Payments Fraud, Via Apps?

Symantec has discovered vulnerabilities in two popular messaging and media apps, WhatsApp and Telegram, which can be hijacked to commit payments fraud. Separately, phishing scams are targeting American Express commercial and consumer cardholders.

Apps with a possible security flaw, a malware phishing scheme and, possibly, payments fraud, all done in the blink of an eye?

Security firm Symantec said this past week that it found a security flaw in Android apps for WhatsApp and Telegram, which can allow hackers to manipulate data that flows between users.

Reports say that the hacks, which are known as Media File Jacking, allow media ranging from photos to documents to be compromised in “real time,” which means intercepting data between the time it is written to disk and the time it is loaded into the user interface. The apps have, cumulatively, over 1.5 billion users.

In reference to payments, a hacker could conceivably change an invoice to help divert funds into different accounts.

“WhatsApp has looked closely at this issue, and it’s similar to previous questions about mobile device storage impacting the app ecosystem,” WhatsApp said in a statement. “WhatsApp follows current best practices provided by operating systems for media storage, and looks forward to providing updates in line with Android’s ongoing development. The suggested changes here could both create privacy complications for our users and limit how photos and files could be shared.”

American Express, Targeted?

News came this week that a phishing campaign has targeted American Express customers. The site TechNadu reported that victims are being prompted to enter their login credentials, under the guise that the online system is going through maintenance. As the site noted, no card issuer would send an email with such prompts.

The phishing campaign targets consumers and also commercial users.

The scam also warns users that if they do not verify their credentials immediately, they risk temporary suspension of their accounts. The scams ask for PINs and mothers’ names, among other sensitive information.

This is not the first time American Express cardholders have been targeted. In March of this year, the same site reported that a separate phishing campaign had asked holders to provide their login credentials, telling them that they had to re-authenticate. The site said that the sophisticated emails sported the American Express icons and the official colors of the brand, and asked for specific and personal data.

Separately, in Australia, The Standard reports that the Warrnambool City Council is reviewing “all purchases” that have been made on its 81 corporate credit cards. The review comes in the wake of the council’s order that a senior officer repay an undisclosed amount for what were deemed inappropriate transactions.