Online credit card fraud - carding: can it be effectively countered?

Tomcat
Recently, articles about online fraud with bank credit cards have appeared quite often in print and Internet publications, and from them it follows that paying for goods and services with a credit card over the Internet will one day inevitably end in theft of the card details and financial losses for its owner. Overall, this type of fraud is presented as a real danger to online commerce. Let's try to figure out how serious these threats actually are, whether Internet merchants and Internet buyers are really so defenseless against scammers, and whether Internet scammers are really as omnipotent as they are made out to be. First of all, a few numbers. According to the US Federal Chamber of Commerce, annual losses from plastic card fraud exceed $2 billion. What share of these losses comes from Internet payments is not specified, but by some estimates losses from fraud in Internet commerce amount to about 1% of turnover. Meanwhile, according to the American Internet Fraud Complaint Center (www.ifccfbi.gov), in 2024 only 12% of online crimes involved theft of credit card information (first place, as before, is firmly held by online auction fraud).

What can threaten the owner of a credit card who pays on the Internet? The obvious answer is that the card data can be stolen. Indeed, in recent years there have been many cases of large-scale theft of databases containing credit card details. One of the earliest was the Russian hacker Maxim Ivankov (Maxus), who stole a database of about 300 thousand credit cards from the American online store CD Universe. He tried to extort a ransom of 100 thousand dollars from CD Universe for this data, and after the store refused, he posted about 25 thousand card numbers on the website of the American company Lightrealm Inc. Another example: in February 2003, an unknown hacker broke into the security system of Data Processors International and stole the details of approximately 8 million plastic cards belonging to almost all of the international payment systems.

However, the theft itself does not cause financial losses to either the cardholder or the store from which the data was stolen: the fraudster must still somehow use the funds on the card account. There are various ways to do this, the main ones being transferring money from the card account to somewhere it can be withdrawn, or paying with the card for goods and services on the Internet. The feasibility of both is discussed in more detail below, but first one fundamental point. Within the international payment systems (Visa, MasterCard, American Express, Diners Club) there is the concept of an "issuing bank", i.e. the bank that issues the credit card to the user, and an "acquiring bank", which ensures that credit cards are accepted for payment by merchants. The same bank can act as both issuer and acquirer. When a cardholder makes a purchase at a store, the card details entered at the store are sent as an authorization request to the acquiring bank and from there to the issuing bank.

The issuing bank checks that the information about the card and its holder is correct and that funds are available on the card account, and based on the result either approves or declines the purchase. A positive response from the issuing bank is a guarantee that the acquiring bank will receive the money and transfer it to the store's account. Under the rules of the international payment systems, in ordinary offline trade the issuing bank bears liability for fraudulent card transactions, i.e. in case of fraud it returns the debited funds to the cardholder at its own expense. In Internet commerce, liability for fraudulent transactions falls on the acquiring bank, which most often passes it on to the store, so the refund to the cardholder is ultimately made at the expense of the online store through which the fraudulent transaction went. The first conclusion that follows: the scare stories circulating in some places, that by paying with a card on the Internet you risk losing a lot of money from your card account to fraudsters, have no serious basis. If a cardholder who followed the recommendations of his issuing bank nevertheless becomes a victim of fraud, he has the right to dispute the transactions he did not make, and the bank is obliged to compensate his losses.

Conclusion two: the most unprotected link in the online purchase chain is the online store itself, since ultimately it is at its expense that the cardholder is compensated for losses. But since there are a huge number of online stores in the world that accept credit cards, and many of them are thriving (unfortunately, this hardly applies to Russia), protection systems that can effectively resist fraud must exist. Now let's return to the ways of cashing out stolen credit card details. To consider the option of transferring funds according to the scheme "victim's card account to attacker's account", let's take the PayPal payment system (www.paypal.com) as an example. The system was founded in 1998 by the American Peter Thiel and the Ukrainian-born Max Levchin, and it gives its users the ability to send and receive payments using e-mail. To become a user of the system, you fill out a registration form and open a personal account in the system, which you can also top up with a credit card. PayPal then lets the user transfer an amount from his personal account to another PayPal user, or even to a complete stranger who has only an e-mail address.

The appearance of such a system opened up wide opportunities for fraudsters, since it was enough to register using stolen credit card details, top up the account, and then transfer the money and cash it out. The authors of PayPal therefore progressively introduced a number of measures designed to protect against fraudulent transactions, namely:
  • regional restrictions: only a resident of the United States (and a small number of other countries) who holds an account at a US bank can become a full-fledged PayPal user;
  • bank account verification: during registration the user enters his bank account details, and the system subsequently makes two micro-deposits of less than $1 each into that account; the user must then enter the two amounts into a special registration window, and if they match, the account is considered verified;
  • CVV2/CVC2 code checking: the CVV2 code for Visa cards (CVC2 for MasterCard) is a three-digit number printed on the back of the card and intended to increase the security of Internet transactions; it is not embossed and is not encoded on the magnetic stripe, so a copy of the card number and expiry date alone does not contain it;
  • anti-fraud analysis of PayPal accounts and of the transactions carried out on them against a defined set of rules;
  • blocking of suspicious accounts.

Obviously, having obtained only credit card details by hacking an online store, an attacker is unlikely to be able to transfer funds from the card using PayPal or a similar system with properly configured anti-fraud settings.

Online stores are a more attractive target for using stolen credit card details, whether for purchasing physical goods or paying for virtual services (for example, hosting, access to paid information, etc.). However, stores, like electronic payment systems, take measures against fraud. Anti-fraud protection for an online store can be built either directly on the store's side or on the side of the payment gateway or billing company that serves it. As a rule, such protection is a set of filters and rules: if a transaction satisfies the rules it is let through, otherwise it is rejected. Such filters may include:
  • the transaction security mechanisms offered by the payment systems, such as the CVV2/CVC2 codes mentioned above and, for certain types of cards, AVS (Address Verification Service) checking, which verifies the billing address the buyer supplies against the one the issuer has on file for the cardholder;
  • checking the information the buyer provides about the card and about himself when placing the order (card parameters, the holder's name and address, the delivery address of the goods, etc.). For example, if the cardholder's billing address differs from the delivery address, the transaction is examined more closely and is either declined or the merchant contacts the cardholder for additional confirmation;
  • analysis of data about the buyer's Internet connection to the store's website (for example, if the buyer comes to the site through an anonymous proxy server, the transaction is very likely to be rejected);
  • analysis of statistical patterns identified by studying fraudsters' tactics (a large number of transactions from different credit cards to one delivery address within a limited period of time will certainly be treated as a sign of fraud).

An example of such an anti-fraud system is Advanced Fraud Screen (developed by Cybersource, www.cybersource.com), which checks several dozen parameters and assigns each transaction its own risk score in the range 0 to 99.
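To make the filter-and-score approach concrete, here is an added example in Python (illustrative code written for this page, not Cybersource's Advanced Fraud Screen or any real gateway). It scores each order on the 0 to 99 scale from the rules listed above: CVV2/CVC2 and AVS results, billing versus delivery address, an anonymous proxy in front of the buyer, and the velocity rule (several distinct cards shipping to one address inside a window). The point weights, thresholds, response codes and sample orders are all constructed assumptions. The CVV rule deliberately treats anything other than an explicit issuer match as a failure rather than a pass, which is the configuration choice that separates a filter that works from one that lets a placeholder code through.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed cut-offs on the 0..99 risk scale; a real gateway tunes these per merchant.
REJECT_AT = 70
REVIEW_AT = 40


@dataclass(frozen=True)
class Order:
    order_id: str
    card_token: str         # tokenised card reference; the raw PAN never enters the screen
    billing_address: str
    shipping_address: str
    avs_result: str         # Y = street+zip match, A/Z = partial match, N = no match, U = unavailable
    cvv_result: str         # M = match, N = no match, P = not processed, U = issuer unavailable
    anonymous_proxy: bool   # client IP resolved to a known anonymising proxy
    placed_at: datetime


def _normalize(address: str) -> str:
    return " ".join(address.lower().replace(",", " ").split())


class FraudScreen:
    """Scores each order against the filters described above and keeps the
    per-address history the velocity rule needs."""

    AVS_POINTS = {"Y": 0, "A": 15, "Z": 15, "N": 40, "U": 25}

    def __init__(self, window=timedelta(hours=24), max_cards_per_address=3):
        self.window = window
        self.max_cards = max_cards_per_address
        self._seen = []     # (normalised ship-to address, card_token, placed_at)

    def screen(self, order: Order):
        points, reasons = 0, []
        ship_to = _normalize(order.shipping_address)

        # CVV2/CVC2: only an explicit issuer match passes.  A filter that rejects
        # on 'N' but waves 'P'/'U' through is the permissive configuration that
        # lets a card carrying a placeholder code slip past.
        if order.cvv_result == "N":
            points += 99
            reasons.append("cvv_mismatch")
        elif order.cvv_result != "M":
            points += 50
            reasons.append(f"cvv_unverified:{order.cvv_result}")

        # AVS: unknown response codes are treated like a mismatch, not like a pass.
        avs = self.AVS_POINTS.get(order.avs_result, 40)
        if avs:
            points += avs
            reasons.append(f"avs:{order.avs_result}")

        # Goods going somewhere other than the cardholder's billing address.
        if _normalize(order.billing_address) != ship_to:
            points += 20
            reasons.append("ship_to_differs_from_billing")

        # Connection data: an anonymising proxy in front of the buyer.
        if order.anonymous_proxy:
            points += 35
            reasons.append("anonymous_proxy")

        # Velocity: distinct cards shipping to one address inside the window.
        # Rejected attempts are kept in the history too, so probing counts.
        cutoff = order.placed_at - self.window
        cards = {tok for addr, tok, at in self._seen if addr == ship_to and at >= cutoff}
        cards.add(order.card_token)
        if len(cards) >= self.max_cards:
            points += 45
            reasons.append(f"velocity:{len(cards)}_cards_to_one_address")
        self._seen.append((ship_to, order.card_token, order.placed_at))

        points = min(points, 99)
        decision = "reject" if points >= REJECT_AT else "review" if points >= REVIEW_AT else "accept"
        return points, decision, reasons


def run_sample():
    """Screens a constructed batch of orders; returns [(order_id, points, decision), ...]."""
    t0 = datetime(2003, 4, 1, 12, 0)
    home = "12 Oak St, Springfield, IL 62701"
    drop = "7 Pine Ave, Apt 3, Anytown, TX 75001"
    orders = [
        Order("o1", "tok_a", home, home, "Y", "M", False, t0),                          # clean
        Order("o2", "tok_b", home, drop, "N", "M", True, t0 + timedelta(minutes=5)),    # classic reship
        Order("o3", "tok_c", drop, drop, "Y", "M", False, t0 + timedelta(minutes=10)),  # 2nd card to drop
        Order("o4", "tok_d", drop, drop, "Y", "M", False, t0 + timedelta(minutes=20)),  # 3rd card to drop
        Order("o5", "tok_e", home, home, "Y", "P", False, t0 + timedelta(hours=1)),     # CVV never checked
    ]
    screen = FraudScreen()
    return [(o.order_id, *screen.screen(o)[:2]) for o in orders]
```

Running `run_sample()` shows the behaviour the filters are meant to produce: the clean order is accepted, the proxy-plus-reship order is rejected outright, the third card to the same drop address trips the velocity rule into manual review even though each order on its own looks fine, and an order whose CVV was never verified lands in review instead of being waved through.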

In fairness, none of these anti-fraud systems provides 100% protection from scammers: each filter element can be bypassed, but doing so is painstaking and time-consuming work whose description is beyond the scope of this article. What matters is that whereas a few years ago it was possible to buy goods with generated credit card numbers and have them delivered without problems, say, to Moscow, today a purchase with a stolen card requires a complex and costly scheme with several participants, each of whom can at any moment either be detained by law enforcement or, as they say, rip off his partners. So this once quite profitable criminal business is now a kind of lottery in which the risk is certain and the gain doubtful. The payment systems, for their part, are not stopping there and continue to take steps to improve the security of Internet card transactions. Thus, on April 1 of this year, the 3D Secure technology developed by the Visa payment system came into operation. Its essence is that an issuing bank that supports the technology can attach a special passphrase to the card, which it communicates to the cardholder.

When making a purchase in an online store that also uses 3D Secure, the buyer enters his password in a special window on the website, and the password is verified by the issuing bank. The system is designed so that the password is transmitted in encrypted form directly to the issuer and is not available to either the store or the acquiring bank. Thus, even if card details are stolen by hacking an online store or payment gateway, an attacker is still expected to be unable to obtain the password, since it is known only to the cardholder and the bank that issued the card. However, the main feature of 3D Secure is not the technical solution but the fact that it redistributes liability for fraudulent transactions: if a fraudulent transaction goes through an online store that uses 3D Secure, then under the rules of Visa liability for it is borne not by the acquiring bank but by the issuing bank, regardless of whether the issuer itself uses 3D Secure or not. The benefits of 3D Secure for an online store are clear, but issuers find themselves in a more difficult position, because they face a choice: either buy a very expensive 3D Secure solution and protect themselves from fraudsters, or close their cards to use in online stores and give ground to competing banks, or do nothing and hope that the fraud passes them by.
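The design point in the paragraph above, that the password is checked by the issuer and the merchant only ever forwards the issuer's answer, is easier to see in code. What follows is an added Python model written for this page; it is not Visa's 3D Secure implementation and does not reproduce its real message formats. The three parties, the PBKDF2 storage of the passphrase, the HMAC "proof" standing in for the authentication value the merchant attaches to its authorization request, and the test card number and passphrase are all constructed assumptions. The demo runs four cases: the genuine cardholder, a thief who holds the stolen card details but not the passphrase, a thief who forges an "authenticated" result without the issuer's key, and a replay of a genuine result against a different amount.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthResult:
    """What the issuer hands back after the cardholder has (or has not) typed the
    passphrase. 'proof' is a MAC under a key only the issuer holds; it stands in
    for the authentication value the merchant forwards with the authorisation."""
    pan_last4: str
    amount_cents: int
    merchant_id: str
    authenticated: bool
    proof: bytes


class Issuer:
    def __init__(self):
        self._mac_key = secrets.token_bytes(32)   # never leaves the issuer
        self._cards = {}                          # PAN -> (salt, PBKDF2 hash of passphrase)

    @staticmethod
    def _kdf(passphrase: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)

    def enroll(self, pan: str, passphrase: str) -> None:
        salt = os.urandom(16)
        self._cards[pan] = (salt, self._kdf(passphrase, salt))

    def _proof(self, pan_last4, amount_cents, merchant_id, authenticated) -> bytes:
        msg = f"{pan_last4}|{amount_cents}|{merchant_id}|{int(authenticated)}".encode()
        return hmac.new(self._mac_key, msg, "sha256").digest()

    def authenticate(self, pan, passphrase, amount_cents, merchant_id) -> AuthResult:
        """The cardholder's 'special window': the passphrase is checked here and
        nowhere else, and only the result leaves the issuer."""
        ok = False
        if pan in self._cards:
            salt, stored = self._cards[pan]
            ok = hmac.compare_digest(stored, self._kdf(passphrase, salt))
        last4 = pan[-4:]
        return AuthResult(last4, amount_cents, merchant_id, ok,
                          self._proof(last4, amount_cents, merchant_id, ok))

    def authorize(self, pan, amount_cents, merchant_id, result: AuthResult) -> str:
        """Authorisation request as it arrives via the acquirer, result attached."""
        bound_to = (result.pan_last4, result.amount_cents, result.merchant_id)
        expected = self._proof(pan[-4:], amount_cents, merchant_id, result.authenticated)
        if bound_to != (pan[-4:], amount_cents, merchant_id) or \
                not hmac.compare_digest(expected, result.proof):
            return "declined: proof does not match this transaction"
        if not result.authenticated:
            return "declined: cardholder not authenticated"
        return "approved"


class Merchant:
    def __init__(self, merchant_id: str, issuer: Issuer):
        self.merchant_id = merchant_id
        self.issuer = issuer      # reached through the acquirer in reality
        self.log = []             # everything the merchant's systems ever record

    def checkout(self, pan: str, amount_cents: int, cardholder) -> str:
        # Step 1: hand the buyer over to the issuer with the transaction context.
        # The merchant never sees what is typed in the issuer's window.
        result = cardholder(self.issuer, pan, amount_cents, self.merchant_id)
        self.log.append(("auth_result", result))
        # Step 2: authorisation request with the issuer's result attached.
        outcome = self.issuer.authorize(pan, amount_cents, self.merchant_id, result)
        self.log.append(("authorization", outcome))
        return outcome


def run_demo() -> dict:
    issuer = Issuer()
    pan = "4111111111111111"       # constructed test PAN
    issuer.enroll(pan, "correct horse battery")
    shop = Merchant("SHOP-42", issuer)

    # The genuine cardholder types the passphrase into the issuer's window.
    genuine = shop.checkout(pan, 4999, lambda iss, p, amt, mid:
                            iss.authenticate(p, "correct horse battery", amt, mid))
    # A thief holds the PAN, expiry and CVV2 from a breached store, not the passphrase.
    stolen = shop.checkout(pan, 4999, lambda iss, p, amt, mid:
                           iss.authenticate(p, "password1", amt, mid))
    # Or forges an 'authenticated' result without the issuer's key.
    forged = shop.checkout(pan, 4999, lambda iss, p, amt, mid:
                           AuthResult(p[-4:], amt, mid, True, secrets.token_bytes(32)))
    # Or replays the genuine result against a bigger amount: the proof is bound to it.
    replay = issuer.authorize(pan, 99999, "SHOP-42", shop.log[0][1])

    return {
        "genuine": genuine, "stolen": stolen, "forged": forged, "replay": replay,
        "passphrase_in_merchant_log": any("correct horse battery" in repr(e) for e in shop.log),
    }
```

Two things are worth noticing in `run_demo()`. Only the genuine checkout is approved, and the merchant's log, which is the data an attacker would get by compromising the store, contains the issuer's result and the authorization outcome but never the passphrase. That is what makes the liability shift defensible: the issuer alone can produce a valid "authenticated" proof, so a fraudulent transaction that carries one is a failure of the issuer's own check, not of the store's.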

It cannot be ruled out that in the early stages of the 3D Secure rollout there will be some surge in fraud (which, again, will not affect cardholders financially) at the expense of issuing banks of the third category, those that take no action. Fraudsters are a flexible and responsive community that reacts instantly to the appearance of weaknesses in a payment system. For example, after PayPal introduced CVV2/CVC2 checking, they quickly found out that credit cards of a certain type with the universal code 000 passed through this filter. A similar situation was observed with one of the Russian electronic payment systems. But even if such banks exist, then, having learned from bitter experience, they will eventually move into one of the first two categories, leaving attackers even fewer chances of carrying out fraud successfully.

So what do we see as a result? The problem of bank card fraud on the Internet really exists, and there is a fairly sharp confrontation between banks and payment systems on the one hand and fraud groups on the other. There are many fraud schemes, many of which were not even mentioned in this article, but there are also adequate protection mechanisms that keep fraud within limits acceptable to the participants in e-commerce. Unfortunately, fraud as a phenomenon cannot be eradicated, since it is rooted in human psychology, and it will develop and evolve together with the technological development of mankind, but losses from fraud can always be minimized. To achieve maximum effect, this process must be supported at every level, from the state (by developing a unified state policy to combat high-tech fraud) down to the end participants of the payment system (by supporting this policy and choosing specific protection measures).

(c) Expert S.N. Khrenov
 