Cybercrime and Fraud

Recently the author of this article was on a trip to Chicago when he was notified that his credit card was used in London. The spurious credit card was presented in person to purchase physical goods. The thieves had managed to capture the data contained on the credit card’s magnetic stripe before replicating the data to the magnetic stripe of a blank “white plastic” card. The swiftness between card compromise and physical exploitation was amazing. Unfortunately, this scene occurs daily all over the world. A credit card compromised in Britain may be used within 24 hours in India. Criminals involved in physical-world fraud are constantly leveraging technology to increase their profits.

Victim debit/credit cards can be used or sold as “cvv” or “dumps.” The criminal colloquialism “cvv” represents the data embossed on the front of a card, such as name, card number and expiration date, together with the 3-digit security code printed on the rear of the card. “Dumps” describes the track 1 and/or track 2 data encoded on the card’s magnetic stripe. A criminal is able to monetize “cvv” through online or phone purchases of legitimate goods. “Dumps” are monetized through duplication of the physical card and subsequent purchases of goods in person. Typically criminals resell the fraudulently obtained merchandise on auction-type websites for competitive prices.

Stolen credit/debit card details remain especially lucrative for criminals. When PINs can be obtained alongside a victim’s card details, criminals will monetize cash very quickly at ATM locations.

Team Cymru has observed groups of criminals operating in disparate geographic locations to maximize profit. Attacks on ATMs have been well coordinated, as have groups buying physical goods. Criminal groups can compromise and monetize their own credit cards, but typically criminals seek to purchase credit card details from quality suppliers. The lure of easy profits creates a constant demand for quality dumps.

The source of stolen cards continues to originate through two primary methods: skimmers and network breaches. A hardware skimmer is a device placed over a card port on an ATM or gas pump. The skimmer is designed to capture the data on the card’s magnetic stripe as it is inserted for payment or to withdraw cash. This physical attack on the card previously required a criminal to retrieve the skimmer in order to download the captured data. Today, most skimmers sold in the Underground Economy are equipped with GSM or Bluetooth functionality, thereby allowing criminals to remotely retrieve the stolen data and reduce the risk of capture. Generally these skimmers are equipped with enough memory to store a few hundred credit card numbers. Additionally, skimmers are sold to specifically match the manufacturer and model of ATM being targeted. Since ATM manufacturers publicly release new bank contracts, criminals are able to plan skimmer placement before new ATMs are even installed.

A soft skimmer is a device placed on a POTS (Plain Old Telephone Service) circuit in order to intercept the data in transit. Stand-alone ATMs in convenience stores or hotel lobbies may rely on modems for communication with a merchant network. After recording the tones on these phone lines, criminals use widely available software to convert the tones to digital data, specifically credit card numbers. Skimmers continue to be a threat to consumers in countries that rely on magnetic stripe cards.

Unauthorized access to computers and networks containing credit card track data has proven especially disastrous for merchants and banks. The breaches of Heartland Payment Systems, RBS WorldPay, and TJX illustrate the determination of criminals to find and secure large databases of credit card track data. In the past, Point of Sale (POS) terminals used in retail outlets were exploited through vulnerabilities in the underlying operating system that these terminals use. Failure to patch the operating system has led to remote exploitation via freely available hacker tools. Data exfiltration has occurred for months before the merchant discovered or was alerted to the tainted POS terminal. Criminals continue to aggressively hunt for large amounts of card track data either in storage or in transit. Once a target is identified, the compromise is only a matter of time and resources. Today, financial databases and networks continue to fall victim to the most motivated and talented hackers. Previously, compromises have existed for over a year before the breach was discovered. The purveyors of this data will quickly become rich, as will the end users who purchase the data for coordinated exploitation.

The payment card industry (PCI) is in the final stages of implementing an updated version of the Data Security Standard (DSS).(14) DSS is a collection of policies and procedures designed to establish a best practices document for organizations involved in transferring or storing payment card details. While DSS is absolutely necessary and obligatory for merchants, it merely acts as a stopgap for an outdated magnetic stripe card technology. Multiple European countries have fully implemented EMV (also known as “Chip + PIN”), which has significantly reduced the criminal demand for “chipped cards” in these respective countries.
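One DSS requirement a defender can check mechanically is that full track data must not be retained after authorization, which is exactly what leaked from the POS terminals and databases described above. The following Python is an added example, not Team Cymru’s code: it scans a constructed POS debug log for ISO 7813 track 1 and track 2 fields, drops random digit runs that fail the Luhn check, and reports each hit with a masked PAN. The log lines and the PANs in them are constructed (publicly known test card numbers).

```python
import re

# ISO 7813 track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^[^^?]{2,26}\^(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})[^?]*\??")
# ISO 7813 track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})\d*\??")

# Constructed sample of a POS debug log; the PANs are publicly known test numbers.
SAMPLE_LOG = """\
2024-01-02 10:14:03 POS01 auth ok amount=42.10 ref=0001
2024-01-02 10:14:03 POS01 debug raw=%B4111111111111111^TEST/CARD^25121010000000000?
2024-01-02 10:15:47 POS01 debug raw=;5500000000000004=25121011000000000000?
2024-01-02 10:16:02 POS01 debug raw=;4111111111111112=25121010000000000?
2024-01-02 10:17:30 POS01 auth ok amount=9.99 ref=0002
"""

def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test; filters digit runs that merely look like a PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Show only the first six and last four digits (the PCI DSS display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track_data(text: str) -> list:
    """Return one finding per stored track 1 / track 2 field whose PAN passes Luhn."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for track, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
            for m in rx.finditer(line):
                if not luhn_valid(m["pan"]):
                    continue  # e.g. the third debug line above: bad check digit
                findings.append({"line": str(lineno), "track": track,
                                 "pan": mask_pan(m["pan"]),
                                 "expiry": f"{m['mm']}/{m['yy']}",
                                 "service_code": m["svc"]})
    return findings

if __name__ == "__main__":
    for f in find_track_data(SAMPLE_LOG):
        print(f)
```

The same scan can be pointed at swap files, database dumps or packet captures from the POS segment; a single hit means sensitive authentication data is being retained somewhere it should not be.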

In this framework, debit/credit cards store data on an encrypted chip embedded in the card. While the implementation of the technical EMV specification may be different at various banks, overall the adoption has been very successful from a fraud perspective. Unfortunately this evolution has increased demand for monetization schemes in countries that do not use EMV. A global bank movement to the EMV standard would significantly raise the bar on criminals specializing in this trade. In the realm of “Card Not Present” fraud (telephone and Internet purchases), Visa and MasterCard implemented “Verified by Visa” and “SecureCode” respectively, which require an additional password before a transaction is successfully completed. Unfortunately, a substantial number of “cvv” sold in the Underground Economy today are accompanied by the corresponding Verified by Visa or SecureCode password. This is the result of criminals slightly modifying Phishing and malware attacks.