Professor
Idea: Specific examples of how payment systems and regulators have made changes to fundamental interaction protocols following waves of specific attacks.
Introduction: Uninvited Co-authors of Global Rules
In the quiet halls of international associations, where bankers and engineers spend years developing financial protocols, their voices were never heard. But their influence was felt in every change, every new line of code, every tightening of rules. Carders, operating underground, became the most persuasive lobbyists for change. Each massive wave of attacks was a loud and costly signal: "Your standard is broken! Fix it!" And the financial world was forced to listen. This story is about how shady practices became the driving force behind rewriting the fundamental rules by which the entire global payment system operates. It's about how attacks on individual ATMs and websites forced a rewrite of the protocols that today protect trillions of dollars worldwide.
Chapter 1: The ISO 8583 Phoenix Protocol and the War on Skimming
Standard: ISO 8583 is the "language" used by ATMs, payment terminals, processing centers, and issuing banks. It defines how a transaction message (authorization request) should be packaged and what it should contain.
Attack catalyst: Massive ATM skimming in the mid-2000s. Carders learned to mass-produce and install magnetic stripe readers and PIN cameras. The problem was in the protocol itself: the message the ATM sent to the bank for verification contained enough data to create a complete clone of the card.
What exactly was "broken" in the standard?
- Static data. The message contained Track 2 Data — the same data from the magnetic stripe (number, expiration date, and other parameters) that can be easily copied and reused.
- The PIN was transmitted in encrypted form, but it could be intercepted at the ATM keypad level (using an overlay or a camera), not on the network.
The Birth of a New Standard: The introduction of EMV (chip cards) as an extension carried within ISO 8583 messages.
This wasn't simply a card replacement. It was a profound change in protocol logic. The chip (EMV) made every transaction unique.
- Dynamic cryptography: The chip generates a unique cryptographic code (the Application Cryptogram, ARQC) for each transaction, using an internal secret key and the transaction data. This code cannot be reused.
- Changes to the ISO 8583 message: Instead of static magnetic stripe data, chip data (EMV data) was now transmitted in field 55 (Reserved for ISO use). By verifying the unique cryptogram, the bank could be sure that the request came from a real, physical card, and not a copy of the data.
Bottom line: Skimmer attacks made the transmission of static data in ISO 8583 deadly. The response was a fundamental shift from "data authentication" to "unique computation authentication" baked into the protocol at the EMV level.
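The contrast the chapter draws can be made concrete. The following is an added example, not code from the post: an issuer host that accepts ISO 8583-style authorization requests, first in the old magstripe style (Track 2 in field 35) and then in the EMV style (an ICC cryptogram in field 55). It assumes a simplified cryptogram (HMAC-SHA256 over PAN, amount, terminal unpredictable number and ATC, standing in for the 3DES/AES-based EMV ARQC), a constructed issuer master key, a constructed test PAN, and dicts keyed by field number instead of a real bitmap encoding. It shows why an exact copy of static Track 2 data is accepted, while a replayed or transplanted cryptogram is declined by the two checks an issuer performs: ATC monotonicity and cryptogram recomputation.

```python
import hashlib
import hmac

# Constructed issuer master key; in a real deployment this lives in an HSM.
ISSUER_MASTER_KEY = b"constructed-issuer-master-key"
TEST_PAN = "4000000000000002"  # constructed test PAN, not a real card


def card_key(pan: str) -> bytes:
    """Derive the card-unique key the issuer personalises into the chip.
    Real EMV derives a 3DES/AES key from the master key and PAN/PSN;
    HMAC-SHA256 is a simplified stand-in (assumption)."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def cryptogram(key: bytes, pan: str, amount: int, un: int, atc: int) -> str:
    """MAC over the transaction data; the stand-in for the EMV ARQC."""
    data = f"{pan}|{amount}|{un:08x}|{atc}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()[:8].hex()


class ChipCard:
    """The card side: the key never leaves the chip, and the ATC counts up."""

    def __init__(self, pan: str) -> None:
        self.pan = pan
        self._key = card_key(pan)
        self.atc = 0  # Application Transaction Counter

    def generate_arqc(self, amount: int, unpredictable_number: int) -> dict:
        self.atc += 1
        return {
            "atc": self.atc,
            "un": unpredictable_number,
            "arqc": cryptogram(self._key, self.pan, amount,
                               unpredictable_number, self.atc),
        }


class Issuer:
    """Issuer host receiving ISO 8583-style requests. Messages are dicts keyed
    by field number (2 = PAN, 4 = amount, 35 = Track 2, 55 = ICC data)."""

    def __init__(self) -> None:
        self.last_atc: dict = {}  # PAN -> highest ATC accepted so far

    def authorize_magstripe(self, msg: dict) -> str:
        # Old world: static Track 2 is the only proof, so any exact copy passes.
        if msg[35].startswith(msg[2] + "="):
            return "APPROVED"
        return "DECLINED"

    def authorize_emv(self, msg: dict) -> str:
        pan, f55 = msg[2], msg[55]
        # 1. Replay check: the ATC must strictly increase per card.
        if f55["atc"] <= self.last_atc.get(pan, 0):
            return "DECLINED: ATC replay"
        # 2. Recompute the cryptogram with the issuer-side copy of the key.
        expected = cryptogram(card_key(pan), pan, msg[4], f55["un"], f55["atc"])
        if not hmac.compare_digest(expected, f55["arqc"]):
            return "DECLINED: bad cryptogram"
        self.last_atc[pan] = f55["atc"]
        return "APPROVED"


def magstripe_copy_result() -> str:
    """A second message carrying an exact copy of Track 2 is indistinguishable
    from the original for a magstripe-only issuer."""
    issuer = Issuer()
    track2 = TEST_PAN + "=29121015432100000000"  # constructed Track 2
    original = {2: TEST_PAN, 4: 1000, 35: track2}
    copied = dict(original)  # same static data, sent again from elsewhere
    issuer.authorize_magstripe(original)
    return issuer.authorize_magstripe(copied)


def emv_results() -> tuple:
    """Genuine request, then the same message again, then the copied
    cryptogram attached to a different amount with a bumped ATC."""
    card, issuer = ChipCard(TEST_PAN), Issuer()
    un = 0x1A2B3C4D  # terminal-supplied unpredictable number
    c = card.generate_arqc(1000, un)
    genuine = {2: TEST_PAN, 4: 1000, 55: c}
    first = issuer.authorize_emv(genuine)
    replay = issuer.authorize_emv(genuine)
    altered = {2: TEST_PAN, 4: 999999, 55: {**c, "atc": c["atc"] + 1}}
    forged = issuer.authorize_emv(altered)
    return first, replay, forged
```

`magstripe_copy_result()` returns "APPROVED" for the copied message, which is the skimming problem in one line; `emv_results()` returns the genuine approval followed by the two declines. The order of the checks matters: the ATC comparison is cheap and catches straight replays before any key derivation, while the cryptogram recomputation catches anything assembled from copied field 55 data.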
Chapter 2: The Birth of 3D-Secure: How Phishing Linked a Human to a Transaction
Standard (or rather, add-on): 3D-Secure (Verified by Visa, Mastercard SecureCode). This is not a replacement for ISO 8583, but an additional verification layer for online payments (e-commerce).
Attack catalyst: The online carding and phishing epidemic of the late 1990s and early 2000s. Fraudsters harvested or brute-forced card data (number, expiration date, CVV) on a massive scale and made purchases online. Online authorization protocols (based on the same ISO 8583) could not distinguish the cardholder from an attacker who knew the card details.
What "broke"? A flaw in cardholder authentication in the "card not present" (CNP) channel.
Birth of a new protocol: 3D-Secure (3DS) version 1.0.
The idea was brilliant in its simplicity: to build an extra step into the payment process, controlled by the issuing bank, not the store.
- Three-domain architecture: Issuer domain (customer bank), acquirer domain (store bank), and interaction domain (payment system).
- Change in flow: After entering card details on the store's website, the payment system (Visa/Mastercard) requested confirmation from the issuing bank via a special server (ACS — Access Control Server). The bank displayed a password window to the customer (which could not be stolen from the store) or sent an SMS with a code.
- Implementation in ISO 8583: For 3D-Secure transactions, a special indicator (Electronic Commerce Indicator — ECI) and authentication data (CAVV — Cardholder Authentication Verification Value) were added to the authorization message to confirm that the cardholder had passed the verification.
Bottom line: The wave of online fraud has forced the creation of an entirely new protocol layer, moving the point of trust from card details to the communication channel between the bank and its client.
Chapter 3: The Evolution of 3D-Secure 2.0: How Mobile Banking and the UX War Changed the Standard
Attack catalyst for the new version: Low adoption of 3DS 1.0 due to terrible user experience and new threats.
- UX failure: Customers hated pop-ups, which were often blocked by browsers, and forgot their passwords. This led to abandoned shopping carts.
- 3DS-bypass scams: Carders used phishing to collect not only card details but also the one-time passwords sent by SMS, or infected phones with SMS-intercepting Trojans.
- Mobile Payments: The old protocol did not work well in mobile applications.
The birth of the 3D-Secure 2.0 standard (2016-2019).
This was a revolution that made security invisible and context-sensitive.
- Risk-Based Authentication (RBA): The protocol now allowed the transmission of over 100 transaction data elements to the issuing bank: amount, purchase history, device data, geolocation, and behavioral biometrics. Based on this, the bank could decide whether to proceed with the transaction without unnecessary steps (frictionless flow) if the risk was low, or to request additional authentication.
- Mobile-friendly: Instead of pop-ups, a native experience within the bank's mobile app (SDK).
- More secure authentication methods: Shift from SMS codes (vulnerable to interception) to push notifications in the banking app with biometrics (Face ID, Touch ID).
Bottom line: Carders, having forced the creation of 3DS 1.0, then, through their resourcefulness and battle for user attention, forced a revision and made it smarter, more convenient, and more secure. They sparked the transition from a "one-size-fits-all" verification system to an intelligent, adaptive, real-time risk assessment system.
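Chapters 2 and 3 together describe one mechanism: the issuer's ACS authenticates the cardholder (with a fixed challenge in 3DS 1.0, with a risk-based decision in 3DS 2.0) and the result travels to authorization as an ECI plus a CAVV. The following is an added example, not code from the post or any 3-D Secure implementation: a toy ACS with a crude risk score over the kind of data elements 3DS 2.0 carries, a challenge step, and an issuer authorization check that refuses an ECI claiming "authenticated" unless the CAVV verifies. Assumptions: the CAVV is an HMAC-SHA256 tag over PAN, transaction id, ECI and amount (a stand-in for the scheme-defined value), ECI values follow the Visa-style convention (05 authenticated, 07 not authenticated), the score weights and the threshold are constructed, and the ACS and the authorization host share a constructed key.

```python
import hashlib
import hmac
from typing import Optional

ACS_KEY = b"constructed-acs-cavv-key"  # assumed shared ACS / auth-host secret
CHALLENGE_THRESHOLD = 50               # constructed cut-off for frictionless flow


def risk_score(tx: dict) -> int:
    """Crude risk-based authentication: add points for the signals that
    3DS 2.0 lets the merchant pass to the issuer (weights are constructed)."""
    score = 0
    if tx["amount"] > 20_000:                       # minor units: over 200.00
        score += 40
    if not tx["device_known"]:                      # device never seen for this card
        score += 30
    if tx["ship_country"] != tx["bill_country"]:    # shipping/billing mismatch
        score += 30
    if tx["prior_tx_90d"] == 0:                     # no purchase history
        score += 20
    return score


def make_cavv(pan: str, tx_id: str, eci: str, amount: int) -> str:
    """Cardholder Authentication Verification Value (simplified HMAC tag)."""
    data = f"{pan}|{tx_id}|{eci}|{amount}".encode()
    return hmac.new(ACS_KEY, data, hashlib.sha256).hexdigest()[:40]


def acs_authenticate(tx: dict, otp_entered: Optional[str] = None,
                     otp_expected: Optional[str] = None) -> dict:
    """Issuer ACS: frictionless when risk is low, otherwise require a
    challenge (here a one-time code); only a passed flow yields ECI 05."""
    if risk_score(tx) < CHALLENGE_THRESHOLD:
        return {"flow": "frictionless", "eci": "05",
                "cavv": make_cavv(tx["pan"], tx["tx_id"], "05", tx["amount"])}
    if otp_entered is None:
        return {"flow": "challenge_required", "eci": None, "cavv": None}
    if otp_expected is not None and hmac.compare_digest(otp_entered, otp_expected):
        return {"flow": "challenge_passed", "eci": "05",
                "cavv": make_cavv(tx["pan"], tx["tx_id"], "05", tx["amount"])}
    return {"flow": "challenge_failed", "eci": "07", "cavv": None}


def authorize(msg: dict) -> str:
    """Issuer authorization host. msg carries the fields the chapter names
    (ECI and CAVV) alongside PAN, amount and transaction id."""
    eci, cavv = msg["eci"], msg.get("cavv")
    if eci == "05":
        expected = make_cavv(msg["pan"], msg["tx_id"], eci, msg["amount"])
        if cavv is None or not hmac.compare_digest(expected, cavv):
            return "DECLINED: ECI 05 without valid CAVV"
        return "APPROVED: authenticated"
    if eci == "07":
        return "REFERRED: unauthenticated CNP, merchant liable"
    return "DECLINED: unknown ECI"


# Constructed sample transactions (test PAN, not a real card).
LOW_RISK_TX = {"pan": "4000000000000002", "tx_id": "tx-0001", "amount": 4_500,
               "device_known": True, "ship_country": "DE", "bill_country": "DE",
               "prior_tx_90d": 12}
HIGH_RISK_TX = {"pan": "4000000000000002", "tx_id": "tx-0002", "amount": 85_000,
                "device_known": False, "ship_country": "US", "bill_country": "DE",
                "prior_tx_90d": 0}


def end_to_end(tx: dict, otp_entered: Optional[str] = None,
               otp_expected: Optional[str] = None) -> tuple:
    """Run ACS then authorization; returns (flow, authorization outcome)."""
    result = acs_authenticate(tx, otp_entered, otp_expected)
    if result["eci"] is None:
        return result["flow"], "NOT SUBMITTED: challenge pending"
    msg = {"pan": tx["pan"], "tx_id": tx["tx_id"], "amount": tx["amount"],
           "eci": result["eci"], "cavv": result["cavv"]}
    return result["flow"], authorize(msg)


def tampered_eci_result() -> str:
    """A failed challenge whose ECI is rewritten to 05 on the way to
    authorization is caught because no matching CAVV exists."""
    tx = HIGH_RISK_TX
    msg = {"pan": tx["pan"], "tx_id": tx["tx_id"], "amount": tx["amount"],
           "eci": "05", "cavv": None}
    return authorize(msg)
```

`end_to_end(LOW_RISK_TX)` goes through without a challenge, `end_to_end(HIGH_RISK_TX)` stops at "challenge_required", and supplying the correct code completes it with ECI 05. The point of `tampered_eci_result()` is the one the chapter makes about moving the point of trust: the merchant-side indicator alone proves nothing, so the authorization host must verify the CAVV rather than trust the ECI.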
Conclusion: Dialogue with the Shadow That Drives Progress
The history of changes in payment standards is the history of a dialogue in which one side asks questions through hacks, and the other responds by updating protocols.
Carders became unwitting, yet most demanding, architects. They made a clear diagnosis: "Static data can be stolen here," "There's no human verification," "There's poor UX that can be manipulated."
And the global financial system, grudgingly and counting its losses, was forced to accept the diagnosis and treat the disease at the most fundamental level — at the level of the protocols that the entire world speaks.
Today, when you pay contactlessly with a chip card or confirm a purchase with a fingerprint in an app, you reap the fruits of this forced dialogue. Every element of this security has been tested in the crucible of real, large-scale attacks.
Therefore, the "godfathers of protocols" are not only scientists in laboratories. These are also those who, in the dark, through trial and costly error, demonstrated the security boundaries of the old world, forcing us to build a new one — smarter, more convenient, and, paradoxically, more trusting. Their legacy is not hacking schemes, but the very digital fortresses they unwittingly helped build.