Fraud in online payment systems: your personal information is worth more than you can imagine
"Identity theft is one of the oldest types of fraud out there, it is the old-time common scam with a twist of technology," says InfoSec expert Cristóbal del Pino. Find out about the risks in online shopping, card cloning and what's next for this type of payment method in this interview.
"Every service offered for free is paid for with your personal information, and that is worth much more than you think." This introductory sentence to talk about vulnerability in Internet payment systems reflects the thoughts of Cristóbal del Pino, Senior Security Specialist of Mkit, a leading global InfoSec services company.
We asked him some questions to get to know this world better, a world in which every day we say "OK, understood"; "I agree"; "I confirm"; "I have read all the conditions", trusting sites with our identity, bank account numbers or personal data without knowing what will happen to our information when we click on those fine-print compliance buttons that, let's face it, almost nobody reads.
"When using new applications, it is important to keep this in mind: the services we use will be entitled to handle the data we provide them without restrictions," stresses Del Pino.
To understand this subject better, we consulted this specialist, who clarified our doubts one by one.
What types of risks is a person exposed to when giving their financial and/or banking information for online shopping?
The main risk is the way in which they handle and store this information in this type of entities or platforms. We, as users, are not aware of what is happening behind the website, for instance, we don't know how the credit card information or the banking data that is being provided is stored in the database. On the other hand, if the site does not keep its security policy updated, it may host vulnerabilities which may jeopardize the user's information.
The theft of financial and/or banking data exists in all areas. It is a risk contemplated by financial institutions because it is a real problem. Your credit or debit card may be cloned when you pay at any store. Recently, a scam of this nature was discovered with the Todo Pago application, which allowed creating an account and associating a debit card while only validating the DNI of the card owner. The error in this case was that, unlike a credit card, for which a surcharge with a verification code is generated at registration, this initial surcharge is not made for debit cards. In this way, the attacker could make withdrawals from the victim's account.
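The registration weakness described above, as an added example (not Todo Pago's code or the interviewee's): a constructed card-linking model in which the weak policy links a debit card on a DNI match alone, while the hardened policy requires the account holder to confirm a code from a small verification charge, for debit and credit cards alike. The card numbers, DNIs and the in-memory "issuer" records are all constructed sample values.

```python
"""Card linking: DNI-only validation (weak) vs. verification charge (hardened).

Constructed, self-contained model; the issuer and its statements are plain
dicts standing in for the bank. Not any real payment provider's code.
"""
import secrets
from dataclasses import dataclass, field

# Constructed issuer records: card number -> holder DNI and card kind.
ISSUER_CARDS = {
    "4000000000000001": {"dni": "30123456", "kind": "debit"},
    "5100000000000002": {"dni": "27654321", "kind": "credit"},
}


@dataclass
class LinkingService:
    require_charge_for_debit: bool
    statements: dict = field(default_factory=dict)  # card -> statement lines
    pending: dict = field(default_factory=dict)     # card -> expected code
    linked: set = field(default_factory=set)

    def start_link(self, card: str, dni: str) -> str:
        """Returns 'rejected', 'linked' (weak path) or 'pending' (code required)."""
        rec = ISSUER_CARDS.get(card)
        if rec is None or rec["dni"] != dni:
            return "rejected"
        if rec["kind"] == "debit" and not self.require_charge_for_debit:
            self.linked.add(card)  # weak policy: a public identifier suffices
            return "linked"
        # Hardened policy: post a small charge whose description carries a
        # random code; only someone who can read the statement can finish.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[card] = code
        self.statements.setdefault(card, []).append(f"VERIF {code} 0.01")
        return "pending"

    def confirm(self, card: str, code: str) -> bool:
        """Completes the link only when the submitted code matches."""
        expected = self.pending.get(card)
        if expected is None or not secrets.compare_digest(expected, code):
            return False
        del self.pending[card]
        self.linked.add(card)
        return True


def read_code_from_statement(service: LinkingService, card: str) -> str:
    """Stands in for the real cardholder reading their own statement."""
    return service.statements[card][-1].split()[1]
```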
In general, are e-commerce platforms and/or the financial system aware of the possible frauds that may affect their customers?
Yes, they are aware, because it is a constant threat. However, scammers improve their tools and attacks continuously. For this reason, if your card has been cloned and you report it to the bank, they have their investigation methods and return the money, because it is something they have planned for within the possible risks. The same happens if your data is stolen through a skimmer (a card cloner, which scammers usually place in ATMs). It is a latent risk, which is normally covered. However, the prestige of each of these companies and their customer care is at stake, so the recommended and expected action on their part is to minimize the number of frauds which may affect their customers.
What advice would you give to any store or online store when choosing which payment method to use for customer purchases?
I do not think there is a big difference between payment methods, it all depends on what the store or the online store chooses for its customers. What I would definitely advise is a correct handling of information. Shops should advise themselves better about data security and have identity verification methodologies in place. After all, identity theft is one of the oldest types of fraud out there, it is the old-time common scam with a twist of technology.
Meanwhile, what kind of security should a payment system company have in order not to lose its credibility?
In my opinion, they must implement strong security policies and be certified with ISO 27001 standards accordingly. Apart from that, they must handle user data correctly, as mentioned above. Data is not always kept safe, either due to a system failure or because companies do not verify information correctly. They must also have a security team or hire expert companies to keep their systems as updated as possible.
On the other hand, they should have good customer care policies for when scams happen. It is not information security itself, but customer security. There are companies, such as Mercado Pago, which have a money request service for users to be able to send money, a system similar to an electronic wallet. The problem with this system arises when a seller uses this option to add money to the transaction, since once the amount is transferred, the user who receives it can make a withdrawal right then. This leaves open a possibility of fraud, in which a seller makes money requests to a buyer, and once the money is received and withdrawn, it disappears.
What is the latest breakthrough we can find in terms of information security and payment markets?
In terms of traditional payment markets, I do not see any important improvements or updates in terms of security, but with the introduction of facial recognition in cellphones and computers, we may see a relevant change towards this new paradigm.
Another important breakthrough is the introduction of Bitcoin. Many sellers opt for the cryptocurrency due to its current growth, as well as to the fact that no commissions are charged for its use and that users can operate anonymously. This method also provides decentralization with respect to financial entities.
Finally, are there physical spaces where people interested in these types of topics can learn more about information security? I'm talking about face-to-face meetings, not forums or virtual communities.
Of course. It is good to spread the word, since everyone believes that information security specialists are only virtual entities. They also associate the word hacker with an anonymous figure intent on carrying out cyberattacks, when in fact we are doing the opposite. I could mention many meeting spaces. One that will be very important and will be held in Buenos Aires is Andsec 2018. It will be an excellent opportunity for those interested in these types of issues, which are as diverse as you can imagine, to meet. In conferences like these, you will find defensive and offensive perspectives around hacking, in which these topics are approached from technical, but also philosophical and theoretical, perspectives. They are really interesting spaces open to the public.