

Attacks against Boletos: Stealing money from offline users - MichaelAza
http://securelist.com/analysis/publications/66591/attacks-against-boletos/

======
tzs
I found the explanation of Boletos a bit confusing. I think I've finally
figured it out. Here's how I think a transaction works when you pay by
Boletos. I'll do this for an online merchant, but it works for in-person
transactions too.

1. When you check out and elect to pay by Boletos, you are given a document
to print. (For an in-person transaction at a store, the store would print the
document). The document contains information that describes the debt you owe
for your purchase. In particular, it has the merchant's bank account number,
the amount you owe, the due date, and presumably an order number or something
that will let the merchant know later which particular sale this document is
describing. This document is the Boletos. Although it is typically printed,
you only actually need the long number printed at the top or the barcode at
the bottom (which encodes that number).

2. You have several ways to actually pay the merchant.

• You can go to your bank's online banking site, and show them the Boletos
(perhaps by scanning the bar code if you are using their app, which commonly
includes a barcode scanner for this purpose, or by entering the number from
the Boletos). Your bank then transfers the money to the merchant along with
the necessary information to allow the merchant to match this up with your
order.

• You can go to an ATM and scan the Boletos. Your bank pays the merchant.

• You can go to the post office, a lottery agent, or some supermarkets, and pay
there. They collect the money from you, and send it to the merchant.

Fees go up each day after a Boletos is issued, so there is encouragement to
pay a Boletos quickly. If you miss the due date, you can still pay but only at
a branch of the merchant's bank.

It seems like an interesting system--something kind of between cash and
checks. If used for buying online, the merchant never has any of your payment
information such as a credit card number or debit card number. On the other
hand, there are none of the protections that a credit card provides. Once you
pay a Boletos, the money is gone. If you want it back, you have to convince
the merchant to return it.

The attacks mentioned in the article mostly consist of interfering with the
printing of Boletos. You go to an online site and order something. The site
generates a Boletos for you to print. Malware running in your browser modifies
this to substitute the bad guy's account, and you then go off and pay the bad
guy instead of paying the merchant. The bad guys are getting the malware in by
various tricks, including hacking into people's DSL modems and changing them
to use compromised DNS servers so they can hijack attempted visits to popular
sites.

Even people who never go online are being hit, because the bad guys have also
compromised the POS systems in brick-and-mortar stores, so even those can
print misdirected Boletos.
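
The substitution attack described in the thread above, as an added example that is not from the article or from any commenter: it parses the 47-digit typed line of a Brazilian bank boleto using the publicly documented FEBRABAN field layout and check digits, then compares bank code, amount and beneficiary field against what the checkout page actually stated. The sample numbers, the bank choices and the assumption that the merchant knows which leading digits of the free field carry its own account are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Boleto:
    bank_code: str     # barcode positions 1-3: the bank that will collect the payment
    free_field: str    # 25 bank-specific digits carrying beneficiary account / our-number
    due_factor: int    # days since 1997-10-07
    amount_cents: int  # value in centavos

def _mod10(digits: str) -> int:
    """Field check digit: weights 2,1,2,1... from the right, two-digit products digit-summed."""
    total, weight = 0, 2
    for ch in reversed(digits):
        prod = int(ch) * weight
        total += prod - 9 if prod > 9 else prod
        weight = 1 if weight == 2 else 2
    return (10 - total % 10) % 10

def _mod11(digits: str) -> int:
    """Barcode general check digit: weights 2..9 cycling from the right; 0, 10, 11 become 1."""
    total, weight = 0, 2
    for ch in reversed(digits):
        total += int(ch) * weight
        weight = 2 if weight == 9 else weight + 1
    dv = 11 - total % 11
    return 1 if dv in (0, 10, 11) else dv

def parse_linha_digitavel(text: str) -> Boleto:
    """Parse the 47-digit typed line printed on the slip, rejecting bad check digits."""
    d = "".join(ch for ch in text if ch.isdigit())
    if len(d) != 47:
        raise ValueError("expected 47 digits")
    f1, f2, f3 = d[0:10], d[10:21], d[21:32]
    for field in (f1, f2, f3):
        if _mod10(field[:-1]) != int(field[-1]):
            raise ValueError("field check digit mismatch")
    free = f1[4:9] + f2[:10] + f3[:10]
    barcode43 = d[0:4] + d[33:47] + free        # the 44-digit barcode minus its check digit
    if _mod11(barcode43) != int(d[32]):
        raise ValueError("general check digit mismatch")
    return Boleto(d[0:3], free, int(d[33:37]), int(d[37:47]))

def boleto_matches_order(text: str, bank: str, cents: int, free_prefix: str = "") -> bool:
    """Compare the slip the customer is about to pay with what checkout stated. A tampered slip
    has valid check digits (the attacker generates a proper number), so only this catches it;
    free_prefix is the beneficiary part of the free field (layout assumed known to the merchant)."""
    b = parse_linha_digitavel(text)
    return b.bank_code == bank and b.amount_cents == cents and b.free_field.startswith(free_prefix)

# Constructed sample numbers (not real boletos): the merchant's slip at bank 001 for R$123.45,
# and the same order rewritten to bank 237 and a different beneficiary, check digits recomputed.
GENUINE = "0019000009" + "00012345005" + "00000000000" + "8" + "9000" + "0000012345"
TAMPERED = "2379000009" + "00098765001" + "00000000000" + "6" + "9000" + "0000012345"
```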

