Security researchers with threat intelligence firm Gemini Advisory say they have observed dark web activities related to bypassing 3D Secure (3DS), which is designed to improve the security of online credit and debit card transactions. Cybercriminals
Designed as an additional protection layer for these transactions, 3DS has seen several releases. The most recent of them, version 2.0, is also designed to accommodate smartphones, allowing for authentication using a fingerprint or facial recognition.
In addition to various social engineering tactics that attackers can use to circumvent 3DS, phishing and scam pages allow them to trick victims into revealing their card details and payment verification information.
Gemini’s security researchers say that vulnerabilities in earlier versions of 3DS could have been exploited to bypass security. The use of a password for the transaction was one of these issues, as this was sometimes a personal identification number (PIN) that cybercriminals were able to acquire using various means.
Using various social engineering techniques, such as impersonating bank representatives, cybercriminals can harvest a lot of information from victims, including name, ID number, phone number, physical and email address, mother’s maiden name, driver’s license numbers, and the like. Armed with some personally identifiable information (PII), the attacker could trick the victim into sharing additional details.
One method recommended by some cybercriminals for bypassing 3DS involves calling up the victim from a phone number that spoofs the number on the back of the payment card, and tricking them into verifying a transaction currently being made by the fraudster by claiming it is needed for identity verification purposes.
The use of phishing sites that mimic legitimate online shops can also allow hackers to harvest the victims’ card information and trick them into authorizing a payment via 3DS. In some cases, the attackers may use malware to target users’ smartphones and retrieve 3DS verification codes.
Cybercriminals can also abuse the fact that some online shops disable the 3DS feature for smaller purchases. After testing the limit, the hackers make purchases that fall under that amount.
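For a merchant's fraud team, the low-value exemption described above leaves a recognizable trace in transaction logs. The following detection sketch is an added example, not code from Gemini Advisory or any payment provider; the limit value, the outcome labels, the tuple layout and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LIMIT = 30.00                 # assumed 3DS exemption limit for this shop
WINDOW = timedelta(hours=1)   # how long after a failed challenge to keep watching
NEAR = 0.8                    # "just under" = at least 80% of the limit
BURST = 3                     # exempt near-limit purchases per window that warrant review

# Constructed sample events: (timestamp, card token, amount, outcome)
EVENTS = [
    ("2021-03-01T10:00:00", "card_A", 45.00, "3ds_failed"),
    ("2021-03-01T10:04:00", "card_A", 29.50, "approved_no_3ds"),
    ("2021-03-01T10:06:00", "card_A", 28.90, "approved_no_3ds"),
    ("2021-03-01T11:00:00", "card_B", 12.00, "approved_no_3ds"),
    ("2021-03-01T12:00:00", "card_C", 27.00, "approved_no_3ds"),
    ("2021-03-01T12:10:00", "card_C", 29.00, "approved_no_3ds"),
    ("2021-03-01T12:20:00", "card_C", 26.50, "approved_no_3ds"),
    ("2021-03-01T09:00:00", "card_D", 80.00, "3ds_passed"),
    ("2021-03-01T09:30:00", "card_D", 25.00, "approved_no_3ds"),
]

def flag_threshold_abuse(events, limit=LIMIT):
    by_card = defaultdict(list)
    for ts, card, amount, outcome in events:
        by_card[card].append((datetime.fromisoformat(ts), amount, outcome))
    flagged = {}
    for card, rows in by_card.items():
        rows.sort()
        reasons = set()
        exempt = [(t, a) for t, a, o in rows if o == "approved_no_3ds" and a < limit]
        # Pattern 1: challenge not completed above the limit, then exempt purchases.
        for t_fail, a_fail, o in rows:
            if o == "3ds_failed" and a_fail >= limit:
                if any(t_fail < t <= t_fail + WINDOW for t, _ in exempt):
                    reasons.add("exempt_purchase_after_failed_3ds")
        # Pattern 2: several purchases sitting just under the limit in one window.
        near = [t for t, a in exempt if a >= NEAR * limit]
        for i, start in enumerate(near):
            if sum(1 for t in near[i:] if t - start <= WINDOW) >= BURST:
                reasons.add("near_limit_burst")
        if reasons:
            flagged[card] = sorted(reasons)
    return flagged

if __name__ == "__main__":
    for card, reasons in flag_threshold_abuse(EVENTS).items():
        print(card, reasons)
```

Flagged cards are candidates for manual review or for forcing a 3DS challenge on the next purchase regardless of amount; the thresholds need tuning against a shop's normal order mix.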
The use of PayPal also allows attackers to bypass 3DS. For that, they add stolen payment card information to a PayPal account, and then make purchases using the PayPal payment method. This scheme works best with credit cards, as PayPal does not always require user confirmation by issuing validation codes (which would also require access to the bank account).
The next step in the evolution of securing online card transactions, Gemini says, is Strong Customer Authentication (SCA), which secures customer-initiated payments and which can be fulfilled with 3DS 2. Transactions under certain amounts may be exempted from verification.
“The older versions of 3DS, such as version 1.0 (which is still widely used around the world), are susceptible to hackers who find ways to bypass their security features. […] Gemini Advisory assesses with moderate confidence that cybercriminals will likely continue to rely on social engineering and phishing to bypass 3DS security measures,” Gemini concludes.