
Hack Breaks Your Visa Card’s Contactless Limit For Big Frauds

Think that £30 limit on contactless payments is going to protect you from big thefts? Think again. 


Security researchers have found a way to bypass that limit on Visa cards. Their hack, which isn’t limited to U.K. cards, could let opportunistic crooks drain accounts with a single tap, and they claim they don’t even need to steal the credit card. And little on Visa’s side is being done to address this fresh fraud threat.

Forbes let the researchers—Leigh-Anne Galloway and Tim Yunusov from cybersecurity company Positive Technologies—try it out on a personal Visa card. They extracted three successful payments of £31 ($38). On their own cards they made contactless payments as high as £101, though it’s possible more could be stolen with just a tap.

Their hacks show how contactless fraud could get a lot worse. Typically, if a bank sees multiple £30 contactless payments, the card will cease to work, as fraud detection systems suspect it’s in the hands of a thief. But if it’s possible to make large transactions in one tap, the potential for significant frauds rises. 


With this technique, card thieves could make larger payments than before. But they might not even need to steal the card. Criminals could, for instance, take a payment from a card when the user wasn’t looking with their own mobile payments machine (though a malicious merchant would eventually be caught by banks’ fraud systems if they used the same terminal).

Or even more dastardly, it’s possible to take a payment reading from a credit card using a mobile phone, send the data to another phone and make a payment on that second device going beyond the limit, the researchers claimed. For the hack to work, all the fraudsters need is to be close to their victim.

“So that means if you found someone’s card or if someone stole your card, they wouldn’t have to know your PIN, they wouldn’t have to impersonate your signature, and they could make a payment for a much higher value,” said Galloway.

There should be some limits on just how much a hacker could steal. Galloway said that while it may be that thieves could go much higher than the £101 they tested, into the hundreds or possibly thousands, fraud detection systems at the banks may be able to spot any wildly high transactions.

“What we found is that actually, we can make reasonably high-value payments. So in the U.K., we’re able to make payments of £100 without any detection,” she added.

They’re still testing whether the hack would work elsewhere in the world, but Galloway confirmed it was not limited to a single country. The limit, of course, differs between nations. For instance, in the U.S., it’s considerably higher at $100.

No fix planned?

That doesn’t detract from the finding that the limit set on Visa cards can be broken. But Visa isn’t planning on updating its systems to deal with the hack. The financial industry giant argued that such a hack wouldn’t be likely to occur in the real world as the criminals would need to have their hands on the card and this doesn’t happen frequently. 

A spokesperson for the company went as far as to say that despite the research there wasn’t a security problem that needed addressing.

“One key limitation of this type of attack is that it requires a physically stolen card that has not yet been reported to the card issuer,” a Visa spokesperson told Forbes, noting that Visa was continually working on improving its fraud detection tech. 

“Likewise, the transaction must pass issuer validations and detection protocols. It is not a scalable fraud approach that we typically see criminals employ in the real world.”


Galloway disagreed that the fraudster would need to steal the card. As their tests showed, the hacker only needs to get close enough to the victim’s card for a short period of time to take a payment. This kind of “skimming” has long been proven possible, even if it relies on the card owner being caught unawares.

The Visa spokesperson also claimed that Visa’s global contactless fraud rate declined by 33% between 2017 and 2018 and in Europe by 40%. But data from UK Finance shows fraud using contactless caused £19.5 million of losses during 2018, up from £14 million in 2017.

UK Finance did, however, note this was “low” in light of total spending of £69 billion over the same year. And neither UK Finance nor Visa said they’d ever recorded a case of contactless fraud in which the card hadn’t been stolen.

How the contactless hack works

To carry out their hack, the researchers used a specialized piece of hardware to intercept and alter messages in the communications between the card and the reader. For instance, they could tell the card that cardholder verification, such as a PIN, wasn’t needed, even though the requested amount was more than £30. They then told the terminal that verification had already been carried out by another means.

The researchers said these checks hadn’t been made mandatory by Visa, as they had been by its rivals. And because banks follow the guidelines laid out by Visa, Visa could be doing more to address the issue, Galloway said. Visa, for its part, said that card issuers are ultimately responsible for validating transactions.

For the attack using two mobiles, Galloway explained that it was possible to use one smartphone to tap a card and effectively clone it for a short period. That first mobile takes what’s known as a “payment cryptogram” from the card. This is essentially a one-time cryptographic value generated by the card that is supposed to guarantee the authenticity of the payment it is used for.


The cryptogram is sent to the second phone, which simulates the card as if it were making a mobile payment. The hackers can then go beyond the limit by doing the same interception attack as before.
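The two attacks just described, the flag rewrite between card and reader and the two-phone relay of the cryptogram, as a toy Python model. This is an added illustration, not the researchers’ tooling and not Visa’s or any bank’s code. It assumes a simplified cryptogram (an HMAC over amount and transaction counter) and constructed flag names (cvm_required, cvm_performed); the article does not name the EMV fields that were altered, and real payment kernels differ in detail. It also sketches the kind of issuer-side validation Visa’s statement alludes to: rejecting an over-limit transaction in which a card with no on-card verification capability is credited with having verified the holder.

```python
"""Toy model of the contactless limit bypass the article describes.

Added illustration, not the researchers' tooling and not an EMV kernel:
card, terminal and issuer are simplified stand-ins, the flag names
(cvm_required, cvm_performed) are constructed for this model, and the
article does not name the EMV fields that were altered.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

LIMIT_PENCE = 30_00          # UK contactless limit quoted in the article
CARD_KEY = b"\x11" * 16      # constructed card MAC key, shared with the issuer


@dataclass
class Card:
    """Plain plastic card: it can sign a transaction but cannot verify the holder itself."""
    key: bytes = CARD_KEY
    counter: int = 0
    has_cdcvm: bool = False  # no PIN pad or biometric on the card

    def respond(self, req: Dict) -> Optional[Dict]:
        if req["cvm_required"] and not self.has_cdcvm:
            return None      # card defers to the terminal, which must collect a PIN
        self.counter += 1
        # Model of the "payment cryptogram": a MAC over amount and counter.
        # The CVM flags are deliberately NOT covered; that gap is what the attack exploits.
        data = req["amount"].to_bytes(4, "big") + self.counter.to_bytes(4, "big")
        tag = hmac.new(self.key, data, hashlib.sha256).digest()[:8]
        return {"amount": req["amount"], "counter": self.counter,
                "cvm_performed": self.has_cdcvm, "cryptogram": tag.hex()}


Channel = Callable[[Dict], Optional[Dict]]


def terminal(channel: Channel, amount: int) -> Tuple[str, Optional[Dict]]:
    """Reader side: asks for verification above the limit, trusts the card's answer."""
    req = {"amount": amount, "cvm_required": amount > LIMIT_PENCE}
    resp = channel(req)
    if resp is None or (req["cvm_required"] and not resp["cvm_performed"]):
        return "pin_required", None   # a thief with someone else's card stops here
    return "sent_online", resp


def issuer_basic(resp: Dict, key: bytes = CARD_KEY) -> str:
    """Minimal issuer: verifies the cryptogram and nothing else."""
    data = resp["amount"].to_bytes(4, "big") + resp["counter"].to_bytes(4, "big")
    expected = hmac.new(key, data, hashlib.sha256).digest()[:8].hex()
    return "approved" if hmac.compare_digest(expected, resp["cryptogram"]) else "declined"


def issuer_strict(resp: Dict, card_has_cdcvm: bool, key: bytes = CARD_KEY) -> str:
    """Issuer with the extra validation a practitioner would want: a card product
    that cannot perform consumer-device CVM must not be credited with it."""
    if issuer_basic(resp, key) != "approved":
        return "declined"
    if resp["amount"] > LIMIT_PENCE and resp["cvm_performed"] and not card_has_cdcvm:
        return "declined"
    return "approved"


def direct(card: Card) -> Channel:
    return card.respond


def mitm(card: Card) -> Channel:
    """Attacker hardware between card and reader, rewriting both directions."""
    def channel(req: Dict) -> Optional[Dict]:
        forged = dict(req, cvm_required=False)       # card: "no PIN needed"
        resp = card.respond(forged)
        return None if resp is None else dict(resp, cvm_performed=True)  # reader: "already verified"
    return channel


def relay(card: Card) -> Channel:
    """Two-phone variant: phone A sits at the card, phone B at the reader, and the
    messages (cryptogram included) travel between them as bytes with the same rewrite."""
    def phone_a(wire: bytes) -> bytes:
        return json.dumps(mitm(card)(json.loads(wire))).encode()

    def phone_b(req: Dict) -> Optional[Dict]:
        return json.loads(phone_a(json.dumps(req).encode()))
    return phone_b


def run_scenarios(amount: int = 31_00) -> Dict[str, Tuple[str, Optional[str], Optional[str]]]:
    """For each path, returns (terminal outcome, basic issuer verdict, strict issuer verdict)."""
    results = {}
    for name, make in (("direct", direct), ("mitm", mitm), ("relay", relay)):
        card = Card()
        outcome, resp = terminal(make(card), amount)
        results[name] = (outcome,
                         None if resp is None else issuer_basic(resp),
                         None if resp is None else issuer_strict(resp, card.has_cdcvm))
    return results


if __name__ == "__main__":
    for path, verdicts in run_scenarios().items():
        print(f"{path:7s} {verdicts}")
```

The point to take from the model is where the integrity boundary lies. The cryptogram binds the amount and the counter, so the relayed response can be spent once and only for that amount, but the verification flags sit outside it and can be rewritten by whoever controls the channel. A minimal issuer that checks only the cryptogram approves the £31 tap on both attack paths; the stricter issuer, which knows the card product cannot perform on-device verification, declines it. Whether a given real-world kernel protects those fields, and whether issuers check them, is the gap the researchers say Visa has not made mandatory.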

Stephen Ridgway, cofounder and chief technology officer at cybersecurity startup th4ts3cur1ty.company, said that addressing such attacks at a technical level could be problematic.

“There may be no ‘quick fix’ for this, even if the payment providers mandate authentication for payments over £30, if the card and reader are susceptible to a ‘man-in-the-middle’ attack that tricks the system into believing that authentication has already taken place,” he said. 

As for what concerned cardholders can do to protect themselves, keeping cards physically secure is vital. For anyone worried about someone reading their card through their wallet, there are covers that can prevent such “skimming” from working. Ridgway said another cheap solution was to use a phone cover, as they often provide the same protection. And monitoring transactions could help consumers detect fraudulent transactions before banks do.

Improving bank security and fresh new regulation should also improve matters. Ridgway said that should contactless limit bypasses become common, it’s very likely that payment providers will quickly learn to recognize and block them.

And incoming new EU rules could also prove a boon. From September 2019, banks will need to ensure a PIN is required once cumulative contactless payments since the last PIN entry exceed roughly £130, or after five consecutive contactless transactions without a PIN.
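The rule in the paragraph above, modelled as issuer-side counters in Python. This is an added example, not any bank’s or scheme’s code. It takes the thresholds from the article (£130 cumulative, five transactions, £30 per tap) and assumes both counters are kept by the issuer and reset whenever a PIN is verified. It also covers the per-tap limit the article opens with, and shows why a fraudster tapping repeatedly at just under that limit still runs into a PIN prompt, which is the velocity behaviour the article describes banks already applying to strings of £30 payments.

```python
"""Issuer-side model of the contactless PIN rule the article cites.

Added illustration, not any bank's or card scheme's code. Thresholds are
the ones quoted in the article; the assumption here is that the issuer
keeps both counters and resets them when a PIN is verified.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

SINGLE_LIMIT = 30_00        # per-tap contactless limit, in pence
CUMULATIVE_LIMIT = 130_00   # cumulative contactless spend allowed since last PIN
COUNT_LIMIT = 5             # contactless taps allowed since last PIN


@dataclass
class ContactlessCounters:
    spent_since_pin: int = 0
    taps_since_pin: int = 0
    log: List[Tuple[int, str]] = field(default_factory=list)

    def decide(self, amount: int, pin_verified: bool = False) -> str:
        """Return 'approve' or 'pin_required' for one tap and update the counters."""
        if pin_verified:
            # A PIN-verified transaction resets both counters (assumption of this model).
            self.spent_since_pin = 0
            self.taps_since_pin = 0
            self.log.append((amount, "approve_with_pin"))
            return "approve"
        if amount > SINGLE_LIMIT:
            self.log.append((amount, "pin_required"))
            return "pin_required"
        if (self.spent_since_pin + amount > CUMULATIVE_LIMIT
                or self.taps_since_pin >= COUNT_LIMIT):
            # Counters are left untouched: the tap did not go through contactless.
            self.log.append((amount, "pin_required"))
            return "pin_required"
        self.spent_since_pin += amount
        self.taps_since_pin += 1
        self.log.append((amount, "approve"))
        return "approve"


def simulate(taps: List[Tuple[int, bool]]) -> List[str]:
    """taps: list of (amount_pence, pin_verified); returns the issuer decision per tap."""
    counters = ContactlessCounters()
    return [counters.decide(amount, pin) for amount, pin in taps]


if __name__ == "__main__":
    # Constructed sequence: six £29.99 taps, then a PIN-verified £50, then one more tap.
    sequence = [(29_99, False)] * 6 + [(50_00, True), (29_99, False)]
    for (amount, pin), decision in zip(sequence, simulate(sequence)):
        print(f"£{amount / 100:.2f} pin={pin}: {decision}")
```

Four taps of £29.99 are approved, the fifth would push the cumulative total past £130 and is sent to PIN, and only a PIN-verified transaction clears the counters. Five small taps hit the count rule on the sixth even though the cumulative total is far below £130. Note that these counters live at the issuer, so they are not something a device sitting between the card and the reader can rewrite.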

-Thomas Brewster; Forbes


Where The Medium’s The Topic And The Topic is Topical


UJ, 4IR, and the Cloudebate™ concept

UJ is the University of Johannesburg. 4IR is the Fourth Industrial Revolution. Cloudebate™? Well – it’s a place where really interesting questions are asked, such as: is the academic thesis a thing of the past? Have books outlived their physical form? Are we witnessing the demise of childhood? Will eye-tracking, sip and puff, or exoskeletons lead to true equality of opportunity? Will society change Africa? Will Africa help change society? Will education teach our children what they really need to know? And if so, how?

As 4IR sweeps the world, sending many preconceptions, predilections, and presuppositions tumbling as it goes, UJ sees the asking of questions like these as a fundamental response. And it’s responding because, since 2013, when it first embarked on its strategy of global excellence and stature, the university saw a clear need to take the lead in exploring the applications, implications and potential of 4IR. What’s more, it saw a need to do this not just as part of its positioning as a thought-leader on the continent, but as part of making a proactive and positive contribution towards African society, education and enablement.

A vision of width, a platform of depth

It’s a significant vision, and as part of realising it, UJ has been investigating new and challenging ways, not just of identifying the issues at stake, but of presenting them in depth. It sought a way that would bring medium and content, idea and action, debate and initiative, together on one unique platform.

And that unique platform, one that UJ has not only created, but given a unique name to as well, is the Cloudebate™.

The Cloudebate™

The Cloudebate™ has essentially taken the traditional debate/panel discussion and reimagined it, placing it firmly within the realm of its own 4IR scope, and using the latest live-streaming technology. It is the place where 4IR ideas that have been identified as relevant, meaningful, challenging and thought-provoking are placed before an expert panel as well as an online audience who are invited to participate in real time, online, in a very 4IR way, in the discussion, analysis and dissection.

There have been seven Cloudebates held so far, and their names provide an insight into their capacity to provoke thought: The Way Tomorrow Works; Digitally Equal; Is 4IR the Demise of Childhood?; Questioning the Answers; Obsolete or Absolute?; Should Books be Shelved?; Adding Muscle to Open Doors.

When thought is action

It’s all about the kind of world we are creating for our children to inhabit. What will the elimination of jobs do to society? Are children growing directly into the immediacy of adulthood? Are academic theses outdated? Are libraries passé? Can technology enable opportunity equally for all?

The digital reach has been immense, not just in South Africa but worldwide. Moreover, UJ’s Cloudebate™ initiative is set to continue into 2020 with further challenges to our received wisdom, our perceived way of doing things. So, if you have any stimulating 4IR topics that you would like to see discussed, send them to [email protected] – UJ would love to hear from you. And if you’d like to see the discussions that have already taken place, then just go to uj.ac.za/4IR, where you can watch, and take a view of your own.

Creating tomorrow

With its innovative Cloudebate™ concept, UJ’s pursuit of global excellence has been a most rewarding journey that will continue to develop and expand along with 4IR, and along with UJ’s ongoing commitment to creating tomorrow.

Content provided by the University of Johannesburg



Applications Open for FORBES AFRICA 30 Under 30 class of 2020


FORBES AFRICA is on the hunt for Africans under the age of 30, who are building brands, creating jobs and transforming the continent, to join our Under 30 community for 2020.


JOHANNESBURG, 07 January 2020: Attention entrepreneurs, creatives, sport stars and technology geeks — the 2020 FORBES AFRICA Under 30 nominations are now officially open.

The FORBES AFRICA 30 Under 30 list is the most-anticipated list of game-changers on the continent and this year, we are on the hunt for 30 of Africa’s brightest achievers under the age of 30 spanning these categories: Business, Technology, Creatives and Sport.

Each year, FORBES AFRICA looks for resilient self-starters, innovators, entrepreneurs and disruptors who have the acumen to stay the course in their chosen field, come what may.

Past honorees include Sho Madjozi, Bruce Diale, Karabo Poppy, Kwesta, Nomzamo Mbatha, Burna Boy, Nthabiseng Mosia, Busi Mkhumbuzi Pooe, Henrich Akomolafe, Davido, Yemi Alade, Vere Shaba, Nasty C and WizKid.

What’s different this year is that we have whittled down the list to just 30 finalists, making the competition stiff and the vetting process even more rigorous. 

Says FORBES AFRICA’s Managing Editor, Renuka Methil: “The start of a new decade means the unraveling of fresh talent on the African continent. I can’t wait to see the potential billionaires who will land up on our desks. Our coveted sixth annual Under 30 list will herald some of the decade’s biggest names in business and life.”

If you think you have what it takes to be on this year’s list or know an entrepreneur, creative, technology entrepreneur or sports star under 30 with a proven track-record on the continent – introduce them to FORBES AFRICA by applying or submitting your nomination.

NOMINATIONS AND APPLICATIONS CRITERIA:

Business and Technology categories

  1. Must be an entrepreneur/founder aged 29 or younger on 31 March 2020
  2. Should have a legitimate REGISTERED business on the continent
  3. Business/businesses should be two years or older
  4. Nominees must have risked own money and have a social impact
  5. Must be profit generating
  6. Must employ people in Africa
  7. All applications must be in English
  8. Should be available and prepared to participate in the Under 30 Meet-Up

Sports category

  1. Must be a sports person aged 29 or younger on 31 March 2020
  2. Must be representing an African team
  3. Should have a proven track record of no less than two years
  4. Should be making significant earnings
  5. Should have some endorsement deals
  6. Entrepreneurship and social impact is a plus
  7. All applications must be in English
  8. Should be available and prepared to participate in the Under 30 Meet-Up

Creatives category

  1. Must be a creative aged 29 or younger on 31 March 2020
  2. Must be from or based in Africa
  3. Should be making significant earnings
  4. Should have a proven creative record of no less than two years
  5. Must have social influence
  6. Entrepreneurship and social impact is a plus
  7. All applications must be in English
  8. Should be available and prepared to participate in the Under 30 Meet-Up

Your entry should include:

  • Country
  • Full Names
  • Company name/Team you are applying with
  • A short motivation on why you should be on the list
  • A short profile on self and company
  • Links to published material / news clippings about nominee
  • All social media handles
  • Contact information
  • High-res images of yourself

Applications and nominations must be sent via email to FORBES AFRICA journalist and curator of the list, Karen Mwendera, on [email protected]

Nominations close on 3 February 2020.



Facebook Is Still Leaking Data More Than One Year After Cambridge Analytica


Facebook said late Tuesday that roughly 100 developers may have improperly accessed user data, which includes the names and profile pictures of individuals in certain Facebook Groups.

The company explained in a blog post that developers primarily of social media management and video-streaming apps retained the ability to access Facebook Group member information longer than the company intended.

The company did not detail the type of data that was improperly accessed beyond names and photos, and it did not disclose the number of users affected by the leak.

Facebook restricted its developer APIs—which provide a way for apps to interface with Facebook data—in April 2018, after the Cambridge Analytica scandal broke the month before. The goal was to reduce the way in which developers could gather large swaths of data from Facebook users.

But the company’s sweeping changes have been relatively ineffective. More than a year after the company restricted API access, the company continues to announce newly discovered data leaks.

“Although we’ve seen no evidence of abuse, we will ask them to delete any member data they may have retained and we will conduct audits to confirm that it has been deleted,” Facebook said in a statement.

The social media giant says in its announcement that it reached out to 100 developer partners who may have improperly accessed user data and says that at least 11 developer partners accessed the user data within the last 60 days.

Facebook has been reviewing the ways that companies are able to collect information and personal data about its users since the New York Times reported that political consulting firm Cambridge Analytica harvested data of millions of users. Facebook later said the firm connected to the Trump campaign may have improperly accessed data on 87 million users.

The Federal Trade Commission slapped Facebook with a $5 billion fine as a result of the breach. As part of the 20-year agreement both parties reached, Facebook now faces new guidelines for how it handles privacy leaks.

“The new framework under our agreement with the FTC means more accountability and transparency into how we build and maintain products,” Facebook’s director of platform partnerships, Konstantinos Papamiltiadis, wrote in a Facebook post.

“As we work through this process we expect to find examples like the Groups API of where we can improve; rest assured we are committed to this work and supporting the people on our platform.”

Michael Nuñez

