Carding 4 Carders
Carding is any fraudulent operation associated with plastic cards.
Sergey Prokhorov, an expert at KORUS Consulting, explains what types of carding exist and how to deal with them.
Consumers have begun to trust online shopping more and to use plastic cards more actively. According to Nielsen, 90% of Russians have made at least one online purchase in the past two years.
According to the Central Bank of the Russian Federation, in 2018 almost one and a half billion rubles were stolen from the cards of Russians. And global losses, according to Nielsen, make up about one tenth of a percent of the world turnover on plastic cards. At the same time, the level of anxiety among cardholders is very low: people have not changed their passwords for years and continue to use shops that store their card data.
Alongside its obvious advantages, the use of bank cards carries certain risks not only for cardholders but also for businesses, which can suffer millions in losses as well as reputational damage.
There are several universal fraud prevention methods that businesses can use to secure their consumer transactions. However, important safety aspects and even regulatory requirements are still often overlooked.
What is carding
Carding can be of two types:
- with physical access to a card or ATM,
- remote attacks.
Today, service staff bring the terminal to the customer rather than taking the card away. Both physical and electronic means of protection are installed on ATMs to detect skimmers (miniature devices that are attached to the ATM and read card data).
In addition, devices with contactless payment methods are becoming popular. All of these have contributed to a reduction in skimmer fraud.
However, the most dangerous attacks are still those of the BlackBox class, in which a miniature computer is connected to an ATM and forces it to dispense all the money it holds.
In its report last year, the ATM Manufacturers International (ATMIA) named the BlackBox threat, which is just beginning to spread in the United States, as one of the most dangerous.
This attack was made possible by modified versions of the utilities that ATM manufacturers designed to diagnose problems. The situation is complicated by the fact that manufacturers consider the losses from BlackBox to be less significant than the costs of reconfiguring ATM software. As a result, modern ATMs are practically unprotected against the BlackBox threat.
The most popular method of fraud, which is now understood as "carding", is data theft from end devices.
The attacker steals all information related to bank cards, cryptocurrency, system data, photos and videos, browser history and settings: everything needed to create a "digital twin" of the victim. All this is needed so that the carder can pretend to be this user when shopping.
By clicking on a link, opening an unknown attachment in the mail, or entering card details on an unknown site that neglects protection, the user risks losing data.
Who is at risk
Online shopping has long been common in the US, and the level of service and convenience is only growing.
Having entered the online store once, the average American no longer wants to waste time looking for a card and wants the data entered earlier to be filled in automatically, so that all that remains is to click "pay".
Online stores provide this convenience, which is not available in, for example, Russia and Europe, despite the existence of the Payment Card Industry Data Security Standard (PCI-DSS), a security standard that does not allow the seller to save customer card data.
An online store that wants to retain a customer chooses an acquiring bank that is lenient about PCI-DSS requirements. A credit institution also needs to earn money, so it allows the store to save card data, turning a blind eye to the requirements of the regulator.
To minimize the risks of data loss, the bank, as a rule, installs an anti-fraud system for assessing the security of transactions, integrating acquiring into the code of the online store. It is they who become victims of hackers.
What happens after the theft of customer data? Neither the online store nor the acquiring bank in the United States will advertise the hack, as this would bring a fine from the regulator, loss of reputation and scrutiny from all sides.
The stolen data is sold to carders on black markets on the darknet. In order to try on someone else's "digital fingerprint" (operating system, time zone, system language, browser version), scammers use special antidetect systems, find a proxy server closest to the location of the cardholder, and log in to online stores and mail through it.
There they first "warm up" the card by making small payments of the kind the owner usually made, and after a few days they withdraw all funds by buying expensive goods for delivery to the cardholder's address.
Then local criminals known as "drops", who are fluent in the language, its dialect peculiarities and the specifics of conversations with the store, join in. Their task is to change someone else's delivery address to their own and, after receiving the goods, send them or money (40-50% of the cost of the goods) to the carder.
It is interesting that the globalization of the modern economy has made carding very affordable and large-scale all over the world, helping to create an almost full-cycle business from disparate, highly specialized criminal groups.
It has been ten years since the attack on Royal Bank of Scotland, in which cybercriminals withdrew more than $9 million from 2,000 ATMs in 280 cities around the world. The attack took less than 12 hours, after which the hackers disappeared, only to appear on the covers of tabloids a year later under their real names and not of their own free will.
Major global players such as Amazon do not store card data and are introducing mandatory 3D Secure security technology. But in this case, too, a workaround was found: the average visitor to the trading platform usually has a certain number of gift cards, which do not require entering the card number and password.
Marketplaces know about this: payment systems receive their royalties, online stores - money for goods, acquiring banks - a percentage for a transfer. It is worth noting that among the large payment systems there are those that sacrifice security for the sake of convenience, such as PayPal - from the cards attached to it, you can transfer funds without 3D-Secure.
"Silver Bullet" and protection systems
The situation on the Russian market is a little better. According to Fincert (the unit of the Central Bank of the Russian Federation dealing with the cybersecurity of the financial sector), targeted attacks caused 76.5 million rubles in damage in seven months of 2018, compared with 1.08 billion in the same months of 2017, despite a 10% increase in the number of attacks.
Many domestic companies are protected, but not enough. According to various sources, 50-70% of all attacks in 2018 were aimed at the banking sector. Therefore, it is extremely important for a modern financial and credit organization to have a complete understanding of the ongoing processes within the company.
Here are the steps to take to ensure safety:
- installation of NGFW security software at all points of entry and exit to the network for segmenting and analyzing traffic from / to the data center;
- file movement control - most infections occur via mail;
- annual penetration testing and elimination of found vulnerabilities;
- regular internal audit for the implementation of orders of the information security service;
- participation of the information security service in the development of a mobile application;
- creation of a transparent and non-congested IT and information security change management process;
- minimizing the gap between the release of security updates for information systems and their installation;
- knowledge of traffic flowing in the network and at the perimeter, protocols and applications within which the exchange of information is required;
- introduction of modern antifraud systems based on machine learning;
- maximum involvement of users in the information security process: training, regular trainings, analysis of cases and incidents;
- changing sales processes to new ones in which carding is impossible;
- constant monitoring of the black market for new methods of carding;
- and most importantly, compliance with all regulatory requirements.
And an important point: most carders are afraid to work in Russia and the CIS, because in almost 100% of cases they are discovered within a short period of time.
(c) https://rb.ru/opinion/stop-carding/
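The sequence the article describes (small "warm-up" payments, a large purchase a few days later, then a changed delivery address) can be written as a detection rule for an anti-fraud pipeline. The following is an added example, not part of the original article; the event fields, thresholds, signal names and sample data are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not values from the article.
SMALL, LARGE = 20.00, 500.00
WINDOW, MIN_WARMUP = timedelta(days=7), 2

def flag_cards(events, known_devices):
    """Return {card: [signals]} for warm-up, large purchase, re-routing."""
    by_card = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_card[e["card"]].append(e)
    flagged = {}
    for card, evs in by_card.items():
        warmups = defaultdict(list)  # unfamiliar device -> small-payment times
        cashout_orders, signals = set(), []
        for e in evs:
            if e["kind"] == "address_change":
                if e["order"] in cashout_orders:
                    signals.append("delivery_rerouted_after_purchase")
                continue
            dev = e["device"]
            if dev in known_devices.get(card, set()):
                continue  # cardholder's usual device: out of scope here
            if e["amount"] <= SMALL:
                warmups[dev].append(e["ts"])
            elif e["amount"] >= LARGE:
                recent = [t for t in warmups[dev] if e["ts"] - t <= WINDOW]
                if len(recent) >= MIN_WARMUP:
                    cashout_orders.add(e["order"])
                    signals.append("warmup_then_large_purchase")
        if signals:
            flagged[card] = signals
    return flagged

# Constructed sample events (not real transactions).
T0 = datetime(2024, 1, 1, 12, 0)
def ev(card, day, kind, order, amount=0.0, device=None):
    return {"card": card, "ts": T0 + timedelta(days=day), "kind": kind,
            "order": order, "amount": amount, "device": device}
SAMPLE = [
    ev("card-A", 0, "payment", "o1", 4.99, "dev-new"),
    ev("card-A", 1, "payment", "o2", 9.50, "dev-new"),
    ev("card-A", 3, "payment", "o3", 1200.00, "dev-new"),
    ev("card-A", 4, "address_change", "o3"),
    ev("card-B", 0, "payment", "o4", 5.00, "dev-home"),
    ev("card-B", 2, "payment", "o5", 900.00, "dev-home"),
]
KNOWN = {"card-A": {"dev-old"}, "card-B": {"dev-home"}}
print(flag_cards(SAMPLE, KNOWN))
```

Only card-A is flagged: card-B shows the same amounts but from a device already associated with the cardholder, so a production system would score it with other signals.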
