Winnipeg Free Press - PRINT EDITION

App attack

Cybercrime expert warns against financial crime wave by tech-savvy fraudsters targeting smartphones

  • Print

Pickpocketing is an old criminal art few people fall victim to these days, but that's likely about to change.

Thanks to advances in mobile-phone technology, where our phone is increasingly our wallet, 21st-century pickpockets can now use a smartphone to steal credit card information from a victim's wallet.

"You can have a person using a phone to scan people's credit cards on the subway or a bus, and he can send the credit card information to someone who is sitting in a store anywhere in the world, who can then complete a legitimate transaction," says Michael Legary, one of Canada's leading experts on network security.

"Technology has created a whole new field of theft that can occur, and from a policy and security perspective, we're way behind."

March is Fraud Prevention Month in Canada, and while malware, phishing and even SMShishing (texting fraud) are an everyday hazard of living in a wired world, Legary says tech-savvy young criminals are just getting started.

He knows a lot about the cutting edge of cybercrime. As founder and chief strategy officer at Seccuris, a firm based in Winnipeg's Exchange District, he helps government and Fortune 500 firms protect their networks from cyberattacks.

A former teenage hacker, Legary now hires young talent before they are tempted to go to the dark side.

"We hire nothing but Skywalkers -- whether it's a Luke or an Anakin, I don't know until later."

Whether talented young hackers end up using their skills for good or evil, they didn't go to university to learn their craft. They learned on their own and from other hackers, often starting in their pre-teen years.

In fact, tweens are often revolutionizing the way the online world works.

"In my industry, it's all about understanding what the 11- and 12-year-olds are inspired by," Legary says. They're often the ones at the cutting edge of IT security innovations and related problems. Having been born into a wired world, they are often more adept reading and writing code than reading and writing in their native language.

"At 33 years old, I'm a very old man in this industry," he says. "Using these technologies ( such as a new Android phone) helps me understand what inspires them, and from that, we can figure out what we need to protect against."

Electronic pickpocketing using near-field communication (NFC) technology is an example of their ingenuity. Calling it a "parlour trick," Legary says it was developed by a student who ran out of money at college. The student calls his mother's smartphone. She taps her credit card to the phone and the card information gets transferred to his phone, so he can pay using her credit card hundreds of kilometres away.

"Did he do that for fraudulent reasons? No. He wanted an ingenious way of solving his young person's problem."

But these technological stunts don't stay out of the hands of criminal organizations for long.

"He may have had nothing but great intentions in mind, but the guy right beside him may not. There's a yin and yang to all of this."

In a YouTube video, Legary demonstrates how an NFC-enabled phone -- a Samsung Galaxy S III -- can download an app that allows it to steal the pertinent information from a credit card in someone's wallet or purse within less than a half-metre.

In tests at his work, using his own card, he was able to download credit card information to a phone, then go to the Apple store to buy a $5,000 computer. Normally, financial institutions' security picks up on fraudulent large purchases, but this kind of theft is so new, it evades detection.

"Kids are doing this right now, and it's only going to be a brief period before the next set of Romanian-organized criminals use this technology to their advantage."

In the meantime, a new type of organized crime has sprung up across Eastern Europe and Asia, and it's not the stereotypical mobsters who commonly come to mind.

"When we think of organized crime, we think of all the stereotypes we've been led to believe through watching TV," Legary says. "We are in the midst of a new generation of a new type of organized crime coming to be, and it's very much focused on online fraud."

Indeed, nations such as Romania have become hotbeds of cybercrime because local authorities do not have much interest in prosecuting fraud and theft originating from their jurisdictions, especially when the victims are overseas in North America, he says.

While most online criminal organizations have yet to exploit NFC technology, they're already making good use of smartphone technologies. In fact, smartphone fraud is becoming the primary way for these overseas criminals -- who are mostly under age 30 -- to build their multimillion-dollar empires.

"The newest and quickly becoming one of the most popular forms of financial fraud is using Trojan applications on a mobile phone," Legary says. "Ten years ago, we weren't supposed to be opening executable files from our email, but it has come full circle."

Today, people are downloading apps for their mobile phones, and as many as 40 per cent of the applications available for Google's Android phones and Apple's iPhone contain undocumented functions.

"That means these applications are doing something that Apple or Google don't understand or know about, and of that, a smaller percentage of those apps do collect personal information or even steal your financial information without you knowing about it."

Increasingly, network security firms such as Seccuris are coming across the end result: card-not-present fraud

"These are situations where a person's credit card information has been stolen from their phone," he says.

A year and a half ago, this kind of fraud was novel, an interesting twist for IT security sleuths. Now, it's a common occurrence.

But the victims' bank accounts aren't cleaned out -- that kind of theft draws attention.

"The hacker is trying to take just a little bit of money from a whole lot of people."

Few victims notice transactions of 50 cents to $2 on their card, nor do the IT security teams of financial institutions.

"They're going to get the one coffee a week off of you," Legary says. "On the opposite side of the world, it's being monetized to the tune of hundreds of thousands of dollars per month."

