Hello everyone and welcome to the New Year! As we look forward to new breakthroughs in security, we also look with caution at the fraudulent activities that may occur and the new tactics criminals will use to ruin the reputation of businesses and disrupt the lives of the average victim. In fact, it didn't take long for one story to gain coverage: cardless transactions are now being exploited to siphon funds from new victims.
For those unaware, certain financial institutions now allow clients to conduct transactions and withdraw or deposit funds from their accounts without a card and PIN, using only a username, password and smartphone. We already have two high-profile news stories of such incidents, with Clark.com and Krebs On Security each detailing an attack of this kind in different parts of the world. In both cases, the attacker already knew the victim's online banking username and password, logged into the financial institution's app, de-listed the victim's phone and registered their own smartphone's number, then used it to transfer and withdraw funds from the victim's account to, presumably, the attacker's. Besides bypassing the need for a PIN, cardless transactions also allow withdrawals at limits typically higher than an average card-at-ATM limit, with some victims having upwards of 3000 USD siphoned out of their accounts.
To protect your own accounts, you can take the following steps:
- Check ATMs for PIN skimmers and tampered machines.
  - Attackers often need an entry point to get started, and protecting your card and PIN is a good first step.
- Enable two-factor authentication on your smartphone and financial applications.
  - Using, say, a fingerprint on your phone plus a username and password may seem troublesome, but it dissuades even the most determined attacker.
  - The goal is to combine something you have (your phone) with something you know (your password), so if your phone receives a verification code for an access attempt you did not make, you will be alerted before the damage is done.
- Put a block on features such as Tap, PayPass and digital wallets if you are uncertain about them.
  - If you are unsure of a feature, disable it until you feel more at ease with the offering later.
- Screen your statements and alert your financial institution of any suspicious activity.
  - This is more reactive, but in most cases the bank can help you, freeze the account and contact the authorities, protecting both your interests and their reputation.