money, particularly in the digital realm. Therefore PayBox carefully monitors the activity on the app in order to spot suspicious transactions made with stolen credit cards under a stolen identity, or other prohibited activity (as listed in the terms of service). When suspicious transactions, which account for a tiny fraction of all the transactions made on the app, are identified, PayBox freezes the transfer request for a few days until the validity of the transaction has been determined. PayBox believes that the inconvenience caused to a very small number of customers due to the implementation of this process is negligible compared to the protection and confidence it creates for hundreds of thousands of app users.”

Bank Hapoalim, which offers the Bit payment app, says: “A transfer done with Bit cannot be canceled. It’s important to note that if a customer is harmed through no fault of his own, we have the customer sign a letter of indemnity and credit him in the amount of the damage, regardless of whether the event occurred in a bank branch, an ATM or through digital channels.”