NGate can steal your debit card info and PIN without your knowledge
Contactless payment cards, such as your Visa or Mastercard debit and credit cards, generate a one-time-use (OTU) code for each transaction, which you might think would stop attackers from stealing your debit card data. But where there’s a will, there’s a way. The attackers infect your phone, possibly by having you install a malicious app, and then trick you into performing a tap-to-pay verification action that includes typing in your PIN. All of this info is sent to the attacker’s device.


The NGate attack can use an ATM to wipe out your bank account. | Image credit: Cybersecurity News
Remember, these OTU codes are only good for a limited time, which means that once the attacker has this data, he uses it immediately at an ATM with a card-emulating device such as a phone, smartwatch, or custom hardware.
Follow these suggestions to avoid becoming a victim
To infect your device, the attackers use phishing emails or SMS messages in an attempt to get their malicious app installed on your phone. The phishing email or text message might pretend to come from your bank or your internet or mobile provider, claiming that there is an issue with your account. The goal is to make you so nervous that you do whatever you are told, including installing a special app that is supposed to help clear up your issue. These apps are downloaded via a direct link and avoid the Google Play Store.
Once the app is installed, it asks for certain permissions to be enabled and asks you to verify the new card by having you perform a tap-to-pay action on the fake app that was sent by the attackers. While this is going on, an “accomplice” is hanging out at an ATM ready to drain your account.
The victim doesn’t know he’s a victim until it’s too late
It’s a scary scenario and it has worked. To prevent it from happening to you, Malwarebytes suggests that you follow these tips:
- Only download apps from trusted sources such as the App Store and Google Play Store. A bank will never ask you to use a different source.
- Use an up-to-date real-time anti-malware solution for Android.
- If someone calls claiming to be from your bank, tell them you’ll call back and do so using a phone number you have on file.
- Never respond to unsolicited text messages no matter how harmless they appear to be.
The above are outstanding recommendations that you should follow at all times. The attackers are counting on you getting so nervous after receiving a text stating that your bank account has irregularities, or you’re about to lose your electric, water, wireless or other essential services, that you are willing to install anything without giving it a second thought.
The problem is that with this attack, the victim isn’t aware that his phone has been loaded with malware and that his bank account is being drained until it is far too late. So make sure that you follow the tips in this article to avoid being wiped out.

