BrianKrebs on Nostr: I keep getting financial industry people reaching out about this story to say how ...
I keep getting financial industry people reaching out about this story to say how much fraud they are now seeing from people's payment card data being phished and loaded onto mobile wallets just by also phishing a one-time code out of victims.
One thing I think a lot of people are missing with this type of fraud is that while it is ideal for the phishers to coax that one-time code out of victims at the same time they are phishing the card data, it doesn't have to be that way.
What I'm getting at here is that this method of turning phished data into mobile wallets essentially allows card data that was previously only good for online transactions (i.e. it was stolen from an ecommerce vendor) to be "enriched" at any point going forward and turned into a mobile wallet.
In other words, the phishing of the one-time code sent by the victim's bank in response to a request to link their card to a mobile wallet can happen out of band, well after the fact, and under any pretext.