Cyberwars: The Credit Card Info Stealing App

Want to steal someone’s credit card information? There’s an App for that! Yes, it seems that smartphones are the latest tool in the identity and info thief’s arsenal, just a few years after it was reported that laptops were being used to read people’s passports. And the worst part of it is, it can be done using a technology that is perfectly legal, and worse, was designed to make the life of consumers that much easier.

MasterCard calls the App PayPass, while Visa calls it payWave. Simply wave your credit card over a sensor and you’ve made a transaction, without the hassle of having to remember or enter a PIN number. But one of the unintended downsides is that it also makes it that much easier for a third party to steal your credit card information, and just as quickly and conveniently.

An investigative report was recently performed by CBC News and Mandy Woodland, a St. John’s lawyer who specializes in technology and privacy law. Using a Samsung Galaxy SIII, one of the most popular on the market today, the team downloaded a free app from the Google Play store to read information such as a card number, expiry date and cardholder name simply by holding the smartphone over a debit or credit card.

According to their report, a thief can simply walk by, pause and read the information through an unwitting person’s coat and wallet, and then the information can be sent to another phone. The entire process only takes five minutes to download the App, and just seconds to obtain the credit card info. After conducting the process with a team member’s credit card, they used the stolen information to buy a coke.

Naturally, the process could be used to pay for gas, a new computer, or plane tickets to a vacation paradise! And as Woodland said in an interview with CBC:

It’s always a concern when a stranger could obtain my personal information and my banking and financial information just from a simple walk by, particularly the fact that that worked so quickly.

Furthermore, Michael Legary, who runs a security company called Seccuris Inc., claims they have investigated cases where phones paired with these apps were used to commit credit card fraud. Legary also claims that the app has become a tool for organized crime in Europe:

They don’t even need to talk to you or touch you, they can get information about who you are. That may make you more of a target for certain types of crime.

But of course, credit card companies would like their clients not to worry. In a written statement, Visa claimed that there have been no reports of fraud perpetrated by reading its payWave cards in the manner shown by the CBC. Citing the many layers of protection and identity security, Visa points to its record, which it claims shows historic lows of fraud. MasterCard similarly claimed that its customers are protected, specifically by MasterCard’s Zero Liability Policy. My only answer to that is, wait a while…

At the same time, Google has announced, in response to this investigation, that it would remove any app that violated Google’s developer distribution agreement or content policies. However, the app in question is still available on Google’s download site.

In conjunction with other forms of identity theft and RFID skimming, this latest revelation only adds to the growing concern that technologies which are designed for convenience are being abused to make our lives more harassed and insecure. It also raises an important issue about corporate security in the digital age.

Much like with internet security and hackers, there appears to be a constant back and forth between thieves and credit card companies, the one erecting more and more barriers of security and the other coming up with more elaborate ways to beat them. As for the rest of us, it seems we can only be vigilant. But if possible, it might be smart to purchase a Faraday pouch for your personal effects!

In the meantime, here is a demonstration of the credit card “skimming” at work.


Sources: CBC.ca, huffingtonpost.ca

The Boston Manhunt: A Victory for Technology?

It was announced yesterday that after an intense manhunt, a prolonged shootout, and the death of an MIT police officer, the second and final suspect in the Boston bombing was finally captured. The suspects were identified as Tamerlan and Dzhokhar A. Tsarnaev; the eldest brother was killed during the shootout in Watertown, and the latter was captured while hiding under an overturned boat at a nearby residence.

Naturally, there are still many questions about the two brothers when it comes to their motives and whether or not they had any help in the commission of this crime. But in the meantime, one can’t help but acknowledge the swiftness with which the suspects were identified and the case resolved. Considering the fact that the police had no leads and no one had come forward to take credit, the fact that the men responsible were captured and killed within four days is nothing short of astounding.

So compared to past instances of terrorist acts – where the incident took place in a mass gathering and the perpetrators were mixed in with the crowd – what was different here? For one, the sheer amount of information that was provided by people who were on the scene. From torrents of photography to cell-tower information to locals’ memories, the police, FBI, and other investigators opened their investigation to spectator surveillance in a way like never before.

And in return, they received a mountain of data, which surprisingly proved quite helpful. Between the images submitted to the police from those who took pictures and video with their smartphones, PDAs and video cameras, and tips provided via Twitter and other social media, the police were quickly able to determine who the likely suspects were and how the bombing took place. After the police made their findings public, the suspects fled, and committed the monumentally stupid mistake of drawing attention to themselves.

All this represented a modern twist on the age-old policy where law enforcement agencies consider the public’s eyes and ears as the crucial investigative asset. Just like with all cases, authorities opened their inquiry to account for what people saw and heard. The only real difference was that this time around, the Internet rapidly compressed the time it took for tips to arrive and get analyzed.

Mike Rolince, a retired FBI special agent who set up Boston’s first Joint Terrorism Task Force, recalls a time in the 90’s when the FBI was much more reticent about accepting information from the public and local police:

If law enforcement didn’t share any information — [as with bombers] Terry Nichols, Ted Kaczynski — if your intel is shared with no one, that is the consummate investigative challenge.

However, he acknowledges that things have since changed:

The great advantage here is the number of cameras out there. Without the cameras, I don’t know where we are.

But of course, those cameras went way beyond the surveillance cameras that were in place downtown. They included every mobile camera in the hands of every person who happened to bring one. All of the information thus provided allowed the FBI and local police to turn a crime scene trampled by thousands, with no leads, into a solid case against two suspects and an active manhunt that led to their death and capture in four days’ time.

This was a victory for not only modern technology but the very democratic powers it is making possible. Much like crowdsourcing, crowdfunding, DIY research and biohacking, public surveillance is something which could very well turn the tables on terrorism. It could also go a long way to undermining fears about a surveillance-based Big Brother state, ushering in instead an era of public-government cooperation that provides for the common good.

Might sound a bit utopian, but it is a first and represents a big victory for all those who were fighting on the side of good in the midst of a heinous act of evil.

Source: Wired.com