National

Brazil’s hackers win the gold in credit card crime

Point of sale electronic credit card readers in Rio de Janeiro have been the target of hackers inserting malware into the machines’ software. Inside the Rio de Janeiro Olympic Megastore in Copacabana, chip machines unaffected by the malware complete each transaction for shoppers at the Summer Olympic Games.
Point of sale electronic credit card readers in Rio de Janeiro have been the target of hackers inserting malware into the machines’ software. Inside the Rio de Janeiro Olympic Megastore in Copacabana, chip machines unaffected by the malware complete each transaction for shoppers at the Summer Olympic Games. The Kansas City Star

Forget about Olympic medals. The gold and silver sought this year in Rio de Janeiro are the colors of credit and debit cards.

Brazil is arguably Latin America’s most digitally savvy nation, with more than half its 204 million population regularly using the internet.

As many arriving tourists have quickly discovered, Brazil is also a leader in the use of digital technologies for the hacking of credit and debit cards.

“When you have . . . something like the Olympic Games you have such a target-rich environment of rich targets,” said Alan Brill, senior managing director of the cybersecurity practice for Kroll Inc. in New York. They are “people in many cases with far higher limits on accounts than otherwise . . . with more accounts, and more likely to use ATMs.”

The U.S. cybersecurity research firm Fortinet, in a global report issued Tuesday, warned that criminals have been ramping up for the Olympics, which run through Aug. 21. That means they’ve been setting up malicious websites that unwary users will click on and unknowingly deliver their passwords and PIN numbers to criminals who will then use them to hack into the users’ credit and bank accounts.

“The volume of malicious and phishing artifacts (i.e. domain names and URLs) in Brazil is on the rise,” the company said, noting that the rate of increase in Brazil was several times higher than the rest of the world. “The highest percentage growth was in the malicious URL category, at 83 percent, compared to 16 percent for the rest of the world.”

The good news, if there is any good news, is that banks have been using more and more sophisticated systems to . . . identify suspicious transactions.

Alan Brill, Kroll Inc.

URL fraud involves webpages that look like legitimate online-payment sites but that steal the money consumers think they are directing to purchases or payments. In an appendix, Fortinet warned that combating cybercrime is low on the list of Olympic security issues for Brazilian authorities.

Two McClatchy journalists covering the Olympics in Rio had their cards hacked and cloned soon after arrival, and a third was informed after making a remote purchase in Brazil even before arriving there that his card had been flagged as compromised.

Leila Lak, a British documentary filmmaker who works in Rio and depends on her debit card to withdraw cash for daily expenses, has been hacked repeatedly.

“Mine has been cloned several times, and my bank (in London) told me it’s very common in Brazil. They expect it,” Lak said in a telephone interview from England, adding that she had been hacked just three weeks ago.

Hacking has become such a problem in Brazil that the State Department’s Bureau of Diplomatic Security warns about it on its website.

“The use of credit card cloning devices and radio frequency interception (RFI) at restaurants, bars and public areas is epidemic in Rio,” the department’s Overseas Security Advisory Council warned in a February report published on its website.

Trend Micro, a Dallas-based IT security firm, has studied the underworld market of cybertheft in Brazil and concluded that much of it happens when hackers succeed in compromising the portable point-of-sale machines popular in restaurants and stores here.

The card-reading machines are brought to a diner’s table when the bill is paid, and after reading the chip, the cardholder must enter a four-digit personal identification number. This chip-and-PIN technology, long used in Europe, has been held out as fool proof but has quickly proved otherwise.

The actual merchant may be wholly unaware of what’s going on.

Christopher Budd, Trend Micro

“The actual merchant may be wholly unaware of what’s going on,” said Christopher Budd, a global threat communications manager for Trend Micro.

The card-reading machines may be infected with malware or the malware may be operating further up the information chain, causing a theft of information, Budd said, noting that even internet servers have been compromised.

A common scheme in Brazil involves so-called Chupa Cabras, the name for plastic skimmers here placed inside the card slots of ATMs. These go unrecognized by consumers and pass all their card and log-in information to criminals.

Another scheme involves a card fitted with a doctored chip that attaches malware to the card reader. When unsuspecting cardholders later use the card reader, it transmits their card information and personal data – like expiration dates and security codes – to thieves, who quickly clone the cards.

“The bad guys are able to cause malware to be downloaded onto the point-of-sale device so that every time the card is run an unencrypted version of the data is transferred to the bad guys,” said Brill. “The good news, if there is any good news, is that banks have been using more and more sophisticated systems to . . . identify suspicious transactions.”

Those improvements have grown out of necessity in Brazil, as card cloning now happens at breakneck speed. Criminals put McClatchy’s hacked cards to use in less than a day.

“The banks are really good at spotting when these things happen,” said Budd. “The shelf life of stolen information when it comes to credit cards is very short. When you see credit card information (for sale) in the underground, they’re going to specify how old the information is.”

Criminals in Brazil count on weak laws and weaker enforcement. There have been high-profile social media postings by hackers showing off the money they’ve stolen.

“There is a definite sense that the cybercriminals don’t feel a need to hide or in other ways take measures to prevent capture,” said Budd.

Cybersecurity is serious business, not least of all for FBI director James B. Comey. At a speech to Kenyon College students in April, Comey divulged some of the measures he takes to avoid hacking and spying, including taping over his laptop webcam

Kevin G. Hall: 202-383-6038, @KevinGHall

  Comments