Logical weakness enables customers to get money from Israel's largest credit card company, “Isracard”
Imagine that the credit card company gives you money (no no no, I’m not talking about cashback), completely by mistake and for no reason. Now stop imagining, because it’s happening! By using the option to transfer funds and payments through the credit card, a malicious party can fraudulently receive funds from Israel's largest credit card company, “Isracard”, by taking advantage of an error that causes “Isracard” to deposit more money instead of charging.
Today, it is possible to transfer funds and payments through credit cards. Just as a deposit is made to the credit card when a transaction is canceled, it is also possible to deposit funds to a credit card for the purpose of withdrawing them and transferring the money to the customer’s bank account, using a method called “Quasi-cash” or “Cash advance”. This method is widely used for making payments throughout the world: money is deposited into the credit card, and the credit company deposits it into the customer’s bank account.
While executing money transfers in this way, a very serious logical loophole was discovered that causes “Isracard” large financial losses. When funds are deposited to cards in foreign currency (dollars and euros, for example), the company actually *pays a commission to customers* instead of charging a commission for currency conversion. The 2.9% commission is paid as a “bonus” to the customer in every transaction, a return you won’t get anywhere in the world 😊. When withdrawing funds to the credit card, “Isracard” mistakenly credits the conversion fee as well, as happens when a transaction is canceled, even though there is no source transaction that was canceled. It thus loses twice: both the profit it was supposed to make, and the money it pays to customers as a commission on the deposit, which comes out of the company’s own “pocket”. For those who didn’t know, when we buy, for example, from “Ebay” or “Aliexpress” and pay in dollars for a product that costs 1,000 NIS, we actually pay 1,029 NIS because of that commission.
You can see in the following example two withdrawals on consecutive days. In each of them, “Isracard” transferred to the bank account 220 NIS more than the amount of the withdrawal (the “bonus” for the customer) and lost an additional 220 NIS that it was supposed to charge as a conversion commission: a total loss of 880 NIS to Isracard and a profit of 440 NIS for the customer in two small transactions! (It also works for much larger amounts, and it can be done again and again.)
Because the commission was deposited rather than charged, 7828 NIS were deposited instead of 7388 NIS in each transaction.
Of course, a malicious party can in this way withdraw money to the card, transfer the money, and withdraw it again and again, thereby making a profit at the company’s expense. The issue was reported to “Isracard”; they are aware of it and decided to leave it that way, despite the large number of transactions that are carried out this way.
The issue was checked at a competing credit company, and it seems that other credit companies handle this correctly: the system recognizes that this is a deposit operation without a source transaction, not a cancellation of a transaction, and the customer is charged the fee rather than given a “bonus”. The following wording appears in the statement: “Credit without a source transaction on XX.XX XX was converted to NIS at the current exchange rate and this amount was offset by a 2.8% foreign exchange transaction fee”. An example of such a transaction at another company is attached.
The breach was reported to “Isracard” directly and has been tested several times over a very long period of time. As a conscious choice, it has not been corrected to this day.
This can be corrected by changing the sign of the fee charge from negative to positive, and it is not clear why the correction is not made. There is a concern that this is being used deliberately, mainly because the loophole has existed for such a long period of time, and because of its simplicity and its conspicuous visibility.
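The distinction the competing company makes (a credit without a source transaction versus a cancellation) and the sign correction described above can be shown as a reconciliation check. This is an added example, not code from “Isracard” or any other issuer; the function names, ledger layout and sample amounts are constructed assumptions, and only the 2.9% rate comes from the article.

```python
from decimal import Decimal, ROUND_HALF_UP

FX_FEE_RATE = Decimal("0.029")  # conversion fee rate quoted in the article


def fx_fee(amount_nis):
    return (amount_nis * FX_FEE_RATE).quantize(Decimal("0.01"), ROUND_HALF_UP)


def settle_credit(amount_nis, source_txn, flawed=False):
    """NIS paid to the customer for a foreign-currency credit to the card."""
    fee = fx_fee(amount_nis)
    if source_txn is not None:
        # Genuine cancellation: hand back the fee charged on the purchase.
        return amount_nis + fee
    if flawed:
        # Behaviour described in the article: handled like a cancellation.
        return amount_nis + fee
    # Corrected sign: a credit with no source transaction is charged the fee.
    return amount_nis - fee


def audit(ledger):
    """Return (id, overpaid NIS) for source-less credits paid above amount minus fee."""
    findings = []
    for row in ledger:
        if row["source_txn"] is not None:
            continue
        expected = settle_credit(row["amount_nis"], None)
        if row["paid_nis"] > expected:
            findings.append((row["id"], row["paid_nis"] - expected))
    return findings


# Constructed sample ledger (hypothetical ids and amounts, not real statements).
LEDGER = [
    {"id": "c1", "amount_nis": Decimal("1000.00"), "source_txn": "p-17",
     "paid_nis": settle_credit(Decimal("1000.00"), "p-17")},
    {"id": "c2", "amount_nis": Decimal("7608.00"), "source_txn": None,
     "paid_nis": settle_credit(Decimal("7608.00"), None, flawed=True)},
    {"id": "c3", "amount_nis": Decimal("7608.00"), "source_txn": None,
     "paid_nis": settle_credit(Decimal("7608.00"), None)},
]

if __name__ == "__main__":
    for txn_id, overpaid in audit(LEDGER):
        print(f"{txn_id}: overpaid by {overpaid} NIS")
```

The flagged amount is twice the fee, matching the article's point that the company loses both the fee it should have charged and the fee it pays out.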
This has great significance, especially in a central and public body, a significant part of which is owned by institutional bodies and pension funds.
“Isracard”'s reply is “that they are aware of this matter and for them it is a business decision and not a loophole”.
It is difficult for me to define a decision to lose money as a “business decision” since they have been losing huge amounts every month for several years.
Lior Ben David is an entrepreneur, researcher and lecturer in the field of cyber and blockchain, a member of the Committee on Cyber Issues in the Israeli Union of Directors (IDU), and the owner of a cyber security and development company. He accompanies startups as a mentor and consultant, holds a master’s degree in business administration from Bar Ilan’s EMBA program, is CISSP certified, and volunteers at “Yadidim” 😊. He provides regular reports on security breaches, provides training to boards of directors on proper control of cyber risks in the organization, and is the inventor and owner of a patent for a smart charger.
Join the group to receive cyber updates https://t.me/cyberisraeli
https://www.linkedin.com/in/liorbendavid1/