Last week the European Payments Council released a report – 2016 Payment Threats Trends Report – which highlights some current cybersecurity threats resulting in fraudulent payments. In this post, i summarise those key payment threats:
1. Denial of Service (DoS) Attack
- A Denial of Service (DoS) attack involves resetting or overwhelming the targets resources to the point where their system, application or network is made unavailable to its user base
- DoS attacks involve 2 types of perpetrators:
- Old school hackers or hacktivists who aim to pursue a personal goal or belief
- Hacking for financial gain
- A denial of service attack can be used to hide other attacks and/or provide a distraction
- Distributed Denial of Service (DDoS) have a single target but involve attacking multiple systems at the same time making it really difficult control the situation
- There are 3 types of Denial of Service (DoS) and Distributed Denial of Service (DDos) attacks:
- Flooding Attack – involves block access to a system by exceeding the maximum bandwidth available
- Protocol Attack – involves sending data packets through the communication protocols to such an extent too many communication sessions are opened (and not properly closed) leading to blocks and overflows that prevent new and genuine sessions from being initiated
- Application Layer Attack – Exploiting an error in the implementation or setup of a protocol which may be used to crash a particular server
2. Social Engineering and Phishing
- Social Engineering attacks involve tricking your target (people!) into inadvertantly performing tasks or disclosing confidential information
- A well known example of this is CEO Fraud or business email compromise
- Phishing involves attackers disguise themselves as legitimate and trustworthy groups in order to get sensitive information such as usernames and passwords for fraudulent purposes
- Interestingly the EPC report indicates that “Criminals use social engineering tactics because it is usually easier to exploit an individual’s natural inclination to trust than it is to discover ways to hack software“!
3. Malware
- Malicious software or malware attacks often take advantage of weaknesses in browsers, third party software and/or operating systems in order to gain control of the targets device
- Malware attacks can also use social engineering methods in order to trick targets into installing the malware and steal valuable information
- There are many types of malware: Trojan Horse, Spyware, Adware, Banking Trojans, Ransomware, Advanced Persistent Threats, Remote Access Trojans (RATs)
4. Mobile Related Attacks
- Mobile related attacks involve:
- Malicious / fake apps posing as banking apps
- SIM swap based attacks – the goal here is to get hold of the SMS based authentication/validation/verification messages OR to take advantage of new contactless payment methods
- Phishing and vishing attacks on the mobile device
- Mobile device malware
- Social engineering attacks using bogus or spoofed SMS messages to extract sensitive information
- Bad application or application system security
- Lack of user awareness, abuse of privacy, SIM duplication and enrollment processing
5. Botnets
- Botnet, also known as a “zombie army”, attacks involve a collection of infected computers or internet connected devices. Each compromised device is known as a bot and is “armed” with malicious code that controls and commands it to be part of the collective botnet
- The “botmaster” or “bot herder” controls the infected or compromised computers
6. Card related fraud
- Credit related fraud involves theft using a payment card to debit money from the targets account by:
- Stealing the debit or credit card
- Losing ones debit or credit card
- Payment card not being received by the intended recipient
- Counterfeit card
- Stealing the data on the debit or credit card
7. ATM Attacks
- ATM attacks involve:
- Against the card – By obtaining the targets debit or credit card details by fixing special devices in or on the ATM
- Card skimming – to capture data from the payment cards magnetic strip
- Eavesdropping – installing a device at the ATM to capture payment card data
- Card Shimming – to capture data from the payment card chip
- Software skimming – infecting the ATM with malware that captures the payment card and PIN data
- Card Trapping – the payment card is held at the ATM and the PIN captured separately
- Spying – on the target while they withdraw money
- Against the ATM
- Transaction reversal fraud – an error is created at the ATM which makes it look like the cash will not be released, only for the attacker to grab the money later
- Jackpotting / cash out attack – malware is used to take over the ATM PC allowing the attacker to withdraw cash directly
- Black boxing – Similar to jackpotting, only here the hackers own PC is used to corrupt the communication between the ATM PC and the ATM dispenser
- Man in the middle – here vulnerabilities between the ATM PC and the host system are exploited
- Physical attacks
- Cash Trapping – the attacker fixes a device to the ATM that traps and prevents the cash from being dispensed to the legitimate customer. the bad guy comes along and releases the trapped cash
- Ram raids – the ATM is ripped out
- ATM burglary – brute force, explosives or gas are used to breach the ATM
- Against the card – By obtaining the targets debit or credit card details by fixing special devices in or on the ATM
8. Multi-vector attacks
- Multi-vector attacks involve taking advantage of various weaknesses in the security chain by combining one or more of the above described payment threats
- Such attacks recognise various developments in cybersecurity and potential vulnerabilities in a targets environment and often go unnoticed for long periods of time
Interesting stuff, eh? 🙂