The number of fraudulent operations with payment cards over the past year amounted to 77.6 thousand cases. For comparison, in 2016 there were 95 thousand. The decrease in activity is described by the fact that banks tirelessly fight with technological methods of fraud, the most popular of which are skimming and cash trapping. Banks are introducing more modern and secure technologies more actively, such as chip cards, contactless reading technologies, and mobile banking applications for smartphones and other gadgets.
According to the National Bank of Ukraine research, the share of non-cash payments in Ukraine in the first half of 2018 increased to 44.1%. This is by 5.8 percentage points more compared to the results of the first half of 2017 (38.3%). The total number of transactions using bank payment cards for the first six months of 2018 was 1,835.0 million units, and their volume was 1,298.5 billion UAH. These indicators compared with the first half of 2017 increased by 28.2 and 41.0% respectively.
At the same time, it should be noted that the rate of fraudulent transactions performed via the Internet has significantly increased. Experts say that the fraudsters “switched” from technological methods to psychological ones. The so-called “social engineering” is a complex of methods for managing human actions using features of the human psyche.
The easiest and the most effective way is a fake online store. “Customer” comes for big discounts, cheap goods. But certainly with the condition of prepayment. After all, the goods are “quickly bought up”. Or scammers create a site-clone, which is designed to transfer money from card to card. At the same time, fraudsters generously pay for contextual advertising and raise a fake website in the top search ranking, organize fake positive reviews. Users, unfortunately, consider these tools as a guarantee of the popularity and security of the site.
Another common method is fishing. This is when scammers in any way force the client to provide data for the card account. For example, sending a text message on the phone that the bank card is locked and in order to unlock it you need to call the specified phone number. As a rule, the victim immediately calls back without thinking. The attackers are picking up the phone. They appear to be employees of the bank and are very likely asking for all confidential information, allegedly for going through the identification procedure. The method is so effective that card users manage to dictate even card data, CVV2 / CVC2 and PIN codes by phone.
The leader of the popularity of fraudsters is also the script “purchase by ad.” A fraudster, playing the role of a “buyer”, agrees with the seller about the purchase and asks for the card number to transfer money. Next, the second fraudster calls back to the seller, in the role of a “bank employee”, who states that the payment cannot be made without additional data: PIN, CVV2 / CVC2 code, expiration date.
The next way of “social engineering” is computer virus, banking Trojans. The so-called spyware that steals the data of bank cards and applications works with these cards. After activation, they either block the interface of the banking application with an identical copy of their own, or intercept SMS from banks with confirmation and debit codes.
Returning to the methods of protection, first of all it is necessary to talk about contactless cards. This is a higher level of plastic protection. After all, in addition to multi-level protection and the latest technology, these cards always remain with the owner. They do not need to be transferred anywhere, there is no need to read the card. But a weak spot lies therein. If the card is stolen or lost, the attacker can easily pay for the goods in any store without having any information about the card and its owner, until, of course, the owner blocks the card. Now in Ukraine, the PIN code must be entered for payments over 100 UAH via PayPass from MasterCard and for payments over 500 UAH when using PayWave from Visa.
Contactless cards are RFID technology (Radio Frequency IDentification, “radio frequency identification”). That is, a method for automatically identifying objects in which radio signals are read or data stored in so-called transponders (RFID tags) are written. RFID tags, in turn, integrate the chip and antenna for receiving and transmitting the signal. When the antenna enters the reader field, an electrical current is generated that feeds the chip. The range of the reader depends on its type and can range from a few centimeters to 30 meters (long-distance identification readers). For data transmission, NFC (Near field communication,) technology is used, which operates at a distance of no more than 10 centimeters at a frequency of 13.56 MHz.
The range of data transmission via NFC is in fact the first barrier of protection. When the card is brought close to the terminal, it is impossible to read the information. But, if the transaction takes place at a distance, then the fraudsters have already invented a non-standard reader, which “works” at a distance. Also, Spanish hackers Ricardo Rodriguez and Jose Villa have already come up with the concept of the Trojan. It turns the user’s smartphone into something like an NFC-signal repeater. This happens when the phone and the card lie together. Through NFC, you can steal not the “transaction itself”, it is reliably protected by encryption with a one-time code, but information about a bank card.
The EMV standard allows storage in the data card chip in unencrypted form. Such data may include the card number, its validity period, several recent transactions, etc. The kind of information and how it is stored in the chip is determined by the payment system and the issuing bank. This data can be read even with the help of a regular smartphone, by installing a completely legal application on it (for example, Bank card reader NFC). Despite the fact that this seemingly open information does not jeopardize the security of the card, the reality is that, increasingly, many online retailers have ceased to require the CVV2 / CVC2 card code required for online purchase.
Today, the reality is that even despite the technology with good multifactor protection, no one will give a 100% guarantee of money protection. Too much all depends on the additional settings of the outlets, as well as on the staff who accepts cards for payments, not observing the safety instructions.
Smartphone as a means of payment is another way to protect against NFC-fraud. This is when instead of a card they use a telephone, that is, a mobile software application tied to a card account. With its help, a mobile device with contactless payment support transmits data about a payment transaction through a channel protected by encryption. Data is stored in the memory of a smartphone or tablet. This model significantly reduces the likelihood of simulating an NFC payment and data interception by hackers. If the user has not unlocked the smartphone and has not activated the mobile application to which the card is attached, an attack using the relay is impossible. Although NFC carriers are also vulnerable, the gadgets themselves are not protected. Receiving devices also do not guarantee 100% security: POS-terminals, ATMs may also be infected with malicious software. All of these threats are not only about the most popular card NFC technologies PayWave and PayPass from the Visa and MasterCard payment systems, but also systems issued on the market by mobile operators such as Vodafone Pay and Smart Groshi (Kyivstar), as well as software solutions Apple Pay and Google Pay (G Pay), which became widespread recently.
Summing up, we can conclude that modern technology is more often prevail over the fraudsters. Also, the percentage of users’ illiteracy has significantly decreased; however, experts say that this is a merit of gadgets and installed applications. It is the laziness of users who have become the engine of progress in this matter, because it is much easier to attach a smartphone to a reader than to search for a card, enter data, and double-check details.
In turn, bank employees do not cease to remind about the rules for using payment cards, the need to be circumspect, and the importance of non-disclosure of information. So, still the most common misconception among cardholders are the myths that if a card is used less, then the risk of fraud is zero, or if the money is withdrawn from the card at once and the whole amount, then they will be more In safety.
Unfortunately, users do not understand that even if you store the card under the mattress, you can successfully find out its data via e-mail, “an unexpected call from the bank”, false sites, etc. Even if there is absolutely no money on the card, an attacker can withdraw funds for the amount of the credit limit. After all, the majority of fraudulent transactions arise precisely on ignorance, illiteracy or user uncertainty.