Approximation card is safe, but requires care; understand how it works

“Is it inserting or approaching?” it may become a more difficult issue now that a gang of cybercriminals has created malware capable of bypassing the security of contactless payments.

But there are still not enough reasons to abandon this means of payment. The Prilex group managed to circumvent, and not break, its security.

The new malicious program blocks the machine’s approach payment processing, forcing the buyer to insert the card into the reader. The malware then connects with the criminals and sends the payment information to them, not the financial institution.

“Contactless” payments have become popular during the pandemic and have proven to be as secure an alternative as chip card payments.

According to Fabio Assolini, head of research at Kaspersky in Latin America, the company that identified the program, the number of detections is not high, which may indicate that it is still being tested. “Prilex is well targeted. They are not going to install the virus in the bakery on the corner. They prefer companies that move expressive values”, he said.

In a note, Abecs (Brazilian Association of Credit Card and Services Companies) said it did not detect evidence of this malware in action. “[A associação] will continue to monitor and seek information from the market about the alleged scam to prevent payment by approximation, an extremely safe payment method”, he said.

In contactless payments, each transaction has a unique encrypted code. That is, even if the information is captured by criminals, it is of no use. When paying using the chip, there is a direct transmission of card data, which are always the same.

“Knowing this, the criminals behind Prilex do not want people to pay by approximation. They want to force people to insert the card. The machine, connected to an infected system, will be able to capture the data of that card, because the data transacted will be the real card data”, explains Fabio Assolini, from Kaspersky, the cybersecurity company that identified the malware.

Criminals manage to gain access to information because, through social engineering, they have infected computers connected to the points of sale and the software that processes the payment made. The card machine that is connected to that computer at the point of sale is not affected.

According to Abecs, 3 billion approximation payments were made in the third quarter of 2022, a growth of 157.7% compared to the same quarter of the previous year.

Participation in total face-to-face transactions jumped from 3.9% in September 2020 to 37.7% in September 2022. The entity’s expectation is that half of face-to-face transactions in 2022 will have been carried out by approximation.

Despite being secure in terms of encryption, contactless cards are not immune to other types of fraud.

For example, the method allows purchases of up to BRL 200 without the need to enter a password, so if the customer is stolen or loses his card, he runs the risk of purchases being made without his authorization.

To protect themselves, consumers can deactivate the “contactless” option in bank applications when attending crowded events, such as concerts or Carnival. Or use cash.

• Check the value shown on the display before paying by approximation;
• Register the sending of messages of all purchases made to your cell phone;
• Track app notifications and your bank statement;
• Do not approach the card ahead of time;
• Be careful with the card. If you lose it, block it immediately;
• If you have fallen into a scam, notify your bank and contest undue charges;

Approaching with a cell phone can be safer

Another way to use contactless payment is by registering your credit or debit card in the payment services available on smartphones and smartwatches. The main ones are Samsung Pay, Google Pay and Apple Pay.

These apps use NFC (Near Field Connection) technology in devices, analogous to RFID (Radio Frequency Identification) present in physical cards.

The use of proximity through cell phones can be even safer, since, to activate it, it is necessary to unlock the cell phone (PIN, biometrics or FaceID) and open the application.