Digital payment systems are quickly becoming the norm. The speed and convenience of apps like PayPal and Apple Pay have led businesses and consumers to move away from cash, but this efficiency comes at a cost. These digital platforms are also attractive to cybercriminals.
Mitigating any vulnerability starts with understanding how threat actors target it. With that in mind, here’s how cybercriminals take advantage of digital payment systems, and what you can do to stay safe.
The most straightforward, and one of the most popular ways cybercriminals target these platforms is through fraud. Just as email fraud and identity deception have risen, so too have social engineering attacks against digital payment clients.
Many apps feature advanced technical safeguards, so targeting people through phishing scams is often a more effective way to breach accounts. Fraudsters will pose as financial institutions, app developers, and other authority figures to trick people into clicking links or giving away information.
Cybercriminals sometimes trick people into authorizing a one-time payment instead of giving them full access to their accounts. Because payments on apps like Zelle are instant and irreversible, victims of these scams can’t get their money back once they send it. Consequently, posing as someone people feel comfortable paying is an easy way to make money.
Stealing Credentials to Access Accounts
Another way cybercriminals take advantage of digital payments is by stealing a person’s login credentials. In many cases, all it takes is a username and password to get into an account to send money elsewhere. Attackers can gain that information through several different means.
Phishing is the most prevalent way to steal credentials. Instead of posing as an authority figure to request a one-time payment, fraudsters trick people into revealing login information or clicking links that give them account access.
Another way attackers steal credentials is through malware. Mobile Trojans have become increasingly common, and cybercriminals can use these malicious programs to track users’ inputs and learn their passwords. They can then use that information to get into the accounts and send money to themselves without raising any alarms.
Compromising the Clouds
Some cybercriminals take advantage of digital payment systems by targeting the vendors, not the users. Breaking into a company’s cloud dashboard allows attackers to potentially jeopardize millions of accounts through a single incident.
Infiltrating these administrative systems may be more challenging than fooling a user, but it’s far from impossible and promises a larger payday. Once inside, cybercriminals may be able to access users’ wallets, and if not, they can still install malware or steal valuable personally identifiable information. A recent attack on payment terminal company Wiseasy potentially exposed names and phone numbers and granted the attackers control over access privileges.
Many vendors use tokenization to protect their client’s financial information, but some may still store credit card numbers and similar data in the cloud. Cybercriminals that breach these systems could cause widespread damage.
How to Stay Safe
Despite these vulnerabilities, digital payment systems can still be safe. Once vendors and users understand the risks they face, they can take the necessary measures to reduce and mitigate them.
Steps for Vendors
Digital payment system security starts on the developer’s side. Vendors must encrypt all data, both at rest and in transit, and use tokenization to prevent even insiders from seeing sensitive information.
It’s also important to recognize that human error is inevitable to some extent. Regular cybersecurity should be part of every employee’s responsibility, but protections must go further. Embracing zero trust architecture, and implementing the principle of least privilege will minimize risks from the mistakes that do occur.
Continuous activity monitoring is also crucial. Payment systems should use machine learning and similar automated tools to watch for suspicious activity and flag any unusual payments before they authorize them. Periodic penetration testing will also help.
Steps for Users
Users of digital payment systems can also take some steps to minimize their risks. Multifactor authentication (MFA) is the best protection against password attacks, as it ensures that even a breached username and password won’t grant fraudsters immediate access. Strong, unique passwords are also important, but they should always be accompanied by MFA on all digital payment accounts.
Learning how to spot and respond to phishing attempts is similarly crucial. As a rule, you shouldn’t respond to or click on any links in an unsolicited email, especially from an unknown source. You should also look for other signs, like unusual urgency, strange email domains, and spelling errors.
People that use these systems a lot or are particularly concerned about their security can also set up a separate bank account that contain only a limited amount of funds to use on these apps. That way, if a cybercriminal accesses their account, they won’t be able to drain all of the victim’s finances.
Digital Payment Systems Present Rising Security Concerns
Any digital alternative to anything will come with vulnerabilities. As instant payment platforms overtake cash as the go-to choice for daily transactions, vendors and consumers alike must recognize and adapt to these risks.
Cybercriminals can target digital payment systems through many vectors, but security is still possible. It starts with learning how these vulnerabilities may arise and taking the necessary steps to mitigate them.
About the Author:
Dylan Berger has several years of experience writing about cybercrime, cybersecurity, and similar topics. He’s passionate about fraud prevention and cybersecurity’s relationship with the supply chain. He’s a prolific blogger and regularly contributes to other tech, cybersecurity, and supply chain blogs across the web.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor and do not necessarily reflect those of Tripwire, Inc