October 29, 2016
Be Careful With ID Selfies: New Android Trojan Steals Info
Some credit card companies have begun using selfies as an alternative to traditional, text-based passwords in order to provide enhanced security. No system is perfect, though, and hackers have already begun experimenting with various exploits against the new paradigm.
Far and away, the most successful exploit so far has been the Acecard Trojan. This malware masquerades as a standard video plugin. Once installed on a device, however, it inserts itself between the user and a trusted site on which the user is about to make a credit card purchase. It creates a screen that perfectly overlays that of the valid merchant, so the user enters all relevant credit card information into the malware window rather than the merchant site.
Once the card details are entered, Acecard seeks additional information “for verification purposes,” such as addresses, telephone numbers, birthdates, etc. The software goes a step beyond even this and asks the user to take a photo of the front and back of the card in question, generally disguising this request in the context of a selfie (i.e., “take a picture of yourself holding the card, with its front showing, then take a second one showing the back”).
Given that users are already familiar with the selfie-as-password paradigm, many people comply with the request.
Unfortunately, with everything the malware’s owners and controllers collect, they have more than enough information to make bogus purchases using your card, and possibly hack into your accounts.
As with most attacks that rely on social engineering tricks, there’s no good way to defend against this, save for education. Very few companies will ever legitimately ask for a selfie with you holding your actual credit card in hand, and fewer still will ask for the level of “verification information” that Acecard demands when a user attempts to make a purchase. That’s the tell, and observant users will seldom be caught unaware.
Although this malware has only impacted users in Singapore and Hong Kong, it’s only a matter of time before we see something similar here.