A Wake-Up Call for the Payments Sector Against Smartphone Cyberattacks!

Mobile technology is evolving at a great pace, integrating apps that fulfill people's daily needs and save them time. Money, the most crucial of these needs, has also been absorbed into the technology. In addition, banks and other financial institutions are incorporating mobile technology into their systems to provide convenience to their customers. But thinking it through raises a question in everybody's mind: how secure is mobile technology when dealing with payments?

A recent report released by Moscow-based security firm Kaspersky Lab states that 2.2 billion malicious attacks were blocked on computers and mobile devices during Q1 of 2015. That is double the amount detected in Q1 of 2014. Listed below are a few illustrations of breaches that have occurred through smartphones:

Insufficient Verification by Banks in the Apple Pay Fraud Case:

Part of the Apple Pay verification process allows users to enter card details manually when the phone's camera cannot capture them, for the reasons mentioned below. This allowed fraudsters to enter random card details (which might have been stolen long before), and the banks failed to verify them.

iPhone users generally use the phone's camera to capture a picture of their card and load the information into the Apple Pay system. The photo is then examined by the Apple Passbook software, which extracts the account owner's name and the expiration date of the card. However, capturing a picture of the payment card doesn't always work, for example if the card is too worn or if the card design conceals the numbers. In such cases, users enter the card information manually, which can lead to the details of breached cards being loaded.

Apple then sends the card data, along with data on the phone and iTunes account, to the bank that issued the card. It is up to the bank to decide whether the card is valid and whether it is being used by the right person. If the card is verified and approved, it is added to Apple Pay and appears in the Apple Passbook.

Fraud using Mobile Remote Deposit Capture (mRDC) Technology:

A person in Kentucky was arrested in 2013 for using mobile banking to steal $12,000 from multiple Kroger stores. The person used mobile remote deposit capture (mRDC) to commit the fraud. mRDC is a system that allows banking customers to deposit a check by taking a picture of it with a cellphone. The risk for financial institutions that allow mRDC is that the customer retains the paper check and can potentially deposit it multiple times at other institutions.

According to the arrest report, the person went into several different Kroger stores and purchased at least 32 Western Union money orders; each money order was issued for an amount between $195 and $500. He would then leave the store and deposit the money order into his Bank of America checking or savings account via a mobile deposit. He would then go back into the Kroger and cash the same money order. Later, he would withdraw the money order from his bank account.
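
The duplicate-presentment risk described above, as an added example that is not part of the original article: detection logic that pools presentment records across institutions and channels and flags any instrument presented more than once. The record layout, institution names, issuer name and serial numbers are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Presentment:
    institution: str   # where the item was presented (hypothetical names)
    channel: str       # "mrdc" (photo deposit) or "counter" (paper cashed)
    issuer: str        # money order / check issuer
    serial: str        # serial number as keyed or read from the image
    amount_cents: int
    day: int           # day offset, used only for ordering


def instrument_key(p):
    """Normalise issuer and serial so formatting differences do not hide a match."""
    serial = "".join(ch for ch in p.serial if ch.isalnum()).lstrip("0").upper()
    return (p.issuer.strip().lower(), serial)


def find_duplicates(events):
    """Return {instrument_key: [presentments]} for items presented more than once."""
    by_item = defaultdict(list)
    for p in sorted(events, key=lambda e: e.day):
        by_item[instrument_key(p)].append(p)
    return {k: v for k, v in by_item.items() if len(v) > 1}


def single_institution_view(events, institution):
    """What one institution can detect using only its own records."""
    return find_duplicates([p for p in events if p.institution == institution])


# Constructed sample records (not real data).
SAMPLE = [
    Presentment("bank-a", "mrdc", "ExampleIssuer", "0012-3456", 45000, 1),
    Presentment("store-b", "counter", "exampleissuer ", "00123456", 45000, 1),
    Presentment("bank-a", "mrdc", "ExampleIssuer", "0077-1200", 19500, 2),
    Presentment("bank-a", "mrdc", "ExampleIssuer", "0077-1200", 19500, 3),
    Presentment("bank-a", "mrdc", "ExampleIssuer", "0090-0001", 50000, 4),
]

if __name__ == "__main__":
    for key, hits in find_duplicates(SAMPLE).items():
        where = sorted({f"{p.institution}/{p.channel}" for p in hits})
        print(key, "presented", len(hits), "times at", where)
    # Neither institution alone sees the item that was deposited and then cashed.
    print("bank-a alone:", list(single_institution_view(SAMPLE, "bank-a")))
    print("store-b alone:", list(single_institution_view(SAMPLE, "store-b")))
```

The item deposited by photo at one institution and cashed on paper at another is only visible in the pooled view, which is why each institution checking its own records is not enough.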

Smartphone Hacking in Europe:

Europe is known as the most advanced continent in implementing digital technology in payments. Back in 2012, more than 30,000 online banking customers in Germany, Italy, Spain and the Netherlands were victims of a digital attack involving smartphones. The hackers stole €36 million from corporate and private banking customers across Europe. Android and Blackberry mobile devices were specifically targeted. A customized version of the Trojan spyware application Zeus, called ZITMO or Zeus-In-The-MObile, was deployed for the two-stage Trojan virus attack, which spread from a victim's personal computer to their mobile phone. Zeus-In-The-MObile was called Eurograbber by security companies and was a first-of-its-kind PC-to-mobile Trojan malware targeted specifically at online banking.

Over time, mobile cyberattacks have led security companies to deploy more secure checks and balances for payment operations, and have pushed the payment sector to be more forward-looking about the process.