
53 matches found

The Hacker News
added 2022/09/29 2:15 p.m., 35 views

Brazilian Prilex Hackers Resurfaced With Sophisticated Point-of-Sale Malware

A Brazilian threat actor known as Prilex has resurfaced after a year-long operational hiatus with an advanced and complex malware to steal money by means of fraudulent transactions. "The Prilex group has shown a high level of knowledge about credit and debit card transactions, and how software us...

0.6 AI score
Exploits: 0
Malwarebytes
added 2021/10/01 2:19 p.m., 18 views

Apple Pay vulnerable to wireless pickpockets

Researchers have shown that it is possible for attackers to bypass an Apple iPhone's lock screen to access payment services and make contactless transactions. The issue, which only applies to Apple Pay and Visa, is caused by the use of so-called magic bytes, a unique code used to unlock Apple Pay...

6.8 AI score
Exploits: 0
The Hacker News
added 2021/10/01 2:15 p.m., 41 views

Apple Pay Can be Abused to Make Contactless Payments From Locked iPhones

Cybersecurity researchers have disclosed an unpatched flaw in Apple Pay that attackers could abuse to make an unauthorized Visa payment with a locked iPhone by taking advantage of the Express Travel mode set up in the device's wallet. "An attacker only needs a stolen, powered on iPhone. The...

0.6 AI score
Exploits: 0
ThreatPost
added 2021/09/30 3:26 p.m., 19 views

Apple Pay with Visa Hacked to Make Payments via Unlocked iPhones

An attacker who steals a locked iPhone can use a stored Visa card to make contactless payments worth up to thousands of dollars without unlocking the phone, researchers are warning. The problem is due to unpatched vulnerabilities in both the Apple Pay and Visa systems, according to an academic te...

7.4 AI score
Exploits: 0, References: 5
Rapid7 Blog
added 2021/09/15 8:3 p.m., 22 views

[Security Nation] Craig Williams of Cisco Talos on Proxyware

In this episode of Security Nation, Jen and Tod chat with Craig Williams, recently of Cisco Talos, about proxyware and integrating security acquisitions the right way...

0.1 AI score
Exploits: 0
The Hacker News
added 2021/02/19 3:8 p.m., 217 views

New Hack Lets Attackers Bypass MasterCard PIN by Using Them As Visa Card

Cybersecurity researchers have disclosed a novel attack that could allow criminals to trick a point of sale terminal into transacting with a victim's Mastercard contactless card while believing it to be a Visa card. The research, published by a group of academics from ETH Zurich, builds on a stud...

0.3 AI score
Exploits: 0
Positive Technologies
added 2021/01/01 12:0 a.m., 3 views

PT-2021-05: Lack of Amount/CVMResults fields checking for Public Transport Schemes

Mobile wallets allow charging one amount within the Public Transport Scheme's cryptogram and charging a different amount using any payment terminal in the end. This is due to EMV standards and is a requirement for modern payments when the price shown on the terminal is different from the actual...

4.1 CVSS, 7 AI score
Exploits: 0
Positive Technologies
added 2021/01/01 12:0 a.m., 4 views

PT-2021-07: GPay payments above NoCVM limits, CryptoATC out of order

EMV standards, which are used as a predecessor of mobile wallets, do not put some mandatory fields as a cryptogram input. These fields are crucial for risk management steps, and their tampering can bypass payment restrictions. During the transaction authorisation, MDES does not decline payments wi...

5.3 CVSS, 7.2 AI score
Exploits: 0
ThreatPost
added 2020/10/16 4:13 p.m., 88 views

Dickey's BBQ Breach: Meaty 3M Payment Card Upload Drops on Joker's Stash

Popular U.S. smoked-meat franchise Dickey’s Barbecue Pit has been hit with a data breach, with cybercriminals posting the fat cap of the compromised data – 3 million payment cards – on the popular Joker’s Stash underground marketplace this week. The Dallas-based franchise, which is a subsidiary o...

7.2 AI score
Exploits: 0, References: 6
Schneier on Security
added 2020/09/14 11:21 a.m., 23 views

Interesting Attack on the EMV Smartcard Payment Standard

It's complicated, but it's basically a man-in-the-middle attack that involves two smartphones. The first phone reads the actual smartcard, and then forwards the required information to a second phone. That second phone actually conducts the transaction on the POS terminal. That second phone is able...

