Five ways hackers could rob you blind
As hackers steal close to $1bn in the world's biggest bank raid, here are five ways hackers are getting their hands on your cash
ou may think that shopping on your local high street or buying something online using 'Verified by Visa' is safe, but as far as cyber criminals are concerned, every transaction you make is an opportunity to steal money.
Retail crime reached an all-time high during 2014, according to a report by the British Retail Consortium. Fraud, including cyber-enabled fraud, increased by 12 per cent during the year, and the BRC has warned this poses the most significant threat to retailers over the next two years.
The report stated: “Unsurprisingly, given the growth in ecommerce, the majority of fraud is committed online and retailers remain concerned about the capacity of law enforcement to respond effectively."
According to cyber security firm Sophos, there is a significant gap between the perceived level of security held by UK retailers and consumers, and the level of security that is physically in place at retail establishments across the nation.
The majority of retailers rely primarily on barebones protection, such as firewalls and antivirus, and 72 per cent admit they have not implemented basic encryption to safeguard their customers' data.
According to James Lyne, global head of research at Sophos, there is complacency and a lack of awareness surrounding cyber security in the retail sector.
In order to drive home his point, he demonstrated five ways that hackers can steal money from shoppers, using a few hundred pounds worth of equipment that he bought on Amazon.
1. Traditional credit card cloning
The first method involved cloning a credit card by lifting the information from the magnetic stripe on the back.
Although most modern cards in the UK now use chip and pin, transactions in America are still carried out using the magstripe, so any transactions that are carried out in America, or use a payment processor in the United States, will use the magstripe.
Lyne showed how, by simply swiping a credit card through a magnetic stripe card reader/writer that he bought on Amazon for £30, he was able to copy the details and then write them onto another card, which he could then use to purchase goods.
"You can imagine if you had a miniature version of that device, you could capture thousands of swipes, replicate them onto some cards, and all of a sudden you’ve got a pretty substantial amount of money across a random base of customers that’s hard to correlate," he said.
2. Chip and PIN
Chip and PIN cards are harder to clone, because unlike the magstripe, which hands over all its information as soon as you swipe it, it only allows you to ask it questions.
"So you can’t say 'What’s the PIN?' And read it. But you can say 'Here is what I think the PIN is and how you modify it, is that right?'," Lyne explained.
For Chip and PIN crime, cyber criminals will therefore generally carry out a two-pronged attack, which involves inserting a card reader into an ATM and installing a small camera above the number pad, so they can record the digits as they are being pressed.
Lyne said that, if a criminal succeeds in cloning and Chip and PIN card, it can be very difficult for retailers to detect. However, it is a lot more difficult and dangerous than cloning a magstripe, so it is less common that other types of fraud.
3. POS terminals
For larger-scale cyber fraud, hackers have been known to target point of sale (POS) terminals in shops.
The best known example of this is the attack on the Target retail chain in the US, where malware was installed on the POS terminals, allowing criminals to siphon off card details.
Lyne showed how he could create a 'back door' into a computer running a POS system using a phishing attack, and then steal a copy of the computer's memory using a simple software tool.
Once he had a copy of the computer's memory, he could search through it for the transaction process executable file, and then extract a list of credit card numbers, with corresponding expiry dates and CVV numbers, that had been used on that terminal.
The list only went back as far as the computer's memory, but he said that it was very realistic for a cyber criminal to be able to gather a day’s worth of data in this way. The criminal could also sit in the background over an extended period of time and gather much more.
4. Spoof websites
If shoppers and retailers are at risk of fraud on the high street, they are even more at risk online. Lyne showed how cyber criminals can create clones of high-end brand websites that will allow attackers to bypass systems like Verified by Visa and MasterCard SecureCode.
He registered a domain called reallysecureretail.com, and used a tool called The Social-Engineer Toolkit, which is freely available online, to create a clone of verified.visa.com/aan. He even bought an SSL certificate for it, so that a padlock displayed in the address bar at the top of the page.
he explained that, when a victim lands on the page via a phishing attack, it looks exactly like the real site, and the padlock icon creates a false sense of security, so they enter their card details. Those details are then sent straight to the attacker over the internet before the victim knows what has happened.
"The point is that the padlock doesn’t mean safe, it just means encrypted. You could have an encrypted connection to a Russian cyber criminal gang, and rest assured, you are losing your data very securely," he said.
5. Stealing Bitcoins
You might think that you are better off using a virtual currency like Bitcoin to avoid fraud, but even these are vulnerable to theft if you fall victim to a phishing attack that gives hackers access to the computer or phone you're storing them on.
Lyne showed how he could again establish a backdoor by persuading the user to visit an infected website, click a link, open an attachment or plug in a USB key, and then use a tool called Bitcoin Jacker to search for a Bitcoin wallet and transfer the contents over the internet to his own wallet.
If the wallet is encrypted, he showed how he could intall a keylogger on the victim's computer and then watch as they typed the password in before stealing the wallet, decrypting it and stealing the Bitcoins.
"What this is really taking advantage of is that lost boundary of a physical separate device, and the fact we’ve blurred it with something that does internet browsing, email and everything else at the same time," said Lyne.