See an overview of card payment security mechanisms in our previous article.
All fraud techniques used to attack bank cards can be divided into two categories. The first includes widespread and well-known methods. The second group is called “the white whales”: such high-profile incidents occur once in 5-10 years and result in disasters for the victims (both banks and their clients) and multimillion-dollar profits for the attackers. Needless to say, the second category attracts plenty of attention from the media and regulators. Still, what carders and other crooks value most is mass scalability and simplicity: if a fraudulent scheme can be reproduced thousands of times with little effort, it becomes extremely popular among scammers.
Most common fraud types
First, let’s examine attacks targeting payment systems and banks on a regular basis.
Payments not involving 3-D Secure
The most widespread fraud technique targets online payments made under the card-not-present scheme. Because of the sheer scale of this fraud, the international payment systems introduced an additional dynamic factor: the 3-D Secure one-time code.
What is 3-D Secure?
3-D Secure is an additional authentication step for online payments; the name stands for “3-Domain Secure” because three domains take part. In the acquirer domain, the online store collects the payment data and redirects the cardholder to the issuer domain, where the issuing bank’s Access Control Server asks for a one-time code and verifies it (the issuer, not the acquirer, knows the cardholder and can check the code). The interoperability domain, operated by the payment system, links the two: its directory server tells the store which issuer to talk to. The authentication result is passed back to the store and included in the subsequent authorization request, so the issuer can see that the transaction was authenticated before it approves or declines it.
3-D Secure is effective against fraud schemes at scale. However, some stores, including large ones (e.g. Amazon), are still not ready to work with it because, in their opinion, it reduces conversion. Furthermore, international payment systems do not insist on its mandatory use! “Better spend more” is their motto. Under the current payment rules, if the card supports 3-D Secure but the store does not, and the payment is disputed, the financial risk lies with the store. If the store attempts 3-D Secure but the card is not enrolled, the risk lies with the issuing bank. These rules are known as the 3-D Secure liability shift. That is why greedy scammers all over the world are looking for stores that don’t require 3-D Secure.
For instance, the following fraudulent scheme was busted in the UK in 2018. The malefactors posted ads on social media offering a 50% discount on pizza delivery from a major brand. This brand didn’t use 3-D Secure on its website, and the payments were actually made with stolen cards bought at various card shops. The scheme brought the attackers £1 of clean, laundered money for every £2 of pizza paid for with a stolen card, and it ran for several months before it was shut down.
3-D Secure state in the EU
Even though the latest EU regulation, PSD2, mandates strong customer authentication (for card payments this is implemented through 3-D Secure), there are still stores, both big and small, that allow payments without it, Amazon among them. Another group of websites that don’t require 3-D Secure are the contactless online bill-payment services used in restaurants. This type of service flourished during the pandemic; the risks posed by such websites and applications are discussed here.
Attack of the clones
The second most popular fraud type involves cloning the card’s magnetic stripe. It remains one of the most widespread attack techniques affecting operations with physical cards (so-called “card-present” transactions). As you are likely aware, magnetic stripes are extremely easy to clone: the stripe carries only static data, so a copy is indistinguishable from the original as far as the terminal is concerned.
Some of these attacks rely on specialized malware. To be worth the effort they must be easily reproducible and highly scalable, which is why attackers infect devices that handle thousands of cards a day (e.g. cash registers in large supermarkets).
Although such programs are called POS malware, they don’t infect the POS terminals or PIN pads themselves. Instead, they scrape the memory of the Windows machines behind them (POS systems or cash registers) looking for magstripe records. Those are easy to spot with regular expressions because track data has a fixed layout: Track 2 is the PAN, a “=” separator, the expiry date (YYMM), a three-digit service code and discretionary data, terminated by “?”; Track 1 additionally carries the cardholder name between “^” separators.
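To make the pattern concrete, here is a small scanner that applies such regular expressions to a memory buffer. It is added as an illustration and is not taken from the article or from any real POS malware; the buffer, the PANs (well-known test numbers) and the cardholder name are constructed for the example, and a scraper, or a forensic tool hunting for the same thing, would read the bytes out of process memory instead. The Luhn check is what separates real track data from random digit runs and cuts the false positives either side cares about.

```python
import re

# Magstripe track layouts (ISO/IEC 7813), which is what a RAM scraper hunts for:
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    rb'%B(\d{13,19})\^([A-Z /.\-]{2,26})\^(\d{2})(\d{2})(\d{3})[0-9A-Z ]{0,40}\?')
TRACK2_RE = re.compile(rb';(\d{13,19})=(\d{2})(\d{2})(\d{3})\d{0,30}\?')


def luhn_ok(pan: str) -> bool:
    """Mod-10 check over the full PAN; the last digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep BIN and last four, as a defensive tool should when reporting hits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_tracks(buf: bytes) -> list[dict]:
    """Return every Luhn-valid Track 1 / Track 2 record found in a memory buffer."""
    hits = []
    for track, rx in ((1, TRACK1_RE), (2, TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue                    # digit runs that merely look like a PAN are dropped
            g = 3 if track == 1 else 2      # index of the YY group in each pattern
            hits.append({
                "track": track,
                "offset": m.start(),
                "pan": mask(pan),
                "expiry": "20%s-%s" % (m.group(g).decode(), m.group(g + 1).decode()),
                "service_code": m.group(g + 2).decode(),
            })
    return sorted(hits, key=lambda h: h["offset"])


# Constructed sample "memory dump" (assumption: embedded here so the example runs
# offline). The PANs are the well-known 4111... and 5555... test numbers.
SAMPLE_MEMORY = (
    b"\x00\x00POSAPP v4.2 idle\x00\x00"
    b";4111111111111111=2512201123456789?"       # Track 2, Luhn-valid, service code 201 (chip card)
    b"\x00txn ;1234567812345678=2601101?\x00"    # looks like Track 2 but fails Luhn
    b"%B5555555555554444^DOE/JANE^2807101000000000?"
    b"\x00\x00"
)

if __name__ == "__main__":
    for hit in scan_for_tracks(SAMPLE_MEMORY):
        print(hit)
```

Service code 201 in the first hit says “chip present, international use”: a US magstripe terminal will still swipe it, which is exactly why tracks skimmed from EU chip cards remain sellable.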
In 2013, the US retail chain Target sustained a massive attack that used what was then a still uncommon scheme: supply chain compromise. After infecting one of Target’s vendors, the attackers penetrated the retailer’s network, compromised the entire Windows domain, and got onto the operating system of the cash registers themselves. There they launched the RAM-scraping trojans mentioned above, which scanned memory for magnetic stripe track patterns. Captured tracks were forwarded to a server on the internal network, which in turn pushed the data out to the attackers.
Unfortunately, in many American stores you can still pay with the magnetic stripe even if your card has a chip. Over the last ten years the American market has become one of the most technologically backward, and this region is one of the reasons why magnetic stripes are still present on bank cards.
If a payment terminal suddenly refuses the magnetic stripe, malefactors use a scheme that still works in both Americas but is already banned in Europe: technical fallback. The attacker inserts a card whose chip is missing or deliberately damaged into an ATM or a terminal three times; after the third unsuccessful read attempt, the terminal offers to complete the transaction with the magnetic stripe.
In any such situation, the responsibility lies with the store that performed such a high-risk transaction. Furthermore, major payment systems, such as Mastercard, recommend rejecting transactions performed in technical fallback mode to avoid reputational risk. No one wants to find out whether the client’s card was actually stolen or the cardholder simply changed their mind and reported the transaction as fraudulent. And of course, no one is willing to explain to angry customers why their cards were used to buy expensive TV sets hundreds of miles from their actual location.
It takes a few seconds to copy a magnetic stripe card; all you need is a magstripe reader/writer that is sold openly online. Attackers create such clones and use them in American stores. Even though magstripe transactions are banned in Europe under PSD2, nothing stops hackers from stealing tracks there and reselling them to other hackers in the US. That’s why EU card dumps are freely sold and bought on numerous hacker forums.
Chip-based offline transactions and attacks on authentication
The rules of modern payment systems require practically all (the article’s figure is 99.9%) chip transactions to be authorised online, which includes verification of the card’s cryptogram by the issuing bank. Exceptions include subway systems and payments on aeroplanes and cruise ships, i.e. places where connectivity is unreliable or where it is impossible to wait for the issuer’s response. In addition, when the EMV protocols were created, many payment systems operated offline using so-called floor limits: transactions above the limit had to be confirmed online, while transactions below it were approved offline by the terminal and the card, with the issuer seeing them only later, at clearing.
Forums and channels are still flooded with hackers selling “special software” that supposedly creates chip cards capable of deceiving offline terminals. Five or ten years ago there were enough offline terminals in the world to enrich the sellers of such EMV cloning software; these days the likelihood of finding one is close to zero, and a card that cannot produce a cryptogram the issuer accepts is declined as soon as the terminal goes online.
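The following snippet models the terminal-side decision that floor limits feed into: the EMV terminal action analysis. It is added here as an illustration and is not taken from the article or from any terminal vendor. It builds the Terminal Verification Results (TVR) from the amount, the floor limit and a couple of other flags, then compares them with the Terminal Action Codes (TAC) and the card’s Issuer Action Codes (IAC) to arrive at an offline approval (TC), an online request (ARQC) or a decline (AAC). The TAC/IAC values are typical field values and are an assumption of the example, as is the reduced set of TVR flags; a real terminal sets many more.

```python
# EMV terminal action analysis (EMV Book 3, section 10.7), reduced to the
# flags relevant to floor limits and offline terminals.

def tvr_bit(byte: int, bit: int) -> int:
    """Mask for TVR byte 1..5, bit 8..1 in EMV numbering (byte 1 is most significant)."""
    return 1 << ((5 - byte) * 8 + (bit - 1))

# TVR flags used in this example (EMV Book 3, Annex C1).
ODA_NOT_PERFORMED = tvr_bit(1, 8)          # offline data authentication was not performed
FLOOR_LIMIT_EXCEEDED = tvr_bit(4, 8)       # transaction exceeds floor limit
RANDOMLY_SELECTED_ONLINE = tvr_bit(4, 5)   # transaction selected randomly for online processing

# Five-byte action codes. Assumption: these are typical values seen in the
# field, not taken from any particular scheme's specification.
TAC = {"denial": 0x0010000000, "online": 0xDC4004F800, "default": 0xDC4000A800}
IAC = {"denial": 0x0000000000, "online": 0xDC4004F800, "default": 0xDC4000A800}


def terminal_action_analysis(tvr: int, online_capable: bool) -> str:
    """Decide which cryptogram to request from the card."""
    if tvr & (TAC["denial"] | IAC["denial"]):
        return "AAC"                        # decline offline
    if tvr & (TAC["online"] | IAC["online"]):
        if online_capable:
            return "ARQC"                   # issuer verifies the cryptogram before approving
        # Offline-only terminal: the default codes decide whether to decline.
        return "AAC" if tvr & (TAC["default"] | IAC["default"]) else "TC"
    return "TC"                             # approved offline; issuer only sees it at clearing


def decide(amount: int, floor_limit: int, online_capable: bool,
           random_select: bool = False, oda_done: bool = True) -> str:
    """Build the TVR from terminal risk management results and run the analysis."""
    tvr = 0
    if amount > floor_limit:
        tvr |= FLOOR_LIMIT_EXCEEDED
    if random_select:
        tvr |= RANDOMLY_SELECTED_ONLINE
    if not oda_done:
        tvr |= ODA_NOT_PERFORMED
    return terminal_action_analysis(tvr, online_capable)


if __name__ == "__main__":
    # Amounts are in minor units; floor limit 0 is what the "always online" rule amounts to.
    print("offline terminal, under floor limit :", decide(5000, 10000, online_capable=False))
    print("online terminal, over floor limit   :", decide(15000, 10000, online_capable=True))
    print("offline terminal, over floor limit  :", decide(15000, 10000, online_capable=False))
    print("online terminal, zero floor limit   :", decide(5000, 0, online_capable=True))
    print("offline terminal, no ODA performed  :", decide(5000, 10000, False, oda_done=False))
```

The first case is the one the cloning-software sellers depend on: below the floor limit on an offline-only terminal the transaction is approved with a TC that no issuer checks at authorization time. With a zero floor limit every transaction becomes an ARQC, and a card without the real issuer key cannot produce one that verifies.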
The white whales
Chip cards and transaction confirmation with a 3-D Secure code were invented to protect cardholders against massive and simple fraud schemes. These protection methods are far from perfect and have their own problems (experts warned about them from the very beginning). Still, such cards cannot be hacked en masse, and even when an attack succeeds it is more like a blitzkrieg: everything happens in a matter of days or hours. A small group of malefactors takes the maximum profit and disappears from the horizon. That is why every such case or new scheme is of great interest to experts.
Such high-profile incidents are called “the white whales”. They occur every 5-10 years, result in disasters for the attacked banks and multimillion profits for the attackers, and therefore attract plenty of attention from the media and regulators. Let’s examine a few types of such attacks in more detail to get an understanding of fundamental shortcomings plaguing card payment technologies.
Distributed attacks that guess card details
Such attacks are often called “BIN Master attacks” or “distributed guessing attacks”. These names originate from an incident that occurred in 2016. British Tesco Bank sustained a large-scale distributed attack and had to disable card payments for 48 hours. The attackers stole about £2.26 million from some 9,000 accounts in a couple of days. As said above, the data obtained by the attackers can easily be used for payments in online stores that don’t support 3-D Secure. However, there is a nuance: in 2018 the FCA regulator fined the bank £16.4 million over the 2016 attack, which suggests that its cards might not have been enrolled in 3-D Secure.
A set of rules called the 3-D Secure liability shift determines who bears a fraudulent transaction: if the bank doesn’t enrol its cards in 3-D Secure, the responsibility for any fraud lies with the bank. If a card enrolled in 3-D Secure is used to pay at a store that does not support the technology (e.g. Amazon), the responsibility lies with the online store.
How do hackers guess full card details?
Assume that you have a card issued in your name. Its number consists of several parts. The first six digits (eight for BINs assigned since 2022) are the BIN, the bank identification number. The same BIN can belong to more than one bank, and one bank may have several BINs; still, it is the main starting point of the attack and gives it its name. The last digit is a check digit computed from the preceding ones with the Luhn algorithm.
Let’s say the number of your card is 1234 5678 1234 5670. In accordance with the algorithm, the next card in this range will end with 5688, then 5696, and so on. In other words, there is a non-zero probability that 5688 and 5696 cards exist and are active.
Now it’s necessary to find out the value of the Expiry Date field. If the bank issues card numbers sequentially, the next client (whose card was issued after yours) has the 5688 card. In a large bank issuing hundreds of cards every day, the Expiry Date field will most likely match the one on your card or differ by one month. Payment systems recommend using PAN randomization to protect cardholders against this value guessing mechanism (i.e. issue cards not sequentially but randomly). This makes it more difficult for hackers to find out the Expiry Date of the 5688 card.
But there are no unsolvable problems. Many banking services can be used to guess a combination of PAN/Expiry Date fields. For instance, the password/login recovery system in the mobile bank, registration in a remote banking system, and return of funds in payment acquiring.
Finally, the attacker has to guess the three digits on the back of the card: CVV2/CVC2. In late 2016, Newcastle University researchers were the first to analyze the attack on Tesco Bank and found that 291 of the top 400 online services allowed the CVV2 field to be guessed, i.e. did not limit the number of attempts. This is not surprising: after all, the money doesn’t belong to the owners of such services; for the attacker a service is just a tool, and because guesses are spread across many services, no single one of them sees enough attempts to notice. This means that attackers will always have enough tools to enumerate bank card details. For instance, in 2019 a similar vulnerability was fixed in the Magento CMS payment module for PayPal.
Another variant of this attack frequently used by malefactors is to provision the guessed details into a Google Pay or Apple Pay mobile wallet. The irony is that one of the most high-profile scams of this kind targeted Apple’s own stores. The idea was simple: many banks in America don’t require additional verification (a one-time code or a call to the bank) when a card is added to Apple Pay. This means that knowing only the card number, its expiry date and the CVV2, you can provision a fully functional tokenized card and pay with it all over the world, not just in the USA.
There is another mechanism protecting card-not-present payments: the Address Verification Service (AVS). Along with the other card data, the merchant sends the numeric part of the cardholder’s billing address and the postcode, and the issuer reports whether they match the address on file. It is supported by issuers in only a handful of countries (mainly the US, the UK and Canada), so a merchant cannot rely on it for cards issued elsewhere. Payment terminals that support the PAN Key Entry method (see the previous article) can use it as well.
According to Positive Technologies, up to 50% of banks still don’t protect their customers from the enumeration of CVV2 and Expiry Date values. That is why hackers from Latin America are actively searching worldwide for cards and banks vulnerable to such attacks.
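Whether a bank “protects its customers from enumeration” comes down to one control: counting expiry/CVV2 mismatches per card across every merchant and locking the card after a handful of them. The issuer is the only party that sees the distributed attack as a whole, since each merchant sees at most a few attempts. The snippet below is an added example of such a velocity check; the card records and the stream of authorization attempts are constructed for it and it is not any bank’s real logic.

```python
from collections import defaultdict, deque

# Constructed issuer records (assumption): PAN -> (expiry MM/YY, CVV2). Test data only.
CARDS_ON_FILE = {
    "1234567812345688": ("12/25", "123"),
    "1234567812345696": ("01/26", "987"),
}


class IssuerVelocityCheck:
    """Counts expiry/CVV2 mismatches per PAN across all merchants and blocks
    the PAN once the count reaches a threshold inside a sliding time window."""

    def __init__(self, max_failures: int = 3, window_s: int = 24 * 3600):
        self.max_failures = max_failures
        self.window_s = window_s
        self.failures = defaultdict(deque)   # pan -> timestamps of recent mismatches
        self.blocked = set()

    def authorise(self, ts: int, merchant: str, pan: str, expiry: str, cvv2: str) -> str:
        if pan not in CARDS_ON_FILE:
            return "declined:unknown_pan"
        if pan in self.blocked:
            return "blocked"                 # even a correct guess is refused now
        q = self.failures[pan]
        while q and ts - q[0] > self.window_s:
            q.popleft()                      # forget mismatches outside the window
        if (expiry, cvv2) != CARDS_ON_FILE[pan]:
            q.append(ts)                     # the merchant is deliberately not part of the key
            if len(q) >= self.max_failures:
                self.blocked.add(pan)
                return "blocked"
            return "declined:mismatch"
        return "approved"


def run_simulation() -> list[str]:
    """Constructed stream: the attacker spreads guesses for one PAN across
    different merchants, while a legitimate cardholder mistypes once."""
    issuer = IssuerVelocityCheck(max_failures=3)
    attempts = [
        (100, "shop-a.example", "1234567812345688", "11/25", "000"),
        (160, "shop-b.example", "1234567812345688", "12/25", "001"),
        (200, "shop-c.example", "1234567812345688", "12/25", "002"),
        (260, "shop-d.example", "1234567812345688", "12/25", "123"),  # correct, but too late
        (300, "shop-a.example", "1234567812345696", "01/26", "978"),  # cardholder's typo
        (330, "shop-a.example", "1234567812345696", "01/26", "987"),
    ]
    return [issuer.authorise(*a) for a in attempts]


if __name__ == "__main__":
    for decision in run_simulation():
        print(decision)
```

A bank that keys this counter on (merchant, PAN) instead of PAN alone, or that has no counter at all, is exactly the kind the figure above describes: three guesses at each of a few hundred merchants never trip anything.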
Other “white whales” of card fraud will be discussed in the next article. See you soon!