The Green Sheet, Inc


Friday, December 14, 2018

Malware attacks PayPal, exploits Android

ESET researchers disclosed Dec. 11, 2018, that a Trojan attack vector is exploiting a weakness in the Android operating system. The internet security provider said the malware targets Android users who access the PayPal app and warned that it can override two-factor authentication. The malicious app is designed to steal money from PayPal accounts and phish for credit card credentials by placing overlays on Google Play, WhatsApp, Skype, Viber, and Gmail.

In a blog post titled “Android Trojan steals money from PayPal accounts, even with 2FA on,” researchers observed that four of the five overlays phish for credit card details. They speculate the Gmail overlay is being used to identify PayPal email notifications, adding, “With access to the victim’s Gmail account, the attackers could delete such emails to remain unnoticed longer.”

Will LaSala, director of security solutions and security evangelist at OneSpan, observed that unlike typical malware strains, the new scheme appears to transfer money from PayPal to the attacker’s account. This underscores the risk of installing apps from unknown sources and the ease with which overlay attacks can hijack a strong application, he stated.

Far-reaching capabilities

“This starts with the user being tricked into downloading a simple utility app, which is in actuality a malware application,” LaSala said. “What is concerning is that this malware app can download other applications, so even though today’s attack is against PayPal, this attack could easily be repurposed to attack any other application on the user’s mobile device.”

Researchers cited the following additional capabilities and threats in the malicious code:

Accessibility permissions

ESET researchers noted that the authors of the PayPal-targeting attack exploited accessibility permission levels to obtain control of Android devices. Sam Bakken, senior product marketing manager at OneSpan, said accessibility permission levels can be extremely powerful, especially when they get into the wrong hands.

“[W]hen we download an app, we need to think hard about whether there's actually good reason to grant an app the permissions it asks for, and really, to be safest we should default to not granting those permissions even if it means you can't use that particular app,” Bakken said.

LaSala agreed, advising consumers to examine permission levels when installing third-party applications. “Permissions are not always clear cut, and if a user is questioning a permission it is better not to allow the permission and ask the developer for more information before allowing it,” he explained. “Open communication with the app developer and full clear understanding of how an app works are key objectives to any app developer for their users.”

Application shielding

Bakken advises consumers to fully vet apps, patronize official app stores and read consumer reviews, “especially the negative reviews, as miscreants are known to create fake positive reviews of their apps in order to hook more victims,” he said.

Both Bakken and LaSala would like to see mobile application developers and publishers use app shielding technology that can detect and shut down malicious behaviors, stopping mobile app fraud before it takes place.

“Solutions such as mobile application shielding prevent screen overlay attacks and can render this type of attack useless,” LaSala added. “Additionally, application providers should use application repackage prevention technologies and only publish their application on official app stores, as this will further strengthen the bond for their users and encourage them to also only get their applications from the trusted app stores.”

Pandora enters, Chatspin exits cryptocurrency's revolving door
Tuesday, December 11, 2018

New product offerings and fluctuating prices continue to roil the cryptocurrency ecosystem, most recently with the Dec. 3, 2018, launch of a new trading platform called Pandora (not to be confused with the jewelry merchant or music streaming service) followed by Chatspin's decision to stop accepting cryptocurrency three days later. Enthusiasts view these signs of market volatility as further evidence that cryptocurrency schemes are gaining public awareness.

Anton Kulikov, CEO at Pandora, described the service as a next-generation cryptocurrency trading platform, with forex trading technology designed to simplify cryptocurrency trading and portfolio management. "PANDORA is honored to usher in the next wave of cryptocurrency trading, with a complete solution for traders who want to leverage robust, professional tools to invest in the cryptocurrency market," he said. "Through PANDORA, investors will find managing their cryptocurrency portfolios easier than ever, using some of the same trading and analytical solutions that professional traders have relied upon for years."

Designed to bridge the gap between traditional currency and cryptocurrency exchanges, Pandora provides traders with a suite of digital tools. The all-in-one resource includes alert settings, trading bots and a social trading tool that reprises professional trading models. Company representatives said Pandora can synchronize with Binance, Bitfinex, Kucoin, Poloniex and other trading platforms, using available APIs. The platform's advanced capabilities will improve cryptocurrency market access while enhancing its professional credibility, the company stated.

