Real carding: how to make online payments secure

[Cartographer]

Carding is any fraudulent transaction involving plastic cards.

What happens carding

Carding can be of two types:

with physical access to a card or ATM,
remote attacks.

The most obvious fraud is the actions of staff who can scan data using special equipment, make a copy and withdraw funds from an ATM. But the number of such crimes is gradually decreasing.

Today, maintenance staff brings the terminal to the client, and does not carry the card. Both physical and electronic means of protection are installed on ATMs to detect skimmers (miniature devices that attach to an ATM and read card data).

In addition, devices with contactless payment methods are becoming popular. All of this has contributed to the reduction of skimmer fraud cases.

However, the most dangerous attacks are still BlackBox class attacks, which are connecting a miniature computer, forcing the ATM to issue all the money that it has.

The International ATM Manufacturers Association (ATMIA) in its last year report called the BlackBox threat one of the most dangerous, which is just beginning to spread in the United States.

This attack was made possible thanks to the modified utilities of ATM manufacturers, created for troubleshooting. The situation is complicated by the fact that manufacturers consider the losses from BlackBox less significant than the costs of reconfiguring ATM software. This leads to the fact that modern ATMs are practically not protected from the threat of BlackBox.

The most popular method of fraud, which is now referred to as “carding,” is the theft of data from end devices.

By clicking on the link, opening an unknown attachment in the mail, or entering card information on an unknown site that neglects protection, the user risks losing data.

An attacker steals all the information related to bank cards, cryptocurrency, system information, photos and videos, history and browser settings - this allows you to create a “digital double” of the victim. All this is necessary so that the carder can pretend to be this user during purchases.

In the US, online shopping has long been common, and the level of service and convenience is only growing.

And such convenience, which is not, for example, in Russia and Europe, online stores provide despite the existence of Payment Card Industry Data Security Standard (PCI-DSS) - a security standard that does not allow the seller to save customer card data.

An online store that wants to save a customer chooses an acquiring bank loyal to PCI-DSS requirements. A credit institution also needs to earn money, and it allows you to save card data, turning a blind eye to the requirements of the regulator.

To minimize the risk of data loss, the bank, as a rule, installs an anti-fraud system for assessing transaction security, integrating acquiring into the code of the online store. It is they who become victims of hackers.

What happens after the theft of customer data? Neither the online store, nor the acquirer bank in the United States will advertise the hack, as this threatens a fine from the regulator, loss of reputation and close attention from all sides.

Stolen data is sold to carders on black markets on the dark. In order to try on someone else's “digital fingerprint” (operating system, time zone, system language, browser version), scammers use special anti-detection systems, find the proxy server closest to the cardholder’s location, and go through it to online stores and mail.

There, they preliminarily “warm up” the card, making small payments, which the holder usually made, and after a few days they withdraw all the funds by buying expensive goods to the address of the card holder.

Then local criminals are connected - “drops”, who perfectly know the language, the dialect and the specifics of the conversation with the store. Their task is to change someone else's delivery address to their own and after receiving the goods forward it or money (40-50% of the cost of the goods) to the carder.

Ten years have passed since the attack on the Royal Bank of Scotland, when attackers withdrew more than nine million dollars from two thousand ATMs in 280 cities around the world. The attack took less than 12 hours, after which the hackers dissolved, so that in a year they would appear on the covers of the tabloids under real names and not of their own free will.

Large global players, such as Amazon, do not store map data and introduce mandatory use of 3D Secure protection technology. But in this case, workaround was found: the average visitor to the trading platform usually has a certain number of gift cards that do not ask for their card number and password.

Silver Bullet and Security Systems

Things are slightly better in the Russian market. According to Fincert (a structure of the Central Bank of the Russian Federation that deals with cyber security of the financial sector), targeted attacks caused 76.5 million rubles in seven months of 2018 instead of 1.08 billion in the same months of 2017, despite a ten percent increase in the number of attacks.

Many domestic companies are protected, but not enough. According to various sources, 50-70% of all attacks of 2018 were aimed at the banking sector. Therefore, it is extremely important for a modern financial and credit organization to have a complete picture of the processes taking place inside the company.

Here are the steps you need to take to ensure security:

installation of NGFW security software at all network entry and exit points for segmenting and analyzing traffic from / to the data center;
file movement control - most infections occur through mail;
conducting annual testing for penetration and elimination of found vulnerabilities;
regular internal audit on the implementation of information security service orders;
participation of the information security service in the development of a mobile application;
creating a transparent and non-overloaded process for managing changes in IT and information security;
minimizing the gap between the release of security updates for information systems and their installation;
knowledge of traffic going on the network and on the perimeter, protocols and applications, within which information exchange is necessary;
introduction of modern antifraud systems based on machine learning;
maximum user involvement in the information security process: training, regular trainings, case studies and incidents;
changing sales processes to new ones in which carding is impossible;
continuous monitoring of the black market for new methods of carding;
and most importantly, compliance with all regulatory requirements.

I would like to note separately that non-cash payments in Russia are now becoming more secure. In our country, one of the first appeared contactless payment by devices, banks are equipped with modern means of biometric identification of customers (including voice).

And an important point: most carders are afraid to work in Russia and the CIS, since in almost 100% of cases they are detected within a short period of time.

[kufei007]

Teacher, I want to ask you some questions.