Contactless payment with a smartphone or smartwatch is convenient. Now, however, scammers have found a way to digitally clone credit cards. Here is how to prevent someone else from shopping with your card on their phone.
Admittedly, a lot has to happen for fraudsters to be able to steal a digital image of someone else’s credit or debit card, store it on their mobile device and use the cloned card to make contactless payments in shops.
LKA warns of fraud with cloned credit cards
But the recent accumulation of cases shows that the attempts by criminals to store stolen credit card clones on smartphones and smartwatches are sometimes quite successful, warns the Lower Saxony State Criminal Police Office (LKA). Anyone who knows how the scam works can protect themselves better.
Fraudsters get hold of the card data via phishing
The potential victim uses a search engine to look for the online banking page of his or her bank, but then clicks on a link in the results that opens a phishing page and enters his or her online banking and card details there. The rule is therefore: always type the bank address into the browser yourself.
Links in phishing emails can also lead to such fake bank sites. The criminals disguise these messages as official bank mail. The messages give a made-up pretext: a sudden blocking, a necessary verification or a change in the legal situation that allegedly requires the entry of banking access data and card data.
Warning: Banks would never ask you to do something like that. If in doubt, it is best to contact the bank’s customer service.
Social engineering to get the TAN
The next day the phone rings. It is the scammers, pretending to be bank employees. They call because simply entering the card data at the respective payment service is not enough to pay with the digital card image on a smartphone or smartwatch.
As a rule, confirmation from the card-issuing bank is also required. In some cases this is done by entering a TAN in online banking, which is displayed in the bank’s TAN app (push TAN); in others, by a fingerprint or PIN release within the banking app.
That’s why the fake bank employees use flimsy justifications to ask their victims for the push TAN or for a biometric release in the app. In fact, they are setting up a cloned debit or credit card on their own smartphone or smartwatch. Attention: Never disclose such sensitive data.
An employee of the savings banks confirmed to TECHBOOK that the group is becoming aware of more and more cases of this scam. The fraudsters pretend to be Sparkasse employees and the bank’s phone number even appears on the display. The fake employees claim that someone in another city (e.g. Frankfurt or Vienna) tried to withdraw money with the Sparkasse card. They ask customers to block online banking and cards. In order to receive new access data, customers are told to confirm the order via TAN and send this TAN via WhatsApp. As the Sparkasse employee tells us, this is the moment when “the scammers have access to online banking”. Next: “A digital card (savings bank card or credit card) is applied for in online banking. This digital card is the access to the account. Since the perpetrators are bold and often have online banking blocked by blocking hotlines such as 116116, the customer does not know about these bookings.”
Fraudsters can make contactless payments with a cloned credit card
If TANs are disclosed or authorizations are granted in conversations with the criminals, one must assume that the perpetrator’s device is now activated for payment. This allows the criminals to go shopping without actually having the physical credit or debit card.
In that case, to limit the damage, contact the bank immediately and check the devices stored for the account in online banking. In the event of unauthorized debits, also inform the bank and report it to the police.
Source
Lower Saxony State Criminal Police Office: Payment by smartphone and smartwatch – The digital card can also be set up by perpetrators (accessed November 11, 2022)