2024-05-20
Frontend engineer Herman Stander recently fell victim to a phishing attack, losing his entire month's salary to a cybercriminal. Stander was taken aback as the attacker had used one of his FNB Virtual Cards to make several R4,998 purchases and his bank had not sent him a single transaction notification.

First National Bank (FNB) promotes its Virtual Card product as a way to protect yourself from card fraud. "No more stressing over card fraud. It's safe, simple and intelligent enough to change its 3-digit CVV regularly. Link your personal or business account for secure online shopping," FNB's website states.

After FNB informed Stander that his money was gone through his own fault and it wouldn't be paying him back, he set about building a proof-of-concept to see if he could replicate the attack. To his horror, he discovered that building a phishing attack that lets you empty someone's bank account or max out their credit card is extremely simple. The rotating CVV of FNB's Virtual Card provided no protection, and the bank's failure to send notifications of the transactions meant he didn't realise the fraud was happening until it was too late.

In Stander's case, he was taken in by a phishing attack masquerading as a South African Post Office customs clearance message. He received an SMS stating that he needed to pay R30 for customs clearance within 24 hours or his parcel would be returned to sender. Although he acknowledged he should've known better, Stander said he was expecting a parcel, and the link and webpage it pointed to looked exactly like one you might receive from the Post Office.

Stander's proof-of-concept attack shows what such an attack site might look like and how easy it is for cybercriminals to harvest the information needed to hijack someone's payment card. He demonstrated how the attack works between two willing participants: him and his wife.

[Figure: Screenshots from Stander's proof-of-concept: example phishing SMS (left), attack site (middle), and card details loaded into Google Wallet (right)]

The attack begins by querying your card information and then slyly asks for a one-time PIN (OTP) to "verify the payment". This is a huge red flag, but someone in a rush or unfamiliar with online payment systems might not register that the OTP request is out of place. In reality, the OTP is not used to verify a payment, but to register the card with a digital wallet platform like Google Pay.

Stander showed how he could register his wife's FNB Virtual Card in a Google Wallet using the details harvested with the attack site. He then waited a few hours before performing several transactions, including filling up his bakkie, buying groceries, and picking up a can of paint. None of these transactions generated notifications on his wife's phone.