Cybercriminals Exhibit Interest in Targeting Contactless Payments in Latin America

Unlike cash or traditional credit or debit cards, contactless payment methods enable users to make purchases by simply tapping or scanning their mobile device or payment card at a point-of-sale (POS) terminal. These methods have grown particularly popular in Latin America (LATAM) in recent years due largely to their ease-of-use, regional banking trends, and banking institutions’ global expansion efforts. However, this popularity is also attracting unwanted attention from cybercriminals in LATAM seeking to engage in various fraudulent schemes.

The cybercriminal appeal of contactless payment methods is fueled primarily by their convenience. Because these methods usually do not require users to submit a form of identification, input a PIN, or confirm a signature for low-value transactions, they enable cybercriminals to minimize their risk of exposure when making fraudulent in-store purchases.

Typically, if a fraudster is initially unsuccessful in using a traditional payment card to make a purchase at the checkout counter, they will attempt to use a backup credit card, often attracting the unwanted attention of store clerks to the suspicious transaction. But because contactless payment methods, in addition to their convenience, are also widely perceived to be relatively novel, the legitimacy of such a transaction is less likely to be questioned. As a result, these methods can enable fraudsters to use several stolen credit cards at once if necessary.

The recent abundance of cybercriminal chatter pertaining to these payment methods in LATAM has been primarily focused on whether the three types of contactless payment technology can be exploited to facilitate fraud. These technologies include:

Radio Frequency Identification (RFID)

Commonly used in airport baggage handling and asset tracking, RFID is a decades-old technology that enables one-way wireless communication at distances of up to 100 meters between an RFID reader and an RFID tag. The tag is typically implanted into an electronic device and has a unique number that identifies the specific device when transmitting its data to the reader. Many contactless payment cards utilize RFID tags, but concerns with electronic pickpocketing and other security issues have led to the development and adoption of more secure alternatives.

Chatter among cybercriminals in LATAM has included discussions of how to obtain and use RFID readers and related materials to modify the balances on RFID-based public-transit cards.

Near-Field Communication (NFC)

Underpinned by RFID technology, NFC is a short-range wireless connectivity standard that enables communication between devices via a peer-to-peer (P2P) network. NFC is widely considered to be more convenient and secure than its RFID predecessor for contactless payments for two reasons. First, NFC tags are automatically built-in to most smartphones today, so it’s easy for users to pay via digital wallets and similar applications; and second, NFC devices such as NFC-enabled card readers, POS terminals, and mobile devices can only transmit data when in close proximity with one another, thereby reducing the risk of electronic pickpocketing.

The majority of chatter pertaining to NFC technology among cybercriminals in LATAM has been focused on the extent that NFC can enable fraudsters to circumvent Europay, Mastercard, and Visa (EMV) security measures when conducting in-store carding. Such actors have also been known to share tools and tutorials demonstrating techniques for cloning NFC cards to support various fraudulent schemes.

Quick Response (QR)

QR is a contactless communication method that functions similarly to barcodes; the user scans the QR code with an application on their mobile device, which then prompts a specified action such as a website to open or payment to be sent. QR technology is widely used in contactless payments due to its convenience; Similar to NFC, QR is fast, easy, and requires no contact between the smartphone and the QR code.

However, NFC is considered more secure and versatile than QR because QR codes and their functions remain static once generated, whereas NFC tags can store dynamic information. Also, while NFC enables users to make near-instant payments simply by tapping their mobile device at a POS terminal, QR codes require the user to download and open a QR app on their smartphone, scan the QR code, and wait for the phone to react to the code.

The majority of contactless payment methods used in LATAM today rely on either NFC or QR technology. And as these technologies becomes even more widespread in the region, cybercriminals will likely continue to look for ways to take advantage of possible vulnerabilities or circumvent security measures within these newly adopted payment systems. As such, Flashpoint analysts assess that cybercriminal interest in NFC and QR technology, as well as tool-sharing related to abusing these systems, will likely increase.