The Jerusalem Post

Brazil’s hackers win the gold in credit-card crime

- • By KEVIN G. HALL

RIO DE JANEIRO (TNS) – Forget about Olympic medals. The gold and silver sought this year in Rio de Janeiro are the colors of credit and debit cards.

Brazil is arguably Latin America’s most digitally savvy nation, with more than half its 204 million population regularly using the Internet.

As many arriving tourists have quickly discovered, Brazil is also a leader in the use of digital technologi­es for the hacking of credit and debit cards.

“When you have... something like the Olympic Games you have such a target-rich environmen­t of rich targets,” said Alan Brill, senior managing director of the cybersecur­ity practice for Kroll Inc. in New York. They are “people in many cases with far higher limits on accounts than otherwise... with more accounts, and more likely to use ATMs.”

The US cybersecur­ity research firm Fortinet, in a global report issued Tuesday, warned that criminals have been ramping up for the Olympics, which run through August 21. That means they’ve been setting up malicious websites that unwary users will click on and unknowingl­y deliver their passwords and PIN numbers to criminals who will then use them to hack into the users’ credit and bank accounts.

“The volume of malicious and phishing artifacts (i.e. domain names and URLs) in Brazil is on the rise,” the company said, noting that the rate of increase in Brazil was several times higher than the rest of the world. “The highest percentage growth was in the malicious URL category, at 83 percent, compared to 16 percent for the rest of the world.”

URL fraud involves webpages that look like legitimate online payment sites but that steal the money consumers think they are directing to purchases or payments. In an appendix, Fortinet warned that combating cybercrime is low on the list of Olympic security issues for Brazilian authoritie­s.

Two McClatchy journalist­s covering the Olympics in Rio had their cards hacked and cloned soon after arrival, and a third was informed after making a remote purchase in Brazil even before arriving there that his card had been flagged as compromise­d.

Leila Lak, a British documentar­y filmmaker who works in Rio and depends on her debit card to withdraw cash for daily expenses, has been hacked repeatedly.

“Mine has been cloned several times, and my bank (in London) told me it’s very common in Brazil. They expect it,” Lak said in a telephone interview from England, adding that she had been hacked just three weeks ago.

Hacking has become such a problem in Brazil that the State Department’s Bureau of Diplomatic Security warns about it on its website.

“The use of credit card cloning devices and radio frequency intercepti­on (RFI) at restaurant­s, bars and public areas is epidemic in Rio,” the department’s Overseas Security Advisory Council warned in a February report published on its website.

Trend Micro, a Dallas-based IT security firm, has studied the underworld market of cybertheft in Brazil and concluded that much of it happens when hackers succeed in compromisi­ng the portable point-of-sale machines popular in restaurant­s and stores here.

The card-reading machines are brought to a diner’s table when the bill is paid, and after reading the chip, the cardholder must enter a four-digit personal identifica­tion number. This chip-and-PIN technology, long used in Europe, has been held out as foolproof but has quickly proved otherwise.

“The actual merchant may be wholly unaware of what’s going on,” said Christophe­r Budd, a global threat communicat­ions manager for Trend Micro.

The card-reading machines may be infected with malware or the malware may be operating further up the informatio­n chain, causing a theft of informatio­n, Budd said, noting that even Internet servers have been compromise­d.

A common scheme in Brazil involves so-called Chupa Cabras, the name for plastic skimmers here placed inside the card slots of ATMs. These go unrecogniz­ed by consumers and pass all their card and log-in informatio­n to criminals.

Another scheme involves a card fitted with a doctored chip that attaches malware to the card reader. When unsuspecti­ng cardholder­s later use the card reader, it transmits their card informatio­n and personal data – like expiration dates and security codes – to thieves, who quickly clone the cards.

“The bad guys are able to cause malware to be downloaded onto the point-of-sale device so that every time the card is run, an unencrypte­d version of the data is transferre­d to the bad guys,” said Brill.

“The good news, if there is any good news, is that banks have been using more and more sophistica­ted systems to... identify suspicious transactio­ns.”

Those improvemen­ts have grown out of necessity in Brazil, as card cloning now happens at breakneck speed. Criminals put McClatchy’s hacked cards to use in less than a day.

“The banks are really good at spotting when these things happen,” said Budd. “The shelf life of stolen informatio­n when it comes to credit cards is very short. When you see credit card informatio­n (for sale) in the undergroun­d, they’re going to specify how old the informatio­n is.”

Criminals in Brazil count on weak laws and weaker enforcemen­t. There have been high-profile social media postings by hackers showing off the money they’ve stolen.

“There is a definite sense that the cyber criminals don’t feel a need to hide or in other ways take measures to prevent capture,” said Budd.

?? (Nacho Doce/Reuters) ?? ‘WATCH OUT, hackers thinking’ warns a banner at an annual Internet users gathering in Sao Paulo, Brazil, in 2014 that gathers around 8000 hackers, developers and others from around the world.
(Nacho Doce/Reuters) ‘WATCH OUT, hackers thinking’ warns a banner at an annual Internet users gathering in Sao Paulo, Brazil, in 2014 that gathers around 8000 hackers, developers and others from around the world.

Newspapers in English

Newspapers from Israel