Las Vegas Review-Journal (Sunday)
Brazil’s hackers take gold in credit card crime
Criminals in digitally savvy country geared up for Olympic Games, experts say
RIO DE JANEIRO — Forget about Olympic medals. The gold and silver sought this year in Rio de Janeiro are the colors of credit and debit cards.
Brazil is arguably Latin America’s most digitally savvy nation, with more than half its 204 million population regularly using the internet.
As many arriving tourists have quickly discovered, Brazil is also a leader in the use of digital technologies for the hacking of credit and debit cards.
“When you have … something like the Olympic Games you have such a target-rich environment of rich targets,” said Alan Brill, senior managing director of the cybersecurity practice for Kroll Inc. in New York. They are “people in many cases with far higher limits on accounts than otherwise … with more accounts, and more likely to use ATMs.”
The U.S. cybersecurity research firm Fortinet, in a global report issued last week, warned that criminals have been ramping up for the Olympics, which run through Aug. 21.
That means they’ve been setting up malicious websites that unwary users will click on and unknowingly deliver their passwords and PIN numbers to criminals who will then use them to hack into the users’ credit and bank accounts.
“The volume of malicious and phishing artifacts (i.e. domain names and URLs) in Brazil is on the rise,” the company said, noting that the rate of increase in Brazil was several times higher than the rest of the world. “The highest percentage growth was in the malicious URL category, at 83 percent, compared to 16 percent for the rest of the world.”
URL fraud involves webpages that look like legitimate online-payment sites but that steal the money consumers think they are directing to purchases or payments. In an appendix, Fortinet warned that combating cybercrime is low on the list of Olympic security issues for Brazilian authorities.
Two McClatchy journalists covering the Olympics in Rio had their cards hacked and cloned soon after arrival, and a third was informed after making a remote purchase in Brazil even before arriving there that his card had been flagged as compromised.
Leila Lak, a British documentary filmmaker who works in Rio and depends on her debit card to withdraw cash for daily expenses, has been hacked repeatedly.
“Mine has been cloned several times, and my bank (in London) told me it’s very common in Brazil. They expect it,” Lak said in a telephone interview from England, adding that she had been hacked just three weeks ago.
Hacking has become such a problem in Brazil that the State Department’s Bureau of Diplomatic Security warns about it on its website.
“The use of credit card cloning devices and radio frequency interception (RFI) at restaurants, bars and public areas is epidemic in Rio,” the department’s Overseas Security Advisory Council warned in a February report published on its website.
Trend Micro, a Dallas-based IT security firm, has studied the underworld market of cybertheft in Brazil and concluded that much of it happens when hackers succeed in compromising the portable pointof-sale machines popular in restaurants and stores here.
The card-reading machines are brought to a diner’s table when the bill is paid, and after reading the chip, the cardholder must enter a four-digit personal identification number. This chip-and-PIN technology, long used in Europe, has been held out as fool proof but has quickly proved otherwise.
“The actual merchant may be wholly unaware of what’s going on,” said Christopher Budd, a global threat communications manager for Trend Micro.
Brill said: “The bad guys are able to cause malware to be downloaded onto the point-of-sale device so that every time the card is run an unencrypted version of the data is transferred to the bad guys. The good news, if there is any good news, is that banks have been using more and more sophisticated systems to … identify suspicious transactions.”