
'Most of the attacks start with email': One click can put financials on your phone at risk

Posted at 9:25 AM, Apr 21, 2022
and last updated 2022-04-21 13:15:52-04

BROOKFIELD, Wis. — For many of us, our cell phones can serve as wallets as long as we have mobile payment apps connected to our banks or other accounts.

There are a lot of services to choose from, like Venmo, Apple Pay, Cash App, Google Pay, Samsung Pay, and PayPal, to name some. According to a report by Allied Market Research, the global mobile payment market is expected to reach more than $12 trillion by the year 2027.

For anything financial, keeping our confidential information secure has to be a top priority.

Earlier this month, more than 8 million current and former customers of Cash App found out they could be affected by a data breach where their investment information was exposed. In that case, the company announced it was a former employee who is to blame. But the breach brings up an important subject: security surrounding mobile payment apps.

"It's actually surprisingly hard to hack into the phones nowadays. They are locked down. They've got layers of security," said Kevin Bong, a cyber security expert with tech company Sikich.

Bong explains that even though your cell phone's payment app may come with its own security in place, one slip-up on your part can put financials on your phone at risk.

"Most of the attacks start with email. The attacker finds a way to get into your inbox, and once they're in there, they've got a lot of power," he said. "So, that's really what these attackers are going after. They're not going after the apps on the phone, they're going after the accounts."

Without showing their tools, we asked Bong and his Sikich colleague, Thomas Freeman, to demonstrate how email phishing attacks can easily compromise your virtual wallet.

They sent a fake email that stated it came from a customer service rep with a popular email application. The email encouraged the user to click on a link so that they could send and receive digital payments.

For the sake of the experiment, TMJ4 reporter Kristin Byrne clicked on the link and was prompted to provide her email and the password she uses for her email.

"So, now on my screen I'm going to hit refresh and on the campaign screen I can see where you clicked and I have your password now," Freeman said.

"So, now we'll switch into your email account and log into it with your password," he said.

The Sikich team explained that by logging into Byrne's email, hackers can use the search bar to see what mobile payment apps she has registered for in the past.

They then go to the mobile payment app's website and hit "forgot password"; a temporary one is sent, and the bad actors are in and can do whatever they want with the funds.

"Is this kind of common knowledge of how hackers get in?" Byrne asked.

"Yeah, this is pretty obvious, very common. Very obvious how a lot of attackers are stealing passwords nowadays through a phishing attack, and then use a password reset function to get into other sites," Bong answered.

"They can see what all banking apps you're getting notifications from or what other money transfer apps you are using. But they also have the ability to do password resets on a lot of these apps. If you go to your bank and say, 'I forgot my password,' they email you a link to reset your password."

To prevent it from happening in the first place, Bong says to be wary of links in emails. If you do click on one and there's some type of sign-in, stop there.

He also says you should enable two-factor authentication on your email account.

"All the providers out there, Gmail, Microsoft, have that capability. A lot of people just don't turn it on. So, enable that second factor, so you get that code on your phone or something to get in."

"The second thing, if you're really concerned, is look for second factors other than the text message. There are so many attacks against the text message stuff today. But a lot of providers have where you are going through the Google App to get the code, rather than getting a text message, and that's definitely more secure."

Even if our account's security measures try to protect us, we may be our own biggest threat.

"People are starting to get tired of the repeated log-ins. So if the attacker goes through and tries to log in and you get a prompt on your phone that says, 'Did you just try to log in?' A lot of people are just blindly saying yes now because they get that two to three times a day and they've just got used to saying yes."

Bong also suggests using different passwords for each account you have. He says instead of choosing a password with 8 characters, choose one with 16. If you're concerned you won't remember them, you can always download a password management app.

This story was first reported by Kristin Byrne at TMJ4 in Milwaukee.