\u201cCriminal groups are migrating from physical to virtual crimes because it is a better, more lucrative and less risky business.\u201d\u00a0<\/p>\n
It is gradually becoming clear that the trend away from cash and toward digital-only payment systems may not be quite as smooth or as seamless as some may have wished or expected. In May, we posted the article, World\u2019s Oldest Central Bank Keeps Sounding Alarm on Fragility of Cashless Economies. Are Other Central Banks Listening?, in which we explored the growing concerns among central bankers in Sweden, one of Europe\u2019s most cashless economies, about the unintended consequences of driving cash out of the economy.<\/p>\n
There are \u201cserious fraud problems that could undermine trust in the payment system,\u201d Sweden\u2019s central bank, the Riksbank, cautioned in its 2024 payments report. Digitalization also makes payments \u201cmore vulnerable to cyber attacks and disruptions to the power grid and data communication,\u201d the bank points out. These developments suggested \u201cthat we should concentrate more than before on the challenges of digitalization.\u201d*<\/p>\n
A month after we posted that piece, a spate of articles appeared in the English-language press warning about the recent explosion of digital fraud in Sweden. The Daily Telegraph reported that criminals were \u201chaving a field day\u201d after Sweden has more or less stopped using cash:<\/p>\n
Criminals profited to the tune of \u00a3543m (SEK 7.5bn) in 2023 from fraud, according to the Swedish police. Online fraud and digital crimes have proved lucrative, with organised gangs stealing \u00a389m (SEK 1.2bn) in 2023, double the loss in 2021.<\/p>\n
Common frauds focus on the personal ID code used by most Swedish citizens, BankID. It is so trusted that if it has been inputted correctly, transactions will take place immediately. If fraudsters can harvest this number, then they can easily empty accounts. In combination with some basic personal data, fraudsters can even take out loans in the victims\u2019 name.<\/p>\n
It is apparently not quite as simple as The Daily Telegraph suggests. As long-time Naked Capitalism commenter fjallstrom points out in the comments thread below, you also need the hardware on which a time-limited file has been downloaded and installed in the program as well as the person\u2019s password.<\/p>\n
\u201cThus scams tend to involve tricking the person being scammed into signing (and ignoring all the red flags like the name of the recipient not matching the stated purpose) then both stealing their hardware and getting your hands on \u2014 or guessing \u2014 their password.\u201d<\/p>\n
In its report \u201cGoing cashless Has Turned Sweden from One of the Safest Countries into a High-Crime Nation\u201c, Fortune magazine provided an example:<\/p>\n
Ellen Bagley was delighted when she made her first sale on a popular second-hand clothing app, but just a few minutes later, the thrill turned to shock as the 20-year-old from Link\u00f6ping in Sweden discovered she\u2019d been robbed.<\/p>\n
Everything seemed normal when Bagley received a direct message on the platform, which asked her to verify personal details to complete the deal. She clicked the link, which fired up BankID \u2014 the ubiquitous digital authorization system used by nearly all Swedish adults.<\/p>\n
After receiving a couple of error messages, she started thinking something was wrong, but it was already too late. Over 10,000 Swedish kronor ($1,000) had been siphoned from her account and the thieves disappeared into the digital shadows.<\/p>\n
\u201cThe fraudsters are so skilled at making things look legitimate,\u201d said Bagley, who was born after BankID was created. \u201cIt\u2019s not easy\u201d to identify scams\u2026<\/p>\n
Law-enforcement agencies estimate that the size of Sweden\u2019s criminal economy could amount to as high as 2.5% of the country\u2019s gross domestic product.<\/p>\n
To counter the digital crime spree, Swedish authorities have put pressure on banks to tighten security measures and make it harder on tech-savvy criminals, but it\u2019s a delicate balancing act. Going too far could slow down the economy, while doing too little erodes trust and damages legitimate businesses in the process.<\/p>\n
Sweden\u2019s recent explosion in digital fraud needs to be set against the rash of bank robberies the country was suffering roughly a decade ago, which have apparently fallen to zero in the last couple of years. However, as fjallstrom points out, while bank robberies by definition impact banks, the recent digital scams are mostly affecting bank customers. As such, an argument can be made that banks, having pushed for digital transactions for everything, no longer have to take responsibility for bank robberies while at the same time foisting the new risks onto their customers.<\/p>\n
A $34 Billion Problem<\/p>\n
Sweden is not the only largely cash-free economy that is grappling with a surge in digital theft. Brazil, one of Latin America\u2019s most cashless economies, is suffering \u201can epidemic of cell phone theft and cyberfraud,\u201d reports El Pa\u00eds:<\/p>\n
One in ten Brazilians have had their mobile phone stolen in the last year, according to a survey, while cybercrime skyrockets and the economic cost is estimated at $34 billion.<\/p>\n
