Technology

Hack Breaks Your Visa Card’s Contactless Limit For Big Frauds

Think that £30 limit on contactless payments is going to protect you from big thefts? Think again. 


Security researchers have found a way to bypass that limit on Visa cards. Their hack, which isn’t limited to U.K. cards, could let opportunistic crooks drain accounts with a single tap, and they claim they don’t even need to steal the credit card. And little on Visa’s side is being done to address this fresh fraud threat.

Forbes let the researchers—Leigh-Anne Galloway and Tim Yunusov from cybersecurity company Positive Technologies—try it out on a personal Visa card. They extracted three successful payments of £31 ($38). On their own cards they made contactless payments as high as £101, though it’s possible more could be stolen with just a tap.

Their hacks show how contactless fraud could get a lot worse. Typically, if a bank sees multiple £30 contactless payments, the card will cease to work, as fraud detection systems suspect it’s in the hands of a thief. But if it’s possible to make large transactions in one tap, the potential for significant frauds rises. 

Card thieves could therefore make larger payments than before, but they wouldn’t even need to steal the card. Criminals could, for instance, take a payment from a card while the owner wasn’t looking, using their own mobile payment terminal (though a malicious merchant would eventually be caught by banks’ fraud systems if they kept using the same terminal).

Or even more dastardly, it’s possible to take a payment reading from a credit card using a mobile phone, send the data to another phone and make a payment on that second device going beyond the limit, the researchers claimed. For the hack to work, all the fraudsters need is to be close to their victim.

“So that means if you found someone’s card or if someone stole your card, they wouldn’t have to know your PIN, they wouldn’t have to impersonate your signature, and they could make a payment for a much higher value,” said Galloway.

There should be some limits on just how much a hacker could steal. Galloway said that while it may be that thieves could go much higher than the £101 they tested, into the hundreds or possibly thousands, fraud detection systems at the banks may be able to spot any wildly high transactions.

“What we found is that actually, we can make reasonably high-value payments. So in the U.K., we’re able to make payments of £100 without any detection,” she added.

They’re still testing whether the hack would work elsewhere in the world, but Galloway confirmed it was not limited to a single country. The limit, of course, differs between nations. For instance, in the U.S., it’s considerably higher at $100.

No fix planned?

That doesn’t detract from the finding that the limit set on Visa cards can be broken. But Visa isn’t planning on updating its systems to deal with the hack. The financial industry giant argued that such a hack wouldn’t be likely to occur in the real world as the criminals would need to have their hands on the card and this doesn’t happen frequently. 

A spokesperson for the company went as far as to say that despite the research there wasn’t a security problem that needed addressing.

“One key limitation of this type of attack is that it requires a physically stolen card that has not yet been reported to the card issuer,” a Visa spokesperson told Forbes, noting that Visa was continually working on improving its fraud detection tech. 

“Likewise, the transaction must pass issuer validations and detection protocols. It is not a scalable fraud approach that we typically see criminals employ in the real world.”

Galloway disagreed that the fraudster would need to steal the card. As their tests showed, the hacker only needs to get close enough to the victim’s card for a short period of time to take a payment. This kind of “skimming” has long been proven possible, even if it relies on the card owner being caught unawares.

The Visa spokesperson also claimed that Visa’s global contactless fraud rate declined by 33% between 2017 and 2018 and in Europe by 40%. But data from UK Finance shows fraud using contactless caused £19.5 million of losses during 2018, up from £14 million in 2017.

UK Finance did, however, note this was “low” in light of total spending of £69 billion over the same year. And neither UK Finance nor Visa said they’d ever recorded a case of contactless fraud in which the card hadn’t been stolen.

How the contactless hack works

To carry out their hack, the researchers used a specialized piece of hardware to intercept and insert messages in the communications between the card and the reader. For instance, they could tell the card that verification—like a PIN—wasn’t needed, even though the requested amount was more than £30. They then told the terminal that verification had already been carried out by another means.

The researchers said these checks hadn’t been made mandatory by Visa, as they had been by its rivals. And as banks follow the guidelines laid out by Visa, Visa could be doing more to address the issue, Galloway said. Visa, though, said that card issuers are ultimately responsible for validating transactions.

For the attack using two mobiles, Galloway explained that it was possible to use one smartphone to tap a card and effectively clone it for a short period. That first mobile takes what’s known as a “payment cryptogram” from the card. This is essentially a signature that is supposed to guarantee the authenticity of future payments.

The cryptogram is sent to the second phone, which simulates the card as if it were making a mobile payment. The hackers can then go beyond the limit by doing the same interception attack as before.
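As an added illustration that is not part of the original article or of Positive Technologies’ tooling, the following Python toy models the interception step used in both variants above: a device in the middle strips the “verification required” flag on the way to the card and adds a “verification already performed” flag on the way back to the terminal. The message fields, the HMAC-based “cryptogram”, the £30 limit in pence and the issuer’s checks are all simplifications and assumptions of this example, not Visa’s real qualifier bytes or authorization logic. It shows why Ridgway’s point above holds: a terminal and issuer that trust unauthenticated flags approve a £101 tap with no PIN, while an issuer that either has the card cover those flags in its cryptogram, or refuses an “on-device verification” claim from a plastic card that cannot perform one, declines it.

```python
"""Toy model of the contactless verification bypass described above.

Constructed for this page; it is not Positive Technologies' tooling or Visa's
real message format. `cvm_required` / `cdcvm_performed` stand in for the
terminal and card qualifier flags, the "cryptogram" is an HMAC over a made-up
field list, and amounts are in pence.
"""
import hashlib
import hmac

LIMIT = 3000                                      # GBP 30 no-verification ceiling
CARD_KEY = b"constructed card/issuer shared key"  # symmetric key the issuer also holds


def cryptogram(fields, key=CARD_KEY):
    """Card-generated MAC; the issuer recomputes it over the same field list."""
    data = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()[:16]


def terminal_request(amount, nonce):
    """Step 1: the terminal asks for cardholder verification above the limit."""
    return {"amount": amount, "nonce": nonce, "cvm_required": amount > LIMIT}


def card_respond(req, bind_flags):
    """Step 2: a plastic card cannot do on-device verification (CDCVM), so it
    reports none. With bind_flags=False the cryptogram covers only amount and
    nonce, leaving both verification flags unauthenticated in transit."""
    resp = {"cdcvm_performed": False}
    covered = [req["amount"], req["nonce"]]
    if bind_flags:
        covered += [req["cvm_required"], resp["cdcvm_performed"]]
    resp["cryptogram"] = cryptogram(covered)
    return resp


def issuer_decide(auth, bind_flags, strict):
    """Step 3: issuer authorization. `strict` adds the consistency check an
    issuer can make from its own records: this credential is a plastic card,
    not a wallet token, so a CDCVM claim is impossible."""
    covered = [auth["amount"], auth["nonce"]]
    if bind_flags:
        covered += [auth["cvm_required"], auth["cdcvm_performed"]]
    if not hmac.compare_digest(cryptogram(covered), auth["cryptogram"]):
        return "DECLINE: cryptogram mismatch"
    if strict and auth["cdcvm_performed"] and not auth["token_capable"]:
        return "DECLINE: CDCVM claimed by a credential that cannot perform it"
    if auth["amount"] > LIMIT and not (auth["cdcvm_performed"] or auth["online_pin"]):
        return "DECLINE: no cardholder verification above limit"
    return "APPROVE"


def run_transaction(amount, tamper, bind_flags, strict, nonce=0x1234):
    """Drive one tap. `tamper=True` puts the interception device in the middle."""
    req = terminal_request(amount, nonce)
    to_card = dict(req)
    if tamper:
        to_card["cvm_required"] = False          # tell the card no PIN is needed
    resp = card_respond(to_card, bind_flags)
    to_terminal = dict(resp)
    if tamper:
        to_terminal["cdcvm_performed"] = True    # tell the terminal it was done elsewhere
    # The terminal only prompts for a PIN when it asked for verification and the
    # card did not claim to have done it on-device.
    pin_entered = req["cvm_required"] and not to_terminal["cdcvm_performed"]
    auth = {**req, **to_terminal, "online_pin": pin_entered, "token_capable": False}
    return issuer_decide(auth, bind_flags, strict)


if __name__ == "__main__":
    scenarios = {
        "GBP 25, honest tap":                (2500, False, False, False),
        "GBP 101, honest tap (PIN entered)": (10100, False, False, False),
        "GBP 101, tampered, flags unbound":  (10100, True, False, False),
        "GBP 101, tampered, strict issuer":  (10100, True, False, True),
        "GBP 101, tampered, flags in MAC":   (10100, True, True, False),
    }
    for label, args in scenarios.items():
        print(f"{label:36} -> {run_transaction(*args)}")
```

The third scenario is the bypass: the card never saw a request for verification and the terminal never asked for a PIN, yet the issuer approves because both flags it relies on travelled unauthenticated. The two defences are independent; either one alone turns that scenario into a decline.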

Stephen Ridgway, cofounder and chief technology officer at cybersecurity startup th4ts3cur1ty.company, said that addressing such attacks at a technical level could be problematic.

“There may be no ‘quick fix’ for this, even if the payment providers mandate authentication for payments over £30, if the card and reader are susceptible to a ‘man-in-the-middle’ attack that tricks the system into believing that authentication has already taken place,” he said. 

As for what concerned cardholders can do to protect themselves, keeping cards physically secure is vital. For anyone worried about someone reading their card through their wallet, there are covers that can prevent such “skimming” from working. Ridgway said another cheap solution was to use a phone cover, as they often provide the same protection. And monitoring transactions could help consumers detect fraudulent transactions before banks do.

Improving bank security and fresh new regulation should also improve matters. Ridgway said that should contactless limit bypasses become common, it’s very likely that payment providers will quickly learn to recognize and block them.

And incoming new EU rules could also prove a boon. From September 2019, banks will need to ensure a PIN is required once total contactless payments exceed a value of £130 or when five contactless transactions have been made in a day.

-Thomas Brewster; Forbes

Technology

‘WFH’ here to stay?

The home will be hub and flexible working the norm. The result? Renewed employee trust, wellness and cost savings, say more companies.

Even the words out-of-the-box seem out of date at a time when shipping containers are turning into ICU hospitals and arms firms are making ventilators and personal protective equipment.

If technology is being repurposed, so too are homes and humans.

Over the last few months the world over, the pandemic-induced ‘new normal’ has seen homes turning into head offices, with the volatile economy forcing businesses to rethink long-term strategies in a work from home (WFH) environment that looks here to stay.

Even the big corporates say this could extend post-pandemic.

Barclays CEO Jes Staley said its staff will not revert fully to its pre-January work habits. “There will be a long-term adjustment in how we think about our location strategy; the notion of putting 7,000 people in a building may be a thing of the past,” he said after the company reported its first quarter profits for 2020.

Internet giant Google said all staff are expected to work from home until 2021, according to a May 2020 report in Bloomberg. Similarly, Facebook will let staff work remotely through 2020. Twitter, on the other hand, announced a short while later it would let staff work from home “forever”.

Euromonitor International’s Global Consumer Trends 2020 report has highlighted areas in which Covid-19 will have an impact in the year ahead. These include multi-functional homes where, in the long term, the home becomes the hub and businesses adapt accordingly; private personalization, with privacy concerns put on hold in the short term but returning in the long term; and inclusivity for all, with disabled communities benefitting from technology.

In South Africa, the government has stipulated five levels of lockdown dictating how business may be carried out, including which sectors can operate as levels change. This requires flexibility and being able to adapt from one week to the next.

Jordan Rittenberry, Edelman Africa CEO, says the company’s transition towards more flexible working policies has been sped up by the Covid-19 pandemic, and the process has been a success with renewed trust in employees.

“We believe that flexibility, particularly in the current environment, is a useful way for companies to treat their staff right and foster mutual trust,” he tells FORBES AFRICA. “The pandemic has required a rapid mind-set change as companies take on new responsibilities towards the people that work for them and employee wellness is the first port of call as we navigate these uncharted waters.

“Every crisis presents opportunities and new ways of doing things. The shift we are seeing now is one of those that could help to meaningfully improve employer-employee relationships if managed carefully.

“As more people work from home, we will naturally require less space over time and this will yield cost savings to the business that can be passed on to clients.

“Besides employee costs, real estate is our biggest expense,” he says.

Pieter Bensch, Executive Vice President at Sage Middle East and Africa, has come to a similar conclusion. “We realized that we do not need as much office space going forward and working remotely using cloud technology tools has maintained productivity levels from our colleagues,” says Bensch to FORBES AFRICA.

“Our entire workforce began working remotely before lockdown and are in no rush to return until it is safe but have encouraged video calls so they can see each other.

“Our cloud accounting and payroll product sales have increased, which is a clear indication that our customers now understand the power and benefits of cloud solutions to maintain business continuity.”

The mental wellbeing of employees has also been top priority.  “All Sage colleagues received a free subscription to Headspace, a brilliant award-winning app and guide to everyday mindfulness,” adds Bensch. The company also formed a ‘[email protected]’ community for staff looking for peer support on how to adapt with differing family needs and challenges.

A Johannesburg-based agency called BetterWork that specializes in design thinking for human resources has been hosting weekly lunchtime Zoom calls since the beginning of lockdown in South Africa. Attendees include a mix of its professional network, members of The GoodWork Society and other members of the general public. Some of its takeaways suggest that WFH is more productive than working in the office, with attendees citing minimal distractions and the extra hours gained from not having to sit in traffic. Additionally, introverts seem to be thriving and tend to feel more comfortable contributing to teamwork. On the other hand, BetterWork says parents on the call have expressed being overwhelmed with not just their own work but also the additional responsibility of being teacher-guides to their children.

The company believes the home-office is now the responsibility of the employer where people-focused services such as tele-therapy, support for parents and social programs become an additional duty to ensure a healthy, productive team. It adds that an obvious benefit would be the compensation or subsidizing of laptops, stable internet connectivity, webcams, etc.

Palesa Sibeko, Co-founder of BetterWork, says offices are typically expertly assessed and constructed to suit an organization’s work activity needs, but the same is not true for the millions of homes that are now acting as places of work. “There is not a concerted effort to view home-work life more holistically, to identify the needs and address them to create environments conducive to doing great work.” BetterWork says it is currently looking into how to support organizations on this important mission.

– Nafisa Akabor

Health

Warning: COVID-19 Contact Tracing Apps Could Be Turned Into Tools For Domestic Abuse

If governments don’t focus on strong privacy protections in their COVID-19 contact tracking tools, it could exacerbate domestic abuse and endanger survivors, according to a warning from women’s support charities.

They’ve urged the U.K. government to include domestic abuse and violence against women and girls (VAWG) experts in the development of such initiatives.

Though the U.K. doesn’t yet have a widely available track and trace app, the charities – including Women’s Aid and Refuge – are already anxious enough about the current tracing program, where infected people are called up and asked to register themselves online as someone who has contracted COVID-19. They’re then asked to share details on people with whom they’ve been in contact so they too can be informed.

In a joint whitepaper, the nonprofits said they were anxious about contact tracing staff inadvertently leaking contact details of survivors to perpetrators. They also raised fears the program could be turned into a “tool for abuse.” 

“For example, perpetrators may make fraudulent claims that they have been in contact with survivors in order for them to be asked to self-isolate unnecessarily, and in these circumstances survivors will have no means to identify the perpetrator as the original source,” they warned. “Perpetrators or associates may also pose as contact tracing staff and make contact with victims [or] survivors requesting they self-isolate or requesting personal information.”

The paper also claims abusers are already using the coronavirus pandemic for “coercive control,” in some cases deliberately breathing, spitting and coughing in survivors’ faces. As Forbes previously reported, the sharing of child abuse material has also spiked during global COVID-19 lockdowns.

As for apps, the report warned they required location services to be switched on. “While the NHS app itself doesn’t collect location data, if a perpetrator has installed spyware onto a survivor’s phone or is able to hack into it, then turning on location services will expose their location.”

Problems with Palantir?

The charities also raised concerns about a number of companies who’d partnered with the U.K. on the contact tracing initiatives. They said Serco, which is handling recruiting for contact tracing staff, “has a significant track record of failings and human rights violations, including running a controversial women’s immigration detention centre where staff have been accused of sexual misconduct and involvement in unlawful evictions of asylum seekers.” Serco also recently had to apologize for leaking email addresses of contact tracer staff.

Serco denies that it has any kind of significant track record of failings and human rights violations, and says the evictions to which the charities are referring were in Scotland and were ruled legal. It also said that in seven years there had been no substantiated complaints about any sexual wrongdoing at the Yarl’s Wood immigration removal centre, where reports had revealed allegations.

“We are proud to be supporting the government’s test and trace programme with our Tier 3 contact centre team working from pre-approved Public Health England scripts. This is important work and we would like to thank all our teams who have stepped forward. In just four weeks we mobilised many thousands of people, which is a huge achievement, and we are focussed on ensuring that all our people are able to support the government’s programme going forwards,” a Serco spokesperson said.

Palantir, the $20 billion big data crunching business, also raised an eyebrow. The company, which has secured millions of dollars in contracts to help health agencies manage the outbreak, has come in for criticism for assisting U.S. immigration authorities on finding and ejecting illegal aliens.

Palantir hadn’t responded to a request for comment at the time of publication.

UK’s delayed COVID-19 app

The charities’ warning comes as the U.K. announced its contact tracing app would be shifting to the Apple and Google models, which promise stronger privacy protections than the app being tested by the government. The main difference is in where user information goes. In the government’s app, anonymized phone IDs of both the infected person and the people they’ve been near are sent to a centralized server, which determines who to warn about possible COVID-19 infection. In the Apple and Google model, only the phone ID of the infected person is sent to a centralized database. The phone then downloads the database and decides where to send alerts. The latter means the government has access to far less data on people’s phones, pleasing some critics but aggravating the government.
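As an added example, not part of the article or of any real app’s code, the following Python toy compares the two designs described in the paragraph above and makes the difference in what the server learns concrete. Installations are labelled with names only so the output is readable; real apps use anonymous install IDs. The rotating identifiers, the exact-match comparison and the simulated Bluetooth encounters are simplifications assumed by this example, not Apple and Google’s actual Exposure Notification scheme or the NHS app’s protocol.

```python
"""Toy comparison of centralized and decentralized contact tracing.

Constructed for this page; not the NHS app or Apple/Google's Exposure
Notification code. Identifiers are random tokens, matching is exact equality,
and Bluetooth proximity is simulated by calling encounter().
"""
import secrets


def new_phone(label):
    """One installation. `label` stands in for an install ID; it is only used
    here to make the server's knowledge visible in the output."""
    return {"label": label, "own_ids": [], "heard": []}


def broadcast_id(phone):
    """Mint a fresh rotating identifier (never reused in this toy) and broadcast it."""
    tok = secrets.token_hex(8)
    phone["own_ids"].append(tok)
    return tok


def encounter(a, b):
    """Two phones within range record each other's current identifier."""
    a["heard"].append(broadcast_id(b))
    b["heard"].append(broadcast_id(a))


def centralized(phones, infected):
    """Government-server model: every phone registers the IDs it minted, the
    infected phone uploads what it heard, and the server decides whom to warn."""
    server = {"registry": {}, "uploads": []}
    for p in phones:
        for tok in p["own_ids"]:
            server["registry"][tok] = p["label"]       # server links ID -> installation
    server["uploads"].append(list(infected["heard"]))  # server sees the contact list
    alerts = {server["registry"][tok] for tok in infected["heard"]}
    return alerts, server


def decentralized(phones, infected):
    """Apple/Google-style model: only the infected phone's own IDs are published;
    each phone downloads them and matches against what it heard, locally."""
    server = {"diagnosis_ids": list(infected["own_ids"])}
    published = set(server["diagnosis_ids"])
    alerts = {p["label"] for p in phones if published & set(p["heard"])}
    return alerts, server


def installations_known_to_server(server):
    """Which installations the server can attach to any data it holds."""
    return set(server.get("registry", {}).values())


def demo():
    alice, bob, carol = (new_phone(n) for n in ("Alice", "Bob", "Carol"))
    encounter(alice, bob)    # Alice and Bob were near each other
    encounter(bob, carol)    # Carol met Bob but never Alice
    c_alerts, c_server = centralized([alice, bob, carol], infected=alice)
    d_alerts, d_server = decentralized([alice, bob, carol], infected=alice)
    return {
        "centralized_alerts": c_alerts,
        "decentralized_alerts": d_alerts,
        "centralized_server_knows": installations_known_to_server(c_server),
        "decentralized_server_knows": installations_known_to_server(d_server),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:28} {sorted(value)}")
```

Both designs warn exactly the same person (Bob). The difference is that the centralized server ends up holding a registry linking every identifier to an installation plus the infected person’s contact list, while the decentralized server holds nothing but a list of tokens it cannot tie to anyone; the matching, and therefore the knowledge of who met whom, stays on the handsets.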

Health secretary Matt Hancock said on Thursday that Apple’s restrictions on third-party apps’ use of Bluetooth may’ve been one reason the government’s own app wasn’t as successful as hoped. Bluetooth is being used to determine whether an infected person has been in close proximity with another person’s phone.

Earlier this week, Amnesty International cybersecurity researcher Claudio Guarnieri warned that global rollouts of contact tracing apps were a privacy “trash fire.” After analyzing 11 apps, he found many contained privacy shortcomings. So concerned was Norway that it suspended its tool.

Even with lockdowns easing, those who’re infected are still being advised to isolate. However, the NHS guidance says that “the household isolation instruction as a result of Coronavirus (COVID-19) does not apply if you need to leave your home to escape domestic abuse.” That message may not have been amplified as much as it should’ve been.

Thomas Brewster, Forbes Staff, Cybersecurity

Technology

Twitter Begins Asking Users To Actually Read Articles Before Sharing Them

TOPLINE Twitter announced Wednesday that it will test a new feature that will prompt users to open up a link to an article before sharing it, which appears to be a move to further combat the spread of misinformation on the platform.

KEY FACTS

  • Some Twitter users may be subject to a prompt to click on a link if they try to retweet without reading the article first, billed by Twitter as a feature “designed to empower healthy and informed public conversation.”
  • English speakers on Android devices will be the first to see the tests. Users will still have the ability to retweet a message without clicking the link first if they choose to tap through the prompt.
  • According to Twitter Support, an official company account, the platform will only check if a user has clicked the article link recently through Twitter, not elsewhere on the internet.
  • Twitter denied some skeptical users’ accusations that the platform is testing the feature to establish a revenue stream via click-through to outside websites, saying the platform is not testing ad products with the prompts.
  • Twitter Support told one user it would watch to see if reminding users to read an article before they share it leads to more informed discussion.

CRUCIAL QUOTE

“It’s easy for links [and] articles to go viral on Twitter. This can be powerful but sometimes dangerous, especially if people haven’t read the content they’re spreading. This feature (on Android for now) encourages people to read a linked article prior to retweeting it,” Twitter product lead Kayvon Beykpour commented upon the announcement of the feature testing.

KEY BACKGROUND

The new prompt tests are the latest Twitter effort to curb the spread of misinformation on the platform. Twitter last month displayed fact-check tags on two of President Donald Trump’s tweets that featured misleading information regarding mail-in ballots and voter fraud. Twitter also rolled out testing for a new feature to allow users to limit who can reply to their tweets. The platform has faced criticism from both sides of the aisle in recent weeks, from conservatives over accusations of censorship and from the left for not doing enough to stifle misinformation.

Carlie Porterfield, Forbes Staff, Business
