
Exclusive: Hack Breaks Your Visa Card’s Contactless Limit For Big Frauds

Think that £30 limit on contactless payments is going to protect you from big thefts? Think again.

Security researchers have found a way to bypass that limit on Visa cards. Their hack, which isn’t limited to U.K. cards, could let opportunistic crooks drain accounts with a single tap, and they claim they don’t even need to steal the credit card. And little on Visa’s side is being done to address this fresh fraud threat.

Forbes let the researchers—Leigh-Anne Galloway and Tim Yunusov from cybersecurity company Positive Technologies—try it out on a personal Visa card. They extracted three successful payments of £31 ($38). On their own cards they made contactless payments as high as £101, though it’s possible more could be stolen with just a tap.

Their hacks show how contactless fraud could get a lot worse. Typically, if a bank sees multiple £30 contactless payments, the card will cease to work, as fraud detection systems suspect it’s in the hands of a thief. But if it’s possible to make large transactions in one tap, the potential for significant frauds rises.

Card thieves can now make larger payments than they could before, and they don’t even need to steal the card. Criminals could, for instance, take a payment from a card when the user wasn’t looking using their own mobile payments machine (though a malicious merchant would eventually be caught by banks’ fraud systems if they kept using the same terminal). Or, even more dastardly, it’s possible to take a payment reading from a credit card using a mobile phone, send the data to another phone and make a payment on that second device that goes beyond the limit, the researchers claimed. For the hack to work, all the fraudsters need is to be close to their victim.

“So that means if you found someone’s card or if someone stole your card, they wouldn’t have to know your PIN, they wouldn’t have to impersonate your signature, and they could make a payment for a much higher value,” said Galloway.

There should be some limits on just how much a hacker could steal. Galloway said that while it may be that thieves could go much higher than the £101 they tested, into the hundreds or possibly thousands, fraud detection systems at the banks may be able to spot any wildly high transactions. “What we found is that actually, we can make reasonably high-value payments. So in the U.K., we’re able to make payments of £100 without any detection,” she added.

They’re still testing whether the hack would work elsewhere in the world, but Galloway confirmed it was not limited to a single country. The limit, of course, differs between nations. For instance, in the U.S., it’s considerably higher at $100.

No fix planned?

That doesn’t detract from the finding that the limit set on Visa cards can be broken. But Visa isn’t planning on updating its systems to deal with the hack. The financial industry giant argued that such a hack wouldn’t be likely to occur in the real world as the criminals would need to have their hands on the card and this doesn’t happen frequently. A spokesperson for the company went as far as to say that despite the research there wasn’t a security problem that needed addressing.

“One key limitation of this type of attack is that it requires a physically stolen card that has not yet been reported to the card issuer,” a Visa spokesperson told Forbes, noting that Visa was continually working on improving its fraud detection tech. “Likewise, the transaction must pass issuer validations and detection protocols. It is not a scalable fraud approach that we typically see criminals employ in the real world.”

Galloway disagreed that the fraudster would need to steal the card. As their tests showed, the hacker only needs to get close enough to the victim’s card for a short period of time to take a payment. This kind of “skimming” has long been proven possible, even if it relies on the card owner being caught unawares.

The Visa spokesperson also claimed that Visa’s global contactless fraud rate declined by 33% between 2017 and 2018, and by 40% in Europe. But data from UK Finance shows fraud using contactless caused £19.5 million of losses during 2018, up from £14 million in 2017. UK Finance did, however, note this was “low” in light of total spending of £69 billion over the same year. And neither UK Finance nor Visa said they’d ever recorded a case of contactless fraud in which the card hadn’t been stolen.

How the contactless hack works

To carry out their hack, the researchers used a specialized piece of hardware to intercept and insert messages in the communications between the card and the reader. For instance, they could tell the card that verification—like a PIN—wasn’t needed, even though the requested amount was more than £30. They then told the terminal that verification had already been made by another means.

The researchers said these checks hadn’t been made mandatory by Visa, as they had been by its rivals. And since banks follow the guidelines laid out by Visa, Visa could be doing more to address the issue, Galloway said. Visa, though, said that card issuers are ultimately responsible for validating transactions.

For the attack using two mobiles, Galloway explained that it was possible to use one smartphone to tap a card and effectively clone it for a short period. That first mobile takes what’s known as a “payment cryptogram” from the card. This is essentially a signature that is supposed to guarantee the authenticity of future payments. The cryptogram is sent to the second phone, which simulates the card as if it were making a mobile payment. The hackers can then go beyond the limit by doing the same interception attack as before.

Stephen Ridgway, cofounder and chief technology officer at cybersecurity startup th4ts3cur1ty.company, said that addressing such attacks at a technical level could be problematic. “There may be no ‘quick fix’ for this, even if the payment providers mandate authentication for payments over £30, if the card and reader are susceptible to a ‘man-in-the-middle’ attack that tricks the system into believing that authentication has already taken place,” he said.

As for what concerned cardholders can do to protect themselves, keeping cards physically secure is vital. For anyone worried about someone reading their card through their wallet, there are covers that can prevent such “skimming” from working. Ridgway said another cheap solution was to use a phone cover, as they often provide the same protection. And monitoring transactions could help consumers detect fraudulent transactions before banks do.

Improving bank security and new regulation should also improve matters. Ridgway said that should contactless limit bypasses become common, it’s very likely that payment providers will quickly learn to recognize and block them. And incoming EU rules could also prove a boon. From September 2019, banks will need to ensure a PIN is required once total contactless payments exceed a value of £130 or when five contactless transactions have been made in a day.
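The issuer-side checks this article describes can be shown as a small authorization policy: refusing a terminal’s claim that cardholder verification took place when the card itself does not corroborate it (the inconsistency the researchers exploited), enforcing the £30 single-tap limit, and applying the incoming £130-or-five-taps step-up rule. The following is an added Python example, not code from the article, from Visa or from Positive Technologies. It assumes the issuer can see the card’s own view of whether verification happened as a boolean (`card_reports_cvm`, a placeholder for data protected by the card’s cryptogram) alongside the terminal’s claim (`terminal_claims_cvm`), and it resets the cumulative counters after a PIN-verified tap, which is modelled on the PSD2 rules rather than stated in the article.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from decimal import Decimal

# Policy values taken from the article: the UK single-tap contactless limit and the
# EU step-up thresholds due from September 2019 (£130 cumulative or five taps).
SINGLE_TAP_LIMIT = Decimal("30.00")
CUMULATIVE_LIMIT = Decimal("130.00")
TAP_COUNT_LIMIT = 5


@dataclass(frozen=True)
class ContactlessTx:
    card_id: str
    day: str                   # calendar day, e.g. "2019-07-29" (constructed value)
    amount: Decimal
    terminal_claims_cvm: bool  # terminal's claim that cardholder verification was done
    card_reports_cvm: bool     # assumed field: the card's own view, from cryptogram-covered data


@dataclass
class IssuerContactlessPolicy:
    # Per (card, day): amounts of taps approved without a PIN since the last
    # PIN-verified tap. A PIN-verified tap resets the list (assumption, modelled
    # on the PSD2 cumulative/consecutive-transaction limits).
    unverified_taps: dict = field(default_factory=lambda: defaultdict(list))
    alerts: list = field(default_factory=list)

    def authorise(self, tx: ContactlessTx) -> str:
        """Return 'APPROVE', 'REQUIRE_PIN' or 'DECLINE' for one contactless request."""
        key = (tx.card_id, tx.day)

        # 1. The attack in the article tells the terminal that verification already
        #    happened while telling the card none is needed. The issuer must not rely
        #    on the terminal's claim alone: a claim the card does not back up is declined
        #    and recorded for the fraud team.
        if tx.terminal_claims_cvm and not tx.card_reports_cvm:
            self.alerts.append(
                f"{tx.card_id} {tx.day}: terminal claims CVM, card does not; amount {tx.amount}")
            return "DECLINE"

        # 2. A tap the card itself reports as PIN-verified is approved and resets the
        #    no-PIN counters.
        if tx.card_reports_cvm:
            self.unverified_taps[key] = []
            return "APPROVE"

        # 3. No verification: enforce the single-tap limit ...
        if tx.amount > SINGLE_TAP_LIMIT:
            return "REQUIRE_PIN"

        # 4. ... and the cumulative-amount and tap-count limits.
        prior = self.unverified_taps[key]
        if len(prior) >= TAP_COUNT_LIMIT or sum(prior, Decimal(0)) + tx.amount > CUMULATIVE_LIMIT:
            return "REQUIRE_PIN"

        prior.append(tx.amount)
        return "APPROVE"


def demo() -> dict:
    """Run a constructed sequence of taps on one card; return decisions and alerts."""
    policy = IssuerContactlessPolicy()

    def tap(amount, terminal_claims_cvm, card_reports_cvm):
        return policy.authorise(ContactlessTx(
            "card-demo-0001", "2019-07-29", Decimal(amount),
            terminal_claims_cvm, card_reports_cvm))

    decisions = [
        tap("20.00", False, False),  # ordinary tap under £30            -> APPROVE
        tap("31.00", True, False),   # terminal claims CVM, card does not -> DECLINE
        tap("31.00", False, False),  # over £30 with no PIN               -> REQUIRE_PIN
        tap("31.00", True, True),    # PIN genuinely entered              -> APPROVE, counters reset
    ]
    decisions += [tap("29.00", False, False) for _ in range(4)]  # 4 x £29 = £116 -> APPROVE
    decisions.append(tap("29.00", False, False))  # would reach £145 > £130 -> REQUIRE_PIN
    decisions.append(tap("10.00", False, False))  # £126, fifth no-PIN tap  -> APPROVE
    decisions.append(tap("1.00", False, False))   # sixth no-PIN tap        -> REQUIRE_PIN
    return {"decisions": decisions, "alerts": policy.alerts}


if __name__ == "__main__":
    for line in demo()["decisions"]:
        print(line)
```

The ordering of the checks is the point: the consistency test between the terminal’s claim and the card’s own report runs before any limit is considered, so a relayed or tampered transaction that asserts “already verified” is refused regardless of amount, while the cumulative counters only ever accumulate taps the issuer actually approved without a PIN.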


I cover security and privacy for Forbes. I’ve been breaking news and writing features on these topics for major publications since 2010. As a freelancer, I worked for The Guardian, Vice Motherboard, Wired and BBC.com, amongst many others. I was named BT Security Journalist of the year in 2012 and 2013 for a range of exclusive articles, and in 2014 was handed Best News Story for a feature on US government harassment of security professionals. I like to hear from hackers who are breaking things for either fun or profit and researchers who’ve uncovered nasty things on the web. Tip me on Signal at 447837496820. I use WhatsApp and Treema too. Or you can email me at TBrewster@forbes.com, or tbthomasbrewster@gmail.com.

Source: Exclusive: Hack Breaks Your Visa Card’s Contactless Limit For Big Frauds


Billionaire John De Mol Takes Facebook to Court Over Fraudulent Bitcoin Ads

John de Mol, a Dutch billionaire and media magnate, has recently sued Facebook over fraudulent bitcoin ads that showed him next to quotes about how much money he purportedly made investing in BTC with a company that was swindling users.

According to Reuters, De Mol’s lawyer has claimed the businessman, who created the reality show ‘Big Brother’ and is one of the brains behind the Endemol entertainment studio, is suing the social media giant over damage to his client’s reputation and over Facebook’s inability to stop the ads from appearing altogether.

De Mol’s lawyers would, as such, like to see Facebook automatically block ads featuring him and cryptocurrencies. The businessman’s lawyer further claimed consumers sent a total of €1.7 million (around $1.9 million) to the scammers, before Facebook reacted to complaints and removed the ads from its platform.

De Mol is also looking to get the names of those behind the fraudulent bitcoin ads, so he can hand them over to authorities. Jacqueline Schapp, one of his lawyers, argued that Facebook’s system of reacting to users reporting problems isn’t good enough.

“I don’t know what reality Facebook lives in, but that doesn’t work.”

Facebook’s lawyer, Jens van den Brink, said the company couldn’t be forced to monitor every ad that goes through it all the time, and that it’s “technically impossible” to block ads bearing De Mol’s name, as other people have the same name.

Van den Brink also added Facebook has met with Dutch financial market regulator AFM this month to discuss ways to combat scammers on its platform. It’s worth noting that Facebook banned cryptocurrency-related ads last year to stop them, but later on lifted the ban.

A judge at the Amsterdam District Court gave both parties two weeks to come up with a reasonable solution. If they fail to reach an agreement, the judge noted he would rule on the case.

This isn’t the first time celebrities have been used to get users to buy into fraudulent cryptocurrency schemes through Facebook’s ads.

Source: CryptoGlobe

‘Crypto Dusting’ Attack Sends Illegally Obtained Bitcoin to Random Cryptocurrency Wallets

A crypto dusting attack, a hack on cryptocurrency wallets, is used to distribute laundered money to the wallets of unsuspecting customers, which in turn affects their reputation and draws the attention of law enforcement, DarkReading reported on January 8, 2019. According to DarkReading, crypto dusting is a new attack which distributes illegally obtained funds from an unknown source to the wallets of innocent cryptocurrency holders…

Source: ‘Crypto Dusting’ Attack Sends Illegally Obtained Bitcoin to Random Cryptocurrency Wallets

U.S. Trader Fined $1.1 Million and Sentenced to 15 Months for Committing Bitcoin Fraud – Aisshwarya Tiwari


According to a report by Bloomberg, published November 13, 2018, a U.S. resident named Joseph Kim has been fined $1.1 million and sentenced to 15 months in prison for orchestrating fraudulent schemes related to bitcoin (BTC) and litecoin (LTC), duping his employer and several other customers out of their money. In 2017, the U.S. Commodity Futures Trading Commission (CFTC) found that Kim had transferred $601,000 worth of bitcoin and litecoin from his employer’s cryptocurrency exchange wallet to his own wallet. The misappropriation of funds took place sometime between September and November 2017, when Kim worked for a Chicago-based trading firm…

Read more: https://btcmanager.com/u-s-trader-bitcoin-fraud/


Your kind donations would be very effective in helping to fulfill our future research and endeavors – Thank you

Florida Man Used Pinterest Template to Print Counterfeit Money, Tried to Sell It on Facebook, Police Say — INKLING LEAGUE


A Florida man looking to make a quick buck printed dozens of counterfeit bills at a library using a Pinterest template and then tried to sell the phony money on Facebook, police said. Levy Newberry, 29, printed counterfeit 5, 10, 20 and 50 dollar bills on resume paper he bought at Walmart, according to the […]

via Florida man used Pinterest template to print counterfeit money, tried to sell it on Facebook, police say — INKLING LEAGUE


Billionaire Elon Musk’s $40 Million Tweet May Be A Blessing For Tesla After Settling Fraud Suit -Antoine Gara


A tried and true platitude for many entrepreneurs is that they learn more from mistakes than from success. The maxim may prove especially true when it comes to automotive and aerospace billionaire Elon Musk and his $45 billion electric car giant Tesla. In August, Musk used his Twitter account to float a buyout of the company for a price of $420 a share, stating he’d secured funding for the take-private and had shareholder support. The price, as it turns out, was a veiled drug joke to Musk’s then-girlfriend Grimes and was pulled mostly out of thin air…

Read more: https://www.forbes.com/sites/antoinegara/2018/09/30/billionaire-elon-musks-40-million-tweet-may-be-a-blessing-for-tesla-after-settling-fraud-suit/#55b46e987435

