Financial technology, or fintech, has banks on edge because of its potential to disrupt core means of doing business. Services are being delivered in ways unimaginable a decade ago, and technologies such as near-field communication, digital wallets, and other mobile-based payment and banking options are elevating many new players to heights previously reserved for a staunch few in financial services.
Cybercriminals are adding to that pressure, with some taking advantage of new fintech to supplement fraudulent activity and facilitate cashing out compromised bank accounts and stolen payment cards. The weak link appears to be a familiar hangup common to any relatively new and quickly adopted technology: a rush to market has come at the expense of adequate controls.
“Often times it’s not actually the [fintech] company and technology being targeted, but rather it’s just being abused to accomplish fraud,” said Liv Rowley, intelligence analyst with Flashpoint. “Cybercriminals are using the technology in ways to facilitate these types of crimes. The technology is getting built, and no one is thinking how this might help cash out stolen cards or accounts.”
Flashpoint analysts identified a number of fintech services gaining traction that are in criminals’ crosshairs, including digital wallets such as Apple Pay and Android Pay, peer-to-peer payment platforms such as Venmo and Zelle, free credit reporting services, and financial management and data aggregation platforms such as Mint and Power Wallet.
The underlying technologies powering some of these services, such as NFC, present low barriers to entry for criminals and can result in a relatively high reward. After a 2016 rife with mega-password dumps, with tens of millions of viable credentials available on the Deep & Dark Web (DDW), for example, it’s fairly straightforward for criminals to abuse stolen logins and card data to access accounts and use them in wallets such as Apple Pay.
“A lot of the hype around NFC with people bumping up against you and stealing your card number [cloning the card] is not what you see,” Rowley said. “What they tend to do is buy track data online from a card shop and take the data stolen by someone else, put it into a digital wallet app and go to a store and make purchases. It’s more about in-store carding.”
Peer-to-peer payment platforms such as PayPal-owned Venmo, which allow consumers to share cash or make payments, and other similar apps and wallets such as Zelle are also being abused for cash-outs and even money laundering.
“Peer-to-peer is a big thing and a lot of financials are getting slammed with fraud,” Rowley said. “Criminals are cashing out stolen cards and accounts and sending the money to an account they control.”
Banks, meanwhile, in a rush to compete with these third-party services, are starting to introduce similar apps of their own.
“There may be a lot of growing pains,” Rowley said.
Cryptocurrency exchanges have perhaps endured the most pain. Most that have been victimized were targeted by cybercriminals who found exploitable vulnerabilities in the respective platforms, resulting in millions in losses, or who decided to DDoS them out of business.
A number of South Korea-based exchanges were targeted in 2017, most recently Youbit, which filed for bankruptcy after hackers drained $35 million USD from the exchange.
These attacks aren’t limited to criminals, either; nation-states such as North Korea are alleged to have been behind a handful of these robberies, reportedly in order to fund state-sponsored hacking efforts targeting South Korea and Western interests. Flashpoint assesses that these attacks are financially motivated and likely to continue on both the criminal and nation-state fronts.