Organised crime gangs are selling software that can load compromised credit card details onto mobile payment systems, Europe’s law enforcement agency has warned.
In its annual Internet Organised Crime Threat Assessment report, Europol says hackers have learned how to bypass security on Android mobile payment apps, allowing them to use stolen credit card data to make in-store purchases with the devices.
Experts have repeatedly warned that it would only be a matter of time before criminals worked out how to compromise smartphone payment platforms, noting that mobile wallets are likely not as secure as their manufacturers have made them out to be.
“The possibility of compromising NFC [near field communication] transactions was explored by academia years ago, and it appears that fraudsters have finally made progress in the area,” the Europol report said.
“Several vendors in the dark net offer software that uploads compromised card data on to Android phones in order to make payments at any stores accepting NFC payments.”
Discussing the potential consequences of the new technique, Europol noted that vendors will likely not know what to do if they are told to retain a stolen card that is used on a mobile device. It also observed that only Android devices are likely to have been compromised, as Apple does not allow third-party apps to access the iPhone’s NFC chip.
The agency recommended that smartphone makers, app publishers and the manufacturers of NFC-enabled point-of-sale terminals take action to address the security flaws that have allowed hackers to develop these new methods.
Being able to load compromised credit card information onto smartphones will make it a lot easier for small-time fraudsters to use stolen data that can be picked up with relative ease on the dark web and from card data dump sites on the regular internet.
While it is likely that more serious criminals will be involved only in selling the software that facilitates this type of fraud, the new technique will mean those further down the food chain will be able to use stolen card details in-store that they might otherwise have been able to use only online.
The discovery does not mean that it is now less safe for consumers to use mobile payment platforms, as smartphone wallets use a system of tokenisation that means a user’s card details are never shared with the vendor. What it does mean is that card details that are stolen from consumers can be more easily used or sold on by fraudsters, highlighting the importance of protecting banking information.