How carders steal money from bank cards

Lord777

Content
  • 1 The most common ways to steal money from cards
    • 1.1 Payments without 3-D Secure
    • 1.2 Attack of the clones
    • 1.3 Offline Chip Transactions and Authentication Attacks
  • 2 White whales
    • 2.1 Distributed attacks on the selection of card details
    • 2.2 How do carders find complete card details?
  • 3 Conclusion
Carders keep inventing new ways to steal money from bank customers' accounts. In this article I will describe the methods criminals use to get around the security of bank cards.

INFO

You can learn how the card security systems themselves work from the previous article.

All methods of bank card fraud can be divided into two categories. The first is mass, well-known fraud. The second is often called "white whales": incidents that happen once every 5-10 years, end in disaster for the attacked banks and multi-million dollar profits for the attackers, and therefore attract a lot of attention from the press and regulators. Either way, the main success criterion for carders and similar crooks is scale and simplicity.

If a carding scheme can be reproduced thousands of times, that guarantees a financial win over the banking system and the future popularity of the method.

The most common ways to steal money from cards
Let's start with the attacks that payment systems and banks have to deal with on a regular basis.

Payments without 3-D Secure
First place in prevalence among fraud schemes goes to online payments, which are made under the card-not-present scheme. Because of their scale, the payment giants introduced an additional dynamic factor: the 3-D Secure code.

What is 3-D Secure
3-D Secure is an additional authorization scheme for online payments that involves three domains (hence the name 3-Domain Secure). The acquirer domain is the online store and its acquiring bank: the store collects the payment data and redirects the cardholder for authentication. The issuer domain is the issuing bank's access control server, where the cardholder enters a one-time code and the bank verifies it. The interoperability domain is the payment scheme's own infrastructure (the directory server), which connects the other two and routes the authentication request and its result. The issuer's verdict is passed back along the chain to the online store, which then submits the authorization together with proof that authentication succeeded.

3-D Secure is a great help against mass fraud schemes. However, some stores, including giants like Amazon, are still not ready to use 3-D Secure, which in their opinion hurts conversion. And the international payment schemes do not insist: the more people spend, the better, as far as they are concerned. Under the current payment rules, if the card supports 3-D Secure but the store does not, the financial risk in the event of a disputed payment lies with the store. If the card does not support 3-D Secure, it lies with the issuing bank. That is why hungry scammers all over the world hunt for stores that do not require 3-D Secure.

Sometimes this can be taken literally: one of the schemes uncovered in the UK in 2018 involved cybercriminals advertising a 50% discount on a major brand's pizza delivery on social media. The brand did not use 3-D Secure, and the orders were paid for with stolen cards bought on various underground markets. The criminals pocketed 50% of the price of every pizza sold. The scheme ran for several months before it was shut down.

Attack of the clones
Second most popular is cloning the card's magnetic stripe. It remains one of the most common attacks on physical card operations (so-called card-present transactions). As is well known, a magnetic stripe is extremely easy to clone.

Some of these crimes rely on specialized malware. The attack must be easily repeatable and scale well, which is why cybercriminals infect the machines that see thousands of cards every day: the cash registers of large supermarket chains.

Because the whole infrastructure around a payment terminal (POS, point of sale) is called a POS system, this class of malware is called POS malware, even though it does not infect the payment terminal itself. It attacks the cash register computer that the terminal is connected to.

In 2013 the American retail chain Target suffered a major attack. The criminals used what was then a still-uncommon approach: compromising the supply chain. After infecting one of Target's contractors, they penetrated the retailer's network, compromised the entire Windows domain, and reached the operating system of the checkout machines. On those machines they ran so-called RAM-scraping Trojans, which scan process memory for patterns that look like magnetic stripe tracks. Whenever tracks were found, the Trojan forwarded them to a C&C server placed on the internal network, which in turn exfiltrated the data to the outside.
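The search a RAM scraper performs is easy to reproduce from the defender's side, which is useful when checking whether a cash register application exposes tracks in clear text in memory. The following is an added example, not code from the article or from any named malware: it scans a byte buffer (a process dump, for instance) for Track 1 and Track 2 layouts as defined in ISO/IEC 7813 and keeps only candidates whose PAN passes the Luhn check, which cuts the false positives that a bare digit pattern produces. The sample buffer is constructed from the article's test number and contains no real card data.

```python
"""Scan a memory buffer for magnetic-stripe track data.

Added example, not code from the article: a defender-side version of the
pattern search that RAM-scraping POS malware performs. Point it at a process
dump of a cash-register application to confirm whether card tracks sit in
clear text in memory (which is exactly what such Trojans harvest). The track
layouts follow ISO/IEC 7813; the sample buffer below is constructed, with
Luhn-valid test numbers, and contains no real card data.
"""
import re
from dataclasses import dataclass

# Track 2: ;PAN=YYMM<service code><discretionary data>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(0[1-9]|1[0-2])(\d{3})\d*\?")
# Track 1: %B<PAN>^<NAME>^YYMM<service code><discretionary data>?
TRACK1_RE = re.compile(
    rb"%B(\d{13,19})\^([A-Z ./'-]{2,26})\^(\d{2})(0[1-9]|1[0-2])(\d{3})[^?]{0,60}\?"
)


def luhn_valid(pan: str) -> bool:
    """Luhn check over the full PAN, including the trailing check digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep BIN and last four digits, hide the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass(frozen=True)
class TrackHit:
    track: int
    offset: int
    pan_masked: str
    expiry: str          # YYMM
    service_code: str
    chip_card: bool      # service code 2xx / 6xx means an IC is present


def scan_tracks(buf: bytes) -> list[TrackHit]:
    """Return every Luhn-valid track found in buf, ordered by offset."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            sc = m.group(4).decode()
            hits.append(TrackHit(2, m.start(), mask_pan(pan),
                                 (m.group(2) + m.group(3)).decode(), sc, sc[0] in "26"))
    for m in TRACK1_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_valid(pan):
            sc = m.group(5).decode()
            hits.append(TrackHit(1, m.start(), mask_pan(pan),
                                 (m.group(3) + m.group(4)).decode(), sc, sc[0] in "26"))
    return sorted(hits, key=lambda h: h.offset)


# Constructed sample: two valid tracks plus a decoy PAN that fails the Luhn check.
SAMPLE_DUMP = (
    b"\x00\x00pos.exe\x00settings=1\x00"
    b"%B1234567812345670^DOE/JOHN^2512201000000000000000?\x00\x00"
    b"log: sale ok\x00"
    b";1234567812345670=2512201000000000000?\x00"
    b";1234567812345671=2512201000000000000?\x00"      # decoy, bad check digit
)

if __name__ == "__main__":
    for hit in scan_tracks(SAMPLE_DUMP):
        print(hit)
```

The service code captured from the track tells you whether the card carries a chip: a 2xx or 6xx code on a stripe that was swiped is the signature of the clone attacks described in the rest of this section.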

Making a copy of a magnetic stripe card takes a few seconds and a stripe writer that you can buy on Amazon. The attackers make a clone and take it to stores in America or Europe. Dumps of card tracks are freely bought and sold on numerous hacker forums.

Why are cloned magnetic stripe cards still so popular when almost all cards now have a chip? It is simple: in many American stores you can still pay with a chip card by swiping the magnetic stripe instead of using the chip. Oddly enough, over the last 5-10 years the United States has been the most backward market in this respect, and it is the reason the magnetic stripe is still present on bank cards.

If the payment terminal refuses to accept the magnetic stripe outright, there is a scheme that works in both the Americas and Europe: technical fallback. The attacker inserts a card with a non-working (or absent) chip into the ATM or terminal three times; after the third failed read, the terminal offers to carry out the transaction on the magnetic stripe.

In all of these cases the rules put the liability on the store that performed such a high-risk operation. Moreover, payment schemes such as Mastercard recommend declining transactions made in technical fallback mode, to avoid reputational damage. Nobody wants to investigate whether the customer's card was really stolen or whether the customer simply decided not to pay and declared the transaction fraudulent. Still less does anyone want to explain to angry customers why televisions worth thousands of dollars were bought with their cards hundreds of kilometres from where they actually were.
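The recommendation above translates into a small authorization rule. What follows is an added example, not code from the article or from any payment scheme: it classifies an authorization request by how the card was read and declines technical fallback and stripe reads of chip cards. It assumes two fields that ISO 8583 based host interfaces carry, the POS entry mode (here DE22 values 02/90 for a stripe read, 05 for chip, 07 for contactless chip and 80 for fallback to stripe after a failed chip read) and the Track 2 service code (first digit 2 or 6 means the card has a chip). Exact code values differ between schemes, so check your own interface specification; the sample requests are constructed.

```python
"""Authorization rule for stripe fallback and stripe-on-chip-card transactions.

Added example, not code from the article. It implements the recommendation
given in the text: treat technical fallback, and a magnetic-stripe read of a
card that carries a chip, as high risk and decline or hold it. Two fields are
assumed to be present on the request, as in ISO 8583 based host interfaces:
the POS entry mode (DE22: 02 or 90 = stripe read, 05 = chip, 07 = contactless
chip, 80 = stripe read after a failed chip read, i.e. fallback) and the Track 2
service code, whose first digit 2 or 6 marks a chip card. Code values differ
between schemes; verify them against your own interface specification.
"""
from dataclasses import dataclass

STRIPE_READ = {"02", "90"}
CHIP_READ = {"05", "07"}
FALLBACK = "80"


@dataclass(frozen=True)
class AuthRequest:
    pan_last4: str
    entry_mode: str            # DE22 POS entry mode, first two digits
    service_code: str          # three digits from Track 2
    terminal_chip_capable: bool
    amount_minor: int          # amount in minor units (cents)


def card_has_chip(service_code: str) -> bool:
    """Service code 2xx or 6xx: an integrated circuit is present on the card."""
    return len(service_code) == 3 and service_code[0] in "26"


def assess(req: AuthRequest) -> tuple[str, str]:
    """Return (decision, reason); decision is approve, decline or review."""
    if req.entry_mode == FALLBACK:
        return "decline", "technical fallback: chip failed to read, stripe used instead"
    if req.entry_mode in STRIPE_READ:
        if not card_has_chip(req.service_code):
            return "approve", "stripe-only card read on stripe"
        if req.terminal_chip_capable:
            return "decline", "chip card swiped at chip-capable terminal: probable clone"
        return "review", "chip card swiped at stripe-only terminal: liability on merchant"
    if req.entry_mode in CHIP_READ:
        return "approve", "chip or contactless read; issuer verifies the cryptogram"
    return "review", f"unexpected POS entry mode {req.entry_mode}"


def assess_batch(requests: list[AuthRequest]) -> list[tuple[str, str, str]]:
    """Apply assess() to a batch and keep the card's last four digits for the log."""
    return [(r.pan_last4, *assess(r)) for r in requests]


if __name__ == "__main__":
    # Constructed sample authorizations (no real data).
    batch = [
        AuthRequest("5670", "05", "201", True, 4599),     # normal chip sale
        AuthRequest("5688", "90", "201", True, 129900),   # chip card swiped: cloned stripe
        AuthRequest("5696", "80", "201", True, 89900),    # fallback after "failed" chip
        AuthRequest("1111", "90", "101", False, 1500),    # legacy stripe-only card
    ]
    for row in assess_batch(batch):
        print(row)
```

The "review" branch for a chip card swiped at a stripe-only terminal mirrors the liability rule in the text: the transaction may be legitimate, but if it is disputed the merchant pays, so it is worth a second look rather than a hard decline.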

And what about Russia?
In Russia, a terminal must not accept the magnetic stripe for payment if the card has a chip, and technical fallback is supposed to be banned as well. There are unpleasant exceptions, though: underground forums recently discussed that the Auchan chain has terminals that accept technical fallback transactions. In any case, even if hackers cannot use Russian cards in Russia, nothing stops them from selling the data to other hackers in Europe or America for monetization there.

Offline Chip Transactions and Authentication Attacks
Under the rules of modern payment schemes, 99.9% of card transactions must be performed online, with the cryptogram verified on the issuing bank's side. The exceptions are the metro, in-flight payments and cruise ships: places where connectivity is intermittent or there is no time to wait for the issuer's response, as at metro turnstiles.

When the EMV protocols were created, many payment schemes worked offline using so-called floor limits: transactions above the limit had to be confirmed online, while those below it were approved locally, by the terminal itself. Even 5-10 years ago the number of such terminals, especially in Latin and North America, was large enough to make mass attacks on the weaknesses of offline card authentication worthwhile.

White whales
Chip cards and transaction confirmation with a 3-D Secure code were invented precisely to protect against mass, simple fraud. These protections are not perfect and have had problems of their own, which experts warned about from the very start. Still, such cards cannot be attacked en masse, and when an attack does succeed it looks more like a blitzkrieg: everything happens within days or hours, a small group of attackers takes the maximum profit and disappears. That is why every such case or new scheme is of great interest to experts.

I call such cases white whales: incidents that happen once every 5-10 years, end in disaster for the attacked banks and multi-million dollar profits for the attackers, and therefore attract a lot of attention from the press and regulators. I will discuss several types of such attacks to illustrate fundamental flaws in card payment technology.

Distributed attacks on the selection of card details
These attacks are often called BIN master attacks or distributed guessing attacks. The names come from the loudest case, in 2016, when the British Tesco Bank was hit by a distributed attack of such magnitude that it had to suspend card payments for 48 hours. Within a few days the attackers took about £2.5 million from around 20,000 accounts (Tesco later revised the figures down to £2.26 million and about 9,000 accounts).

As mentioned, such data can easily be used to pay in online stores that have no 3-D Secure. There is a caveat, however: in 2018 the regulator fined the bank £16.4 million for the 2016 attack, which most likely indicates that the cards themselves were not enrolled in 3-D Secure.

The rules known as the 3-D Secure liability shift determine who is responsible for a fraudulent transaction: if the bank does not enrol its cards in 3-D Secure, the liability for fraud lies with the bank; if a 3-D Secure card is used at a store that does not support the technology, for example Amazon, the liability lies with the online store.

How do carders find complete card details?
Suppose we have one card: our own. Its number consists of several parts. The first six digits are the BIN, the bank identification number. Cards from one BIN may be issued on behalf of several institutions, and a bank may own several BIN ranges, but the BIN is the starting point of the attack and gives it its name. The last digit is a check digit computed with the Luhn algorithm.

Suppose our card number is 1234 5678 1234 5670. The next card number in this range that passes the Luhn check ends in 5688, the next in 5696, and so on. There is a non-zero chance that cards 5688 and 5696 exist and are active.

Next we need the Expiry Date field. If the bank issues card numbers sequentially, the customer who got a card right after you will have the number ending in 5688. If the bank is large and opens hundreds of cards a day, that card's Expiry Date will most likely coincide with yours or differ by one month.
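The arithmetic above, as an added example that is not part of the original article: from one known PAN it produces the next numbers in the range that pass the Luhn check and the Expiry Date candidates an attacker would try first. It also goes one step beyond the text with an issuer-side audit that estimates, from a sample of issued PANs, whether issuance is sequential, which is the condition the PAN randomization recommended below is meant to remove. All numbers are the article's constructed test values, not real cards.

```python
"""Enumerate neighbouring card numbers and audit issuance for sequential PANs.

Added example, not code from the article. It shows the arithmetic the text
describes: from one known PAN, the next numbers in the range that pass the
Luhn check, and the Expiry Date candidates an attacker would try first. It
also includes an issuer-side audit that estimates, from a sample of issued
PANs, whether issuance is sequential (the condition that PAN randomization
is meant to remove). All numbers are constructed test values from the
article's example, not real cards.
"""


def luhn_check_digit(body: str) -> str:
    """Check digit that makes body + digit pass the Luhn check."""
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:          # these positions get doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    """True when the PAN's last digit is the correct Luhn check digit."""
    return luhn_check_digit(pan[:-1]) == pan[-1]


def next_pans(pan: str, count: int) -> list[str]:
    """The next `count` Luhn-valid PANs after `pan`, in numeric order."""
    if not luhn_valid(pan):
        raise ValueError("starting PAN fails the Luhn check")
    width = len(pan) - 1
    body = int(pan[:-1])
    out = []
    for k in range(1, count + 1):
        b = str(body + k).zfill(width)
        out.append(b + luhn_check_digit(b))
    return out


def expiry_candidates(yymm: str) -> list[str]:
    """Same month, one month earlier and one month later, as YYMM strings."""
    year, month = int(yymm[:2]), int(yymm[2:])
    idx = year * 12 + (month - 1)            # months since 00/01
    result = []
    for delta in (-1, 0, 1):
        y, m = divmod(idx + delta, 12)
        result.append(f"{y % 100:02d}{m + 1:02d}")
    return result


def sequential_fraction(pans: list[str]) -> float:
    """Issuer-side audit: share of adjacent account numbers (PAN without its
    check digit) that differ by exactly 1. Close to 1.0 means sequential
    issuance; a randomized scheme gives a value near 0."""
    bodies = sorted(int(p[:-1]) for p in pans)
    if len(bodies) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(bodies, bodies[1:]) if b - a == 1)
    return steps / (len(bodies) - 1)


if __name__ == "__main__":
    known = "1234567812345670"
    print(next_pans(known, 2))            # ['1234567812345688', '1234567812345696']
    print(expiry_candidates("2512"))      # ['2511', '2512', '2601']
    print(sequential_fraction([known] + next_pans(known, 4)))   # 1.0
```

Run `sequential_fraction` over a day's worth of newly issued PANs: a value near 1.0 means that anyone holding one card in the range can enumerate its neighbours exactly as described above.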

To protect against such guessing, payment schemes recommend PAN randomization: issuing card numbers randomly rather than sequentially. The Expiry Date of card 5688 then becomes harder to find.

But there are no unsolvable problems. Plenty of banking services help to confirm a PAN / Expiry Date pair: password or login recovery in the mobile bank, sign-up for online banking, refunds in merchant acquiring.

Finally, the three digits on the back of the card, CVV2 / CVC2, remain to be guessed. At the end of 2016, when researchers at Newcastle University first analysed the Tesco Bank attack, they found that 291 of the 400 most popular online services allowed the CVV2 field to be guessed without limit. This is not surprising: the money does not belong to the owners of those services, and the service is merely a tool for the attacker. So cybercriminals will always have enough tools to brute-force card details. In 2019, for example, a similar weakness was fixed in the PayPal payment module of the Magento CMS.
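Merchants that allow unlimited CVV2 attempts are outside the issuer's control, but the issuer sees every authorization attempt and can correlate them. The following is an added example, not code from the article: a detection rule run over a constructed authorization log that flags a card when too many CVV2 mismatches arrive within a short window from several merchants or with several different expiry dates, records whether a matching attempt followed (the guess succeeded), and aggregates flagged cards per BIN to spot a BIN-wide distributed attack of the Tesco kind. The log format, field names and thresholds are assumptions made for this example, and the card numbers are the article's test values.

```python
"""Issuer-side detection of distributed card-detail guessing.

Added example, not code from the article. The rule below, run over a
constructed authorization log, flags a PAN when too many CVV2 mismatches
arrive within a short window from several merchants or with several
different expiry dates, notes whether a matching attempt followed (the
guess succeeded), and aggregates flagged PANs per BIN to spot a BIN-wide
attack. The log format and thresholds are assumptions for this example,
and the card numbers are the article's test values, not real cards.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed log line: <ISO timestamp> mid=<merchant> pan=<PAN> exp=<YYMM> cvv2=<M|N>
LINE_RE = re.compile(r"^(\S+) mid=(\S+) pan=(\d{13,19}) exp=(\d{4}) cvv2=([MN])$")


def parse_log(text: str) -> list[tuple]:
    """(timestamp, merchant, pan, expiry, cvv2_matched) per line, time-ordered."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # ignore malformed lines rather than fail the run
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4), m.group(5) == "M"))
    return sorted(events)


def detect_guessing(text: str, window_s: int = 600, max_failures: int = 5,
                    min_merchants: int = 3, min_expiries: int = 3) -> dict:
    """Return {pan: details} for PANs that look like guessing targets."""
    by_pan = defaultdict(list)
    for ev in parse_log(text):
        by_pan[ev[2]].append(ev)

    flagged = {}
    window = timedelta(seconds=window_s)
    for pan, events in by_pan.items():
        fails = [e for e in events if not e[4]]
        start = 0
        for end in range(len(fails)):          # sliding window over CVV2 mismatches
            while fails[end][0] - fails[start][0] > window:
                start += 1
            win = fails[start:end + 1]
            merchants = {e[1] for e in win}
            expiries = {e[3] for e in win}
            if len(win) >= max_failures and (len(merchants) >= min_merchants
                                             or len(expiries) >= min_expiries):
                last_fail = win[-1][0]
                flagged[pan] = {
                    "failures": len(win),
                    "merchants": len(merchants),
                    "expiries": len(expiries),
                    # a CVV2 match after the burst means the attacker found the code
                    "match_after": any(e[4] and e[0] > last_fail for e in events),
                }
                break
    return flagged


def bins_under_attack(flagged: dict, min_pans: int = 2) -> dict:
    """BINs with at least min_pans flagged cards: the distributed pattern."""
    counts = Counter(pan[:6] for pan in flagged)
    return {b: n for b, n in counts.items() if n >= min_pans}


# Constructed sample: two cards under attack (one guess succeeds), one legitimate typo.
SAMPLE_LOG = """\
2016-11-05T01:12:03Z mid=shop-a pan=1234567812345688 exp=2511 cvv2=N
2016-11-05T01:12:07Z mid=shop-b pan=1234567812345688 exp=2511 cvv2=N
2016-11-05T01:12:11Z mid=shop-c pan=1234567812345688 exp=2512 cvv2=N
2016-11-05T01:12:14Z mid=shop-a pan=1234567812345688 exp=2512 cvv2=N
2016-11-05T01:12:19Z mid=shop-d pan=1234567812345688 exp=2601 cvv2=N
2016-11-05T01:12:25Z mid=shop-b pan=1234567812345688 exp=2601 cvv2=M
2016-11-05T01:13:02Z mid=shop-a pan=1234567812345696 exp=2512 cvv2=N
2016-11-05T01:13:05Z mid=shop-c pan=1234567812345696 exp=2512 cvv2=N
2016-11-05T01:13:09Z mid=shop-e pan=1234567812345696 exp=2512 cvv2=N
2016-11-05T01:13:13Z mid=shop-a pan=1234567812345696 exp=2512 cvv2=N
2016-11-05T01:13:18Z mid=shop-e pan=1234567812345696 exp=2512 cvv2=N
2016-11-05T02:40:00Z mid=shop-a pan=1234567812345670 exp=2512 cvv2=N
2016-11-05T02:40:31Z mid=shop-a pan=1234567812345670 exp=2512 cvv2=M
"""

if __name__ == "__main__":
    hits = detect_guessing(SAMPLE_LOG)
    for pan, info in hits.items():
        print(pan[:6] + "******" + pan[-4:], info)
    print("BINs under attack:", bins_under_attack(hits))
```

The per-merchant rate limit that the Newcastle study found missing at most shops is what the issuer-side correlation compensates for: a single store sees one or two attempts per card, only the issuer sees all of them together.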

Another variation of this attack that cybercriminals use frequently is to enrol the brute-forced details in a Google Pay or Apple Pay mobile wallet. The irony is that one of the most high-profile scams of this kind targeted Apple's own stores. Many banks (again, in America) require no additional verification by one-time code or phone call when a card is added to Apple Pay.

This means that, knowing only the card number, its expiry date and the CVV2 code, you can provision a fully functional virtual card that can be used to pay around the world, not just in the USA.

There is one more protection for card-not-present payments: the address verification system (AVS). When a payment is made, the payment system also checks the numeric parts of the billing address and postcode registered for the card. Payment terminals that support PAN key entry can use the same check.

Conclusion
According to Positive Technologies estimates, up to 50% of banks still do not protect their customers from brute-forcing of CVV2 and Expiry Date values. That is why fraudsters in Latin America so actively search the world for cards and banks vulnerable to these attacks.

I will talk about other "white whales" of card fraud next time.

(c) https://xakep.ru/2021/02/04/credit-cards-fraud/