Effective antifraud: how to protect your business from online fraud

Hello everyone! This is our first post on Habr, and with it we begin a series of publications about fraud and anti-fraud services. We are Payture, an international processing company that specializes in e-commerce and mobile commerce services and also provides anti-fraud services.



Fraud and phishing go hand in hand (where the data for fraud comes from)


Of course, skimming (offline reading of data from the card) is also used by fraudsters to obtain personal data for fraud operations, but the example here is about phishing.

Some may recall that in 2007 Alfa-Bank customers using the Alfa-Click service were targeted en masse by several phishing attacks involving phishing links and emails. After Alfa-Bank customers entered their personal data on the phishing pages, the attackers could monetize the information in various ways.

Here we are interested in the case where criminals pay for goods or services on the Internet using stolen plastic cards. That is where the data for fraud comes from. After such a payment, the victim is not only the true holder of the compromised card but also the merchant, who is obliged to return the funds debited from the card to its true owner.

A merchant often becomes a victim in fraud proceedings


Once funds are debited from the stolen card, the attackers' part in the fraud scheme ends, and dispute proceedings begin (after the cardholder files a claim). The participants are the issuing bank (on the cardholder's side), the payment system, the acquiring bank (on the merchant's side) and the merchant.

It is worth noting that now the cards of Russian banks are not very popular with scammers specializing in fraud due to their relatively high security.

Therefore, the next example, which illustrates a merchant's losses from fraud, involves compromised cards of a foreign bank. The incident happened to our client, an online travel agency selling air tickets. The fraudsters' scheme became possible because an anti-fraud system was temporarily absent, which allowed the attackers to make multiple payments using stolen cards of a foreign bank.

How does professional fraud work?


The fraudsters somehow (see above: phishing, skimming) obtained the plastic card data of customers of one foreign bank. Then, on their website and in social networks, the attackers posed as airline employees and announced that they could sell air tickets at half price. Interestingly, the criminals also found buyers for these tickets by making personal acquaintances among Russians in places where tourists gathered.

Next, the scammers contacted by email the people who wanted to take advantage of the tempting offer to buy tickets to any destination at a low price. The condition for issuing such a ticket was a transfer of funds to the fraudsters' e-wallet, which is an irrevocable operation.

At the same time, the fraudsters bought the ticket themselves, at full price, on the website of our client, the online travel agency (the merchant). They entered the data of the real future passenger (the person buying the ticket from the fraudster at half price) together with the data of a stolen card belonging to a client of a foreign bank.

And then they flew


Customers received by e-mail, from the attackers, an e-ticket that was officially registered with the airline. After that, the unsuspecting passengers arrived at the airport, checked in with their passports and flew.

The main condition for such a purchase was a short booking window: you buy today and fly tomorrow. In that time the real cardholder did not manage to file a dispute with the bank, and even if they did, the chargeback process took effect with some delay. This allowed the fraudsters to keep making multiple payments, receiving half of the ticket price from each bargain hunter on every transaction.

What were the consequences of the fraud?


Holders of the compromised cards turned to their issuing bank, and proceedings began with the participation of the payment system, in which the acquiring bank was found to be at fault. Under its agreement with the merchant, the acquiring bank carried out a chargeback, so the travel agency suffered losses equal to the cost of the purchased tickets.

The bottom line:
  1. buyers of the half-price air tickets used them successfully
  2. the fraudsters received part of the money on the stolen cards
  3. the true owners of the compromised cards got the debited funds back
  4. and the travel agency's problems were just beginning

The affected company, which had not connected a fraud detection system, additionally paid a fine of 5,000 euros to the international payment systems. Next, a security audit of the gateway's payment solutions and of the acquiring bank was scheduled, costing 15,000 euros, and these costs were also passed on to the merchant.

How to minimize losses?


As you can see, the travel agency suffered significant, unrecoverable losses because it had no anti-fraud system. The rules and algorithms configured in an anti-fraud service would have made it possible to identify such fraudulent payments, for example, based on these indicators:

1. In the described case, the card's issuing bank is not typical for the client's audience (the bank that issued the card is located, for example, in France, while the client's audience is mainly from Russia).

2. The payment was made for a flight that was supposed to take place in the near future. Special attention is paid to such operations, since this is quite a rare case. Even if the anti-fraud system had missed the payment, the service's analysts would have detected it within a few hours and contacted the client to prevent a fraudulent operation.

3. There is a significant spread in distance between the locations of the device from which the payment is made, the passenger, his address, and the issuing bank. By comparing these facts, you can flag the operation as suspicious and either not let it through or double-check it.

IT scammers use such "holes", where there is no protection against fraudulent operations, for their attacks.

Security holes are viral posts on scammers' social networks


As you know, the share of fraudulent transaction attempts in online trading reaches 10%. Fraudsters very often probe online store sites for the absence of an anti-fraud system. And if, one day, a fraudster finds such a "hole", this information is instantly distributed among like-minded people.

One case from our practice perfectly illustrates this situation. For reasons that we can't disclose, our client's antifraud was disabled for just a day.

As a result, we saw an avalanche-like increase in transactions for this client involving the cards of one British bank whose data had recently been leaked. Within a few hours, there were fraud attempts coming from the scammers themselves, from drops and from bots. Probably, not all of these payments were made to purchase something. Many simply tried to find out whether funds were available on a particular card, because they chose offers in a completely random way.

Moral


Just as the feeds of popular social networks fill up with viral posts, the social networks of scammers fill up with messages that a particular "hole" has been discovered. For this reason, the actions of IT scammers (especially in the travel segment) can sometimes have disastrous consequences, even within a single day.

A separate note on disputes over terminology: some sources describe this fraud scheme as Carding, but in our practice it is customary to call it fraud. The type of fraud described in the first example is considered Professional. There are also Blind, Smart and Friendly Fraud, and we'll write about their features next time.

We are ready to answer practical questions on the topic of fraud, anti-fraud services, and transaction security, because we would like to avoid excessive generalization and superficiality. For obvious reasons, we are somewhat constrained in the depth of disclosure of the topic, but we will try to make communication with us interesting.
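The three indicators listed under "How to minimize losses?" can be expressed as rules over a payment record. The sketch below is an added example, not code from the original post or from Payture; the field names, thresholds, decision policy and sample payments are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

@dataclass
class Payment:                   # hypothetical record layout
    issuer_country: str          # country of the bank that issued the card
    paid_at: datetime
    departs_at: datetime
    device_loc: tuple            # (lat, lon) of the paying device
    passenger_loc: tuple         # (lat, lon) of the passenger's address
    issuer_loc: tuple            # (lat, lon) of the issuing bank

# Assumed thresholds; a real service tunes these per merchant.
HOME_COUNTRIES = {"RU"}          # where the merchant's audience normally is
NEAR_DEPARTURE = timedelta(hours=48)
MAX_SPREAD_KM = 1500

def km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def indicators(p):
    """Return the names of the three indicators that fire for payment p."""
    hits = []
    if p.issuer_country not in HOME_COUNTRIES:                      # indicator 1
        hits.append("issuer_outside_audience")
    if timedelta(0) <= p.departs_at - p.paid_at <= NEAR_DEPARTURE:  # indicator 2
        hits.append("near_departure")
    pts = [p.device_loc, p.passenger_loc, p.issuer_loc]             # indicator 3
    spread = max(km(a, b) for i, a in enumerate(pts) for b in pts[i + 1:])
    if spread > MAX_SPREAD_KM:
        hits.append("location_spread")
    return hits

def decide(p):
    """Assumed policy: 0 hits accept, 1-2 hits manual review, all 3 decline."""
    n = len(indicators(p))
    return "accept" if n == 0 else "review" if n < 3 else "decline"

# Constructed sample payments (not real data).
MOSCOW, PARIS, BANGKOK = (55.75, 37.62), (48.86, 2.35), (13.75, 100.50)
NOW = datetime(2024, 1, 10, 12, 0)
suspicious = Payment("FR", NOW, NOW + timedelta(hours=20), BANGKOK, MOSCOW, PARIS)
ordinary = Payment("RU", NOW, NOW + timedelta(days=30), MOSCOW, MOSCOW, MOSCOW)
```

The "review" outcome corresponds to the double-check the post mentions: a payment that trips only some indicators goes to an analyst instead of being declined outright.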
 