Cyber attack: Brazilian hackers win the gold in credit card crime

PUBLISHED : Sunday, 07 August, 2016, 2:31pm
UPDATED : Sunday, 07 August, 2016, 9:21pm

Forget about Olympic medals. The gold and silver sought this year in Rio de Janeiro are the colours of credit and debit cards.

Brazil is arguably Latin America’s most digitally savvy nation, with more than half its 204 million population regularly using the internet.

When you have … something like the Olympic Games you have such a target-rich environment of rich targets
Alan Brill of Kroll

As many arriving tourists have quickly discovered, Brazil is also a leader in the use of digital technologies for the hacking of credit and debit cards.

“When you have … something like the Olympic Games you have such a target-rich environment of rich targets,” said Alan Brill, senior managing director of the cybersecurity practice for Kroll in New York. They are “people in many cases with far higher limits on accounts than otherwise … with more accounts, and more likely to use ATMs”.

The US cybersecurity research firm Fortinet, in a global report issued on Tuesday, warned that criminals have been ramping up for the Olympics, which run through August 21. That means they’ve been setting up malicious websites that unwary users will click on and unknowingly deliver their passwords and PIN numbers to criminals who will then use them to hack into the users’ credit and bank accounts.

“The volume of malicious and phishing artefacts (domain names and URLs) in Brazil is on the rise,” the company said, noting that the rate of increase in Brazil was several times higher than the rest of the world. “The highest percentage growth was in the malicious URL category, at 83 per cent, compared to 16 per cent for the rest of the world.”

URL fraud involves webpages that look like legitimate online-payment sites but that steal the money consumers think they are directing to purchases or payments. In an appendix, Fortinet warned that combating cybercrime is low on the list of Olympic security issues for Brazilian authorities.

Two McClatchy journalists covering the Olympics in Rio had their cards hacked and cloned soon after arrival, and a third was informed after making a remote purchase in Brazil even before arriving there that his card had been flagged as compromised.

Leila Lak, a British documentary filmmaker who works in Rio and depends on her debit card to withdraw cash for daily expenses, has been hacked repeatedly.

“Mine has been cloned several times, and my bank [in London] told me it’s very common in Brazil. They expect it,” Lak said in a telephone interview from England, adding that she had been hacked just three weeks ago.

Hacking has become such a problem in Brazil that the State Department’s Bureau of Diplomatic Security warns about it on its website.

“The use of credit card cloning devices and radio frequency interception (RFI) at restaurants, bars and public areas is epidemic in Rio,” the department’s Overseas Security Advisory Council warned in a February report published on its website.

Trend Micro, a Dallas-based IT security firm, has studied the underworld market of cybertheft in Brazil and concluded that much of it happens when hackers succeed in compromising the portable point-of-sale machines popular in restaurants and stores here.

The card-reading machines are brought to a diner’s table when the bill is paid, and after reading the chip, the cardholder must enter a four-digit personal identification number. This chip-and-PIN technology, long used in Europe, has been held out as fool proof but has quickly proved otherwise.

“The actual merchant may be wholly unaware of what’s going on,” said Christopher Budd, a global threat communications manager for Trend Micro.

The card-reading machines may be infected with malware or the malware may be operating further up the information chain, causing a theft of information, Budd said, noting that even internet servers have been compromised.

A common scheme in Brazil involves so-called Chupa Cabras, the name for plastic skimmers here placed inside the card slots of ATMs. These go unrecognised by consumers and pass all their card and log-in information to criminals.

Another scheme involves a card fitted with a doctored chip that attaches malware to the card reader. When unsuspecting cardholders later use the card reader, it transmits their card information and personal data – like expiration dates and security codes – to thieves, who quickly clone the cards.

“The bad guys are able to cause malware to be downloaded onto the point-of-sale device so that every time the card is run an unencrypted version of the data is transferred to the bad guys,” said Brill. “The good news, if there is any good news, is that banks have been using more and more sophisticated systems to … identify suspicious transactions.”

The Pokemon Go frenzy could benefit cybercriminals

Those improvements have grown out of necessity in Brazil, as card cloning now happens at breakneck speed. Criminals put McClatchy’s hacked cards to use in less than a day.

“The banks are really good at spotting when these things happen,” said Budd. “The shelf life of stolen information when it comes to credit cards is very short. When you see credit card information [for sale] in the underground, they’re going to specify how old the information is.”

Criminals in Brazil count on weak laws and weaker enforcement. There have been high-profile social media postings by hackers showing off the money they’ve stolen.

“There is a definite sense that the cybercriminals don’t feel a need to hide or in other ways take measures to prevent capture,” said Budd.