Over the May holidays nearly a hundred holders of the Kukuruza (“Corn”) card were left without their funds. Fraudsters withdrew money from the accounts through the popular payment service Apple Pay: they linked the victims' cards to Apple's service and transferred rubles to third-party accounts. “360” spoke with cyber security experts to find out how to pay for purchases through a mobile payment system without putting your wallet at risk.
In early May, Kukuruza cardholders began complaining that money was being debited from their accounts without their consent. On the banki.ru forum alone there are now about 50 such angry messages. All of them say that the fraudsters first linked the victims' cards to Apple Pay themselves, and the victims then received notices of withdrawals to a mobile operator. Yet none of the victims received the SMS or push notification that is required to set up and use Apple Pay.
“Today, in the same way as described above, my Kukuruza card was linked to Apple Pay and two minutes later a transfer of 15,000 rubles to [the mobile operator] was carried out. No codes confirming the link to Apple Pay arrived!” says one of the defrauded users. According to the woman, when she herself had linked the card to her smartphone, she received a password to verify the user. This time the only message she received was about the debiting of the money.
Recall that Kukuruza is the bonus payment card of the merged company Svyaznoy Evroset. It runs on the Mastercard payment system and its issuer is RNKO “Payment Center”. According to the company's website, more than 20 million Russians use the card.
Photo source: RIA “Novosti”
The victims themselves are inclined to believe that their data was stolen from the system, which the hackers simply cracked. Others believe that their money was stolen because of vulnerabilities in the smartphone application, since the fraudsters were able to link the card without any confirmation.
Euroset holds a similar view. As the company's press service told “360”, the attack succeeded largely because of the naivety of the users.
“They (the scammers, editor's note) proceeded from the fact that people use the same password for different services. They obtained clients' passwords from third-party services and tried them in the Kukuruza personal account,” said the Euroset representative.
According to the company, the hackers managed to gain access to the cards of only 83 users. No customer suffered losses and all funds were returned, the company said.
“The protection system saw these actions and blocked the possibility of password guessing. In addition, as soon as the attack became clear, an application update was promptly released that rules out guessing. The problem is solved,” Euroset added.
RNKO “Payment Center” also points out that the hackers obtained personal information about Kukuruza clients from social services.
“According to the available information, one of the social services, which has nothing to do with Kukuruza or RNKO “Payment Center”, was hacked, after which the attackers checked whether the password for the social service matched the password for online banking. If it did, the attacker could log in to the customer's Internet or mobile banking,” the RNKO press service told “360”.
To prevent repeat attacks, “Payment Center” has imposed a mandatory password change on the affected customers.
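The attack the issuer describes is credential stuffing (a leaked password list replayed against the banking login), followed by a card binding and a transfer within about two minutes. The following is an added example, not code from the article or from any of the companies quoted, showing how a bank's monitoring could surface both stages from its own authentication and transaction logs. The log format, field names, addresses, account names and thresholds are all constructed for the example and are not taken from any real system.

```python
"""Two detections for the fraud pattern described above, run over constructed log lines.

Rule 1 (credential stuffing): one source address attempts many *distinct*
accounts within a short window with a low success ratio, the signature of a
leaked-password list being replayed against a login form.
Rule 2 (bind-then-drain): a wallet binding followed within minutes by an
outbound transfer for the same account, regardless of source address.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (hypothetical format); not from any real system.
SAMPLE_LOG = """\
2019-05-02T10:00:01 ip=203.0.113.7 user=anna action=login_fail
2019-05-02T10:00:02 ip=203.0.113.7 user=boris action=login_fail
2019-05-02T10:00:03 ip=203.0.113.7 user=vera action=login_ok
2019-05-02T10:00:04 ip=203.0.113.7 user=dima action=login_fail
2019-05-02T10:00:05 ip=203.0.113.7 user=olga action=login_fail
2019-05-02T10:00:06 ip=203.0.113.7 user=igor action=login_ok
2019-05-02T10:01:10 ip=203.0.113.7 user=vera action=wallet_bind
2019-05-02T10:03:05 ip=203.0.113.7 user=vera action=transfer amount=15000
2019-05-02T10:30:00 ip=198.51.100.9 user=anna action=login_ok
2019-05-02T10:31:00 ip=198.51.100.9 user=anna action=login_fail
2019-05-02T11:00:00 ip=198.51.100.9 user=anna action=login_ok
2019-05-02T12:00:00 ip=192.0.2.44 user=igor action=wallet_bind
2019-05-02T15:00:00 ip=192.0.2.44 user=igor action=transfer amount=500
"""


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' line into a dict."""
    ts, *pairs = line.split()
    event = {"ts": datetime.fromisoformat(ts)}
    for pair in pairs:
        key, value = pair.split("=", 1)
        event[key] = int(value) if key == "amount" else value
    return event


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_accounts=5, max_success_ratio=0.5):
    """Return {ip: (distinct_accounts, success_ratio)} for sources whose login
    attempts inside any `window` touch at least `min_accounts` different
    accounts while mostly failing. A legitimate user retrying one account
    never reaches `min_accounts`, so is not flagged."""
    by_ip = defaultdict(list)
    for e in events:
        if e["action"] in ("login_ok", "login_fail"):
            by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e["ts"])
        for i, start in enumerate(attempts):
            # every attempt from this ip inside [start, start + window]
            chunk = [e for e in attempts[i:] if e["ts"] - start["ts"] <= window]
            users = {e["user"] for e in chunk}
            ok = sum(1 for e in chunk if e["action"] == "login_ok")
            ratio = ok / len(chunk)
            if len(users) >= min_accounts and ratio <= max_success_ratio:
                prev = flagged.get(ip)
                if prev is None or len(users) > prev[0]:
                    flagged[ip] = (len(users), round(ratio, 2))
    return flagged


def find_bind_then_drain(events, max_gap=timedelta(minutes=5)):
    """Return [(user, seconds_between, amount)] for accounts where a wallet
    binding is followed by a transfer within `max_gap`. Source address is
    ignored on purpose: the second stage may come from a different device."""
    hits = []
    binds = [e for e in events if e["action"] == "wallet_bind"]
    transfers = [e for e in events if e["action"] == "transfer"]
    for b in binds:
        for t in transfers:
            gap = t["ts"] - b["ts"]
            if t["user"] == b["user"] and timedelta(0) <= gap <= max_gap:
                hits.append((b["user"], int(gap.total_seconds()), t["amount"]))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("credential-stuffing sources:", find_stuffing_sources(evs))
    print("bind-then-drain accounts:", find_bind_then_drain(evs))
```

In the constructed sample, the first rule flags 203.0.113.7 (six accounts tried in five seconds, two successes) while anna's own retries from 198.51.100.9 stay below the account threshold; the second rule flags vera's transfer 115 seconds after the binding and ignores igor's binding, whose transfer comes three hours later. Either hit is a reason to require a fresh confirmation code before the transfer is released rather than only to notify the cardholder afterwards.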
Insidious Apple Pay
Meanwhile, users are not wrong to complain about the imperfections in how Apple Pay works, say the cyber security experts “360” spoke to. Today the rules for connecting to Apple Pay are set by Apple and the payment systems, and they are guided by economic feasibility, because identifying a client costs money, including the cost of sending SMS. If a bank declines such verification, the application works without SMS, opening an opportunity for hackers to steal.
On average, 90% of thefts involve social engineering techniques, so this case does not fit the standard pattern, Nicholas Pyatiizbyan of the information security department of a commercial bank noted in conversation with “360”.
“Usually banks send an SMS notification about a transaction via Apple Pay, but this service is advisory in nature. In fact, the hackers carried out a combined hack here: first they exploited the vulnerability of the social service and then the blind spots of the payment application,” the “360” interlocutor explained.
To protect funds from theft, experts advise linking to Apple Pay only those cards that are needed for small purchases; that is, there is no need to add your salary card to the application.
“You also need to use different credentials for each of your web services. Then it will be much harder for fraudsters to guess the password, use your card and withdraw money,” Sergei Sherstobitov, Director General of Technologies Group, said in conversation with “360”.
The volume of theft from Russians' bank cards grows every year, the expert added. Last year hackers managed to steal about 1.4 billion rubles from the bank accounts of trusting Russians, almost 1.5 times more than in 2017.