This week’s post comes from David Balaban. David is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs the MacSecurity.net and Privacy-PC.com projects, which present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.
Carders and online fraudsters keep inventing new ways to steal money from bank accounts. This article describes several methods criminals use to get around the security controls built around payment cards.
The main criterion of success for such criminals is simplicity. A fraudulent scheme that can be repeated thousands of times with little effort is guaranteed to pay off against the banking system and to become popular in the underground.
Payments without 3-D Secure
The most prevalent fraud scheme is payment on the Internet. These are card-not-present transactions: the merchant never sees the physical card, only the data typed into a form. To counter mass abuse, the payment schemes introduced an additional factor, the 3-D Secure one-time code.
3-D Secure is an additional authentication step for online payments. The name stands for Three-Domain Secure, after the three domains involved. The acquirer domain (the online store and its bank) accepts the payment data and redirects the cardholder to authenticate. The interoperability domain (the card scheme, for example Visa or Mastercard) routes that request to the right bank. The issuer domain (the cardholder's bank) runs the page where the one-time code is entered, verifies the code, and returns the result down the chain to the store, which then submits the payment for authorization.
3-D Secure helps a great deal against mass fraud. However, some stores, including large ones, still do not use it, because in their view it lowers conversion, and Visa and the other international payment schemes do not insist. Under the current rules, if the card is enrolled in 3-D Secure but the online store does not use it, the financial loss from a disputed payment lies with the store; if the card is not enrolled, the issuing bank bears it. So fraudsters hunt for online stores that do not require 3-D Secure.
Attack of the Clones
The second most popular type of fraud is cloning a card's magnetic stripe. It remains one of the most widespread attacks on physical cards (card-present transactions), because the stripe is extremely easy to copy: it carries static data with no cryptographic protection, so whoever reads it once can write it to another card.
Some cybercrime groups use purpose-built malware for this, infecting devices that process thousands of cards a day, such as the registers in large supermarkets and cafés.
In 2013, Target suffered a major breach that started as a supply-chain attack, a technique that was still uncommon at the time. After compromising one of the retailer's contractors, the attackers used that foothold to get into Target's network and from there onto the cash registers. RAM-scraping Trojans were deployed on the point-of-sale systems; they scanned process memory for magnetic-stripe track data, which sits in cleartext in the POS application's memory between the swipe and encryption. The Trojans forwarded the harvested tracks to a staging server on the internal network, which in turn sent them out to the attackers.
To copy a magnetic stripe you need a few seconds and an inexpensive reader/writer, which you can buy on Amazon. The villains then encode the stolen tracks onto blank cards and hire money mules to shop with them all around the world. Dumps, as captured track data is called, are bought and sold on numerous hacker forums.
Even though almost all cards now carry a chip, cloned stripes remain popular for a banal reason. In many stores a chip card can still be swiped: the terminal accepts a magnetic-stripe "fallback" transaction when the chip is not read. Years after the EMV rollout, chip acceptance still lags in too many places, and issuers still put a magnetic stripe on every card.
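What a RAM scraper actually looks for is the layout of the data encoded on the two magnetic-stripe tracks (ISO/IEC 7813): Track 1 starts with `%B`, carries the PAN, the cardholder name between `^` delimiters, the expiry as YYMM and a three-digit service code, and ends with `?`; Track 2 starts with `;`, carries the PAN, `=`, expiry, service code, and ends with `?`. The scanner below is an added example, not code from the article or from any real malware: it runs that pattern matching over a constructed memory buffer and keeps only hits whose PAN passes the Luhn check, which is how scrapers avoid harvesting random digit runs. The buffer, the card numbers, the cardholder name and every other value are constructed test data. The same logic is useful defensively, for instance to check a memory dump of a POS process for exposed cleartext track data.

```python
"""Added example (not from the original article, not real malware): the track
data pattern matching that POS RAM scrapers perform, written as a scanner for a
memory buffer. All card data below is constructed test data."""
import re

# ISO/IEC 7813 track layouts.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]{0,50})\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})([^?]{0,50})\?")


def luhn_valid(pan):
    """Luhn check over a PAN string; the rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def is_chip_card(service_code):
    """A service code starting with 2 or 6 tells the terminal the card carries an
    EMV chip, so a plain swipe of it should be refused or handled as fallback."""
    return service_code[:1] in ("2", "6")


def scan(buf):
    """Return the track records in buf whose PAN passes Luhn, ordered by offset."""
    found = []
    for m in TRACK1.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            found.append({"track": 1, "offset": m.start(), "pan": pan,
                          "name": m.group(2).decode(errors="replace"),
                          "expiry": m.group(4).decode() + "/" + m.group(3).decode(),
                          "service_code": m.group(5).decode()})
    for m in TRACK2.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            found.append({"track": 2, "offset": m.start(), "pan": pan, "name": None,
                          "expiry": m.group(3).decode() + "/" + m.group(2).decode(),
                          "service_code": m.group(4).decode()})
    return sorted(found, key=lambda r: r["offset"])


# Constructed "process memory": binary noise, one Track 1 and one Track 2 record,
# and a digit run with the Track 2 shape that fails Luhn (a scraper drops it).
SAMPLE_MEMORY = (
    b"\x00\x13\x88GET /pos/swipe HTTP/1.1\r\n\x00\x00"
    + b"%B1324576821345671^DOE/JANE^27092010000000000?"
    + b"\x00" * 7
    + b"order=1177;total=42.10\x00"
    + b";1324576821345689=27092011234567890?\x00\xff\xfe"
    + b";1324576821345670=2709101?"
    + b"\x00\x00"
)

if __name__ == "__main__":
    for rec in scan(SAMPLE_MEMORY):
        print(rec)
```

Run as a script it prints the two valid records and nothing for the decoy. A real scraper walks every readable region of the POS process with the same two expressions; a defender running the scan over a memory dump and finding hits has confirmed that the card data is exposed in cleartext and that point-to-point encryption at the reader is missing.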
Offline Chip Transactions and Authentication Attacks
Under current payment-system rules, almost all card transactions are authorized online, with the issuing bank approving each one. The exceptions are environments such as metro turnstiles, in-flight sales and cruise ships, where connectivity is unreliable or a customer cannot wait for the issuer's answer.
When the EMV standards were written, many payment systems still worked offline using the so-called Floor Limit: transactions above the limit had to be authorized online, while those below it were approved locally by the terminal, which authenticates the card and verifies the cardholder on its own without asking the issuer. Enough such terminals remain, especially in Latin America, for attacks on the weaknesses of these offline card authentication mechanisms to be worthwhile at scale.
Distributed Guessing Attacks
Such attacks are also called BIN attacks. The term "distributed guessing attack" was coined by Newcastle University researchers whose paper appeared shortly after the best-known case: in November 2016 Tesco Bank was hit on such a scale that it suspended online transactions from its current accounts for about 48 hours. Within a few days the attackers had taken over two million pounds from thousands of accounts (initial reports put the number of affected cards at 20,000).
The 3-D Secure liability shift determines which party bears a fraudulent transaction. If the bank has not enrolled its cards in 3-D Secure, the bank is liable. If an enrolled card is used at a merchant that does not invoke 3-D Secure, for example on Amazon, where the technology is not always used, the liability shifts to the online store.
How do Hackers find Card Details?
Let us look at the card number. It is made up of several parts. The first six digits are the BIN, the bank identification number (eight-digit BINs are now being introduced as well). A BIN may be shared by several card programs, and a bank may own several BINs. This is where the name of the attack comes from. After the BIN come nine digits that identify the account, and the last digit is a check digit computed with the Luhn algorithm, so only one in ten digit strings is a syntactically valid card number.
Suppose my card has the number 1324 5768 2134 5671 (a constructed, Luhn-valid example). If the bank hands out account numbers one after another, the next card in the range has the account number incremented by one and a freshly computed check digit, so it ends in 5689; the one after that ends in 5697, and so on. There is a non-zero probability that the cards ending in 5689 and 5697 exist and are active.
Now the crooks need the expiration date. If the bank issues card numbers consecutively, the card ending in 5689 went to the bank's next customer. If the bank is large and issues hundreds of cards every day, that card's expiration date most likely matches mine or differs from it by one month.
To protect against such guessing, payment systems recommend PAN randomization: issuing card numbers in a non-consecutive order, so that a neighbouring number tells the attacker nothing about when the card ending in 5689 was issued and hence about its expiration date.
But no task is unsolvable. Many services can be turned into oracles for a PAN and its expiration date. One example is the password- or login-recovery flow of a mobile banking app, which confirms whether a card number and expiration date belong to a customer.
So, finally, what remains is guessing the three-digit CVV2 on the back of the card. Researchers who analysed the Tesco attack found that at the time 291 of the 400 most popular online services allowed the CVV2 to be entered repeatedly without blocking the card. This is not surprising, since the money does not belong to the owners of these services. Fraudsters will therefore always have enough ways to recover full card details.
Another variation of this attack is to provision the obtained card details into a Google Pay or Apple Pay wallet. Some banks do not require any step-up verification, such as a one-time code or a call to the bank, to add a card to a mobile wallet. This means that knowing only the card number, its expiration date and the CVV2 is sometimes enough to obtain a fully working virtual card.
There is another control for payments where the card is not physically present: the Address Verification Service (AVS). When a payment is made, the issuer compares the numeric parts of the billing address and postal code the customer gave the merchant with the ones it has on file and returns a match result. It is up to the merchant to act on a mismatch, so AVS protects only where the merchant actually enforces it.
According to Positive Technologies estimates, half of mobile banking apps still do not protect their customers from CVV2 and expiration-date guessing.
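Putting the last few paragraphs together, the following simulation is an added example, not code from the article or from the Newcastle researchers. It computes the Luhn check digit so that neighbouring PANs can be enumerated from a constructed, Luhn-valid card number, then runs a distributed guessing attack against a toy issuer: the expiration date is guessed first (five years of YYMM values, 60 guesses) on merchants that do not ask for the CVV2, and then the CVV2 (1000 values) on merchants that do, with attempts rotated across merchants so that no single site sees many. The issuer, the merchants, their attempt limits, the card number, expiry and CVV2 are all hypothetical. It shows that a per-merchant limit of ten attempts stops an attacker who uses one site but not one who spreads the guesses, and that a failure counter kept by the issuer across all merchants does stop it.

```python
"""Added example, not from the original article: a simulation of a distributed
guessing attack against a toy issuer. It shows the Luhn arithmetic behind
neighbouring PANs and why per-merchant attempt limits do not stop the attack
while a per-card failure counter at the issuer does. The issuer, merchants,
card number, expiry and CVV2 are all constructed (hypothetical) test data."""
from collections import defaultdict
from itertools import cycle


def luhn_check_digit(payload):
    """Check digit for a PAN given all its digits but the last."""
    total = 0
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:                 # rightmost payload digit is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str(-total % 10)


def luhn_valid(pan):
    return pan.isdigit() and pan[-1] == luhn_check_digit(pan[:-1])


def neighbouring_pans(pan, count):
    """Cards 'next to' pan when account numbers are issued sequentially:
    same BIN, account number +1..+count, check digit recomputed each time."""
    payload = pan[:-1]
    candidates = (str(int(payload) + k).zfill(len(payload)) for k in range(1, count + 1))
    return [p + luhn_check_digit(p) for p in candidates]


class Issuer:
    """Toy issuer: approves when PAN and expiry match and, if a CVV2 was sent,
    it matches too. per_card_limit blocks a PAN after that many failures from
    any merchant, the only point where a distributed attack can be counted."""
    def __init__(self, cards, per_card_limit=None):
        self.cards = cards                      # pan -> (expiry "YYMM", cvv2)
        self.per_card_limit = per_card_limit
        self.failures = defaultdict(int)

    def authorize(self, pan, expiry, cvv2=None):
        if self.per_card_limit and self.failures[pan] >= self.per_card_limit:
            return False
        real = self.cards.get(pan)
        ok = real is not None and real[0] == expiry and (cvv2 is None or real[1] == cvv2)
        if not ok:
            self.failures[pan] += 1
        return ok


class Merchant:
    """Toy merchant with its own per-PAN attempt limit. asks_cvv2=False models
    the sites that take only a card number and expiry date."""
    def __init__(self, issuer, asks_cvv2, attempt_limit=10):
        self.issuer, self.asks_cvv2, self.limit = issuer, asks_cvv2, attempt_limit
        self.attempts = defaultdict(int)

    def pay(self, pan, expiry, cvv2=None):
        if self.attempts[pan] >= self.limit:
            return False                        # merchant-side limit reached
        self.attempts[pan] += 1
        return self.issuer.authorize(pan, expiry, cvv2 if self.asks_cvv2 else None)


def distributed_guess(pan, merchants, first_year=24, years=5):
    """Phase 1: guess the expiry (years*12 tries at most) on merchants that do not
    ask for CVV2. Phase 2: guess the CVV2 (1000 tries at most) on the rest.
    Attempts rotate over the merchants so no single one sees many."""
    no_cvv = [m for m in merchants if not m.asks_cvv2]
    with_cvv = [m for m in merchants if m.asks_cvv2]
    if not no_cvv or not with_cvv:
        return None
    expiries = [f"{y:02d}{mo:02d}" for y in range(first_year, first_year + years)
                for mo in range(1, 13)]
    expiry = next((e for e, m in zip(expiries, cycle(no_cvv)) if m.pay(pan, e)), None)
    if expiry is None:
        return None
    cvvs = [f"{n:03d}" for n in range(1000)]
    cvv2 = next((c for c, m in zip(cvvs, cycle(with_cvv)) if m.pay(pan, expiry, c)), None)
    return None if cvv2 is None else (expiry, cvv2)


CARD = "1324576821345671"                       # constructed, Luhn-valid


def demo(n_no_cvv=10, n_cvv=100, per_card_limit=None):
    """Attack CARD (constructed expiry 09/27, CVV2 482) through n_no_cvv merchants
    that skip the CVV2 and n_cvv merchants that check it."""
    issuer = Issuer({CARD: ("2709", "482")}, per_card_limit)
    merchants = ([Merchant(issuer, asks_cvv2=False) for _ in range(n_no_cvv)]
                 + [Merchant(issuer, asks_cvv2=True) for _ in range(n_cvv)])
    return distributed_guess(CARD, merchants)


if __name__ == "__main__":
    print(neighbouring_pans(CARD, 2))     # ['1324576821345689', '1324576821345697']
    print(demo(1, 1))                     # None: one merchant's 10-attempt limit holds
    print(demo())                         # ('2709', '482'): spread over 110 merchants
    print(demo(per_card_limit=5))         # None: issuer counts failures across merchants
```

The `per_card_limit` knob is the point of the closing paragraphs: a merchant cannot see the attempts made on the other 109 sites, so the limit has to live where every authorization request for the card converges, at the issuer, as a velocity check on failed expiry and CVV2 attempts per PAN. PAN randomization attacks the first step instead, by making `neighbouring_pans` useless as a guide to which cards share an issue date.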
Worried about Protecting Your Business? Worry no more!
At TracSoft, we’re experts in security monitoring and data protection. We have over 20 years of experience looking out for both big and small businesses in the West-central Georgia/East Alabama region and beyond. As a small business ourselves, we understand how devastating security breaches can be. That’s why we offer 24/7 security monitoring using the latest tools from industry-leading Kaseya.
Contact TracSoft today for a free, no-obligation security assessment and find out how we can keep you safer.