0.4 AI score
Exploits: 0
The Hacker News
added 2020/09/07 2:46 p.m., 57 views

New PIN Verification Bypass Flaw Affects Visa Contactless Payments

Even as Visa issued a warning about a new JavaScript web skimmer known as Baka, cybersecurity researchers have uncovered an authentication flaw in the company's EMV enabled payment cards that permits cybercriminals to obtain funds and defraud cardholders as well as merchants illicitly. The...

1 AI score
Exploits: 0
HackRead
added 2020/08/29 4:36 p.m., 37 views

New vulnerability lets hackers use your credit card without pin code

By Sudais Asif. The vulnerability was revealed in a report called "The EMV Standard: Break, Fix, Verify." Every time we make a payment using credit/debit cards, the EMV communication protocol is used for processing payments. Having been developed by Europay, Mastercard and Visa, etc. it is used fo...

1.4 AI score
Exploits: 0
Krebs on Security
added 2020/07/30 3:9 p.m., 29 views

Is Your Chip Card Secure? Much Depends on Where You Bank

Chip-based credit and debit cards are designed to make it infeasible for skimming devices or malware to clone your card when you pay for something by dipping the chip instead of swiping the stripe. But a recent series of malware attacks on U.S.-based merchants suggest thieves are exploiting...

6.5 AI score
Exploits: 0
Hacker One
added 2020/06/04 11:40 a.m., 20 views

QIWI: PIN OK attack

PIN OK attack is an attack when a wedge-device created for MiTM is used to substitute the response from the card during an offline-PIN check and say that PIN was correct. Reproduction steps: An attacker with a stolen card without the correct PIN knowledge can use either a so-called wedge device f...

0.4 AI score
Exploits: 0
ThreatPost
added 2020/01/03 6:22 p.m., 83 views

Cybercriminals Fill Up on Gas Pump Transaction Scams Ahead of Oct. Deadline

Gas stations are gearing up for a major change in credit-card fraud liability in October, when they will find themselves on the hook for card-skimming attacks at the pump. In the meantime though, cybercriminals will be targeting pay-at-the-pump point-of-sale mechanisms with a vengeance, researche...

0.2 AI score
Exploits: 0, References: 7
The Coalfire Blog
added 2018/12/19 9:43 p.m., 83 views

PCI Announces Coming Qualified PIN Assessor (QPA) Program

Second only to protecting sensitive credit card account information, safeguarding the cardholder's personal identification number (PIN) is one of the most important tasks for prevention of card-present fraud in retail and banking. With the continued movement toward chip-and-PIN EMV the technology...

1.1 AI score
Exploits: 0
ThreatPost
added 2018/11/12 5:50 p.m., 11 views

U.S. Chip Cards Are Being Compromised in the Millions

Chip-and-PIN technology has become the de-facto standard for in-person credit- and debit-card transactions in the U.S. – but a lack of merchant compliance means that cards are still being compromised in the millions. Chip cards, which contain an embedded microprocessor that encrypts the card data...

6.8 AI score
Exploits: 0, References: 6
Malwarebytes
added 2018/08/17 4:0 p.m., 82 views

Liar, liar, pants on fire! Barclays phish claims cards explode

We feel compelled to relay the dire warning from this Barclays snail-mail letter, which we acquired through social media, therefore it must be true. Warning: Barclays debit cards may catch fire! The letter reads as follows: Dear costumer, Many of our bank costumers have reported that their debit...

7.3 AI score
Exploits: 0
seebug.org
added 2018/05/04 12:0 a.m., 433 views

BrilliantTS FUZE card (MCU firmware 0.1.73, BLE firmware 0.7.4) Vulnerability

Description of FUZE Card: FUZE is an IoT device the size, shape, and thickness of a normal credit card. You program credit cards into it via Bluetooth BLE using a smart phone app. When you go to pay, you use the buttons and e-Paper display to select which card to emulate. The magnetic stripe...

3.6 CVSS, 6.1 AI score, 0.00194 EPSS
Exploits: 3
Securelist
added 2018/03/15 10:0 a.m., 74 views

Goodfellas, the Brazilian carding scene is after you

There are three ways of doing things in the malware business: the right way, the wrong way and the way Brazilians do it. From the early beginnings, using skimmers on ATMs, compromising point of sales systems, or even modifying the hardware of processing devices, Latin America has been a fertile...

7.4 AI score
Exploits: 0