Part 2. Tips for using ATMs and avoiding credit card cloning
Are you planning to visit Brazil during the World Cup? Welcome! Hope you enjoy your stay! How are you planning to pay your bills while you're here? Cash or credit card? Are you worried about credit card cloning? You should be.
Brazil has some of the most creative and active criminals specializing in credit card cloning - and, unfortunately, they love to target foreigners who don't know how to protect their credit cards when withdrawing money from an ATM or paying for their churrasco and caipirinha drinks in a restaurant.
In this second part of our series we explain the most common attacks on ATMs and PoS (Point of Sales) devices in Brazil. These are out to clone your credit card using skimmer devices, fake signage and, of course, a lot of malware.
Credit card usage, the Brazilian way
Point of Sales devices are very common inside the country; you'll find them in restaurants, supermarkets, gas stations and so on. In fact credit cards are the preferred way to buy goods and pay bills - according to the Brazilian Central Bank credit and debit cards account for 70% of all payments in the country:
Credit cards with CHIP and PIN are accepted by almost all businesses, even by cab drivers - despite some recent news about security flaws in this protocol, CHIP and PIN cards are still more secure and harder to clone than magnetic swipe cards. If you don't already have this type of card, ask your bank if it's possible to get one before you travel.
In Europe and North America, many people are in the habit of handing over their cards to the staff in restaurants and stores. In Brazil, this is a dangerous habit. Please don't do this - you're presenting fraudsters with a golden opportunity to clone the card, and the temptation is inevitably too strong to resist. I have foreign friends who have reported their cards were cloned on a trip to Brazil - it happened in exactly this situation, so you should keep your card in sight at all times.
Forget your European habits: in Brazil it's normal to ask the staff to bring the electronic payment terminal to you. This is far more secure because the transaction happens right in front of you. Be careful of chance encounters or accidents which might take your card out of reach for a moment. If it happens, check that the card you get back is really yours. If you have any doubts, report them immediately to the bank.
PoS and PIN pad malware
Brazilian cybercriminals are exporting PoS malware from Eastern Europe and using it locally, infecting machines and sniffing credit card numbers. We wrote about an interesting attack using the so-called "Chupa Cabra malware", Trojan-Spy.Win32.SPSniffer, a malware family with several variants developed in Brazil and seen in the wild since 2010.
This Trojan affects PoS and PIN pad devices, both of which are very common in the country. These devices are connected to a computer via a USB or serial port to communicate with electronic funds transfer (EFT) software. The Trojan infects the computer and sniffs the data transmitted through these ports.
These PIN pads are equipped with security features to ensure that security keys are erased if someone tries to tamper with the device. The PIN is encrypted as soon as it is entered, most commonly using triple DES encryption. But Track 1 data (your credit card number, expiration date, service code and CVV) and the public CHIP data aren't encrypted in the hardware of old and outdated devices. These are sent in plain text to the PC via USB or serial ports. Capturing this data is enough to clone your credit card.
Operators were aware of the problem and promoted a massive firmware update in these devices, aiming to stop the attacks, but the continued emergence of new variants of this malware proves that these attacks remain effective.
There is not much you can do to avoid falling victim to this, so please keep a close eye on your credit card statement to check all transactions and inform your bank immediately if you see something suspicious. Wherever possible try to pay using a wireless PoS device - they're a bit more secure than the older ones connected to serial or USB ports.
ATM skimmers, fake fascia and jackpot malware
Brazil is among the countries that has most ATMs worldwide, according to the World Bank. So there's more than 160,000 opportunities for fraudsters to install a skimmer (also known as "Chupa Cabra devices"); they do this all the time, even during the day you can see them hanging out, wearing flip-flops and beachwear in a very relaxed mood, while installing skimmers in a crowded bank:
Using your hand to cover the key pad while you enter your PIN is a great way to foil most skimmers, which tend to rely on hidden cameras. But there are some who take skimming to a whole new level and install an entirely fake ATM:
Some banks have implemented biometric authentication, and Brazilian banks have been pioneers in the implementation of this technology. But as a foreigner it's not likely to help you much - it requires prior registration with local banks, and tends to be available only for Brazilians and long-term residents.
As suggested by Brian Krebs, your best protection in this case is a keen eye - if you see something that doesn't look right, notify the bank or owner of the machine, and go somewhere else to withdraw your cash.
The Brazilian Federation of Banks has some other very useful tips about using ATMs in Brazil:
- Never accept or ask for help from strangers when using ATMs, even if they don't look suspicious;
- Be aware of the presence of suspicious or curious people nearby. When in doubt, do not start an operation; take special care when exiting the bank branch, you could fall victim to the "saidinha de banco";
- If your credit or debit card is retained in an ATM, press the "Cancela" or "Anula" buttons to cancel the operation and get in touch with the bank immediately. Try calling from the helpline phone in the bank. If it isn't working, it may well be an attempt to rob customers. In these cases never accept help from strangers, even if they say they work in the bank. Don't enter your PIN into the machine either;
Another interesting trend in Brazil and Latin America is "jackpot" malware. Recently we saw Ploutus in Mexico and some cases were reported in Brazil as well. In these cases cybercriminals infect the ATM using a USB stick - almost all of them still run an unsupported OS such as Windows XP. The malware makes it possible to remove all the money from the ATM. It doesn't affect you directly, but it can mean the ATM has no money to dispense to you when you need it.
These are some tips from a local resident, hoping to help you enjoy our hospitality during your visit to Brazil. While using ATMs or paying with your credit card, be secure and enjoy your stay.šAs a final tip, let me show you this link, a very good list of suggestions on how to stay safe and sound during the World Cup.
In our next blog my colleague Dmitry Bestuzhev will explain the risks of using free Wi-Fi networks and chargers, and how to connect to the Internet securely.