Cybercriminals continue to explore and document new techniques for exploiting loopholes in the 3D Secure (3DS) protocol, which is used to authorize online card transactions. Underground forums carry discussion threads that largely involve advice on bypassing the current variant of the security feature by combining phishing attacks and social engineering.
People on various dark web forums share their know-how on making fraudulent purchases at shops that use the 3D Secure protocol to protect their customers’ transactions. 3DS adds a layer of security to online purchases made with debit and credit cards: it requires direct confirmation from the card owner to authorize a payment.
The 3D Secure protocol has evolved from its first version, in which the bank asked the user for a code or a static password to approve the transaction. In the second version, 3DS 2, implemented for smartphones, users can confirm an online purchase by authenticating the transaction in their banking app with biometric data such as face recognition or a fingerprint.
Despite the advanced security features that 3DS 2 enables, the first version is still widely deployed. This gives cybercriminals an opportunity to use their social engineering skills to trick users into giving up the password or code that approves the transaction.
In a recent blog post, analysts at Gemini Advisory, a threat intelligence company, shared some of the methods that cybercriminals keep discussing on darknet forums for making fraudulent purchases at online stores that deploy the 3D Secure protocol.
The procedure begins with acquiring complete cardholder information, including personal details such as name, email address, phone number, residential or official address, ID number, mother’s maiden name and driver’s license number. The cybercriminals then use these details to impersonate a bank employee and call the customer to confirm their identity. They offer some personally identifiable information (PII) to gain the victim’s trust and then request the password or code to complete the process.
The same mechanism could also work against later variants of the 3D Secure protocol and be used to make purchases in real time. A hacker has also described the method in a post on a top-rated underground forum.
Using the cardholder’s details along with a phone number spoofing app and a voice changer, the scammer can start a purchase at a website and then call the victim to obtain the required information.
“In the final step, the hacker advises the victim that they will receive a confirmation code for final identity verification, at which point the cybercriminal should place the order at the shop; when prompted to enter verification code that was sent to the victim’s phone, the fraudster should retrieve that code from the victim,” Gemini Advisory writes.
However, the 3D Secure code can also be obtained by other means, such as injects and phishing campaigns. When the victim makes a purchase on a phishing website, the cybercriminals pass all the details on to the legitimate store to get their product.
According to Gemini Advisory’s findings, some cybercriminals add stolen credit card data to a PayPal account and then use it as a payment method. Another method, a classic one, involves compromising the victim’s phone with malware that can intercept the security code and pass it on to the fraudster. In addition, some stores never ask for the 3D Secure code when a transaction stays below a particular threshold, which allows fraudsters to make multiple purchases in smaller amounts.
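The threshold gap described above can be narrowed on the merchant or issuer side by tracking unchallenged payments per card and forcing a 3DS challenge once they add up. The following is an added example, not code from Gemini Advisory or the original article; the class name, card tokens and limit values are assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values (minor currency units); not taken from the article.
EXEMPT_BELOW = 3000             # single payments under this skip the 3DS challenge
MAX_EXEMPT_TOTAL = 10000        # cumulative unchallenged spend allowed per window
MAX_EXEMPT_COUNT = 5            # unchallenged payments allowed per window
WINDOW = timedelta(hours=24)    # look-back window per card


class StepUpPolicy:
    """Tracks unchallenged payments per card and decides when to force 3DS."""

    def __init__(self):
        self._exempt = defaultdict(deque)   # card token -> deque of (time, amount)

    def requires_challenge(self, card, amount, when):
        history = self._exempt[card]
        # Forget unchallenged payments that are older than the window.
        while history and when - history[0][0] > WINDOW:
            history.popleft()
        if amount >= EXEMPT_BELOW:
            return True
        total = sum(a for _, a in history) + amount
        if total > MAX_EXEMPT_TOTAL or len(history) + 1 > MAX_EXEMPT_COUNT:
            return True                     # split purchases add up: step up
        history.append((when, amount))
        return False

    def challenge_passed(self, card):
        """Call after the cardholder completes a challenge; resets the counters."""
        self._exempt[card].clear()


def evaluate(transactions):
    """Return [(card, amount, challenge?)] for time-ordered transactions."""
    policy = StepUpPolicy()
    return [(c, a, policy.requires_challenge(c, a, t)) for c, a, t in transactions]


# Constructed sample data: one card making repeated sub-threshold purchases,
# another making a single ordinary low-value purchase.
T0 = datetime(2021, 1, 1, 12, 0)
SAMPLE = [("tok_A", 2500, T0 + timedelta(minutes=10 * i)) for i in range(6)]
SAMPLE.insert(3, ("tok_B", 1200, T0 + timedelta(minutes=25)))

if __name__ == "__main__":
    for card, amount, challenge in evaluate(SAMPLE):
        print(card, amount, "CHALLENGE" if challenge else "exempt")
```

On the sample data the first four payments from `tok_A` pass unchallenged, and the fifth and sixth are stepped up because the cumulative unchallenged spend would exceed the assumed limit.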
The majority of these techniques work where the earlier versions of 3DS are implemented. 3DS 2 is still a long way from being widely adopted. Currently, Europe is leading in adopting the more secure standard through the PSD2 regulation, under which strong customer authentication is fulfilled with 3DS 2. In the U.S., merchants’ liability protection under 3D Secure 1 will expire on the 17th of October, 2021.
Nevertheless, Gemini Advisory believes that cybercriminals will also take a stab at the more secure 3DS 2 via social engineering.
Source: Bleeping Computer
The post 3D Secure: Hackers Bypass Security of Payment Cards appeared first on Dark Web Link | Deep web Onion Links | Darknet News.