ePaymentMarketingMobile Appsmobile OSMobilitySmartphones

Europol Warns Of Gangs Making Fake Android Mobile Payments

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Google + Linkedin Subscribe to our newsletter Write a comment

Euro cops warn of criminal gangs said to be using Android smartphones to conduct fraudulent transactions

Europol has warned of an emerging threat from Android-based smartphones because criminal gangs are said to be able to carry out fraudulent mobile payments on the mobile operating system.

The increasing use of contactless NFC based payment systems on smartphones has prompted many experts over the years to warn of their potential security risks. And now it seems that the criminal underground has caught up.

Cyber Risks

The warning came in Europol’s annual Internet Organised Crime Threat Assessment report, which highlighted a raft of cyber threats at the moment.

The report said that NFC-based payment fraud was a growing problem.

“EMV (i.e. chip and PIN), geo-blocking and other industry measures continue to erode card-present fraud within the EU, but logical and malware attacks directly against ATMs continue to evolve and proliferate,” it said. “Organised crime groups are starting to manipulate or compromise payments involving contactless (NFC) cards.”

“The relentless growth of cybercrime remains a real and significant threat to our collective security in Europe,” said Europol’s Director Rob Wainwright. “Europol is concerned about how an expanding cybercriminal community has been able to further exploit our increasing dependence on technology and the Internet.”

“2016 has seen the further evolution of established cybercrime trends,” said the head of the European Cybercrime Centre, Steven Wilson. “The threat from ransomware has continued to grow and has now expanded into sectors such as healthcare. Europol has also seen the development of malware targeting the ATM network, impacting cash services worldwide.”

Android NFC

Aside from the usual cyber threats, the report also highlighted the risks to financial transactions, particularly those involving Android smartphones.

“As the financial institutions increasingly issue EMV cards to their respective card bases, we can expect US merchants to be fully EMV compliant within two years,” said the report. “This will likely push card-present fraud to other jurisdictions or make criminals turn to CNP in search of the path of least resistance. However, this also increases the risk of attacks on the EMV technology,
so further innovations are needed to keep that platform secure.”

Android Pay 2It then highlighted the problem with NFC transactions.

“The possibility of compromising NFC transactions was explored by academia years ago and it appears that fraudsters have finally made progress in the area,” said Europol. “Several vendors in the Darknet offer software that uploads compromised card data onto Android phones in order to make payments at any stores accepting NFC payments.”

“Moreover, at least one Member State reports instances of organised criminal gangs using contactless cards purchased from individuals who then report the card as lost,” said the report.

Android Pay

The criminals were able to reset the cards once they had reached the purchase limit thereby allowing continued spending,” said Europol. “Fraudulent use of NFC payments would have a number of unexpected consequences including the inability of merchants to confiscate the compromised card.”

“Currently, when merchants detect a fraudulent transaction they are requested to seize the card,” it said. “However, the confiscation may not be feasible when the compromised card data are recorded on the buyer’s smartphone.”

Europol’s concern at Android-based NFC fraud comes because Android handsets allow third-party apps to use its NFC chip.

Apple on the other hand prevents other apps from using its NFC chip, as it wants iPhone users to be locked into only using its Apple Pay system.

And the problem could only get worse, with research pointing out that the use of mobile contactless payments is set to surge in the UK.

Earlier this month Android Pay was adopted by NatWest, Santander, RBS and Ulster Bank. Indeed, aside from TSB and Barclays, all of the UK’s major banks now accept Android Pay.

Are you a mobile payments aficionado? Take our quiz!