It happens in the blink of an eye. You take out your cell phone, which was well protected in your fanny pack, stretch your arms to take a quick photo in the middle of the carnival crowd and bam! someone grabs it from you and disappears with it into the crowd. It also happens while you\u2019re talking from your car. At a traffic light, the motorcyclist next to you suddenly smashes the car window, grabs the device and drives off with it. Or on a quiet backstreet while you look at how long it will take for your Uber to arrive. Suddenly a guy on a bike appears and snatches it from your hand while you watch, dumbfounded, as he rides away, dodging pedestrians and cars. The kind of non-violent crime is the order of the day in the epidemic of cell phone theft that Brazil is experiencing. One in ten Brazilians has had at least ome smartphone stolen in the past year, according to a survey commissioned by the NGO Forum Brasileiro de Seguran\u00e7a P\u00fablica to Datafolha and published on Tuesday.<\/p>\n
These days, the thieves are less interested in the phones themselves than they are in the possibility of emptying the digital wallets on them.<\/p>\n
\u201cA Cyberfraud Paradise\u201d<\/p>\n
\u201cBrazilians are adopting digital payments faster than anyone else,\u201d trumpeted an\u00a0article by the World Economic Forum last year. In 2020, 44% of bank customers had a digital-only account, compared with less than 20% in the US and Canada, according to the consultancy firm Accenture. But its success as a \u201cfintech hub\u201d has attracted hordes of cyber criminals, as The Economist reported in January:<\/p>\n
Their main weapon has been the \u201cbanking trojan\u201d, a programme that steals users\u2019 account information. According to Kaspersky Lab, a cyber-security firm, Brazil is the top country for attacks by banking trojans, with 1.8m attempted infections from June 2022 to July 2023 (the latest data available). Globally eight of the 13 most popular types of trojans are made in Brazil\u2026<\/p>\n
Cyber-criminals initially focused on trojans as they require little skill to use. However, as banks developed better defences, criminals were forced to branch out into more complex and lucrative attacks. Brazil\u2019s underworld has developed the most advanced \u201cpoint of sale\u201d malware, which scammers use to filch bank details from card readers, according to Kaspersky Lab. Known as Prilex, this application can block contactless payments by stopping the short-range connection between a credit card and the payment terminal. The terminal reads: \u201cError. Please Insert.\u201d When a customer inserts her card and\u00a0PIN, the malware uses the credentials to authorise a fraudulent transaction. During Rio\u2019s carnival in 2016, a hacker used a basic version of this software to remotely take over 1,000\u00a0ATMs.<\/p>\n
This trend was turbocharged in November 2020, when Brazil\u2019s central bank launched the Pix protocol, an instant-payments platform, forcing the country\u2019s commercial banks to integrate their accounts with instant and free digital transfers for individuals. Carrying zero fees for individual customers and relatively low costs for businesses (at least for now), the instant payment scheme was an instant success, and has done nothing but grow since.<\/p>\n
As of June this year, Pix boasted 165.8 million users, 151.8 million of them individuals (close to three-quarters of the population) and 14.63 million, companies. Given the success of Pix, some lawmakers are calling for the phasing out of cash. As Reuters reported in April, in the space of just over three years, \u201cBrazil\u2019s hugely popular Pix system has become the country\u2019s favourite form of payment, in many cases replacing cash and bank transfers and now threatening the dominance of credit cards in the booming e-commerce sector\u201d:<\/p>\n
Instant payments designed by Brazil\u2019s central bank are a boon for online retailers, helping with cash flow in a sector with small margins, while also eroding the business of banks and fintechs built on existing credit card infrastructure.<\/p>\n
\u201cI think credit cards will cease to exist soon,\u201d central bank chief Roberto Campos said nearly two years ago, speaking of the potential of open finance and the Pix platform. \u201cThis system eliminates the need to have a credit card.\u201d<\/p>\n
Whether that is true, time will tell. Banks and card processing firms are presumably terrified at the prospect, given that the fees they charge on Pix are significantly lower than typical credit card fees. But one thing is clear: Pix is fuelling an epidemic of digital crime, with 1,640 mobile phones stolen every hour, according to the El Pa\u00eds article. The target, of course, is not the device itself but its applications, contacts and passwords, possession of which has helped Brazil\u2019s criminal gangs to exponentially increase their profits. Each victim loses an average of 1,500 reais ($275, a little more than the monthly minimum wage) in addition to the smartphone.<\/p>\n
In August 2021, UOL reported an explosion in the incidence of \u201cexpress kidnappings\u201d in Sao Paulo following the launch of the instant payments solution. In March 2023, the global tech blog Rest of World published an article on a worrying new trend sweeping many of Brazil\u2019s cities \u2014 \u201cTinder robberies,\u201d which involve criminal gangs luring affluent men on dating apps to secluded places where their phones can be seized and their digital wallets emptied. Police statistics reveal that nine out of 10 kidnappings in S\u00e3o Paulo in 2022 occurred after a date was arranged through Tinder and similar apps.<\/p>\n
As the Rest of World article notes, the rise in these scams \u201chas coincided with the widespread adoption of two forms of technology: dating apps and mobile payments\u201d:<\/p>\n