As we move to a world where our phones are a progressively more important part of our financial lives, crime relating to their use will only become more problematic.

"The speed at which fraud will occur will grow exponentially," Legary says.

But few of us would want to go back. Potential pitfalls aside, consumers like the convenience of easy transactions online and with their smartphones.

"The challenge is that five years ago, you would have never expected your phone to be secure," he says. "But today, the phone is now more computer than phone and needs to be secured, just as we would any other computer."

Quick facts

Don't forget computer security, too: TD Canada Trust security expert Scott Gamble says phishing is still a problem for online fraud these days, so it's important to do a couple of things to protect yourself. Make sure you have updated antivirus and anti-malware software on your computer. Antivirus alone no longer cuts the electronic mustard when it comes to securing your computer. In fact, malware, or spyware, is much more common than viruses. Malware stands for malicious software you unknowingly download onto your computer, and it steals your personal information and sends it to criminals somewhere far away. The best way to avoid infection is to never put yourself at risk in the first place. For example, never log into your bank account from links in emails sent to you by your financial institution or any other organization or company. It's very likely the email link will take you to a fake website that looks like your bank's site. You log in with your password and give criminals the keys to your online bank account.

Does your financial institution have your back? What happens if you do get hacked and your money disappears? All financial institutions have security teams that monitor transactions looking for unusual transfers, says Gamble, vice-president of account recovery and fraud management at TD Canada Trust. If a customer is victimized, they will be reimbursed in most instances, he says. "We do have a commitment to our customers," Gamble says. "All the banks in Canada feel a responsibility around prevention."

An expert's guide to protecting yourself online: IT security expert Michael Legary says he takes the following measures to protect himself from falling victim to online crime:

-- Use a low-limit credit card for online transactions, including those done with your smartphone. "I have a separate card for using my phone to make near-field-communication transactions," Legary says. "If someone does a regular transaction that's small, I'll know because I only use it to pay with gas and a couple basic things, so when I look at my credit card statement, I'm familiar with the transactions on it."

-- Choose a card with insurance against fraud. Legary says he is responsible for only the first $20 of charges if his card information is stolen.

-- Check your finances regularly and monitor your transactions on your credit card statements. Look for unusual transactions for small amounts of money.

-- Be knowledgeable about the information you're handing over online before accepting those agreements. "If you're doing a transaction on your mobile phone, tablet or computer, when you type in your information, do you know where it's going and how long it's being stored?" Legary cautions. The only way to know is to actually read the agreements rather than skipping through to click "accept." "If you're worried about your finances and your online presence, you do need to take the time to read these, because they're legal contracts."

Android, iPhone or Blackberry... What does a security pro use? Legary says he has three phones. He has a BlackBerry for work because it's the most secure. A savvy hacker needs a few minutes to break into a BlackBerry. But when it comes to fun, he has an iPhone because of its plentiful apps and user-friendly interface. But an iPhone can be hacked in a few seconds, he says. His third phone is a Samsung Galaxy S III, which is Android-based. He uses it for test hacking because it is open-source, making it an ideal platform for hackers to create malicious apps. Android phones are also the least secure. Breaking into one "takes about a second," he says.

Republished from the Winnipeg Free Press print edition March 23, 2013 B10

Fact Check

Fact Check

Have you found an error, or know of something we’ve missed in one of our stories?
Please use the form below and let us know.

* Required
  • Please post the headline of the story or the title of the video with the error.

  • Please post exactly what was wrong with the story.

  • Please indicate your source for the correct information.

  • Yes


  • This will only be used to contact you if we have a question about your submission, it will not be used to identify you or be published.

  • Cancel

Having problems with the form?

Contact Us Directly
  • Print

You can comment on most stories on You can also agree or disagree with other comments. All you need to do is be a Winnipeg Free Press print or e-edition subscriber to join the conversation and give your feedback.

You can comment on most stories on You can also agree or disagree with other comments. All you need to do is be a Winnipeg Free Press print or e-edition subscriber to join the conversation and give your feedback.

Have Your Say

New to commenting? Check out our Frequently Asked Questions.

Have Your Say

Comments are open to Winnipeg Free Press print or e-edition subscribers only. why?

Have Your Say

Comments are open to Winnipeg Free Press Subscribers only. why?

The Winnipeg Free Press does not necessarily endorse any of the views posted. By submitting your comment, you agree to our Terms and Conditions. These terms were revised effective April 16, 2010.


Make text: Larger | Smaller


Key of Bart - Four Little Games

View more like this

Photo Store Gallery

  • A young gosling prepares to eat dandelions on King Edward St Thursday morning-See Bryksa 30 Day goose challenge- Day 17- bonus - May 24, 2012   (JOE BRYKSA / WINNIPEG FREE PRESS)
  • Water lilys are reflected in the pond at the Leo Mol Sculpture Garden Tuesday afternoon. Standup photo. Sept 11,  2012 (Ruth Bonneville/Winnipeg Free Press)

View More Gallery Photos


Are you concerned about the number of homicides so far this year?

View Results

Ads by Google