
Be Careful With ID Selfies: New Android Trojan Steals Info

October 29, 2016 | May 25th, 2021 | Blog, Cybersecurity

Some credit card companies have begun using selfies as an alternative to traditional, text-based passwords in order to provide enhanced security. No system is perfect, though, and hackers have already begun experimenting with various exploits against the new paradigm.

Far and away, the most successful exploit so far has been the Acecard Trojan. This malware masquerades as a standard video plugin. But once installed on a device, it will insert itself between the user and a trusted site on which the user is about to make a credit card purchase, creating a screen that overlays that of the valid merchant perfectly, causing the user to enter all relevant credit card information into the malware window rather than the merchant site.

Once that information is entered, Acecard seeks additional information “for verification purposes,” such as addresses, telephone numbers, birthdates, etc. The software goes a step beyond even this and asks that the user take a photo of the front and back of the card in question, generally disguising this request in the context of a selfie (e.g., “take a picture of yourself holding the card, with its front showing, then take a second one showing the back”).

Given that users are already familiar with the selfie-as-password paradigm, many people comply with the request.

Unfortunately, with the plethora of information the malware’s owners and controllers collect, they have more than enough information to make bogus purchases using your card, and possibly hack into your accounts.

As with most attacks that rely on social engineering tricks, there’s no good way to defend against this, save for education. Very few companies will ever legitimately ask for a selfie with you holding your actual credit card in hand, and fewer still will ask for the level of “verification information” that Acecard demands when a user attempts to make a purchase. That’s the tell, and observant users will seldom be caught unaware.

Although this malware has only impacted users in Singapore and Hong Kong, it’s only a matter of time before we see something similar here.

Jason Manteiga

Jason J. Manteiga, Vice President of Olmec Systems, has been part of the company for over 20 years. He believes that having a great work environment and a supportive team is the ultimate key to success. In his more than 25 years in the IT realm, Jason, along with Olmec Systems, has been on the Inc. 5000 “List of America’s Fastest Growing Private Companies” and Channel Futures MSP 501 “Top Managed Service Providers in North America,” along with other awards and nominations. Jason earned his bachelor’s degree in Information Systems from the New Jersey Institute of Technology. He also holds certifications in Microsoft MCSE, VMware VCP, and Cisco CCNA. In his spare time, Jason is a contributor for The Center for Social & Legal Research (Privacy Exchange) and a member of the Morris County Chamber of Commerce. His hobbies include cycling and kayaking. He currently lives in New Jersey with his wife, two daughters and son.