When was the last time you paid for a transaction in cash?
We all use electronic forms of payment these days, and in some cases people just don’t carry cash anymore. So, what are the various forms of electronic payments we use? The following are the usual examples:
- Credit/Debit Cards (in person or online)
- Direct Debit and Standing Orders through our Banks
- Online Payments (e.g. PayPal)
- Contact-less Payments using our credit/debit cards and our smart phones/watches
- Pre-paid debit cards.
More of these are emerging every day, but what are the risks associated with these forms of payment?
Most people won’t consider the risks associated with paying electronically, and for this purpose I will treat as electronic any form of payment that doesn’t involve handing over bank notes and/or coins in the relevant currency. The following are some of the risks we should be considering:
- Payment details being disclosed as part of Data Breaches on Websites
- Card Skimming
- Unauthorized contact-less payments
- Direct Debit abuse
- Card theft.
Let’s look at some of these in a little more detail.
Every day we are hearing of new data breaches where hackers have obtained unauthorised access to systems operated by companies. These data breaches often include personal information that can be used in frauds and to gain access to other accounts. This can include:
- Names, Addresses, Telephone Numbers
- Transaction histories
- Social Security Numbers, Tax details
- Financial Records
- Login details, including your Id and Password
- Credit/Debit Card details.
All of this information can be used to attack other websites (see also my blog on Credential Stuffing Attacks for more details), as well as in other forms of cyber attack and identity theft.
All this personal information should be stored on the website’s systems in an encrypted form, and if this were always the case we would be protected to some degree. However, a lot of websites do not encrypt your personal details when they store them (encryption at rest), even though they do encrypt them when they transmit them over https (encryption in transit). Even when data is encrypted at rest, it is not impossible to decrypt, especially when the website employs weak encryption.
A lot of this information is sold on the dark web to cyber criminals as well as to the traditional sort of criminal. The ‘';--have i been pwned?’ website is a very good source of information on data breaches, as well as a checking service to see if your email/password has been disclosed.
You don’t really have much power here, except by not using a credit card directly and instead using a service like PayPal, which masks the actual credit card and should be protected by a strong password and 2-factor authentication. Another way is to select the option not to store your credit card details on the website. In this case all the website should be retaining is the payment token and authorisation provided by the payment service, not your credit card details. However, ensure you are using an https connection so that this information is encrypted in transit to the website.
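One way a website operator can check that it really is retaining only the token and authorisation, and not the card number, is to scan the records it persists for anything that looks like a full card number. The following is an added example, not code from the original post: the records are constructed sample data, and the function names `find_pans` and `violations` are my own choices.

```python
import re

# Constructed sample records: what a checkout system might persist after payment.
# The safe record keeps only the payment service's token, the authorisation code
# and the last four digits; the bad one has a full card number typed into a note.
SAFE_RECORD = {
    "customer": "alice@example.com",
    "payment_token": "tok_constructed_8f3a21",
    "auth_code": "A1B2C3",
    "last4": "4242",
}
BAD_RECORD = {
    "customer": "bob@example.com",
    "payment_token": "tok_constructed_77c0de",
    "auth_code": "Z9Y8X7",
    "note": "card 4242 4242 4242 4242 exp 12/29 cvv 123",
}

# 13 to 19 digits, optionally separated by spaces or dashes, not part of a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test that every real card number must pass."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digit strings in text that have card-number length and pass Luhn."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            hits.append(digits)
    return hits


def violations(record: dict) -> dict:
    """Map field name -> card numbers found, for every field that leaks a PAN.
    A Luhn-valid order or reference number can cause a false positive (about 1 in 10
    random digit runs pass Luhn), so hits should be reviewed, not auto-deleted."""
    found = {k: find_pans(str(v)) for k, v in record.items()}
    return {k: v for k, v in found.items() if v}
```

Run `violations` over each record before it is written to the database, or over an existing table as an at-rest audit; the safe record yields nothing, the bad one flags the `note` field.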
Card skimming is where the credit/debit card details are read from your card and stored. This will include the long 16 digit credit card number and the expiry date of the card in question. What isn’t normally taken by this method is the 3 digit CVV number that is normally printed on the signature strip on the back of your card.
Skimming often works by scanning the magnetic stripe on the back of your card, which in the past wasn’t encrypted. Today, with modern Chip and PIN cards, the credit card data is encoded into the chip and is encrypted. Any would-be skimmer would need to be able to decrypt the card details, and, if the details can be read at all, this is by no means impossible.
If someone has the full details from the front of your card and the CVV number, they can use that information to make payments on your card and this could be very easily done using a smartphone camera.
The best defence here is never to let your credit/debit card out of your sight. If someone looks like they are doing something with your card, treat it as suspicious and possibly have the card cancelled and replaced.
Unauthorized Contact-less Payments
You will see an icon on your card that looks like a radio wave. This indicates that the card can be used for contact-less payments. Depending on the country you are in, the limit for a contact-less payment can be set at £30 (UK) and at other values in other countries. Recent changes in legislation in some countries allow you to exceed this limit if you enter your credit card PIN. If you want to see the limits by country, there is a very good Wikipedia page on Contact-less Payments.
It should be noted that some countries do not impose any limit on how much you can pay via contact-less means and you should be aware of the limits when traveling (see the Wikipedia page above for more info).
It is very easy to process a contact-less payment without your knowledge. Take a look at this rather amusing video on YouTube:
It is literally that easy. It wouldn’t take much to implement a contact-less card reader in the form of a wearable that could be used by criminals. However, this is unlikely since this is a risky practice. There are a lot of safer/easier ways to get your credit card details and use them to defraud you.
In researching this topic I found a number of articles that stated there has never been a fraud perpetrated in this manner, but seriously how are you going to know?
This can also be done using your phone if you have Near Field Communication (NFC) active and a payment app set up using one of the various mobile payment options. Some protect transactions by enforcing a security measure (e.g. a fingerprint ID or PIN). However, if you have a contact-less payment method on your mobile phone, it is best to switch off the NFC function unless you are using it for a payment or for exchanging other data.
You can also purchase a wallet for your credit/debit cards that blocks Radio Frequency Identification (RFID), the radio frequencies used by NFC and by contact-less credit/debit cards. These can be purchased readily online as well as in shops.
If you want to check this out, take an old expired credit card and install an app on your smart phone that reads RFID sources (e.g. NFC Tools on the Google Play Store for Android users – others exist for iOS users). Try reading your old credit card from your smart phone and you should get back some info from the card – but not the payment information, since this is secured. Put the same credit card in the RFID secured wallet and repeat – nothing should be read.
If you want more info on how RFID works, Wikipedia has a very good article on this.
Direct Debit abuse
This is somewhat harder to achieve since you have to provide various banking details to a website. However, if that website is fraudulent, or a phishing website, it is very easy to be fooled into setting up a malicious direct debit. The best way to secure yourself here is to be very careful when setting up these types of mandates.
We all use electronic methods of payment, and I hope the above has explained some of the risks associated with these methods.
I would recommend the following precautions:
- Examine your bank and credit card statements for unsuspected/unknown transactions and where indicated dispute them with your bank or credit card company
- Get your credit/debit card cancelled and replaced if:
  - It has been disclosed in some way (e.g. skimming, data breach) or you see unknown payments on your statement
  - Your card has been lost or stolen (as soon as you notice it)
  - You suspect a credit/debit card has been tampered with
  - You have payment cards programmed into your phone and it is lost or stolen
- Turn off NFC on your smart phone/smart watch unless you are using it
- Don’t put all your credit/debit cards into your phone
- Limit what credit cards you allow to be stored on websites
- Use non-payment card services like PayPal when paying online wherever possible.
Another precaution is to have a dedicated credit card for online transactions and another for use in person. If the online credit card is disclosed in a data breach, then at least you have the other card you can use.
When you are on holiday you can always use a pre-paid debit card, which will limit your liability to what is on the card.
When you are setting up Direct Debit Mandates, these should be thoroughly vetted and authenticated.
Don’t carry all your credit/debit cards when on holiday or when in a place where there is a high risk of theft when you are distracted (e.g. in a club, concert).
When you are on holiday (or traveling on business) make sure you lock away any unused credit cards in the hotel safe. Most hotels have a safe in the room, or a safekeeping facility. If this is not available, the only recourse you have is to lock them in your suitcase, but that is very insecure and not recommended.