By Alistair Paterson:
Credit card fraud has been big business for quite some time with losses expected to reach $24 billion by 2018. There are two types of credit card fraud – physical card fraud which involves the cloning of credit cards and Card Not Present (CNP) fraud, when the card is used online and over the phone. While the Europay, Mastercard and Visa (EMV) chip technology has made physical card fraud more difficult, online card spending is expected to double by 2021 and business will likely continue to boom for fraudsters.
We all know that cybercriminals don’t operate alone. Benefitting from a rich ecosystem that provides supporting infrastructure, malware and money services, even less sophisticated actors can turn a profit. Lately we’ve seen an influx of extremely professional online tutorials designed to educate bad actors on the latest fraud tactics and tools. Complete with webinars, instructors and reading material, these online courses also provide insights that defenders can use to protect against this increasingly popular threat. Here is just a glimpse into what students can learn from one class that costs nearly $1,000 and is conducted in Russian, targeting fraudsters in that geography.
How to find shops that sell credit card details. Alphabay, one of the largest marketplaces for illicit goods, was recently shut down, but a Google search returns almost 25,000 results of other shops that traffic in credit card information. Many of the sites are scams so choosing a “reputable” one can be difficult. In the course, students are pointed to six carding sites in particular and advised to look for shops with capabilities that allow them to check and see if the card is still in use and has a worthwhile balance.
How to socially engineer individuals. A week-long lecture series focuses on how to build local knowledge and rapport with the target. Fraudsters aren’t blindly putting card numbers into retail sites hoping to make a purchase. They are being trained to learn the target’s surrounding and processes to make more money in more ways and evade detection.
How to cash out. Fraudsters are coached on three main ways to make a profit – direct purchase, agent fraud and through the use of drops and middlemen. For direct purchase they target sites that are “card-able,” meaning susceptible to fraudulent purchases as a result of lax security controls. Agent fraud involves impersonating an agent, for example from an airline or hotel, making a reservation in the cardholder’s name, and then changing the reservation name once the card is authorized. The use of drops and middlemen includes a range of techniques that involve duping individuals and legitimate delivery companies to reship stolen goods and counterfeit money to safe addresses.
Given this information what can payment card companies, merchants and consumers do to better protect themselves? The list is long, but here are three tips for each.
Payment Card Companies:
- Proactively monitor for permutations on your domain name, which could help you to detect any criminal seeking to harvest information from your customers.
- Understand banking trojans, like Trickbot, and how they are targeting and possibly gaining access to your customers’ computers.
- Monitor carding sites for Bank Identification Numbers (BINs) and Issuer Identification Numbers (IINs) that are offered for sale. In many cases it is possible to free text search and filter by BIN.
Merchants:
- Consider using 3D Secure as an additional layer of security which has proven to be a real obstacle for criminals and is deployed by Visa and Mastercard.
- Don’t sacrifice security for user experience. Criminals are turning to mobile apps to commit payment card fraud as they can be less secure.
- Monitor for mentions of your company on cardable sites with the help of Google Alerts or open source web crawlers like Scrapy.
Consumers:
- If shopping somewhere new, ensure the shop uses 3D Secure.
- Use caution when using a travel agent you haven’t used before – don’t fall prey to an offer that’s too good to be true.
- Don’t be part of a cashing-out scam. Be wary of job postings offering well-paid jobs to re-ship goods, often offering to work from home
As the opportunity for payment card fraud grows, it’s safe to assume that more cybercriminals will take advantage of new, sophisticated online courses to get a piece of the pie. Even as you put additional precautions in place, remember that attackers continue to innovate and update their training regularly. However you can teach fraudsters a few lessons as well, by continuously monitoring for nefarious activity and staying apprised of the latest security measures.