**The Evolution of Payment Technology: A Vulnerability to Scams**
The way we make payments has undergone significant changes over the years, with technology playing a vital role in facilitating transactions. However, this technological advancement has also brought about new vulnerabilities that scammers can exploit. In recent times, there has been an increase in phishing attacks mixed with malware, which have become increasingly sophisticated and difficult to detect.
**Phishing Attacks: A Simple yet Effective Scam**
Scams are a classic form of cybercrime that involve tricking people into divulging sensitive information such as passwords or financial details. Phishing attacks, in particular, have become an effective way for scammers to gain access to victims' personal and financial information. These attacks typically involve sending fake emails or messages that appear to come from a legitimate source, such as a bank or online retailer. The message may ask the recipient to click on a link or provide sensitive information to "complete" the transaction.
**The Rise of Malware: A New Dimension in Scams**
Malware is malicious software that can be installed on a device without the user's knowledge or consent. This type of software can be used to steal sensitive information, disrupt operations, and even take control of devices. In recent times, malware has become an increasingly popular tool for scammers, allowing them to gain access to victims' financial information and steal their money.
**Three Broad Categories of Payment Devices**
Payment devices are designed to facilitate transactions between the payer and the payee. These devices come in different forms, including those that require a physical card or device to complete the transaction. There are three broad categories of payment devices: those that require a physical card, those that use a small keypad or button to enter information, and those that use a camera to scan a 2D barcode.
**Card Reader Devices: A Common Vulnerability**
Card reader devices are widely used in the UK to facilitate transactions. These devices typically have a keypad and a few buttons, which are used to input the recipient's account number or its last four digits. The downside of these devices is that they require the user to key in that account number or its last four digits, which makes them vulnerable to phishing attacks.
**Device with Key Pad: A Bigger and Chunkier Option**
A device with a keypad is a larger and chunkier option than card reader devices. Its size limits its uses, but it can suit customers who want the extra space. It also comes with several limitations, including the need for physical access to the account information.
**Device without Key Pad: A Thinner and Smaller Option**
A device without a keypad is smaller and thinner compared to the traditional card reader devices. This type of device uses technology to generate passwords, making it faster and more convenient for customers to use. However, this convenience comes with a price, as the customer must be linked to their account in order to use the device.
**Camera-Based Devices: A More Convenient Option**
In recent times, camera-based devices have become increasingly popular due to their ease of use. These devices use cameras to scan 2D barcodes displayed on bank websites or mobile apps. This technology allows customers to quickly and securely complete transactions without having to enter sensitive information manually.
**Two-Factor Authentication: A Layer of Security**
To combat the rise of phishing attacks, banks have implemented two-factor authentication systems that require both a physical token and a password to complete transactions. These systems use traditional methods such as SMS or voice calls to send a unique code to the customer's registered phone number. However, some devices such as those with keypads also implement this feature.
**The Domain Generation Algorithm: A New Approach**
Researchers have recently developed domain generation algorithms (DGAs) that can automatically generate domains for command and control servers used by botnets. These algorithms allow the botnet to quickly switch between different domains to evade detection by security software. This development marks a new approach in the evolution of payment technology scams.
**The Future of Payment Technology**
The future of payment technology is uncertain, but one thing is clear: scammers will continue to find ways to exploit vulnerabilities in payment systems. As technology advances, so too must our methods for detecting and preventing these attacks. The key to success lies in staying vigilant and adapting quickly to emerging threats.
"WEBVTTKind: captionsLanguage: enSo i'm going to talk about one of my areas of research which is and banking fraud and the technology, that's used to prevent itBut, alsoUnderstanding how it actually happens because unless you understand that it's not going to be possible to come up with techniques that will actuallyPrevent it effectively probably start, by looking at howYou the most common are more sophisticated frauds happen, and that will help us understand about, whyThe, banks designed the defenses the way that they, do and then, we can, maybe look a bit more about howThe defenses actually work in a bit more detailThe a problematic situation for bank customers is something called the the man-in-the-browser attack so it's not very good nameit comes fromTerminology in banking or computer security more broadly called man-in-the-middle and this is where the adversary is?somewhere between the personWho is legitimately doing the transaction, and then the person who's receiving the transaction so in this case the bankBut the reasons called man-in-the-browser rather than man-in-the-middle is it's not like the adversary's just out on the network somewhereThe adversary has actually put software onto the victims computerthroughmalware or howeverAnd then that malware is interfering with what the person sees if we think about this is the?Victims, web browser, you'd put in the account number youWon't send money to you put in the amount and then you'd put in a one-time passwordhow, about used to work, is that banks would send a sheet of paper with lots of passwords that people taped inNo, these people have got mobile phones but, they type in a one thing, password this looks kind of secure but the problemIs that if there is a man in the browserInvolved this is not actually the real banking website this is just a peek screenThat is set up?By the malware what's really happeningIs that the criminal is booting in the criminals account number andA much larger about and this is a 
detail that is being sent to the bank. The bank will only accept the transaction if the one-time password is correct. That's fine, because the customer is going to put in the one-time password here, the malware will receive it and then put the one-time password in there, and then the bank will get the transaction. But the bank will see the criminal's transaction, not the one that the customer actually intended. So the customer is logged on to online banking, and the details that they type in are something like paying their gas bill, but actually they could be transferring 100,000 to the criminal's account, and because the transaction is actually coming from the victim's own computer and is coming from their own web browser, from the bank's perspective that's perfectly legitimate.

So this was a big problem for the banking industry in lots of countries, so the banks in most of Europe have now moved over to not only having a one-time password but making that one-time password linked to the transaction. So it's not just authenticating who someone is, it's authenticating the transaction; it's called transaction authentication.

From my experience we've been using these little devices at home for a long time. I know you've brought a few along.

Yeah, although there are still places using this straight one-time password system in the world. So in general, even though America is quite sophisticated in most circumstances, for banking and banking security they're quite behind. So in America it's actually quite unusual to do online banking for moving money around; checks are still being used, even though in most of Europe they're gone, and in the UK the banks are trying to get rid of them. So they in general don't really have any particularly sophisticated banking security, but in some ways that's actually better for the customer, because the banking laws in the US are very much consumer focused. So essentially, if anything goes wrong the bank will give your money back, even if the bank believes that you've acted negligently, you've done something that no one could reasonably expect you to do; they're still legally obliged to give most of your money back, and in practice they actually give all of your money back. Europe and the UK do have better banking technology, but when it goes wrong often the customer actually pays the cost. So one of the other things I've been doing is talking to regulators and telling them that when they're looking at banking technology, and when that banking technology is being used to shift the cost of fraud to the customer, they should look to see if the security technology is actually working properly, and whether it's reasonable to make customers liable for fraud when they don't really have any choice about how the system works or how it's designed.

Certainly in Europe the more simplistic systems are either gone or they're going to be eliminated, because there's a new European law called the Payment Services Directive 2, which actually mandates the more secure transaction authentication. However, like most laws, it doesn't actually say the technical details about how things are going to work, and that's probably good, because politicians are not very good at developing technology. It just says what criteria the system should meet, and so there's a huge diversity across all of Europe, and even within countries, as to how these technologies work. In terms of cryptography they're all basically okay; they may not use the most modern cryptography, so for example banking systems often use the Data Encryption Standard rather than the more modern AES block cipher, but that's essentially irrelevant for most purposes. Where they do vary a lot is in the way that they work and the way that people interact with them, and that actually causes a huge difference in terms of their security, because if someone is confused about how they work then they could be quite easily tricked into doing something wrong, and we've seen that criminals actually are doing that.

So one traditional trick by criminals is, assuming the technology works, what they will do is they'll take over your web browser and they'll tell you some story, and the story normally goes along the lines of: there's been some error, money has appeared in your account, and your account is going to be locked until you send this money back to the legitimate owner. And if you log on to your online banking and look at your statement, then this fake transaction will be there, your balance will be far larger than it normally would be, and there will be instructions about transferring this money back to the right person. But actually that's all fake; the money has not appeared in your account, and the so-called legitimate owner of the money is actually the criminal's account. So you use one of these devices to authorize a transaction to move this money, but actually you're sending your own money to the criminals, and it could be a long time before you notice that this has been going on. And that sort of scam works because people are too distracted by trying to make the technology work in any way whatsoever that they don't actually have the time to think about whether they really should be using this technology to do that transaction. So essentially the more obvious and the easier you make the technology, the less likely it is that criminals are going to be able to get people to act in insecure ways.

It seems to me that's kind of a phishing attack mixed with malware. So what's going on with the devices themselves? Why have they had to resort to that?

Yeah, so there's three broad categories. So there's the devices that you put your card into, like this one. These are very common in the UK; this isn't a UK device, this is from the Netherlands. It's got a keypad, it's got a few buttons, and it's got a card that goes into it. Really the device is not doing very much in this case; all the work is actually being done by the card, and that's why people can actually use someone else's device, in the UK even a device from a different bank, and it will still work provided they're using their card. But because it's using a card it's got some limitations. So the first one is it's going to be actually quite big and chunky, because it's got to be large enough to have batteries that power the card, and it's got to be large enough to physically have the card inside it, and that's one reason they're unpopular. So the alternative is a device like this. This has still got a keypad; it's much smaller, much thinner, smaller batteries, and it can do that because there's no card that needs to be put into it. Some customers like this, but the downside is that this device is now linked to you. So this is the one that's linked to your account, so it's not like you can borrow someone else's device, it's not like you can have one device at home and one at work, like you can with the card reader devices like these. But with both of these devices there's got to be some way of linking the password that it generates to the transaction details, and the way that this works is you type in something like either the account number you're sending the money to or the last four digits of the account you're sending the money to. And that's a bit inconvenient, particularly if you have to do it a lot, so that's why there's other devices. This has a little camera on the back; you use that camera to scan a 2D barcode that the bank shows you, and that's much, much easier for customers to use, and it means that you're not just authorizing the last four digits of the account number; the bank can actually send a lot more details about the transaction. So firstly that reduces the amount of effort the customer needs to go to, because they just scan something rather than type something, and also it gives them more details, which hopefully gives them a better chance at trying to spot whether there's one of these scams at work.

Then we've got yet another one; this one also has a PIN. With all these devices you want to check firstly whether the transaction has been authorized but also whether the right customer is doing the transaction, and the traditional way to do that is two factors: so something the customer has and something they know. So for the card reader devices like this one, it's do they actually have the card and do they know the PIN; it's a four-digit PIN. This has got a four-digit PIN as well; this you can have a PIN; this one doesn't, but the way that the banks use that is that they ask the customer to enter a password into the website. But the password has got to be much longer than a four-digit PIN, because when you're typing a password into a website a criminal can try lots and lots and lots of passwords, but with all of these devices where you type a PIN into it, the device itself actually checks that the PIN has not been entered too many times. So in the case of the card reader, the card has got a counter on it, and once that goes above three the card locks out, and it's similar with these two devices: once the PIN has been entered too many times, these devices lock and you've got to talk to the bank to unlock them again.

The Torpig botnet was the first one, or one of the first at least, introducing the domain generation algorithms in order to find the domain where they would have found a command and control server in a dynamic way during the infection, but what has been done by researchers in 2009
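The transaction-authentication idea from the talk above (a one-time password bound to the payee digits the customer keys into the device, plus the device-side PIN retry counter), as an added example that is not from the talk or from any bank's product. It assumes a toy HMAC-based construction, a per-device seed shared with the bank, and constructed account numbers and PIN; it shows why a man-in-the-browser that swaps the payee cannot reuse the customer's code.

```python
import hashlib
import hmac

# Constructed demo values (not from the talk): a per-device secret shared with the bank, and a PIN.
DEVICE_SEED = b"constructed-demo-device-seed"
CUSTOMER_PIN = "4821"
MAX_PIN_TRIES = 3  # the talk: the card or device locks after about three wrong PINs

def transaction_otp(seed: bytes, counter: int, account_last4: str) -> str:
    """Toy transaction-linked OTP: HMAC over a counter AND the payee digits keyed into the device."""
    mac = hmac.new(seed, f"{counter}:{account_last4}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 1_000_000:06d}"

class AuthDevice:
    """Keypad device: something you have (the seed) plus something you know (the PIN)."""
    def __init__(self, seed: bytes, pin: str):
        self._seed, self._pin = seed, pin
        self.counter, self.pin_failures, self.locked = 0, 0, False

    def respond(self, pin: str, account_last4: str):
        if self.locked:
            return None  # stays locked until the bank unlocks it
        if pin != self._pin:
            self.pin_failures += 1
            self.locked = self.pin_failures >= MAX_PIN_TRIES
            return None
        self.pin_failures, self.counter = 0, self.counter + 1
        return transaction_otp(self._seed, self.counter, account_last4)

class Bank:
    """Recomputes the OTP over the transaction it actually received, not the one the customer saw."""
    def __init__(self, seed: bytes):
        self._seed, self.last_counter = seed, 0

    def accept(self, to_account: str, otp) -> bool:
        expected = transaction_otp(self._seed, self.last_counter + 1, to_account[-4:])
        if otp is not None and hmac.compare_digest(expected, otp):
            self.last_counter += 1
            return True
        return False

def man_in_the_browser_demo() -> dict:
    device, bank = AuthDevice(DEVICE_SEED, CUSTOMER_PIN), Bank(DEVICE_SEED)
    intended_to, criminal_to = "12345678", "99990001"  # what the customer sees vs. what malware submits
    otp = device.respond(CUSTOMER_PIN, intended_to[-4:])  # customer keys the last 4 digits of the intended payee
    substituted_rejected = not bank.accept(criminal_to, otp)  # payee digits differ, so the MAC does not match
    intended_accepted = bank.accept(intended_to, otp)  # the same OTP does authorise the intended transfer
    return {"substituted_rejected": substituted_rejected, "intended_accepted": intended_accepted}
```

A plain counter-only OTP would verify for either payee, which is exactly the gap the talk describes; binding the payee digits (or, with the camera devices, the full transaction details) into the code closes it.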