Hackers use legitimate sites to steal payment card information

Advancements in digital payment technologies have made payment processes simple and rapid, but hackers now appear to be using sophisticated new tactics to take online control of payment cards and manipulate them for their benefit.
Local banks have recently received multiple complaints from customers who fell victim to an unconventional type of bank card hacking. Customers reported that after making purchases on local websites, they were later surprised by unauthorized withdrawals from their accounts for purchases made from abroad, in particular from Italy, even though they were in Kuwait at the time.
Details reveal that when victims made legitimate payments on a Kuwaiti website, compromised platforms displayed an option for contactless smart payments. However, during the transaction, they were prompted to enter a one-time password (OTP). After doing so, they were informed that the transaction had failed and were asked to retry using their card number, which they did. Days later, they received their purchased items as expected, but were then notified of multiple unauthorized withdrawals from their accounts for purchases made overseas.
Hackers are reportedly manipulating contactless payment requests to capture customers’ card data stored on their phones. This stolen information is then used to make unauthorized withdrawals from their accounts, repeatedly draining funds up to the maximum limit of each compromised card.
By the time customers realize their data has been hijacked, hackers have already gained full access to their electronic payment details, allowing them to withdraw funds as if making legitimate transactions from abroad. As a result, customers are forced to request their banks to block the hacked cards. However, banks say the best they can do under these circumstances is make attempts to recover the stolen funds, without any promise of success.
The banks state that customers are responsible for the security of their own cards, and point out that the victim entered the OTP willingly, which led to their accounts being compromised. Since the Central Bank of Kuwait functions only as a regulatory body, neither the banks nor the central bank is obligated to compensate victims or guarantee refunds.
Correspondent banks, which process the international transactions, have also stated their inability to reverse the payments, as they were completed correctly with the required OTP verification. Consequently, customers bear full responsibility for the theft, while banks are only responsible for attempting, but not guaranteeing, the recovery of stolen funds.
However, the victims argue that they are not responsible for these thefts, claiming that hackers injected malicious code into well-known Kuwaiti websites. This allowed them to copy card data during legitimate transactions. They insist that they followed the correct protocols for using contactless smart payments, which absolves them of any negligence in protecting their data.
Additionally, they discovered from the website owners that their platforms do not officially support payment methods like Apple Pay, Google Pay, or Samsung Pay, despite these options appearing available to customers on the compromised sites.
Unlike traditional phishing attacks that use fake or lookalike websites, hackers in this case are infiltrating legitimate websites and using them as a gateway to gain control over customers’ smart cards.
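The technique the report describes, injected code on a legitimate checkout page that shows wallet buttons and an OTP prompt the merchant never built, leaves traces in the page itself: script sources the site does not normally load, wallet labels the site does not support, and input fields its own flow never asks for. As an added example that is not part of this article and not code from any bank or website mentioned in it, the Python script below audits a constructed snapshot of a checkout page against a baseline the merchant maintains. All hostnames, field names and the HTML itself are constructed assumptions.

```python
"""
Added example: a checkout-page integrity audit a merchant's security team
could run over a saved copy of its own checkout page. It inventories external
script origins, button/link/label text and input names, then compares them
with a baseline of what the merchant deliberately ships on that page.
Every hostname, field name and the sample HTML below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Wallet brands named in the report; a merchant that has not integrated them
# should never see these labels on its checkout page.
WALLET_KEYWORDS = ("apple pay", "google pay", "samsung pay")
# Field names that suggest a one-time-password prompt has been added.
OTP_KEYWORDS = ("otp", "one-time", "one time", "verification code")


class CheckoutInventory(HTMLParser):
    """Collects script origins, visible labels and input names from a page."""

    def __init__(self):
        super().__init__()
        self.script_origins = set()   # hosts that <script src> tags load from
        self.inline_scripts = 0       # <script> tags with no src attribute
        self.labels = []              # lowercased text of button/a/label elements
        self.input_names = []         # lowercased name attributes of <input>
        self._capture = None          # text fragments of the element being read

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            src = a.get("src")
            if src:
                # A relative src is served by the merchant itself; record it
                # under a fixed label so the baseline can allow it explicitly.
                self.script_origins.add(urlparse(src).netloc.lower() or "(same-origin)")
            else:
                self.inline_scripts += 1
        elif tag == "input":
            self.input_names.append((a.get("name") or "").lower())
        elif tag in ("button", "a", "label"):
            self._capture = []

    def handle_data(self, data):
        if self._capture is not None:
            self._capture.append(data)

    def handle_endtag(self, tag):
        if tag in ("button", "a", "label") and self._capture is not None:
            text = " ".join("".join(self._capture).split()).lower()
            if text:
                self.labels.append(text)
            self._capture = None


def audit_checkout(html, baseline):
    """Return a list of findings where the page deviates from the baseline.

    baseline keys (all assumed, chosen for this example):
      allowed_script_origins: hosts the merchant knowingly loads scripts from
      supported_wallets:      wallet names the merchant has actually integrated
      otp_expected:           whether the merchant's own flow collects an OTP here
      max_inline_scripts:     how many inline <script> blocks the page normally has
    """
    inv = CheckoutInventory()
    inv.feed(html)
    findings = []
    for origin in sorted(inv.script_origins - baseline["allowed_script_origins"]):
        findings.append(f"unexpected script origin: {origin}")
    if inv.inline_scripts > baseline["max_inline_scripts"]:
        findings.append(f"inline script count {inv.inline_scripts} exceeds baseline")
    for label in inv.labels:
        for wallet in WALLET_KEYWORDS:
            if wallet in label and wallet not in baseline["supported_wallets"]:
                findings.append(f"unsupported wallet option shown: {label!r}")
    if not baseline["otp_expected"]:
        for name in inv.input_names:
            if any(k in name for k in OTP_KEYWORDS):
                findings.append(f"unexpected OTP field: {name!r}")
    return findings


# Constructed snapshot of a checkout page after a hypothetical injection: the
# merchant's own card form is followed by a block it never wrote.
SAMPLE_PAGE = """
<html><body>
<script src="https://static.example-shop.test/checkout.js"></script>
<script src="https://cdn.unrelated-host.test/loader.js"></script>
<form action="/pay" method="post">
  <input name="card_number">
  <input name="expiry">
  <button type="submit">Pay with card</button>
</form>
<div id="injected">
  <button>Pay with Apple Pay</button>
  <label for="otp">Enter the OTP sent to your phone</label>
  <input id="otp" name="otp_code">
</div>
</body></html>
"""

# Constructed baseline for a merchant that supports no wallets and never asks
# for an OTP on its own checkout page.
BASELINE = {
    "allowed_script_origins": {"static.example-shop.test", "(same-origin)"},
    "supported_wallets": set(),
    "otp_expected": False,
    "max_inline_scripts": 0,
}

if __name__ == "__main__":
    for finding in audit_checkout(SAMPLE_PAGE, BASELINE):
        print(finding)
```

Run against the constructed page, the audit reports the foreign script host, the Apple Pay button and the OTP field. In practice the baseline is taken from a known-good copy of the page and the audit runs on each fresh fetch, so a change introduced by injected code shows up as a diff rather than as a customer complaint weeks later.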
Reports indicate that this type of fraud has been ongoing in Kuwait for some time, with no effective solutions implemented by the relevant authorities. While website owners have attempted to patch vulnerabilities through specialized cybersecurity firms, the exact weak points enabling these fraudulent transactions remain unidentified.
Banks advise card owners to set relatively low spending limits on cards used for everyday purchases. If possible, a separate minimum limit can be set specifically for contactless smart card payments. Of course, these limits can be quickly increased if needed.
Additionally, a virtual card with a minimum spending limit can be issued and linked to Google Pay, Apple Pay, or Samsung Pay. Customers are also advised to be extra cautious when asked for data without justification, especially during payments via Google Pay, Apple Pay, or Samsung Pay.
Since withdrawals are made through these services without requiring an OTP, any request for it from another party should raise concern. If you notice any suspicious transactions, you should contact your bank immediately.