
Appropriating money via payment card even though the card is still in the wallet, experts warn

By Bùi Đăng Minh, Monday, June 22, 2026. 18 min read.
Some types of bank cards (Photo: Vi Quang).

New sophisticated tricks

Recently, many banks in Vietnam have issued warnings about a scam called "token relay" or "ghost tapping".

This method can cause users to lose money or incur unauthorized transactions even when the physical card is still in the wallet.

Fraud scenarios usually start with the crook impersonating a bank employee or an authority and sending a link or a malicious QR code to lure the victim into providing card details: the card number, expiration date, CVV/CVC security code and OTP authentication code.

After obtaining this data, the attacker can link the victim's card to digital payment services such as Apple Pay, Google Pay or Samsung Wallet on devices under their control.

This process creates a digital payment identifier (payment token) that is used in place of physical card information in contactless transactions.

From that point on, the crook's device can make payments at POS terminals just as the cardholder would.

In some cases, the perpetrators can link the same card to several different devices if they pass the required authentication steps, increasing the number of fraudulent transactions in a short time so the money can be moved out quickly.

Because the physical card remains in the wallet, many people do not realize that the card information has been leaked or has been illegally linked to another device until they receive a transaction notification or discover that their account has been charged.

Need to set up biometric authentication when adding cards

Cybersecurity expert Ngo Minh Hieu (Anti-Fraud Project) said: "The nature of the incident is not that Apple Pay, Google Pay or Samsung Wallet were 'hacked', but that the crooks captured the card information and OTP code to register the victim's card on their device. Once the card has been successfully linked, the bank will issue a payment token to that device.

"From this point on, thieves can use their phone to make contactless payments, even though the physical card is still in the victim's wallet. The dangerous point is that the OTP the victim provides is not actually to 'verify the account' as the crooks claim, but is the confirmation code for adding a card to a digital wallet. The system therefore treats it as a valid request from the cardholder."

According to Mr. Hieu, an SMS OTP is not enough for sensitive operations such as adding a card to a digital wallet. Banks should switch to authentication inside the banking app, with biometrics, clear information about the device the card is being added to, the wallet type, the time and the approximate location, and a prominent warning: "You are adding a card to Apple Pay/Google Pay on a new device."

In high-risk cases, additional authentication steps should be required, such as confirmation in the banking app, liveness/biometric checks, a call back via the official switchboard, or a waiting period. In addition, newly linked wallets should have reduced limits for the first 24-48 hours to cut losses if fraud does occur.

"Banks need to look at risk in a chain, not just in individual transactions. For example, a card has just been added to a new device, then multiple consecutive transactions of high value such as phones, gold, luxury goods, or transactions at unusual geographical locations must be scored as high risk.

"Signs such as a card being linked to multiple devices in a short time, multiple transactions, splitting of amounts, unusual country/city changes, or a first transaction right after a wallet is added should trigger an automatic mechanism: temporarily lock the digital wallet token, request re-verification in the banking app, or block the transaction before the money is withdrawn," Mr. Hieu said.
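The chain-based risk scoring Mr. Hieu describes can be sketched as a small rule engine over provisioning and payment events. The code below is an added example written for this article; it is not software from any bank, wallet provider, or from the expert quoted, and the event schema, the thresholds (48-hour new-token window, 20,000,000 VND high-value line, 15-minute burst window), the merchant categories and the sample events are all constructed assumptions.

```python
"""Added example: chain-based risk scoring for wallet-token events.

Illustrative code written for this article, not a bank's or wallet
provider's system. Event fields, thresholds and sample data are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta

HIGH_RISK_MCC = {"electronics", "jewelry", "luxury"}  # assumed merchant categories
NEW_TOKEN_WINDOW = timedelta(hours=48)      # "limit newly linked wallets for 24-48 h"
FIRST_TXN_WINDOW = timedelta(minutes=30)    # first payment right after provisioning
MULTI_DEVICE_WINDOW = timedelta(hours=24)   # same card linked to several devices
SPLIT_WINDOW = timedelta(minutes=15)        # several smaller payments in a burst
HIGH_VALUE = 20_000_000                     # assumed threshold, VND


@dataclass
class Event:
    kind: str            # "provision" (card added to a wallet) or "payment"
    card: str
    device: str
    ts: datetime
    country: str
    amount: int = 0
    mcc: str = ""


@dataclass
class CardState:
    devices: dict = field(default_factory=dict)   # device -> provisioning time
    payments: list = field(default_factory=list)  # payment history for the card
    home_country: str = ""                        # country of first provisioning


def score_event(ev: Event, state: CardState) -> tuple[int, list[str]]:
    """Return (risk score, reasons) for one event, given the card's history."""
    score, reasons = 0, []
    if ev.kind == "provision":
        recent = [t for t in state.devices.values() if ev.ts - t <= MULTI_DEVICE_WINDOW]
        state.devices[ev.device] = ev.ts
        if not state.home_country:
            state.home_country = ev.country
        if recent:  # another device was linked to this card within the window
            score += 40
            reasons.append(f"card linked to {len(recent) + 1} devices within 24h")
        return score, reasons

    linked_at = state.devices.get(ev.device)
    if linked_at is None:
        return 100, ["payment from a device with no provisioning record"]
    age = ev.ts - linked_at
    if age <= FIRST_TXN_WINDOW:
        score += 30
        reasons.append("first payment right after wallet provisioning")
    if age <= NEW_TOKEN_WINDOW and ev.amount >= HIGH_VALUE:
        score += 30
        reasons.append("high-value payment on a token younger than 48h")
    if ev.mcc in HIGH_RISK_MCC:
        score += 15
        reasons.append(f"high-risk merchant category: {ev.mcc}")
    if state.home_country and ev.country != state.home_country:
        score += 25
        reasons.append(f"country changed {state.home_country} -> {ev.country}")
    # amount splitting: several payments from the same device inside a short burst
    burst = [p for p in state.payments
             if p.device == ev.device and ev.ts - p.ts <= SPLIT_WINDOW]
    if len(burst) >= 2 and sum(p.amount for p in burst) + ev.amount >= HIGH_VALUE:
        score += 25
        reasons.append("amount split across several payments in 15 minutes")
    state.payments.append(ev)
    return score, reasons


def decide(score: int) -> str:
    """Map a score to the automatic responses described in the article."""
    if score >= 70:
        return "block_and_suspend_token"   # block payment, lock the wallet token
    if score >= 40:
        return "step_up_in_banking_app"    # require re-verification in the app
    return "allow"


def run(events: list[Event]) -> list[tuple]:
    """Score events in time order, keeping per-card state across the chain."""
    states: dict[str, CardState] = {}
    out = []
    for ev in sorted(events, key=lambda e: e.ts):
        st = states.setdefault(ev.card, CardState())
        score, reasons = score_event(ev, st)
        out.append((ev.ts.isoformat(), ev.kind, ev.device, score, decide(score), reasons))
    return out


# Constructed sample: a legitimate phone, then two extra devices provisioned
# minutes apart, a burst of split electronics payments and a purchase abroad.
T0 = datetime(2026, 6, 22, 9, 0)
D3 = T0 + timedelta(days=3, hours=2)
SAMPLE = [
    Event("provision", "card-A", "phone-1", T0, "VN"),
    Event("payment", "card-A", "phone-1", T0 + timedelta(days=3), "VN", 150_000, "grocery"),
    Event("provision", "card-A", "phone-2", D3, "VN"),
    Event("provision", "card-A", "phone-3", D3 + timedelta(minutes=3), "VN"),
    Event("payment", "card-A", "phone-2", D3 + timedelta(minutes=5), "VN", 9_000_000, "electronics"),
    Event("payment", "card-A", "phone-2", D3 + timedelta(minutes=8), "VN", 9_000_000, "electronics"),
    Event("payment", "card-A", "phone-2", D3 + timedelta(minutes=11), "VN", 9_000_000, "electronics"),
    Event("payment", "card-A", "phone-3", D3 + timedelta(minutes=20), "SG", 25_000_000, "jewelry"),
]

if __name__ == "__main__":
    for row in run(SAMPLE):
        print(*row)
```

Each signal adds to a per-card score instead of being judged alone, so the third 9,000,000 VND payment, which is unremarkable by itself, crosses the blocking threshold because it completes a split burst on a token provisioned minutes earlier. Real deployments would tune the weights on historical fraud data and expire old payment history rather than keep it forever.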

To protect assets against this form of fraud, experts advise card users to strictly follow the following security principles:

- Do not provide the card number, expiration date, CVV/CVC and especially the OTP to anyone, including people claiming to be bank employees, police or authorities.

- When receiving an OTP, read the message carefully to see what the code is for. If it mentions "wallet link", "Apple Pay", "Google Pay" or "Samsung Wallet" and you did not initiate that action yourself, do not enter the code or read it to anyone.

- Only add cards to a digital wallet from the official banking or wallet app on your own device. Turn on balance change notifications, set card limits, check the list of linked devices/wallets, and lock the card as soon as you see a strange transaction.

- If you have accidentally given out an OTP or card information, immediately call the bank hotline to lock the card and the digital wallet token, and save evidence to report to the authorities.

- Adding the card to Apple Pay/Google Pay yourself lets you use it more safely. Avoid handing a physical credit card to anyone suspicious, and if you must hand it over, keep it in sight at all times.

Source: Dân trí