· 2 min read

More Payment Vulnerability Than You Might Think

John Winchcombe
John Winchcombe · Editor
More Payment Vulnerability Than You Might Think

One-time passwords (OTP) are a central part of payment security. It is a concern, therefore, to read about hackers hijacking OTPs sent via SMS by Singapore banks to their customers, resulting in fraudulent credit card transaction worth S$500,000, as recently reported by the Monetary Authority of Singapore. To be fair, this happened late 2020 and only affected 75 bank customers.

The hack was possible because criminals gained unauthorised access to the systems of overseas telecommunication companies and modified the location data of the victims’ mobile phones. Armed with the card details, the criminals could make fraudulent online transactions and authenticate them with the diverted OTPs.


Apple Pay vulnerability. A researcher at the University of Birmingham in the UK has demonstrated a vulnerability of Apply Pay to what is known as ‘man-in-the-middle’ attacks. It only applies to a Visa Card within Apple Pay. The attack modifies transactions so that they appear to have been authenticated by the user using Apple biometric or PIN. It exploits the express transit model, launched by Apple in May 2019, which allows payments to be initiated at a transit terminal without unlocking the phone.

No evidence of this vulnerability being exploited in real life has been put forward.


Exploiting PIX. Brazil seems to be suffering from an outbreak of kidnappings where people are picked up and forced to transfer money in order to be set free. São Paulo saw 40% more of these in the first half of 2021 than previously.

The police believe the central bank’s new PIX instant payment platform is responsible because it allows instant payments via mobile phones, online banking and ATMs at any time. PIX was launched in November 2020.

As a result, the central bank has put in a person-to-person transfer limit of $200 between 8pm and 6am, which is when most attacks happen. In case criminals try to force people to change their transfer limits, a minimum waiting time between asking for a change in limit and the change happening has been put in place. People can also set different limits for day and night.


Malicious Apps. Hackernews.com has also reported the discovery in April 2021 of two malicious Android applications on Google Play Store that target users of PIX. The aim seems to be to entice victims to transfer their entire account balances into an account controlled by the criminal.

One app was called PixStealer and was presented as a fake PagBank Cashback service App. The other, MalRhino, presented itself as a mobile token app for Brazil’s Inter Bank. This allowed the criminals to collect a list of other apps installed on the phone and to retrieve PINs for specific banks.

Subscriber content

Read the full article

Full access to Cash & Payment News articles, newsletters and archives.

Sign Up to Cash & Payment News Weekly

Receive regular updates on the latest news and articles posted on our website.