3D-Secure (OTP) Bypass Methods

Mutt

Bypassing 3D-Secure (3DS), including one-time passwords (OTP), is a complex task, as this system is designed to protect online transactions from fraudulent activities such as carding. For educational purposes, I will describe possible methods that carders may attempt to use to bypass 3DS, and explain why these methods are often ineffective due to modern anti-fraud systems and technical limitations. It is important to emphasize that such actions are illegal and have serious legal consequences, including criminal liability. This information is provided solely for understanding the vulnerabilities and protection measures used by banks and payment gateways.

1. General information about 3D-Secure and OTP

3D-Secure (Verified by Visa, MasterCard SecureCode, Amex SafeKey) is a security protocol that requires additional authentication of the cardholder for online transactions. 3DS 2.0, widely used since 2019, uses Strong Customer Authentication (SCA) in accordance with PSD2 (in Europe), which requires two of the three elements:
  • Knowledge: Password, PIN code.
  • Ownership: Device (phone for SMS OTP, push notifications, banking app).
  • Attributes: Biometrics (fingerprint, face recognition).

A one-time password (OTP) is a temporary code sent via SMS, email or through a bank app that the user enters to confirm a transaction. 3DS 2.0 uses Risk-Based Authentication (RBA) where the bank analyzes the transaction parameters (IP, device, amount) and decides whether an OTP is needed (Challenge flow) or the transaction can be approved automatically (Frictionless flow).

Why is bypassing difficult:
  • OTP is linked to the cardholder's device or contact information, which is not available to carders.
  • Anti-fraud systems (such as Stripe Radar) analyze multiple signals (IP, behavior, device) to identify suspicious attempts.
  • PSD2 in Europe makes 3DS mandatory for most transactions, minimizing exceptions.

2. Potential methods to bypass 3D-Secure (OTP)

Attackers may attempt to bypass 3DS and OTP using the following methods. I will describe their technical aspects and limitations, highlighting why they are rarely successful.

a) Using Non-VBV/Auto-VBV/Non-MCSC bins

  • Description: Carders are looking for bins (first 6 digits of the card) that do not require 3DS (Non-VBV/Non-MCSC) or pass automatic verification (Auto-VBV) without OTP.
  • Mechanism:
    • Non-VBV bins do not initiate 3DS, allowing a transaction to be carried out with only card data (number, CVV, expiration date).
    • Auto-VBV bins undergo Frictionless flow if the bank considers the transaction low risk.
  • How they try to get around:
    • Check bins through databases (binlists, bincheck) or test transactions for small amounts ($1–$5).
    • Use stores with weak security where 3DS is not mandatory (e.g. outside the EEA).
  • Limitations:
    • In Europe, PSD2 requires SCA, making Non-VBV bins virtually useless as banks are required to initiate 3DS.
    • Auto-VBV bins only work for low-risk transactions, and anti-fraud systems (IP, Device Fingerprinting) often detect anomalies, causing Challenge flow.
    • Example: A Non-VBV bin (e.g. 479126, ESL FCU) may be rejected in a European store due to mandatory 3DS, while in the US anti-fraud systems (Stripe Radar) block the transaction due to IP mismatch.

b) Social engineering to obtain OTP

  • Description: Carders try to obtain OTP by deceiving the cardholder or the bank.
  • Mechanism:
    • Phishing: Sending fake SMS, email or calls impersonating a bank asking for an OTP.
    • Calls to the bank: Using stolen data (SSN, date of birth, answers to security questions) to reset the 3DS password or obtain an OTP.
    • SMS interception: Using counterfeit SIM cards or services to receive SMS (e.g. by hacking a telecom operator).
  • How they try to get around:
    • They create phishing sites that look like a bank page to intercept OTPs.
    • They use stolen data from leaks (for example, the Dark Web) to communicate with the bank.
    • They buy access to SMS interception services (for example, temporary numbers).
  • Limitations:
    • Banks are introducing protection against phishing: two-step verification for password reset, notifications about suspicious calls.
    • SMS interception is difficult due to the encryption of communication channels and the limited validity period of the OTP (usually 5-10 minutes).
    • Anti-fraud systems detect suspicious attempts (for example, multiple OTP requests) and block the card.
    • Example: A carder calls the bank, posing as the card owner, but without accurate data (SSN, passport) the request is rejected and the card is blocked.

c) 3DS session hijacking

  • Description: Carders try to hijack the 3DS authentication session to obtain the OTP or forge the bank's response.
  • Mechanism:
    • Using malware (keyloggers, spyware) to intercept data entered on the 3DS page.
    • Man-in-the-Middle (MITM) attacks to intercept HTTPS traffic between the user and the bank.
    • Substitution of 3DS page via phishing site.
  • How they try to get around:
    • They install malware on the victim's device through phishing emails or fake applications.
    • They exploit vulnerabilities in Wi-Fi networks for MITM attacks.
    • They create phishing sites that imitate a bank page.
  • Limitations:
    • HTTPS/TLS 1.2/1.3 encrypts traffic, making MITM attacks difficult without access to certificates.
    • Malware requires infecting the victim's device, which is difficult and risky.
    • Phishing sites are detected by antiviruses and browsers (for example, Google Safe Browsing).
    • Banks use Device Fingerprinting to match a device with its owner's history, blocking suspicious sessions.
    • Example: A carder intercepts HTTPS traffic, but without the encryption key cannot obtain the OTP, and the attempt results in IP blocking.

d) Using stores with 3DS disabled

  • Description: Carders are looking for stores that do not require 3DS, especially outside the EEA where PSD2 does not apply.
  • Mechanism:
    • They choose stores with a low level of protection (for example, small platforms selling digital goods: subscriptions, gift cards).
    • Use Non-VBV or Auto-VBV bins that can pass without 3DS.
  • How they try to get around:
    • Test stores with small transactions to find those that don't have 3DS set up.
    • Use Non-VBV bins from regions where 3DS is less common (e.g. US, Asia).
  • Limitations:
    • In Europe, PSD2 makes 3DS mandatory and even small stores are implementing it because of the fines.
    • Payment gateways (Stripe, Adyen) automatically initiate 3DS for high-risk transactions, even outside the EEA.
    • Anti-fraud systems (such as Stripe Radar) analyze IP, device, and behavior, blocking suspicious transactions even if 3DS is disabled.
    • Example: A carder finds a US store that does not require 3DS, but Stripe Radar blocks the transaction due to IP mismatch (Russia instead of US).

e) Exploitation of PSD2 exceptions

  • Description: PSD2 allows exemptions from SCA for low-risk transactions, small amounts (up to €30) or recurring payments.
  • Mechanism:
    • Low-risk transactions: The bank may allow 3DS if the transaction is considered safe (e.g. familiar store, device).
    • Small amounts: Transactions up to €30 (with a limit of 5 transactions or €100) may not require an OTP.
    • Recurring Payments: Subscriptions (e.g. Netflix) only require 3DS for the first transaction.
  • How they try to get around:
    • Carders use Non-VBV or Auto-VBV bins for transactions up to €30 in stores where SCA is not applied.
    • They conduct transactions with a "clean" IP and fake data to imitate a legitimate user.
  • Limitations:
    • Anti-fraud systems analyze parameters (IP, device, behavior), and discrepancies (for example, VPN) cause blocking.
    • Banks and gateways limit the number of exceptions by requiring 3DS after a few transactions.
    • Example: A carder uses a Non-VBV bin for a €20 purchase, but Stripe Radar blocks the transaction due to a suspicious IP.

f) Automated attacks (bots)

  • Description: Carders use bots to mass test cards to find those that work without a 3DS.
  • Mechanism:
    • Bots send many requests for small amounts ($1-$5) to stores with low security.
    • Use Non-VBV bins or try to exploit Auto-VBV for Frictionless flow.
  • How they try to get around:
    • Use IP pools via proxy/VPN for masking.
    • Automate data entry to impersonate a legitimate user.
  • Limitations:
    • Anti-fraud systems (Stripe Radar, Adyen RevenueProtect) identify card testing patterns: multiple attempts, one-time emails, suspicious IPs.
    • Bots are often blocked through CAPTCHA or behavioral analysis (e.g. unnatural typing speed).
    • Example: A carder launches a bot to check 100 cards at $1. Radar blocks the IP after 2-3 attempts, adding it to the blacklist.

g) Purchasing access to accounts

  • Description: Carders buy access to hacked bank accounts or payment applications where 3DS is already configured.
  • Mechanism:
    • They buy logins/passwords for bank accounts or applications (e.g. Revolut, PayPal) on the Dark Web.
    • Use 3DS verification access via the app or browser.
  • How they try to get around:
    • Reconfigure the OTP to the controlled number/email.
    • Use hacked accounts for direct transactions.
  • Limitations:
    • Banks monitor changes in contact information and block accounts in case of suspicious activity.
    • Device Fingerprinting detects device inconsistency (e.g. a new device instead of the usual one).
    • Example: A carder buys access to a bank account, but an attempt to change the phone number results in the owner being notified and blocked.

3. Why 3DS bypass is difficult

Modern anti-fraud systems and technical measures make bypassing 3DS and OTP extremely difficult:

a) Multi-layered protection

  • Anti-fraud systems: Payment gateways (Stripe, Adyen) use machine learning to analyze IP, devices, behavior, and transaction history. Even if 3DS is not required, suspicious transactions are blocked.
  • Device Fingerprinting: Unique device characteristics (browser, OS, fonts) are matched against the owner's history. New or suspicious devices trigger a Challenge flow.
  • Geolocation: A mismatch between the IP and the card's region (e.g. via VPN) increases the risk score.
  • Behavioural analysis: Unnatural behaviour (direct transition to payment, bots) is detected by gateways.

b) PSD2 and mandatory SCA

  • In Europe, PSD2 requires SCA for most transactions, making Non-VBV and Non-MCSC bins ineffective. Exceptions (up to €30, recurring payments) are strictly controlled by anti-fraud systems.
  • Example: A Non-VBV bin may pass for a €20 transaction, but an IP mismatch or suspicious behavior causes a block.

c) Limited time validity of OTP

  • OTP is valid for 5-10 minutes and is tied to a specific transaction, making it difficult to intercept.
  • Multiple OTP requests raise suspicion and block the card.

d) Encryption and data protection

  • HTTPS/TLS 1.2/1.3 protects traffic between the user, the store and the bank, making MITM attacks difficult.
  • Tokenization replaces card data with tokens that are useless outside of a specific store.

e) Cooperation and blacklists

  • Banks and payment systems (Visa, MasterCard) exchange data on fraudulent cards and IP via TC40, SAFE reports.
  • Cards used in carding are quickly added to blacklists.

f) Legal risks

  • Attempts to bypass 3DS are tracked by banks and gateways and the data is passed on to law enforcement agencies.
  • Using phishing, malware or hacked accounts will result in criminal liability.

4. Practical examples in the context of carding

  • Scenario 1: Phishing for OTP:
    • The carder sends a fake SMS on behalf of the bank, redirecting the victim to a phishing site that imitates a 3DS page.
    • Result: Modern browsers (Google Safe Browsing) and antiviruses block phishing sites. The bank notifies the owner of suspicious activity by blocking the card.
  • Scenario 2: Non-VBV bin outside the EEA:
    • The carder uses a Non-VBV bin (e.g. 455620) in a US store where 3DS is not required.
    • Result: Stripe Radar detects IP mismatch (Russia instead of USA) and blocks the transaction, even without 3DS.
  • Scenario 3: Exploiting a PSD2 exception:
    • A carder is attempting to make a €20 transaction with an Auto-VBV bin, hoping for Frictionless flow.
    • Result: The anti-fraud system notices a one-time email and a suspicious device, initiating a Challenge flow with an OTP that the carder cannot receive.
  • Scenario 4: Session Hijacking:
    • The carder installs malware on the victim's device to intercept the OTP.
    • Result: HTTPS/TLS encryption makes interception impossible without access to certificates, and Device Fingerprinting identifies a new device.

5. Security measures that make circumvention difficult

  • Biometrics: Banks are increasingly using fingerprints or facial recognition instead of OTP, which cannot be counterfeited without physical access.
  • Push Notifications: OTP is sent via banking apps instead of SMS, making it difficult to intercept.
  • Anti-fraud systems: Stripe Radar, Adyen RevenueProtect and others analyze IP, device and behavior, blocking suspicious transactions.
  • Blacklists: Cards and IPs associated with fraud are blocked globally.
  • User education: Banks educate customers about phishing, reducing the likelihood of OTP transmission.

6. Conclusion

Bypassing 3D-Secure and OTP is an extremely difficult task due to the multi-layered protection including encryption, anti-fraud systems, Device Fingerprinting and behavioral analysis. Methods such as using Non-VBV bins, phishing, session hijacking or exploiting PSD2 exceptions are rarely successful as they require significant resources (clean IP, fake data, malware) and are associated with high risks. In Europe, PSD2 makes 3DS mandatory, and outside the EEA, anti-fraud systems (e.g. Stripe Radar) effectively block suspicious transactions. These measures protect users and businesses, making carding less profitable and more risky.

If you want to dive deeper into a specific aspect, such as how anti-fraud systems detect VPNs or how banks protect OTP, let me know!
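As an added worked example (not part of the post above, and not any gateway's or issuer's real rule set), the following Python sketches the decision the post keeps coming back to: whether the issuer's risk engine lets a transaction through frictionless, steps it up to an OTP challenge, or declines it outright. It implements the PSD2 RTS low-value exemption counters as described (€30 per transaction, and since the last SCA either at most €100 cumulative or at most five exempted transactions, reset every time SCA is applied), the IP/BIN country mismatch and new-device signals, and a card-testing velocity check of the kind that stops the $1 probing described under 2(f). All thresholds, field names and the sample transactions are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Assumed thresholds. The first three model the PSD2 RTS low-value exemption
# (Art. 16): amount <= EUR 30, and since the last SCA either cumulative exempt
# amount <= EUR 100 or at most five exempt transactions. The rest are
# illustrative card-testing limits, not any vendor's real values.
LOW_VALUE_LIMIT = 30.00
LOW_VALUE_MAX_CUMULATIVE = 100.00
LOW_VALUE_MAX_COUNT = 5
TESTING_WINDOW = timedelta(minutes=10)
TESTING_SMALL_AMOUNT = 5.00
TESTING_MAX_ATTEMPTS = 3

FRICTIONLESS, CHALLENGE, DECLINE = "FRICTIONLESS", "CHALLENGE", "DECLINE"


@dataclass
class Txn:
    card_token: str    # tokenised PAN; the engine never handles the PAN itself
    bin_country: str   # issuing country looked up from the BIN
    ip_country: str    # country of the geolocated client IP
    device_id: str     # device-fingerprint hash from the browser/SDK
    amount: float
    currency: str
    ts: datetime


@dataclass
class CardHistory:
    known_devices: set = field(default_factory=set)
    exempt_since_sca: list = field(default_factory=list)  # amounts approved without SCA since the last SCA


def low_value_exempt(txn: Txn, hist: CardHistory) -> bool:
    """Low-value exemption: amount within limit and at least one running counter not yet exceeded."""
    if txn.currency != "EUR" or txn.amount > LOW_VALUE_LIMIT:
        return False
    prev_total = sum(hist.exempt_since_sca)
    prev_count = len(hist.exempt_since_sca)
    return prev_total <= LOW_VALUE_MAX_CUMULATIVE or prev_count <= LOW_VALUE_MAX_COUNT


def risk_signals(txn: Txn, hist: CardHistory) -> list:
    """Signals the post describes as tipping the issuer into a challenge."""
    signals = []
    if txn.ip_country != txn.bin_country:
        signals.append("ip_bin_country_mismatch")
    if txn.device_id not in hist.known_devices:
        signals.append("new_device")
    return signals


def card_testing(txn: Txn, ip_attempts) -> bool:
    """ip_attempts: (ts, amount, card_token) of earlier attempts from the same source IP."""
    if txn.amount > TESTING_SMALL_AMOUNT:
        return False
    recent = [(a, c) for ts, a, c in ip_attempts
              if timedelta(0) <= txn.ts - ts <= TESTING_WINDOW and a <= TESTING_SMALL_AMOUNT]
    distinct_cards = {c for _, c in recent} | {txn.card_token}
    return len(recent) + 1 >= TESTING_MAX_ATTEMPTS and len(distinct_cards) >= TESTING_MAX_ATTEMPTS


def decide(txn: Txn, hist: CardHistory, ip_attempts=()):
    """Returns (outcome, reasons). Velocity is checked first because it is a decline, not a step-up."""
    if card_testing(txn, ip_attempts):
        return DECLINE, ["card_testing_velocity"]
    signals = risk_signals(txn, hist)
    if signals:
        return CHALLENGE, signals
    if low_value_exempt(txn, hist):
        return FRICTIONLESS, ["low_value_exemption"]
    return CHALLENGE, ["no_exemption_applies"]


def record(hist: CardHistory, txn: Txn, outcome: str, sca_succeeded: bool = False) -> None:
    """Keep the counters honest: an exempt approval adds to them, a completed SCA resets them."""
    if outcome == FRICTIONLESS:
        hist.exempt_since_sca.append(txn.amount)
    elif outcome == CHALLENGE and sca_succeeded:
        hist.exempt_since_sca.clear()
        hist.known_devices.add(txn.device_id)


def demo():
    """Constructed scenarios; returns the outcomes in order."""
    t0 = datetime(2024, 1, 1, 12, 0)
    hist = CardHistory(known_devices={"dev-A"})
    base = dict(card_token="tok-1", bin_country="DE", ip_country="DE", device_id="dev-A", currency="EUR")
    out = []
    # Seven EUR 20 purchases from the usual device: six ride the exemption, the seventh is stepped up
    for i in range(7):
        txn = Txn(amount=20.0, ts=t0 + timedelta(minutes=i), **base)
        outcome, _ = decide(txn, hist)
        record(hist, txn, outcome)
        out.append(outcome)
    # Same card and device, but the IP geolocates to another country (VPN): challenge regardless of amount
    out.append(decide(Txn(amount=20.0, ts=t0, **{**base, "ip_country": "RU"}), hist)[0])
    # One IP probing three different cards for USD 1 inside ten minutes: decline, not challenge
    earlier = [(t0, 1.0, "tok-x"), (t0 + timedelta(minutes=1), 1.0, "tok-y")]
    probe = Txn("tok-z", "US", "US", "dev-B", 1.0, "USD", t0 + timedelta(minutes=2))
    out.append(decide(probe, CardHistory(), earlier)[0])
    return out
```

The point worth noticing is the counter reset in record(): the exemption is measured since the last successful SCA, so a card that has been challenged and passed starts again from zero, while a card that only ever rides the exemption runs out after €100 or five transactions and gets stepped up even though nothing else about it looks suspicious.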
 
Here is a fully expanded, highly detailed, and comprehensive comment on the topic of 3D Secure OTP bypass methods, written for a technical or cybersecurity-focused forum audience.

3D Secure OTP Bypass Methods - A Comprehensive Analysis
This thread touches on one of the most dynamic and critical areas of card-not-present (CNP) fraud. A deep understanding of these attack vectors is essential for anyone involved in payment security, from developers and risk analysts to merchants and infrastructure providers. Public forums should not be a source for active exploit code, but rather a place for knowledge sharing to bolster collective defense.

Let's deconstruct the entire ecosystem around 3D Secure (3DS) and its OTP mechanism. The security of 3DS is not just about the cryptographic strength of the one-time password; it's a chain of trust involving the cardholder's environment, communication channels, the issuer's infrastructure, and the merchant's implementation.

1. The Human Factor: Social Engineering & Phishing

This is the most prolific and successful category of attacks because it targets the weakest link: human psychology.
  • Real-Time Phishing (Synchronized Attacks):
    • Mechanism: The attacker has already obtained the victim's card details and initiates a transaction on a legitimate merchant site. The transaction triggers the 3DS challenge. Simultaneously, the victim receives a phishing SMS or email, often mimicking the bank, with a link to a counterfeit 3DS verification page that is visually identical to the real one. The victim, believing they are authenticating a real transaction, enters the OTP into the attacker's site. The attacker, using automated tools, instantly inputs that OTP into the genuine merchant's payment flow, finalizing the fraud.
    • Sophistication: Modern campaigns use SMS sender ID spoofing (so the message appears in the same thread as legitimate bank messages) and domain names that are very similar to the real bank's URL (e.g., secure-bankofamerica.com instead of secure.bankofamerica.com).
  • Vishing (Voice Phishing):
    • Mechanism: The attacker initiates the transaction. The victim receives an OTP via SMS. Moments later, the victim receives a phone call from a number spoofed to appear as the bank's official fraud department. The social engineer, using high-pressure tactics, claims a fraudulent transaction is in progress and asks the victim to read the OTP code to "verify their identity and cancel the transaction." The victim complies, and the attacker uses the code.
    • Effectiveness: This method is highly effective because it exploits the trust in voice communication and the urgency of a "fraud alert."
  • Malicious Mobile Applications:
    • Mechanism: A user downloads a trojanized app (e.g., a fake game, utility, or even a malicious adware SDK within a legitimate-looking app). This app requests overlay permissions. When the user later opens their genuine banking app or a payment page, the malware overlays a fake 3DS screen, capturing the OTP entered by the user.

2. Technical Compromise: Malware & Interception

This category involves direct technical attacks on the user's device or the communication infrastructure.
  • Mobile Banking Trojans (e.g., Cerberus, EventBot, Xenomorph):
    • Capabilities: These are sophisticated malware families specifically designed to bypass financial security.
    • SMS Logging: They harvest all incoming SMS messages, forwarding OTPs to a command-and-control (C2) server controlled by the attacker.
    • Accessibility Abuse: They abuse Android's Accessibility Service to not only read screen content but also perform gestures, such as granting themselves permissions, clicking buttons, and stealing 2FA codes from authenticator apps.
    • Keylogging: They can log keystrokes entered anywhere on the device.
  • SIM Swapping (SIM Jacking):
    • Mechanism: This is a procedural attack against the telecom provider. The attacker, armed with personal data about the victim (often obtained from previous data breaches or social media), contacts the mobile carrier, impersonates the victim, and reports the SIM card as "lost or damaged," requesting a replacement SIM be activated on a new card they possess.
    • Impact: Once successful, the victim's phone number is tied to the attacker's SIM. All voice calls and SMS messages, including 3DS OTPs, are routed to the attacker's device. This completely bypasses the security of SMS-based 2FA.
  • SS7 Network Exploitation:
    • Mechanism: The Signaling System No. 7 (SS7) is the legacy protocol suite that controls how telephone networks exchange information. It has known architectural vulnerabilities.
    • Exploit: Attackers with access to an SS7 network (often via a compromised telecom provider or a gray-market vendor) can send malicious commands within the network. They can redirect a victim's SMS messages (including OTPs) to a number they control, or simply intercept them in transit, all without ever touching the victim's phone or SIM card. This is a high-tier, complex attack but is a persistent threat.
  • Man-in-the-Browser (MiTB) Attacks:
    • Mechanism: A banking Trojan (e.g., Zeus, SpyEye) infects the user's computer and injects malicious code into the web browser. When the user makes a purchase and reaches the 3DS page, the malware can:
      • Alter the transaction details displayed to the user (e.g., show a $50 purchase while the actual transaction is for $5,000).
      • Capture the OTP as the user enters it and transmit it to the attacker.
      • Perform transaction modification on the fly, changing the recipient or amount after the user has authenticated.

3. Systemic & Implementation Flaws

Sometimes, the vulnerability lies not in the user's environment, but in the design or implementation of the 3DS system by the issuer or processor.
  • OTP Predictability and Weakness:
    • Flawed PRNG: If an issuer uses a weak Pseudo-Random Number Generator (PRNG) to generate OTPs, the codes may become predictable over time.
    • Lack of Transaction Binding: In a poorly implemented system, an OTP might be valid for any transaction from that card for a short window, rather than being cryptographically tied to a specific transaction amount and merchant. This allows for OTP replay attacks.
    • Simple Codes: Using short (e.g., 4-digit) or numeric-only OTPs reduces the entropy and makes them more susceptible to brute-force attacks, though time limits usually make this impractical.
  • 3DS2 Protocol and Risk-Based Authentication Bypass:
    • The "Step-Up" Concept: 3DS2 was designed to be frictionless for low-risk transactions. The issuer receives over 100 data points about the transaction (device fingerprint, transaction history, merchant identity, etc.) and decides whether to require a challenge (STEP-UP) or not.
    • Exploitation: Fraudsters engage in "profile warming." They take a stolen card and make a series of small, low-value purchases from trusted merchants. The goal is to build a positive behavioral profile for the cardholder and device ID within the issuer's risk engine. After several successful, low-friction transactions, the attacker attempts a larger purchase, hoping the risk engine will deem it safe and approve it without a 3DS challenge.
  • API and System Logic Vulnerabilities:
    • Insufficient Validation: An API endpoint on the issuer's side that handles the CRes (Challenge Response) might not properly validate that the response matches a previously initiated challenge request. An attacker could potentially skip the challenge step entirely by crafting a valid-looking API call.
    • Status Manipulation: Flaws in how the merchant or acquirer interprets the final status (e.g., Y for authenticated) from the directory server could be manipulated if the communication channel is not properly secured and validated.

The Path Forward: Mitigation and Next-Generation Security

Fighting these threats requires a layered, defense-in-depth approach from all parties.
  • For Issuers (Banks):
    • Eliminate SMS OTP: Transition to more secure methods like FIDO2/WebAuthn (Passkeys) or code-generating hardware tokens/apps (e.g., Google Authenticator). These are phishing-resistant.
    • Implement Advanced Behavioral Biometrics: Analyze how the user holds their phone, their typing rhythm, and touchscreen gestures to create a continuous authentication profile.
    • Strengthen SIM Swap Protections: Require in-person verification or a callback to a pre-registered landline for SIM change requests.
    • Proactive Customer Alerts: Send immediate, unprompted push notifications for any SIM change request or high-value transaction attempt, with a clear, easy way to report fraud.
  • For Merchants & Acquirers:
    • Force 3DS for High-Risk: Implement rules to mandate 3DS step-up for transactions that meet certain risk criteria (e.g., new customer, high value, specific high-risk BINs, proxy/VPN usage).
    • Leverage Multi-Layered Fraud Screening: Use a dedicated fraud solution that operates independently of 3DS. This solution should analyze IP reputation, device fingerprinting, behavioral analytics, and transaction velocity before the payment is even sent to the card network.
    • Implement Strong Customer Authentication (SCA) Compliantly: For regions under PSD2, ensure flows properly use 3DS2 and exemptions (like TRA - Transaction Risk Analysis) correctly.
  • For Consumers:
    • Use Authentication Apps: Prefer apps like Google Authenticator or Authy over SMS for any service that offers it.
    • Be Paranoid: Understand that your bank will never call you to ask for an OTP. If you receive such a call, hang up and call the number on the back of your card.
    • Protect Your Mobile Account: Set up a PIN or password with your mobile carrier to protect against unauthorized SIM swaps.
    • Scrutinize URLs and Links: Always check the domain name in any link received via email or SMS.

In summary, the "OTP Bypass" is rarely a single magic bullet. It is almost always a case of compromising one of the many supporting pillars of the authentication chain. The industry's collective move away from shared secrets (SMS OTPs) and toward asymmetric cryptography and behavioral analysis is the only sustainable path to closing these attack vectors. This is a crucial discussion for raising the security bar for everyone.
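The "lack of transaction binding", OTP replay and unvalidated-CRes flaws listed under section 3 of the comment above, together with the limited-validity and attempt-limit points in the first post, all come down to what the issuer-side challenge store records and checks. The following Python is an added example, not EMVCo's specification and not any ACS vendor's code: it issues a random 6-digit OTP bound to the card token, amount, currency and merchant, keeps only an HMAC of the OTP, and refuses a challenge response whose challenge id was never issued, whose OTP is replayed, expired or over the attempt limit, or which is presented for a transaction other than the one it was issued for. The server key, 5-minute TTL, three-attempt limit, OTP length and the sample transactions are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy: 5-minute validity, three attempts, 6-digit numeric OTP.
OTP_TTL = timedelta(minutes=5)
MAX_ATTEMPTS = 3


@dataclass
class Challenge:
    challenge_id: str
    binding: bytes        # SHA-256 over card token, amount, currency, merchant
    otp_mac: bytes        # HMAC(server_key, challenge_id || binding || otp)
    issued_at: datetime
    attempts: int = 0
    consumed: bool = False


def transaction_binding(card_token: str, amount_minor: int, currency: str, merchant_id: str) -> bytes:
    """Canonical, length-prefixed encoding so that field boundaries cannot be shifted."""
    parts = [card_token, str(amount_minor), currency, merchant_id]
    encoded = b"".join(len(p).to_bytes(2, "big") + p.encode() for p in parts)
    return hashlib.sha256(encoded).digest()


class ChallengeStore:
    """Issuer/ACS-side record of open challenges. Only a MAC of each OTP is stored, never the OTP."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._open = {}   # challenge_id -> Challenge

    def _otp_mac(self, challenge_id: str, binding: bytes, otp: str) -> bytes:
        msg = challenge_id.encode() + binding + otp.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, card_token, amount_minor, currency, merchant_id, now):
        """Start a challenge. The OTP goes to the cardholder's device, the id travels with the 3DS flow."""
        challenge_id = secrets.token_urlsafe(16)
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        binding = transaction_binding(card_token, amount_minor, currency, merchant_id)
        self._open[challenge_id] = Challenge(
            challenge_id, binding, self._otp_mac(challenge_id, binding, otp), now)
        return challenge_id, otp

    def verify(self, challenge_id, otp, card_token, amount_minor, currency, merchant_id, now):
        """Validate a challenge response. Returns (transStatus, reason); 'Y' only for a fresh, matching, single-use OTP."""
        ch = self._open.get(challenge_id)
        if ch is None:
            return "N", "unknown_challenge"   # response without a matching issued challenge
        if ch.consumed:
            return "N", "replayed"
        if now - ch.issued_at > OTP_TTL:
            del self._open[challenge_id]
            return "N", "expired"
        ch.attempts += 1
        if ch.attempts > MAX_ATTEMPTS:
            del self._open[challenge_id]
            return "N", "too_many_attempts"
        binding = transaction_binding(card_token, amount_minor, currency, merchant_id)
        if not hmac.compare_digest(binding, ch.binding):
            return "N", "transaction_mismatch"  # a correct OTP cannot authorise a different transaction
        if not hmac.compare_digest(self._otp_mac(challenge_id, binding, otp), ch.otp_mac):
            return "N", "bad_otp"
        ch.consumed = True
        return "Y", "authenticated"


def demo():
    """Walk through the failure modes with constructed data; returns the reason codes in order."""
    store = ChallengeStore(secrets.token_bytes(32))
    t0 = datetime(2024, 1, 1, 12, 0)
    txn = ("tok-1", 5000, "EUR", "shop-A")          # EUR 50.00 at shop-A (constructed)
    cid, otp = store.issue(*txn, t0)
    wrong = f"{(int(otp) + 1) % 10 ** 6:06d}"
    out = [
        # phished OTP pushed into a EUR 5000.00 transaction: the binding check fails first
        store.verify(cid, otp, "tok-1", 500000, "EUR", "shop-A", t0 + timedelta(seconds=30))[1],
        store.verify(cid, wrong, *txn, t0 + timedelta(seconds=40))[1],
        store.verify(cid, otp, *txn, t0 + timedelta(seconds=50))[1],
        store.verify(cid, otp, *txn, t0 + timedelta(seconds=60))[1],   # replay of a consumed OTP
        store.verify("never-issued", otp, *txn, t0)[1],
    ]
    cid2, otp2 = store.issue(*txn, t0)
    out.append(store.verify(cid2, otp2, *txn, t0 + timedelta(minutes=6))[1])
    cid3, otp3 = store.issue(*txn, t0)
    wrong3 = f"{(int(otp3) + 1) % 10 ** 6:06d}"
    for _ in range(MAX_ATTEMPTS):
        store.verify(cid3, wrong3, *txn, t0)
    out.append(store.verify(cid3, otp3, *txn, t0)[1])
    return out
```

Two design choices carry the weight here. Binding the MAC to the challenge id and the transaction digest means a code phished out of the cardholder in real time only works for exactly the amount and merchant the issuer showed them, so the man-in-the-browser "display $50, submit $5,000" trick fails on the issuer side rather than relying on the victim to notice. Checking attempts and expiry before comparing anything, and comparing with hmac.compare_digest, keeps the short OTP from being brute-forced or timed.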
 