04 April 25, 10:01
Quote: Cybercriminals are inventing new ways to swipe money from payment cards by using credentials phished online or over the phone. Sometimes, just holding your card to your phone is enough to leave you penniless.
Payment card security is constantly improving, but attackers keep finding new ways to steal money. In days gone by, having tricked the victim into handing over card credentials on a fake online store or through another scam, cybercriminals would make a physical duplicate card by writing the stolen data onto a magnetic stripe.
Such cards could then be used in stores and even at ATMs without a hitch. The advent of chip cards and one-time passwords (OTPs) made life much harder for scammers, but they adapted. The shift to mobile payments using smartphones increased resilience against some types of scams — but also opened up new avenues for them. Now, having phished a card number, they try to link it to their own Apple Pay or Google Wallet account. That done, they use this account from a smartphone to pay for goods using the victim’s card — either in a regular store or at a fake outlet with an NFC-enabled payment terminal.
How card credentials are phished
Such cyberattacks entail preparation on an industrial scale. Attackers create networks of fake websites designed to phish for payment data. These might imitate delivery services, large online stores, and even portals for paying utility bills or traffic fines. The cybercriminals also buy up dozens of smartphones, create Apple or Google accounts on them, and install contactless payment apps.
Next comes the juicy bit. When a victim lands on a bait site, they’re asked to link their card or make a mandatory small payment. This requires entering their card details and confirming ownership of the card by entering an OTP. In fact, the card is not charged at this point.
What actually happens? The victim’s data is almost instantly transferred to the cybercriminals, who attempt to link the card to a mobile wallet on their smartphone. The OTP code is needed to authorize this operation. To speed up and simplify the process, the attackers use special software that takes the data supplied by the victim and generates an image of the card that replicates it perfectly. After that, it’s enough just to take a photo of this image from Apple Pay or Google Wallet. The exact process of linking a card to a mobile wallet depends on the specific country and bank, but usually, no data is required other than the number, expiration date, cardholder name, CVV/CVC, and OTP. All this can be phished in a single session and put to use immediately.
To make attacks even more effective, cybercriminals employ additional tricks. First, if the victim comes to their senses before tapping the Submit button, any data already entered into the forms is still passed to the criminals — even if it’s just a few characters or an incomplete entry. Second, the fake site may report that the payment failed and prompt the victim to try a different card. This way, the criminals might phish details for two or three cards in one go.
The cards aren’t charged right away, and many people, seeing nothing suspicious on their bank statement, forget all about the incident.
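From the card issuer's side, the scheme described above leaves a trace: one wallet device or account accumulates cards belonging to several unrelated customers within a short time. The following detector is an added example (not from the quoted article or any vendor); the event schema, field names and sample events are constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ProvisionEvent:
    """One attempt to add a card to a mobile wallet, as an issuer might log it.
    Constructed schema: real provisioning logs differ per issuer and wallet."""
    ts: datetime
    card_id: str        # issuer-side reference to the card being tokenised
    holder_id: str      # customer who owns that card
    wallet_device: str  # device / wallet account the card is added to


def detect_card_stuffing(events, window=timedelta(hours=24), max_holders=1):
    """Flag provisioning attempts where a single wallet device has already
    been used, inside `window`, to link cards of `max_holders` or more
    *other* customers. A genuine owner adding several of their own cards
    to one phone is not flagged; a phone collecting phished cards from
    many victims is. Returns {card_id: reason}."""
    seen = defaultdict(list)  # wallet_device -> [(ts, holder_id)]
    flagged = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        recent_holders = {h for ts, h in seen[e.wallet_device] if e.ts - ts <= window}
        if e.holder_id not in recent_holders and len(recent_holders) >= max_holders:
            flagged[e.card_id] = "device_links_cards_of_multiple_customers"
        seen[e.wallet_device].append((e.ts, e.holder_id))
    return flagged


# Constructed sample: Alice adds two of her own cards to her phone (benign);
# one attacker-controlled device links cards phished from Bob, Carol and Dave.
T0 = datetime(2025, 4, 4, 10, 0)
SAMPLE_EVENTS = [
    ProvisionEvent(T0, "card-alice-1", "alice", "phone-alice"),
    ProvisionEvent(T0 + timedelta(minutes=5), "card-alice-2", "alice", "phone-alice"),
    ProvisionEvent(T0 + timedelta(minutes=10), "card-bob", "bob", "phone-X"),
    ProvisionEvent(T0 + timedelta(minutes=40), "card-carol", "carol", "phone-X"),
    ProvisionEvent(T0 + timedelta(hours=2), "card-dave", "dave", "phone-X"),
]

if __name__ == "__main__":
    for card, reason in detect_card_stuffing(SAMPLE_EVENTS).items():
        print(f"step-up or block provisioning of {card}: {reason}")
```

The first phished card on a fresh device is not caught by this rule alone, so in practice it is combined with other signals, such as how recently the wallet account was created.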