Mobile payment apps: How to stay safe when paying with your phone

Are mobile payments and digital wallets safe? Are the apps safer than credit cards? What are the main risks? Here’s what to know.

While cash transactions aren’t going anywhere anytime soon, the convenience of electronic payment solutions has been steadily growing in popularity over the years. According to a recent survey by the US Federal Reserve, cash payments accounted for just 26% of all payments. Meanwhile, credit and debit cards and electronic payment methods were used for 65% of all payments.

The COVID-19 pandemic has also changed how people shop, with e-commerce experiencing a surge in demand as governments limited in-person interaction to curb the spread of the disease and people isolated themselves and did most of their shopping online.

As convenience is king, the surge in cashless payment methods and online shopping, together with the use of smartphones for shopping, has led to the increased adoption of mobile payment methods. Apple Pay, Google Pay, PayPal, Venmo, and WeChat Pay are among the most popular mobile payment apps. However, they come with their own sets of risks, and threat actors like to exploit them in their scams as well.

Risks

Since we’re mainly focusing on mobile payment apps, it stands to reason that one of the greatest risks is losing your smartphone, which houses most of your sensitive information and, if you use payment apps, your payment data. If you haven’t secured it properly, criminals could rack up charges on your cards or use your payment apps to go on a shopping spree. Besides ending up with an empty bank account or an overdrawn balance, the incident may damage your credit rating with the bank, which may make taking out a loan or mortgage difficult in the future.

Smartphones, like other computing devices, can also be infested by malware. Depending on the type, it can carry out various kinds of malicious activity; keyloggers can record and transmit every finger tap on your smartphone to the cybercriminals, allowing them to capture the passwords or account credentials you use to access your payment apps. Alternatively, attackers can deploy fake apps that masquerade as something else and attack your payment apps. Just one example: ESET researchers discovered a trojan masquerading as a battery optimization tool, which targeted users of the official PayPal app and attempted to transfer €1,000 (roughly US$1,200) to the attacker’s accounts.

Scam me not

Beyond directly trying to steal your smartphone or trying to infest it with malware, cybercriminals also rely on other more traditional means of making a dent in your wallet – cyber-scams.

The premise is usually similar to other fraud attempts, such as impersonating someone you may know and asking you to help out during an emergency. The fraudster might also gain access to your contact list and pretend to be someone you’ve already sent money to using a mobile payment app.

Cybercriminals can also resort to the usual flavors of fraud. They can use dating applications to cultivate a relationship and then once they establish it, try to coax money out of their victims citing various reasons such as hospital bills.

Lottery scams are also a common tactic: the targets are informed that they have won a huge prize, but to claim it they have to pay a transaction fee. Of course, they will never receive the imaginary prize from the fictional lottery they could never have bought a ticket for, and will probably never get their “transaction fee” back either.

Then there are phishing attacks where the crooks impersonate the company operating the mobile payment app. The scammers’ copycat websites try to trick the victims into divulging their account credentials so they can clean out the accounts or sell the login details on underground markets.

Another threat involves spam requests for money that pop up directly in the users’ accounts. If a user accidentally taps on one of these requests, it would immediately trigger a transfer to the scammers in the various amounts that they requested.

How to protect yourself

The first line of defense available for protecting yourself and your hard-earned money is by enabling all security measures afforded to you by your smartphone. This includes enabling a combination of a biometric lock (face scan, retina scan, fingerprint scan) and lock code. Once you’ve done that, it gets difficult both to break into your smartphone and use the payment apps, since they require you to verify your identity whenever you want to access them or perform a transaction or purchase something. Both Android and Apple devices also support “Find my phone” features, which allow you to disable your phone remotely if you lose it or it is stolen… and may even allow you to wipe it remotely.

Most payment apps also allow you to turn on additional security features such as two-factor authentication, which you should activate immediately if you haven’t done so yet. You can also lock the apps with additional security measures such as biometric and code locks and enable those for transactions as well. You should also turn on notifications whenever a transaction or payment takes place. Then, if a suspicious activity occurs, you’ll be alerted in (almost) real time.

To avoid downloading any malicious apps that will target your wallet, it is always necessary to scrutinize what you’re installing, lest you install a fraudulent app disguised as something else. A good rule of thumb is to also review all of the permissions apps ask to be granted.

Last but not least, consider using security software to protect yourself against most threats and help stop malicious activities dead in their tracks. An added boon is that fully featured security products have payment protections in place to protect your banking and payment applications.

Insight from a malware analyst

Although there are risks associated with using mobile payment apps, some are safer than the alternatives, according to ESET Malware Researcher Lukas Stefanko.

Week in security with Tony Anscombe

Is your smart doorbell putting you at risk of cyberattacks? – Spotify accounts hijacked en masse – Staying safe from SIM swapping

This week, the UK’s consumer watchdog Which? published research showing that internet-connected doorbells contain serious vulnerabilities that expose their owners to a host of cybersecurity and privacy risks. Researchers have spotted an unsecured database containing records that were used to hijack up to 350,000 accounts on Spotify. Also this week, we looked at SIM swap fraud, where a scammer takes over the victim’s phone number and goes on to wreak major havoc on their life. All this – and more – on WeLiveSecurity.com.

Europol and partners thwart massive credit card fraud scheme

The operation was carried out against fraudsters trying to monetize stolen credit card data on the internet’s seedy underbelly

Europol and several national law enforcement agencies have teamed up to disrupt trade in stolen credit card data on the dark web, ultimately preventing around €40 million (US$48 million) in losses for both consumers and financial organizations.

The operation, dubbed Carding Action 2020, was carried out over a span of three months and involved an analysis of 90,000 pieces of credit card information. It was led by law enforcement authorities from Italy and Hungary and supported by their peers from both the United Kingdom and Europol. It’s not immediately clear if any arrests were made.

Europol chalked up the operation’s success to the close cooperation between the various police authorities and partners from the private sector, with the EU’s law enforcement agency acting as a go-between and helping with the coordination of the efforts and exchange of data.

Officers foil fraudsters from stealing €40 million in payment card scam in huge international operation. 90 000 pieces of card data analysed in 3 months. Joint effort of @poliziadistato @police_HU @CityPolice (DCPCU) #Europol and @GroupIB_GIB
Read more: https://t.co/zoovgrbQgA pic.twitter.com/nXztQ8cl4p

— Europol (@Europol) November 26, 2020

“With more than €40 million in losses prevented, Carding Action 2020 is a great example of how sharing information between private industries and law enforcement authorities is a key in combating the rising trend of e-skimming and preventing criminals from profiting on the back of EU citizens,” said Edvardas Šileris, head of Europol’s European Cybercrime Centre, praising the success of the collaborative effort.

Detective Chief Inspector Gary Robinson of the UK’s Dedicated Card and Payment Crime Unit also commended his team for the work on the operation: “Acting as a gateway, the unit facilitated the sharing of data with the card schemes involved to stop the criminals behind these callous activities and protect the public from card payment fraud.”

In fact, it has been a busy week for law enforcement agencies cracking down on cybercrime. Europol’s press release came hot on the heels of an announcement by Interpol that it apprehended three individuals in Nigeria on suspicion of being members of a gang that has compromised government and private organizations across more than 150 countries. The group is thought to be responsible for the distribution of malware, phishing attacks, and for running Business Email Compromise (BEC) fraud, which sits atop the list of the costliest types of fraud. Although the investigation is still ongoing, Interpol and its partners have been able to identify some 50,000 victims of the gang’s schemes.

FBI warns of threat actors spoofing Bureau domains, email accounts

The U.S. law enforcement agency shares a sampling of more than 90 spoofed FBI-related domains registered recently

The Federal Bureau of Investigation (FBI) has issued a warning about domains designed to spoof the Bureau’s official website, fbi.gov. The alert lists more than 90 such fraudulent websites that have been registered recently.

“The FBI observed unattributed cyber actors registering numerous domains spoofing legitimate FBI websites, indicating the potential for future operational activity,” said the law enforcement agency. The list of fraudulent domains includes somewhat plausible examples, such as “fbihelp.org” and “fbifrauddepartment.org”, as well as more or less bizarre ones like “powerfulfbi.ninja” or “fbigiftshop.shop”.

For context, domain spoofing involves the creation of a website whose domain name has near-identical characteristics to the original. However, there will be some subtle differences, such as the threat actors changing a letter or symbol, or adding a word, in the domain name. Another telltale sign is that the website uses an alternate top-level domain (TLD) compared to the original; government-related websites in the United States, for example, use the “.gov” TLD.
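The three spoofing patterns just described (alternate TLD, added word, changed letter) can be turned into a simple triage check. This is an added example, not FBI or WeLiveSecurity tooling; the protected site fbi.gov and the sample domains come from the alert, while the heuristics and the category names are constructed for illustration.

```python
"""Flag domains that look like spoofs of an official site.

Added example, not FBI or WeLiveSecurity tooling. The protected site
(fbi.gov) comes from the article; the heuristics and the sample domain
list are constructed for illustration.
"""
from typing import Optional, Tuple

PROTECTED_LABEL = "fbi"   # the genuine second-level label
PROTECTED_TLD = "gov"     # US government sites use .gov


def registrable_parts(domain: str) -> Tuple[str, str]:
    """Naively split a hostname into (second-level label, TLD).

    'www.fbihelp.org' -> ('fbihelp', 'org'). This ignores multi-part
    public suffixes such as .co.uk; good enough for the samples here.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a registrable domain: {domain!r}")
    return labels[-2], labels[-1]


def one_char_substituted(a: str, b: str) -> bool:
    """True when a and b have equal length and differ in exactly one position."""
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) == 1


def classify(domain: str) -> Optional[str]:
    """Classify a domain relative to the protected site.

    Returns None for the genuine site or an unrelated domain, otherwise a
    short reason naming which spoofing pattern from the alert matched.
    """
    label, tld = registrable_parts(domain)
    if label == PROTECTED_LABEL and tld == PROTECTED_TLD:
        return None                      # the real fbi.gov (any subdomain)
    if label == PROTECTED_LABEL:
        return "alternate_tld"           # fbi.com, fbi.org, ...
    if PROTECTED_LABEL in label:
        return "added_word"              # fbihelp.org, powerfulfbi.ninja
    if one_char_substituted(label, PROTECTED_LABEL):
        return "changed_letter"          # noisy for a label as short as 'fbi'
    return None


def triage(domains) -> dict:
    """Return {domain: reason} for every domain that matched a spoofing pattern."""
    hits = {}
    for d in domains:
        reason = classify(d)
        if reason is not None:
            hits[d] = reason
    return hits


if __name__ == "__main__":
    # Domains named in the FBI alert plus the genuine site and an unrelated one.
    sample = ["fbi.gov", "fbihelp.org", "fbifrauddepartment.org",
              "powerfulfbi.ninja", "fbigiftshop.shop", "example.com"]
    for domain, reason in triage(sample).items():
        print(f"{domain:28} {reason}")
```

The "changed_letter" rule is deliberately last and will over-match for a three-letter label; for real triage you would feed hits into a watchlist for human review rather than block on them automatically.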

The goal of the cybercriminals is to use these webpages to wreak all manner of havoc, such as disseminating false information, gathering sensitive data from unwitting victims who have fallen for their ruses, or spreading malware. The gathered information typically includes account credentials, usernames, passwords, email addresses, and a range of other personally identifiable information that can then be utilized to carry out various forms of fraud and identity theft or be sold on the internet’s dark web bazaars.

And that’s what the FBI is worried about: “Members of the public could unknowingly visit spoofed domains while seeking information regarding the FBI’s mission, services, or news coverage. Additionally, cyber actors may use seemingly legitimate email accounts to entice the public into clicking on malicious files or links.”

The Bureau, therefore, urges the public to remain vigilant and scrutinize any websites they visit and carefully inspect the emails they receive, regardless of whether they’re work-related or personal. Moreover, if they are interested in the FBI’s mission or information about its work, they should search for it using verified and trusted sources.

Beyond increased vigilance, you can also take additional protective measures to defend yourself from website spoofing attacks and their consequences.

Do not respond to any unsolicited email requesting any kind of information, even if they seem legitimate. Use a reputable up-to-date security solution, which will protect you from most threats, including blocking known malicious websites and blocking potentially malicious downloads. Make sure that all your programs and your operating system are patched and up to date to prevent black hats from using any security flaws to infiltrate your systems. Use multi-factor authentication to mitigate the chances of hackers gaining access to your accounts even if your credentials get compromised.

SIM swap scam: What it is and how to protect yourself

Here’s what to know about attacks where a fraudster has your number, literally and otherwise

SIM swap scams have been a growing problem, with fraudsters targeting people from various walks of life, including tech leaders, and causing untold damage to many victims. Here’s why you should be on the lookout for attacks where someone can upend your life by first hijacking your mobile phone number.

How SIM swap fraud works

Also known as SIM hijacking and SIM splitting, SIM swapping can be described as a form of account takeover fraud. To make the attack work, the cybercriminal will first gather information on their mark, often through trawling the web and searching for every tidbit of data the potential victim may have (over)shared. The victim’s personal information can also be gleaned from known data breaches or leaks, or via social engineering techniques, such as phishing and vishing, where the fraudster wheedles the information directly out of the target.

With enough information in their hands, the fraudster will contact the target’s mobile phone provider and trick its customer service representative into porting their telephone number to a SIM card owned by the criminal. More often than not, the scammer’s story will be something along the lines that the switch is needed due to the phone being stolen or lost.

Once the process is done, the victim will lose access to the cellular network and phone number, while the hacker will now receive the victim’s calls and text messages.

What makes the scams so dangerous?

Commonly, the point of this type of attack is to gain access to one, or more, of the target’s online accounts. The cybercriminal behind the attack is also banking on the assumption that the victim uses phone calls and text messages as a form of two-factor authentication (2FA).

If that’s the case, the fraudsters can wreak unseen havoc on their victim’s digital and personal lives, including cleaning out their bank accounts and maxing out their credit cards, damaging the victim’s standing and credit with banks in the process.

The hackers could also access their victim’s social media accounts and download sensitive messages or private conversations that could be damaging in the long run. Or even post insulting messages and statuses that could cause major reputational damage to their victims.

How to protect yourself

Start by limiting the personal information you share online: avoid posting your full name, address, or phone number. Another thing you should avoid is oversharing details from your personal life, since chances are that some of those details feature in the security questions used to verify your identity.

When it comes to using 2FA, you might want to reconsider SMS text messages and phone calls being your sole form of additional authentication. Instead, opt for using other forms of two-factor authentication such as an authentication app or a hardware authentication device.

Phishing emails are also a popular way for cybercriminals to obtain sensitive information. They do so by impersonating a trusted institution, relying on the assumption that you won’t hesitate to answer their questions or scrutinize the emails too closely. While many of the phishing emails will be caught by your spam filters, you should also educate yourself on how to spot a phish.

Telecom companies are also working towards protecting their clients. Verizon, for example, launched a feature called ‘Number Lock’ that should protect its customers against potential SIM-swapping attacks, while AT&T, T‑Mobile, and Sprint offer the option of additional authentication in the form of PIN codes, passcodes, and additional security questions. You should check with your provider to learn how to enable such features, should they offer them.

In summary

While SIM swap scams are ever-present and a threat to everybody, there are ways to protect yourself. Taking one or more of the several steps outlined in the article can help you lower your chances of falling victim to such an attack. Additionally, you can contact your bank and telecommunications providers to inquire about any supplementary security services you can enable to lock down your accounts.

Up to 350,000 Spotify accounts hacked in credential stuffing attacks

This won’t be music to your ears – researchers spot an unsecured database replete with records used for an account hijacking spree

Researchers have found an unsecured internet-facing database containing over 380 million individual records, including login credentials that were leveraged for breaking into 300,000 to 350,000 Spotify accounts. The exposed records included a variety of sensitive information such as people’s usernames and passwords, email addresses, and countries of residence.

The treasure trove of data was stored on an unsecured Elasticsearch server that was uncovered by vpnMentor. Both the origin and owners of the database remain unknown. However, the researchers were able to validate the veracity of the data by contacting Spotify, which confirmed that the information had been used to defraud both the company and its users.

For context, credential stuffing is an automated account takeover attack in which cybercriminals use bots to hammer sites with login attempts using credentials stolen in data breaches at other sites, until they find a combination of “old” credentials and a new website that grants access. Applying some form of multi-factor authentication usually reduces the chances of accounts being compromised, but Spotify doesn’t support the option.
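The defining signal of credential stuffing as described above, many different accounts tried from one source with almost every attempt failing, is easy to pick out of authentication logs. This is an added example, not vpnMentor’s or Spotify’s code; the log format, the addresses (documentation ranges) and the thresholds are constructed for illustration.

```python
"""Spot credential-stuffing sources in authentication logs.

Added example, not vpnMentor's or Spotify's code. The log format and the
addresses are constructed. A stuffing bot tries many *different* accounts
from one source and fails nearly every time; a real user who forgets a
password retries one account.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List

LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(lines: Iterable[str]) -> List[dict]:
    """Parse log lines; malformed lines are skipped rather than crashing the job."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize(events: List[dict]) -> Dict[str, dict]:
    """Aggregate attempts per source IP: distinct accounts, failures, successes."""
    per_ip = defaultdict(lambda: {"attempts": 0, "users": set(),
                                  "failures": 0, "successes": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "OK":
            s["successes"] += 1
        else:
            s["failures"] += 1
    return {ip: {**s, "distinct_users": len(s["users"])} for ip, s in per_ip.items()}


def flag_stuffing(summary: Dict[str, dict], min_distinct: int = 10,
                  min_fail_ratio: float = 0.8) -> List[str]:
    """Sources that hit many distinct accounts with an overwhelmingly failing ratio.

    Successes are deliberately not required to be zero: a stuffing run that
    found a still-valid "old" password is exactly the one that matters most.
    """
    flagged = []
    for ip, s in summary.items():
        fail_ratio = s["failures"] / s["attempts"]
        if s["distinct_users"] >= min_distinct and fail_ratio >= min_fail_ratio:
            flagged.append(ip)
    return sorted(flagged)


# Constructed sample: a bot cycling leaked credentials from 203.0.113.5 (one
# pair still works), and a legitimate user retrying her own account.
SAMPLE_LOG = [
    f"2020-07-09T10:00:{i:02d}Z ip=203.0.113.5 user=user{i:02d} result=FAIL"
    for i in range(12)
] + [
    "2020-07-09T10:00:12Z ip=203.0.113.5 user=user12 result=OK",
    "2020-07-09T10:01:00Z ip=198.51.100.7 user=alice result=FAIL",
    "2020-07-09T10:01:05Z ip=198.51.100.7 user=alice result=FAIL",
    "2020-07-09T10:01:09Z ip=198.51.100.7 user=alice result=FAIL",
    "2020-07-09T10:01:20Z ip=198.51.100.7 user=alice result=OK",
    "garbage line that does not match",
]

if __name__ == "__main__":
    summary = summarize(parse(SAMPLE_LOG))
    for ip in flag_stuffing(summary):
        s = summary[ip]
        print(f"{ip}: {s['distinct_users']} accounts, {s['failures']}/{s['attempts']} "
              f"failed, {s['successes']} compromised")
```

Accounts that logged in successfully from a flagged source are the ones to force a password reset on, which is the rolling reset the researchers describe Spotify performing.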

The team contacted the Swedish audio streaming giant on July 9th and received an almost immediate response. Within a period of eleven days between July 10th and 21st, Spotify addressed the issue and deployed a rolling reset of passwords for all users affected by the issue.

“In this case, the incident didn’t originate from Spotify. The exposed database belonged to a 3rd party that was using it to store Spotify login credentials. These credentials were most likely obtained illegally or potentially leaked from other sources that were repurposed for credential stuffing attacks against Spotify,” the researchers explained.

The continuing success of credential stuffing attacks can, in large part, be attributed to users’ poor password hygiene. People often commit many of the cardinal sins of password creation and use, such as recycling passwords or even sharing their credentials with others. To illustrate the questionable choices people make when it comes to their passwords, you need look no further than the list of the most common passwords of 2020, which is topped by veritable gems like “123456” and “123456789”.

To protect the sensitive data stored in your accounts, start by choosing a strong and unique password or, even better, a passphrase. For convenience’s sake, you can also use a password manager that does the heavy lifting for you, including generating and storing all your tough-to-crack passcodes, so you only have to remember one master password. For an extra layer of security, also activate multi-factor authentication wherever possible.

Security flaws in smart doorbells may open the door to hackers

The peace of mind that comes with connected home security gadgets may be false – your smart doorbell may make an inviting target for unwanted visitors

Smart doorbells commonly found on marketplaces such as Amazon and eBay contain serious vulnerabilities that expose their owners to a host of security and privacy threats, according to an investigation led by the British consumer watchdog Which?.

Together with NCC Group, Which? looked into 11 internet-connected video- and audio-equipped doorbells, finding disconcerting vulnerabilities in all of them. A number of the gadgets are designed to have the look and feel of Amazon’s Ring and Google’s Nest Hello and are sold either under their own brands or with no discernible branding. Some devices were promoted with the “Amazon’s Choice” logo and received rave user reviews.

Notably, this includes the Victure VD300 smart doorbell, listed as “the number one bestseller in ‘door viewers’”. The device was found to send the Wi-Fi network password to servers in China unencrypted. If stolen, the login details might give crooks access not just to the victim’s Wi-Fi network but also to other devices connected to it, exposing people’s sensitive data in the process.

The lack of data encryption was overall a common find in the test and also affected video footage, which was often stored unencrypted.


Other flaws had to do with poor password protections, since the units came with basic and easy-to-guess default passwords or their passwords were easy to reset by unwanted guests. Some devices were vulnerable to being readily switched off or stolen, paving the way for burglars to do their ‘job’ and be gone while nobody is watching. One gadget was susceptible to a critical exploit taking advantage of the Key Reinstallation AttaCK (KRACK) vulnerability in Wi-Fi authentication that could ultimately leave Wi-Fi networks wide open to compromise.

Unsurprisingly, most units gathered more customer data than they actually needed for their operations. Overall, the test’s findings are by no means unique as similar probes have been conducted before and also brought unflattering results.


Amazon has since removed the listings for at least seven products. Meanwhile, eBay had this to say: “These listings do not violate our safety standards but represent technical product issues that should be addressed with the seller or manufacturer.”

If you’re in the market for any connected gizmo, you want to do your homework and choose a reputable manufacturer with a proven track record of securing their devices. Then, when you first set up your new smart device, at the very least make sure you protect it with a strong and unique password or passphrase as well as with two-factor authentication.