In this week's issue, a strain of "Cherry Picker" malware has been discovered, the FB has issued another warning surrounding EMV cards, thousands of mobile apps are leaking millions of credentials, MetroPCS exposes its customer's sensitive information and in this week's Rippleshot content, we look at the types of gift card fraud that can affect financial institutions and merchants.
A new strain of malware with the capability to target point-of-sale applications has been recently discovered. Information security company Trustwave have dubbed the new malware “Cherry Picker,” which is classified as a POS memory-scraper malware. While recently discovered, this strain has gone undetected by antivirus systems and security companies since 2011. According to Trustwave’s analysis, the malware searches through an infected system to identify which processes will allow the theft of payment card data. This form of malware has specifically targeted the food and beverage industry, but Trustwave warns that any business that processes payment cards are targets for this malware.
The Federal Bureau of Investigations (FBI) have issued a warning through The Washington Times, that there are security concerns surrounding chip-embedded payment cards that cardholders in the U.S. have begun to receive. A representative from the FBI stated that while the EMV chip will help reduce payment card fraud, there are still security vulnerabilities with the technology. As it becomes more difficult for fraudsters to duplicate EMV cards, expect to see an increase in card-not-present fraud to increase.
We are approaching the two-month mark since EMV adoption has begun here in the United States. See where the payments ecosystem stands following the shift to the chip-enabled cards.
Thousands of mobile applications have been identified as potential threat to leaking back-end credentials, compromising millions of sensitive user records. Security researchers from the Technical University and the Fraunhofer Institute for Secure Information Technology in Germany have discovered that mobile applications that use Backend-as-a-Serivce (BaaS) frameworks from providers like Amazon Web Services, CloudMine or Parse are susceptible to this type exploit. When tested on over two million Android and iOS apps, 1,000 back-end credentials and associated database table names were extracted.
Due to many of the credentials being reused in multiple apps, this security flaw provided access to over 18.5 million records.
Wireless service provider MetroPCS may have inadvertently compromised the personal information of more than 10 million of its subscribers after a bug was uncovered. Security researchers Eric Taylor and Blake Walsh found a security flaw on MetroPCS’ payment page that would allow access to MetroPCS customer information. With just a customer’s phone number, sensitive information including home address, type of plan and even the phone’s serial number could be accessed.
MetroPCS now joins a list of wireless service providers to be victim of a data breach this year, including AT&T, TalkTalk and T-Mobile.
The holiday shopping season is approaching and consumers across the country are getting ready to make their purchases both in-store and online. For this week's Rippleshot content, we dive into a specifc section of payment fraud affecting purchases using gift cards. In December of 2014, digital gift cards accounted for more than two-thirds of total gift card sales and will be a highly desired target for hackers this holiday season. The cost of fraud for merchants has been steadily rising, for both brick-and-mortar and online merchants, with online merchants losing $3.10 for every $1 in fraud in a 2013 study.
Click here for more info and to learn more about the types of gift card fraud that you should keep any eye out for.