Too unstable for subscription billing

Cryptocurrency naysayers continue to express disillusionment with cryptocurrency pricing and question whether these decentralized currency schemes will achieve widespread public acceptance. Chatspin, a live video streaming app, disclosed Dec. 6, 2018, that it will no longer accept cryptocurrency payments. Chatspin press manager Shay Robin cited falling prices of bitcoin and other cryptocurrencies in the fourth quarter of 2018 as a contributing factor in the decision.

"Just a few months ago, the idea of accepting Bitcoin, Litecoin, and other cryptocurrencies as forms of payment seemed like a no-brainer," Robin said. "But, having closely followed the cryptocurrency markets, we can see no value to accepting these digital coins and feel the risk far outweighs the reward. Therefore we have ceased plans to accept any form of cryptocurrency as a method of payment."

Chatspin, a multiplatform video chat app, uses a webcam and Internet connection to randomly connect thousands of people around the world via their connected devices. Users can apply a variety of filters to adjust audio and video settings. Chatspin does not charge subscribers for basic filters and makes additional premium features available through a paid subscription model.

Robin mentioned that Chatspin's payment platform had been recently updated, at considerable expense, to enable premium feature users to pay for subscriptions in bitcoin, litecoin, and other cryptocurrencies. Subsequent market volatility in the fourth quarter of 2018 led the company to curtail support of these payment methods, deeming them too risky and unstable to support recurring billing.

Fraud, ID theft on sale this holiday season
Saturday, December 8, 2018

To celebrate the 2018 holidays, the Dark Web is having a clearance sale on personally identifiable information, offering criminals a generous inventory of names, addresses, dates of birth and Social Security numbers, at prices as low as $2 per record. Bryan Lewis, president and CEO at Intellicheck, a security technology provider, said much of the stolen data has been vetted for accuracy during a lengthy incubation period.

"Bad guys are building a product, packaging it and getting it ready for sale," Lewis said. "Before these records go on the Dark Web, they are cross-referenced and confirmed with other data."

The 2017 Equifax breach compromised 145 million civilian records, Lewis noted. This event and increasingly complex, sophisticated identity theft schemes make the 2018 holiday season a dangerous time for holiday shoppers and retailers. "Javelin Strategy and Research puts the total value of identity theft at nearly $17 billion dollars last year," he added. "On average, an identity was stolen every 1.88 seconds in the United States in 2017. More than 57 million records have been exposed this year according to the Identity Theft Resource Center."

Bad Santa

Chris Marchand, vice president, business development at Verifi, a risk mitigation company, has seen increased friendly fraud, also known as chargeback fraud, throughout the holiday season. These events increase merchant headaches and costs. They occur when consumers make purchases with their own credit cards but then, after receiving the goods or services, ask their credit card issuers to reverse charges. These false chargebacks are often triggered by credit card statement sticker shock. Some issuers would rather process a chargeback than risk losing a customer, he stated.

"Adding fuel to the fire, some customers dispute legitimate transactions due to billing confusion, such as the merchant's name not matching their trading name or forgetting about a purchase made," Marchand said. "Consequently, merchants face loss of revenue and merchandise, plus fines and fees applied by acquiring banks."

Merchants and card issuers should collaborate and share transaction information to resolve issues at the earliest possible stage, Marchand advised, adding that merchants "need to ensure they deliver the best customer experience while arming themselves against chargebacks at an already frantic time of year."

Forewarned, forearmed

Lewis said Intellicheck recently found a news organization's contact email and password for sale on the Dark Web. Intellicheck had been working with that organization, but because Intellicheck staff do not reuse passwords across sites, the exposed credential posed no risk to Intellicheck. "Fortunately, our corporate policy is they have to use different passwords [on different websites], so we weren't at risk," he said. "You open yourself up to security threats when you do that."

Javelin Strategy provided additional protections against identity theft in the whitepaper titled 2018 Identity Fraud: Fraud Enters a New Era of Complexity, as follows:

"There is enough data on every one of us; it's far too easy to steal identities," Lewis said. "Cybercriminals used to be able to steal a little bit about you, but Equifax had all the information about you in one place and for the first time, Social Security numbers are more prevalent than credit card numbers on the Dark Web."

Walmart accepting cash for in-store online ordering
Wednesday, December 5, 2018

Just in time for holiday shoppers, Walmart introduced Order and Pay. It's a new in-store ordering option that enables shoppers in physical store locations to order and pay for items that aren't available in the store. Consumers work with Walmart associates on the floor to process online orders from Walmart's Dotcom store and then pay for the items at the physical POS, along with any other items selected from the shelves.

