Category Archives: Electronic Payments

Tax refund scammers use the name of the Estonian Tax and Customs Board


“Today I received an email from Already at the beginning it seemed doubtful that such a letter would come in November. However, even more bizarre became the thing when I opened the link from this email. It is obvious that this email seeks to scam out of naive people their credit card details – card number, CVV2 code,” a person who received the letter writes in her Facebook post.


Banks twisting client arms to draw out personal data


Nordea and Danske clients complained to Postimees that said banks withheld services related to transfers and the purchase of shares because the individuals had failed to fill in a fresh personal data declaration.

The banks told Postimees that they are not collecting the detailed data on their own initiative but are under obligation to fulfil diligence measures arising from laws and other regulations.

Danske Bank explained that the information collected about customers has become very detailed. «In addition to an individual’s personal and document data, a bank must identify the customer’s activity profile, field of activity, volume of activity (bank account turnover), main partners,» explained the bank’s communication chief Tõnu Talinurm. «Pursuant to the Tax Information Exchange Act, Danske Bank A/S Estonian branch needs to provide the Tax and Customs Board with information regarding US tax residents known to it or presumed by it. Because of that, we need to ask all clients whether they are US tax residents.»

The Data Protection Inspectorate’s main position is that the bank presenting the questions must also ensure that the clients know why they need to declare the extra data.

The Financial Supervision Authority said the laws do place on banks the obligation to know their customers, but do not prescribe specific questions.


Glitch by payment processor Nets Estonia causes chaos in SEB and Swedbank accounts


All it took to trigger the widespread woe was an outwardly insignificant slip: on September 17th, Nets Estonia, which coordinates card transactions in Estonia, forwarded a file with card transactions to the financial institutions twice, and two days later attempted to correct the mistake by sending a file cancelling the «double» transactions.

The banks which, for whatever reason, only acted on the cancel entries sent on September 19th unexpectedly returned to customers yesterday morning the money spent on September 17th. This, for instance, was the lot of SEB clients. To our knowledge, clients of institutions like Swedbank and Citadele were less lucky. The control systems of said banks had already acted on the double file dated September 17th and brazenly pocketed the customers’ money twice.

As the control systems of LHV and Nordea put the brakes on both the file prescribing double payments and the dataset sent to cancel it, the clients of both escaped the mess.

Why could LHV and Nordea engineers implement a fault-tolerant algorithm while engineers of the two biggest banks, SEB and Swedbank, could not?


Investigators disclose best disguised cybercrime in years


This was no classical computer fraud investigation. In this criminal case, the police have no crime notice from any person or foreign bank suffering loss of money. That was what the fraud was built upon: to act unnoticed and avoid being seen by investigators.

Generally speaking, credit card fraud and the obtaining of other people’s credit card data in specialised internet forums is nothing extraordinary. Still, the activity Sergei is accused of was a long step forwards when it comes to conspiracy – for he got his card data from forums that could only be entered with an invitation from the inner circle.

Getting caught was supposedly avoided by so-called virtual machines used to hide themselves while making purchases with credit cards of strangers. In theory, this was supposed to be the perfect crime. To leave no evidence, all parties involved used encrypted data communication between themselves. The criminal idea as such was simple: to purchase at full price with other people’s money, and to resell at considerably lower prices.

To avoid being linked with the goods, he ordered these to post offices in some European countries, such as Germany, Austria, the Czech Republic, Sweden or Finland. Mainly the latter. Individuals hired by Sergei’s closest assistant travelled to get the goods; stuffing their luggage full of laptops, they marched off to an airplane.

The article does not say why the super-disguised crime failed.
Probably the guys attracted attention by selling the goods too cheaply.


Sniffing real world EMV payment card protocol transaction


The objective of this report is to observe and describe a real world online transaction made between a debit card issued by an Estonian bank and a payment terminal issued by an Estonian bank. In this process we can learn how the EMV protocol works and which protocol features are used in a Chip-and-PIN card issued by an Estonian bank.

The transaction analyzed in this report was captured using a terminal from a friendly merchant in Tartu and using a Visa Electron debit card issued by SEB Estonia. The amount of the transaction was 0.99 EUR. The transaction was performed in September, 2014. The full output (all requests and responses) with annotation can be found in the appendix.

The report has been published for UT course “Research Seminar in Cryptography (MTAT.07.022)”.


Two criminal investigations are underway related to Bitcoin


They warned the mediator that if anyone operates in said area without a licence, this could constitute a violation treated by the Penal Code as activity without a licence. Following the correspondence, the Fiscal Intelligence Unit issued a precept in which they demanded data to determine whether the person came under the Money Laundering and Terrorist Financing Prevention Act.

«He contested the precept and meanwhile our goal was to get him to give the data and say whether he had deals exceeding €1,000. With this we are now in court and we won at first instance,» explained Mr Paul.

Representative of the mediator Priit Lätt said the Fiscal Intelligence Unit had no right to require the data.