payments

#cybersecurity | #hackerspace | In-store Payments via Mobile Apps Can Lead to Increase in Card Not Present (CNP) Fraud

Source: National Cyber Security – Produced By Gregory Evans

Consumers love the convenience of paying for goods and services in store by using their NFC enabled smartphones and stored credit cards. This is demonstrated by the fact that you can download retailer specific apps for your smartphone to pay for everything from coffee, to movie tickets, to poutine using a retailer specific mobile app.

As more and more retailers embrace this technology and release their own mobile apps with in-store payment options, the threat of fraudsters looking to benefit from flaws in the implementation, or by exploiting the human component must be carefully considered. The following are a few example Card Not Present (CNP) fraud schemes that retailers who offer in-store purchasing using a store branded mobile app should be aware of.

In these scenarios, we will use the imaginary retailer Smoothie Shop. Smoothie Shop has a mobile app that allows customers to save their credit card in the app in order to facilitate easy in-store purchases. Consumers log into their Smoothie Shop account using an email address and password. Smoothie Shop has recently seen an increase in CNP fraud and chargebacks, but is unable to pinpoint the root cause.

(Smoothie Shop mobile app login)

CNP Fraud Scheme #1 – Fraudster takes over a Smoothie Shop account that has a Credit Card saved in the app

In this scenario, the fraudster has to take over an existing Smoothie Shop account. This is known in the industry as Account Takeover (ATO) which is explained here.

In this scenario the fraudster has lucked out! Since the account that was taken over by the fraudster already has a credit card saved in the app, the fraudster can simply walk over to a Smoothie Shop, present the mobile app with the saved credit card information and enjoy a refreshing smoothie that was paid for via some other Smoothie Shop customer’s stored credit card.

CNP Fraud Scheme #2 – Fraudster takes over a Smoothie Shop account that does not have a Credit Card saved in the app

Again this scenario requires the fraudster to take over an existing Smoothie Shop account; however, it requires a little more legwork and is less profitable than Fraud Scheme #1 above. Since the Smoothie Shop account that was taken over does not have a credit card saved in the app, the fraudster will instead need to buy a stolen credit card off the Dark Web or some other electronic market*, and then add the freshly purchased credit card to the Smoothie Shop account and app. Once this is done, the fraudster proceeds in-store to obtain smoothies using the stolen credit card.

Why would the fraudster go through the trouble of taking over an existing Smoothie Shop account you ask? Good question! Fraudsters are aware that aged accounts (e.g. accounts more than 3-6 months old) with a good transaction history are usually given more leeway and transactions from these accounts are less closely scrutinized when compared to a brand new account with no transaction history.

*Stolen credit cards can be acquired for as little as $3 or as much as several hundred dollars depending on the credit limit, zip/postal code, issuing bank, etc.


(screenshot from Dark Web Credit Card market)

CNP Fraud Scheme #3 – Fraudster creates a brand new Smoothie Shop account

This scheme doesn’t require taking over an existing account, but instead requires the fraudster to use a bot tool or a human clickfarm to create hundreds of “fake” Smoothie Shop accounts. Once the fraudster has access to multiple Smoothie Shop fake accounts, he can then add in as many stolen credit cards as he pleases in order to make in-store purchases at Smoothie Shop, each one being a unique incident of CNP fraud.


(In-store payment via Smoothie Shop mobile app and stored credit card)

What can Retailers and Consumers do to protect themselves?

Prevention Methods for Retailers

1) Prevent Account Takeover. This is easier said than done. There are many ways to prevent or at least significantly reduce the amount of ATO, such as by eliminating Credential Stuffing. The goal of the organization should be to eliminate the economic advantage that fraudsters obtain from taking over an account. If the cost/effort of taking over an account outweighs the value of said account, there will be no incentive for the fraudster and he/she will likely go elsewhere to commit fraud.

2) Maintain control of the Account Creation process. Creation of accounts by bots and scripts can be limited by using a CAPTCHA; however, captchas can be bypassed by fraudsters of mid-level sophistication, and consumers generally dislike captchas. Preventing bulk creation of accounts requires collecting device-level information in order to restrict the number of new accounts that can be created by a single device. There are device farms available for rent, but forcing the fraudster to leverage a device farm could make their rate of return less desirable and push the fraudster elsewhere.

3) Ensure your customers are not logging into your site/mobile app with credentials that have been compromised in 3rd party data breaches. This is a NIST recommendation that makes a lot of sense in today’s world of daily breaches. The customers that are logging in to your website or mobile app with compromised credentials are most likely the accounts that will be taken over and defrauded first.

4) Build controls around misuse of credit cards in the mobile app. Legitimate customers will likely need to add 1, maybe 2 unique credit cards to their account/device. Any account/device trying to add 3, 4, 5, or more credit cards to an account should be closely inspected and possibly restricted from adding any more. The stored credit card should also be tied to the device, rather than the account. That way, if an account is taken over from a new device, there will be no stored credit card information available for the fraudster to use. Both of these require a strong and unique identifier on the device level.
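The card-misuse controls in item 4 (a cap on unique cards per account and per device, and stored cards bound to the device that added them) can be expressed as a small server-side check. The following is an added illustration, not code from the original post or from Shape Security; the `WalletService` class, the `add_card`/`cards_available` names, the processor tokens and the device identifiers are all assumptions, and the scenario data is constructed to mirror the three schemes above.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Threshold taken from the post: a legitimate customer adds one, maybe two cards.
CARD_LIMIT = 2


@dataclass
class StoredCard:
    token: str      # processor-issued token (assumed); the PAN is never stored here
    device_id: str  # the device that added the card; the card is usable only from it


@dataclass
class Wallet:
    # device_id -> cards added from that device
    cards_by_device: dict = field(default_factory=lambda: defaultdict(list))
    flagged: bool = False  # set once the account trips the velocity control


class WalletService:
    """Hypothetical server-side card storage with per-account and per-device limits."""

    def __init__(self, limit=CARD_LIMIT):
        self.limit = limit
        self.wallets = defaultdict(Wallet)     # account -> Wallet
        self.device_tokens = defaultdict(set)  # device_id -> tokens added from it, across all accounts

    def account_tokens(self, account):
        w = self.wallets[account]
        return {c.token for cards in w.cards_by_device.values() for c in cards}

    def add_card(self, account, device_id, token):
        """Return 'added', 'exists', 'review' (limit exceeded, account flagged)
        or 'blocked' (account already flagged)."""
        w = self.wallets[account]
        if w.flagged:
            return "blocked"
        if token in self.account_tokens(account):
            return "exists"
        # Count unique cards on this account, and unique cards this device has
        # added to any account (catches one device feeding many fake accounts).
        too_many_for_account = len(self.account_tokens(account)) + 1 > self.limit
        too_many_for_device = len(self.device_tokens[device_id] | {token}) > self.limit
        if too_many_for_account or too_many_for_device:
            w.flagged = True
            return "review"
        w.cards_by_device[device_id].append(StoredCard(token, device_id))
        self.device_tokens[device_id].add(token)
        return "added"

    def cards_available(self, account, device_id):
        """Tokens usable for an in-store payment from this device: only cards added on it."""
        w = self.wallets[account]
        return [c.token for c in w.cards_by_device.get(device_id, [])]


def run_scenarios():
    """Constructed walk-through of the three schemes against the controls."""
    svc = WalletService()
    out = {}
    # Legitimate customer saves one card on her own phone.
    out["legit_add"] = svc.add_card("alice", "phone-A", "tok_alice_1")
    out["legit_pay"] = svc.cards_available("alice", "phone-A")
    # Scheme #1: the account is taken over from a new device; no stored card is usable there.
    out["ato_new_device"] = svc.cards_available("alice", "phone-X")
    # Scheme #2: stolen cards added to a taken-over account; the third one trips review.
    svc.add_card("bob", "phone-X", "tok_stolen_1")
    svc.add_card("bob", "phone-X", "tok_stolen_2")
    out["bob_third"] = svc.add_card("bob", "phone-X", "tok_stolen_3")
    out["bob_after"] = svc.add_card("bob", "phone-X", "tok_stolen_4")
    # Scheme #3: fresh accounts created from one device; the device limit trips instead.
    out["farm"] = [svc.add_card(f"fake{i}", "phone-F", f"tok_s{i}") for i in range(4)]
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The per-device count is what makes the control useful against Scheme #3: each fake account stays under its own limit, but the device that feeds them does not. Both counters depend on a device identifier that the fraudster cannot cheaply reset, which is the "strong and unique identifier on the device level" the post calls for.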

Prevention Methods for Consumers

1) Don’t reuse passwords across multiple sites! – This is the single most important piece of advice consumers should follow. If you reuse the same password across multiple sites, it is no longer a question of if, but rather when you will become a victim of Account Takeover and fraud. Using a Password Manager to create strong and unique passwords will greatly improve your personal security posture.

2) Be mindful of the sites and apps that you enter your username and password in to. Many fraudsters are now relying on phishing scam sites that look eerily similar to the real retailer/airline/bank site but are in fact under the control of the fraudster and are meant to harvest credentials in order to commit fraud.

3) Make sure you have a reputable antivirus on your Smartphone and uninstall any apps that are flagged as suspicious or malicious.

4) Use a virtual credit card. Virtual credit cards are now available from a number of organizations. These are beneficial as you can create a single use virtual credit card with a credit limit for a specific retailer. That way if the retailer suffers a data breach, or your account is taken over, your fraud exposure is contained and your real credit card is still secure.

5) Ask the retailer about their security controls and practices, and how they prevent Account Takeover. If they give you a sub-par canned answer, maybe you should think twice before saving your credit card information in their app.


*** This is a Security Bloggers Network syndicated blog from Shape Security Blog authored by Carlos Asuncion. Read the original post at: https://blog.shapesecurity.com/2020/02/13/in-store-payments-via-mobile-apps-can-lead-to-increase-in-card-not-present-cnp-fraud/


Scammers Stealing Down Payments By Hacking Real Estate Agents’ Email Accounts


Buying a home is the biggest purchase most Americans will make during their lifetime. But now hackers have figured out how to steal the down payment, leaving the buyer without a new home and often wiping out their life savings. “The timing was impeccable, actually,” said Kristina Soloviena, a real…


Samsung’s Facial Recognition related Mobile Security is not yet ready for Mobile Payments


Samsung has made it official that its facial recognition feature related to mobile security is still not ready to make mobile payments. The world-renowned smartphone maker has also added in its media briefing that it might take at least 4 …


Banks to face expulsion from global payments systems over IT security


SWIFT to review security strategy following cyber attacks – with the ultimate on the table for banks with poor security SWIFT, the global inter-bank payments system, will threaten members with expulsion over poor cyber security in a shake-up in the organisation’s security strategy. That is the message of SWIFT CEO Gottfried Leibbrandt following a string […]


Cyber security expert warns German banks of retail payments risks


A top cyber security researcher has warned German banks that their retail payment systems have security flaws that could allow fraudsters to steal payment card PIN codes, create fake cards or siphon funds from customer or merchant accounts. Karsten Nohl, who is credited with revealing major security threats in mobile phones, automobiles, security cards and thumb-sized USB drives, told Reuters he has found critical weaknesses in software that runs retail point-of-sale terminals in Germany.

Nohl outlined two types of attacks. One to steal personal identification numbers (PIN) or spoof transactions when customers pay at checkout tills and a second method that tricks payment processors that act as intermediaries between banks and merchants to transfer funds into other, fraudulent accounts.

Nohl and fellow researchers Fabian Braeunlein and Philipp Maier at Security Research Labs in Berlin disclosed their findings to banks, card issuers, device makers and industry associations in recent weeks. SRLabs acts as a security consultant to Fortune 500 firms, including several big banks.

In 2012, SRLabs uncovered defects in the most popular retail payment terminal in Germany, the Artema Hybrid from U.S.-based VeriFone Systems. The latest findings go further to show that virtually all terminals in Germany are liable to having payments hijacked […]

For more information go to http://www.NationalCyberSecurity.com, http://www.GregoryDEvans.com, http://www.LocatePC.net or http://AmIHackerProof.com


Samsung says its mobile payments data is safe despite hack


Samsung Electronics has said its mobile payment system is safe after a hacking attack against its US-based subsidiary LoopPay. An article in the New York Times on Wednesday said the hacking incident had occurred against LoopPay’s network in March. LoopPay, acquired by Samsung in February, developed the payment system used to run Samsung Pay – a competitor to Apple Pay. Samsung said user data was not at risk. In August, the Korean electronics giant launched its mobile wallet service Samsung Pay in South Korea, followed by a launch in the US in September. Samsung Pay competes against rival Apple’s pay facility, which launched last year and operates in the US and UK. Google offers a similar payment system. The mobile phone payment systems are designed to convince shoppers to use their handsets to make in-store purchases – rather than using cards. The New York Times article says Chinese hackers – the so-called Codoso Group – gained access to LoopPay’s office network and were not discovered until five months later in August. Samsung said its payment system “was not impacted and at no point was any personal payment information at risk”. The firm said it was an “isolated incident” and stressed that […]


Fraud alert to freight forwarders as email hackers divert payments for shipments


The independent freight forwarder sector appears to have become the latest victim of internet crime, with several cases of international payments between forwarders being redirected into fraudsters’ accounts. Over $100,000 has been stolen from WCA members in a series of stings over the past nine months, according to WCA vice-president of customer service Andy Robins. WCA, the world’s largest network of independent freight forwarders, with over 5,000 members across the world, has monitored an alarming increase in the number of forwarders targeted, although Mr Robins believed that the fraudsters’ modus operandi has largely been established and he told The Loadstar that forwarders need to be especially vigilant if their international partner claims to have changed bank account details during the payment process. “There’s a hacker out there watching freight forwarders and getting into the negotiations at the last moment. “The pattern seems to be that they will hack into an email conversation between two members, and then, at the last minute when a payment is due to be made, they block the emails of the recipient of the funds and instead email the agent who is due to pay and informs them of a change of bank details which the […]