Consumers can pay with cash, credit and debit cards, checks, and Walmart Pay. The ability to pay with cash is expected to appeal to the unbanked and underbanked, who may not have access to other payment methods or who simply prefer to use cash.

"We've known for some time that the future of the retail store will mean blurring the lines between online and offline stores, and leaders like Walmart are making this more and more into a permanent reality," stated Gavin Bisdee, Vice President of Global Marketing at Zynstra Ltd., a provider of intelligent infrastructure for retailers. "This new service from Walmart will enhance the in-store experience for consumers, making the buying process even more convenient and frictionless. It also tees up the ability to improve the productivity of Walmart store associates, giving them more cross-sell and upsell opportunities."

Online-offline blend a growing trend

Walmart isn't the only retailer to provide sales associates with apps that facilitate blending of online and offline channels. Since October 2017, Target associates have been able to use their in-store devices to create online orders for customers. Associates have mobile card readers for shoppers who want to pay quickly on the floor and avoid waiting in line at the POS. Amazon operates its Whole Foods subsidiary stores, as well as its own brick-and-mortar locations, including the cashierless Amazon Go and Amazon 4-star stores, where online and offline services are both in the mix.

"At its core, this move from Walmart is one step further in seamlessly merging its online and offline experiences to ensure that the brand is present in all the channels the customer wants to shop in," said Danielle Roberts, Senior Product Manager at Kibo, a provider of omnichannel commerce software. "With this move, when a consumer says, 'I saw this product on your website,' the Walmart associate will have one more digital tool within his/her arsenal to not only save the sale but instantly improve the experience for the shopper."

Roberts also pointed out that the initiative provides an easier way for associates to find merchandise consumers are looking for. "If you rely only on in-store inventory to save the sale, you run the risk of a product not being where it should be which is in the hands of the shopper – especially with the added chaos of the holidays," she noted. "All in all, the primary competitive advantage Walmart and other traditional retailers have over Amazon is leveraging their many stores to provide a better consumer experience. At least for now, Amazon does not have that option."

The Order and Pay service is now available year-round at 4,700 Walmart stores. It includes items featured on, but not yet its marketplace fare.

PCI SSC updates guidance for phone-based payments
Tuesday, December 4, 2018

Updated PCI Security Standards Council (PCI SSC) guidance, published Nov. 28, 2018, addresses the increasingly complex landscape of accepting payments by phone. Spearheaded by a PCI SSC Special Interest Group of call center and technology experts, Protecting Telephone-based Payment Card Data outlines best practices for mitigating fraud by removing sensitive data from scope.

Ben Rafferty, global solutions director at Semafone and Special Interest Group member, said the council last issued call center guidance in 2011, and the landscape has evolved significantly in recent years. The new guidance pertains to a new set of risks posed by Voice over Internet Protocol (VoIP), softphones and chatbots, he said, noting that these emerging technologies are potential targets for card-not-present fraud.

"Because protecting payment card data within contact centers is the core of Semafone's business, we invested our time to share our expertise for the new guidance," Rafferty said. "Drawing from our experience descoping enterprise contact centers around the globe, we hope to provide clarity on securing these critical payment channels."

Simplifying call center compliance

Recommended scope reduction techniques include masking technologies that make payment card data indecipherable to call center agents or advanced routing schemes that send card data directly to processors. These techniques have been shown to simplify compliance, safeguard data and build customer trust, experts noted.

Following are additional areas, identified by the council, in need of scope reduction:

Telephony, network segmentation

Michael Simpson, security analyst at SecurityMetrics, said phone-based payments are widely used by call centers, universities and fundraisers. These organizations should not be storing cardholder data, sensitive authentication data or CVV codes; merchants that accept credit card payments over the phone need to implement solutions that stop recording while card data is being entered, he noted.

"Unfortunately, any time you have human intervention, you'll make mistakes," he said. "Systems designed to pause when sensitive data is transmitted may still contain sensitive data because the agents forget to use the feature."

Simpson went on to say that merchants must submit annual risk assessments to their acquiring banks to get buy-off on storing sensitive data. However, not all large call centers are merchants; some are just service providers, he stated. In these cases, service providers should ask their merchant bank and merchant service provider for a copy of their annual risk assessment to make sure their storage methods are approved and compliant, he added.
