Pickpockets of the 21st century. Carders steal money from cards in public transport.

Tomcat

Visa has announced new rules for contactless payment. At the moment you can pay for purchases of up to 1000 rubles with an NFC card without entering a PIN code, but from mid-April the limit will rise to a respectable 3,000 rubles. Contactless payment is always convenient, but it is not always safe. Life looks at the vulnerabilities of contactless payment and at how to protect yourself from carders.

They can even steal money from a card in the subway, but thieves prefer not to

Many silently give thanks for technological progress when they tap a bank card on a payment terminal, for example at a Pyaterochka store: no fumbling with cash, no PIN code to enter. But as soon as you realise that anyone with a wireless terminal could take 3,000 rubles from your card just by touching your handbag in the subway, you start to mistrust modern technology. Is this really something to worry about?

Cybersecurity experts have long agreed that PayPass and its analogues have serious shortcomings, and some of them do not dismiss the subway scenario at all. Several years ago Kaspersky Lab employee Oleg Gorobets photographed a suspicious person in the Moscow subway with a POS terminal in his hand. On Facebook, Gorobets strongly hinted that the man was stealing money from people's NFC cards by pressing the terminal against their pockets and bags. The public reaction was stormy, but the wave of indignation subsided quickly, because many questions arose about whether the method under discussion made any sense.

The bankers were the first to speak. They explained that money stolen in this way does not vanish into a black hole: it lands in a specific bank account registered to a specific legal entity. In their view, robbing people with a terminal is a short-sighted decision. As they put it, it is like leaving your passport at the scene of a crime.

Experts familiar with the technical side of the issue helped dispel the fear of this type of fraud. They pointed out that even if an attacker is not afraid of revealing his identity, it is extremely difficult to steal a couple of hundred or a couple of thousand rubles in a crowd using a terminal: too many factors have to coincide. At a minimum, the card the thief is targeting must be in a pocket or bag with no other NFC tags. So if the payment card sits in the same pocket as, say, a Troika transit card, there is a high probability that the thief will fail, because two different tags in the reader's field will simply interfere with each other.

— There is a possibility that terminals will be used in a crowd. But its danger is exaggerated. First, the terminal must be registered. After several illegal debits, such a device will be blocked, which will require replacing it with a new one, which is not easy and expensive. Secondly, attackers have simpler and more profitable ways to steal money from cards, says information security specialist Alexey Lukatsky. As an example of a more profitable fraud, Lukatsky named skimming, a technique as old as credit cards themselves, which uses overlays on the keypad or the card slot of an ATM.
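The blocking mechanism Lukatsky refers to, as an added example that is not from the article and not any bank's real logic: a toy acquirer-side rule in Python, run over constructed authorisation records, that flags a terminal whose activity looks like tapping strangers' pockets (many distinct cards, under-limit no-PIN amounts, a short time window, a high share of later disputes) while leaving a busy but legitimate kiosk alone. The thresholds, field names and sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorisations (not real data):
# (timestamp, terminal_id, card_token, amount_rub, pin_entered, later_disputed)
SAMPLE_AUTHS = [
    # T-100: five different cards, each charged just under the no-PIN limit
    # within a few minutes, and most of the charges later disputed
    ("2024-04-20T08:01:10", "T-100", "card-01", 2990, False, True),
    ("2024-04-20T08:01:52", "T-100", "card-02", 2990, False, True),
    ("2024-04-20T08:02:33", "T-100", "card-03", 2990, False, False),
    ("2024-04-20T08:03:05", "T-100", "card-04", 2990, False, True),
    ("2024-04-20T08:04:41", "T-100", "card-05", 2990, False, True),
    # T-300: a busy kiosk, many cards in a short time, no disputes
    ("2024-04-20T08:00:05", "T-300", "card-11", 180, False, False),
    ("2024-04-20T08:01:30", "T-300", "card-12", 250, False, False),
    ("2024-04-20T08:02:10", "T-300", "card-13", 180, False, False),
    ("2024-04-20T08:03:45", "T-300", "card-14", 320, False, False),
    ("2024-04-20T08:05:00", "T-300", "card-15", 180, False, False),
]

NO_PIN_LIMIT_RUB = 3000          # contactless no-PIN limit quoted in the article
WINDOW = timedelta(minutes=10)   # assumed detection window
MIN_DISTINCT_CARDS = 5           # assumed threshold
MIN_DISPUTE_RATE = 0.5           # assumed threshold

def parse(rows):
    # Turn the constructed tuples into dicts with a real datetime in "ts"
    keys = ("ts", "terminal", "card", "amount", "pin", "disputed")
    return [dict(zip(keys, (datetime.fromisoformat(r[0]),) + r[1:])) for r in rows]

def suspicious_terminals(events, window=WINDOW, min_cards=MIN_DISTINCT_CARDS,
                         min_dispute_rate=MIN_DISPUTE_RATE):
    """Return {terminal_id: reason} for terminals matching the crowd-skimming pattern."""
    by_terminal = defaultdict(list)
    for e in events:  # keep only no-PIN taps at or under the contactless limit
        if not e["pin"] and e["amount"] <= NO_PIN_LIMIT_RUB:
            by_terminal[e["terminal"]].append(e)
    flagged = {}
    for term, taps in by_terminal.items():
        taps.sort(key=lambda e: e["ts"])
        for i, start in enumerate(taps):  # sliding window opened at each tap
            in_win = [e for e in taps[i:] if e["ts"] - start["ts"] <= window]
            cards = {e["card"] for e in in_win}
            if len(cards) < min_cards:
                continue
            rate = sum(e["disputed"] for e in in_win) / len(in_win)
            if rate >= min_dispute_rate:
                flagged[term] = f"{len(cards)} distinct cards within {window}, {rate:.0%} disputed"
                break
    return flagged
```

The dispute rate is what separates the rogue terminal from the kiosk: both see many distinct cards in a few minutes, but only the rogue one accumulates chargebacks.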

Thieves aren't after money, they're after personal data

However, this does not mean you can relax and breathe out. To make a profit, an attacker does not necessarily have to steal money; sometimes the card data alone is enough: the number and the expiration date. And it is precisely this information that attackers are better at capturing.

Since legitimate POS terminals are relatively expensive, thousands or even tens of thousands of rubles, attackers often use homemade readers that cost pennies. Such a device consists of at least an antenna, a controller board and an interface for connecting to a PC. Outwardly they resemble legitimate devices but can be several times smaller, which lets the thief stay unnoticed in a crowd for longer and make more attempts to capture information. An even cheaper way to get a reader is to set up your own NFC-equipped smartphone with special software, in which case the costs are minimal.

Example of a custom device

Many will ask how a stolen card number and expiration date can help an attacker. It turns out there are a number of online marketplaces where this information alone is enough to complete a transaction: they do not even ask for the three-digit CVV or an SMS confirmation code. And these are not some drug and weapon shops on the darknet, but the entirely legal Amazon, eBay and AliExpress.

The easiest way to prevent virtual theft of funds is to call your bank and ask it to require confirmation from you for every payment made without the physical presence of the card. The popular payment systems, Visa and MasterCard, call this option 3D-Secure. As in most cases, do not underestimate the vulnerabilities of default settings.

There is little theft by air, but every year the earnings of scammers are growing

In the UK, according to Financial Fraud Action UK analysts, in 2024 fraudsters stole £2.8 million over the air, and in 2024 the amount was close to £7 million. That is a trifle compared with the total turnover of contactless payments (£25.5 billion in 2024), but it is clear that criminals are increasingly interested in the vulnerabilities of PayPass and its analogues. There are some statistics for Russia as well: in 2024, according to the Zecurion company, approximately 2 million rubles were stolen from Russians using homemade terminals.

It's easy to protect yourself, but you'll have to spend a little money

Changing the settings at your bank is useful. However, it is more important to physically protect yourself from theft at the first stage.
— You can use special shielded sleeves for cards. Some banks even give them to clients on holidays. It would also be a good idea to buy a wallet with protected compartments for bank cards, says Alexey Lukatsky. There are now plenty of manufacturers of such wallets, from very budget options costing a few hundred rubles to luxury accessories costing tens of thousands of rubles.

However, if your old wallet is dear to you and you don't want to part with it, you can buy a special gadget shaped like an ordinary bank card that blocks NFC signals. They are usually inexpensive, up to 1000 rubles.

Yaroslav Babin, head of the banking systems security research group at Positive Technologies, told Life that the operating principles of contactless payment already restrict an attacker's room for maneuver. For example, some terminals can read information from only one card held against them at a time.

— In most cases, the user carries a bank card in a wallet or a special holder in which other bank cards are usually stored as well. Debiting funds at lightning speed in such situations is quite problematic, Babin noted.

(c) Roman Kildyushkin