Criminals use fake dating app profiles to lure unsuspecting targets to a private place with ease, and then take their money using PIX \u2014 an instant QR payment method used by 67% of Brazilians. Criminals have found they can use PIX to extract large quantities of cash from the victims they scam using apps like Tinder\u2026<\/p>\n
For many Brazilians, the popular PIX app is a fast and efficient mode of payment. It is this very efficiency and ease of use that have made it the perfect tool for these sorts of scams.<\/p>\n
The costs to the public are spiralling. The Brazilian Forum of Public Security estimates that losses resulting from digital fraud amounted to $34 billion last year. According to the NGO\u2019s calculations, this is more than the total sum of money spent each year on public security by Brazil\u2019s central administration, states and municipalities. As El Pa\u00eds puts it, Brazil has become a cyber fraud paradise:<\/p>\n
Gangs of pickpockets on the hunt for mobile phones are omnipresent in the large crowds that Brazilians are so fond of, whether at a free Madonna gig in Copacabana or Carnival time on the streets of any big city. The social networks and media are filled with detailed instructions on how to minimize risks.<\/p>\n
For the criminal gangs, the goal is no longer just to empty the victim\u2019s accounts or buy things on credit; some criminals are taking advantage of the stolen cell phone by applying for instant loans in the owner\u2019s name. They then create accounts to transfer the money or send it to front men until all trace of the money is lost. The First Capital Command (PCC), a brotherhood of criminals that is the most powerful organised crime group, has created an entire structure of safe houses with hackers in the centre of S\u00e3o Paulo. As Renato Sergio de Lima, [a public security expert], recently explained, criminal groups are migrating from physical to virtual crimes because it is a better, more lucrative and less risky business:<\/p>\n
\u201cThe cost-benefit ratio of virtual crimes is much higher than car theft, bank robberies or the theft of truck cargoes.\u201d<\/p>\n
All of which is kind of ironic given that one of the most frequent arguments for replacing cash with digital money alternatives is to help reduce crime, rather than making it easier and a lot more lucrative.<\/p>\n
There is one advantage to Brazil\u2019s digital crime wave, however: it allows banks, tech firms and the central bank to tweak and refine the security features of their digital wallets. Brazil is the first country where Google has trialled the so-called thief mode on its android phones, which blocks a phone\u2019s screen if the operating system detects that it has been abruptly ripped out of the owner\u2019s hand. Also, Brazil\u2019s Lula government recently launched a \u201csafe phone\u201d app to block any device and banking apps in the event of theft, thus limiting potential losses for the victims and reducing the incentive for criminals.<\/p>\n
That is the goal at least. But are these merely teething problems that need ironing out by creating better security protocols? Or will today\u2019s cyber-criminal masterminds continue to stay one step ahead of the digital curve as digital wallets gain traction around the world \u2014 not just for payments, but also identity verification and access control?<\/p>\n
QR code scams have become so ubiquitous \u2014 offering cyber criminals rich opportunities to steal people\u2019s identities or hack into their bank accounts and make off with their money \u2014 that the US Federal Trade Commission recently issued a consumer alert about the dangers of the technology.<\/p>\n
In India, Aadhaar-enabled Payment System (AePS) fraud via cloned fingerprints is on the rise. According to the Ministry of Home Affairs, fraudsters are using \u201cdummy fingers or rubber fingers\u201d to illegally withdraw money from AePS accounts. In the US, researchers from the University of Massachusetts Amherst and Pennsylvania State University recently warned that the quick payment systems offered by ApplePay, GPay, and PayPal are not safe, and that changes in authentication methods are needed to avoid identity theft and fraud.<\/p>\n
As digital fraud mushrooms, we are being urged to \u201cthink before we scan.\u201d A recent op-ed in The Guardian reminds readers to \u201cnever forget the late Intel chief executive Andy Grove\u2019s celebrated injunction: in the digital world, only the paranoid survive.\u201d In the closing paragraph of its article on the digital fraud in Brazil, The Economist provides cover for Brazil\u2019s banking industry, noting that it has doubled its spending on cyber security in the past four years, while citing a fraud specialist who essentially blames the victims of fraud for their gullibility:<\/p>\n
The bigger problem is naive customers who fall for scams, says Eduardo M\u00f4naco of ClearSale, a Brazilian fraud-management company. Until they fully know the risks, there will be plenty more phish in the sea.<\/p>\n
Not exactly comforting.<\/p>\n
\u00a0<\/p>\n
* This warning could not have been more prescient, coming just months before the world suffered its biggest ever IT outage, allegedly caused by a botched content update by cybersecurity giant CrowdStrike. The resulting outage briefly crippled the operating systems of banks, card companies, airlines, hospitals, NHS clinics, retailers and hospitality businesses, leaving many businesses with a stark choice: stick to cash payments or close until systems were up and running again.<\/p>\n
![\"Print](\"https:\/\/cdn.printfriendly.com\/buttons\/print-button-gray.png\")
<\/div>\n<\/div>\n