Attention holiday shoppers: The card verification value should never be stored online
The end-of-year online buying season is a bank fraud frenzy. This used to be done by criminals using stolen or cloned payment cards in person, via card-present (CP) fraudulent transactions. The introduction of chip-based Europay, Mastercard, and Visa (EMV) cards has changed this. CP fraud is now much more difficult.
In response, criminals have moved to card-not-present (CNP) fraud. This is a switch to online fraud. Card details can be stolen in mass amounts from online retailers and then used to purchase goods from other retailers. But it shouldn't be that easy, because cards include a separate number known as the card verification value (CVV).
This is a three-digit (most commonly) or four-digit (on American Express cards) unique number printed on the card. This code is required to complete a transaction – but it should never be stored online. Its purpose is to prove to the retailer that the customer has the card in his or her possession.
The problem is that on the dark web there are huge numbers of card details, described as “fullz,” available for sale from one criminal to another. “Fullz” indicates that everything required for fraudulent transactions is available – including the CVV number.
The question then is how do the criminals obtain these numbers that should never be stored anywhere on the internet?
Protecting the CVV
Card details are primarily protected by a security standard known as the Payment Card Industry Data Security Standard (PCI DSS, usually just known as PCI). Compliance is required by any firm that accepts card payments:
“Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card used to verify card-not-present transactions) after authorization.”
There are problems with PCI. It is claimed that no retailer or merchant compliant with PCI has ever been breached – and this may be so – however, compliance is measured and confirmed by annual audits. It is possible for a firm to be technically compliant, but not actually compliant for 364 days of the year.
The Verizon 2019 Payment Security Report makes three interesting observations. First, none of the companies it investigated over payment card breaches during the last year were PCI compliant at the time of the breach. Second, the number of companies achieving compliance is increasing; but third, the number of companies sustaining that compliance throughout the year is declining. Only 37% of these companies managed to sustain their PCI compliance throughout the entire year of 2018.
While it is possible that some of the CVV numbers sold on the dark web as fullz have been stolen from online databases, this is unlikely and rare. We need to look elsewhere for the criminals' source of CVV numbers: at malware attacks against individual PCs and at Magecart-style attacks against retailers and merchants.
Attacks against user PCs
There are four primary malware attacks against PCs designed to steal credit card details, including the CVV. These are phishing, infostealers, keyloggers, and browser insertion malware.
Phishing is based on the use of social engineering to persuade users to visit a malicious website. This can be via a disguised link in the email, a link to a look-alike but false website, or links embedded in an attachment. Once the user visits the fallacious website, further social engineering is used to persuade the victim to enter card details, which are captured and sent to the criminal.
Keyloggers comprise malware of varying sophistication that can watch for triggers (such as accessing a bank site or major retailer) and then capture the keys typed at the keyboard. Any card details are recognized, recorded, and sent to the criminal.
Infostealers are generally smash and grab raids. If a PC is infected, the malware scans the system and steals confidential data – including any payment details it can find. This can often be achieved in a matter of seconds. More persistent infostealers may also drop a keylogger for longer term activity.
Browser insertion malware will infiltrate the victim's browser. It usually focuses on just one or two of the major national banks or major retailers. When it detects the user visiting one of these sites, it overlays its own copy of the bank's login form or retailer’s payment details form. Data entered into these identical but false forms is captured and sent to the criminal. Once achieved, it is often followed by an phony error message saying that a problem requires the user to refresh the page and try again. The user then completes the transaction correctly, and may never know that the card details have just been stolen.
The key principle behind all these attacks is that the card details – including the CVV number – can be stolen directly from the user in an unencrypted state. In criminal terms, they require high effort for limited returns (one PC at a time), so probably do not account on their own for the volume of fullz available on the web. Nevertheless, such attacks will likely increase in coming years with the growth of malware-as-a-service. This removes much of the effort of being a criminal and makes malware available to wannabe criminals of limited technical ability.
For the greater number of CVV thefts, we need to look at Magecart-style attacks against retailers.
Magecart was originally the name applied to an individual cybercriminal gang operating a specific type of attack. The attack process is to gain access to a retailer's payment system, then use malware to skim off card details in real time as they are entered to fulfill a purchase. This type of attack is known as web skimming. It steals the payment card details – including the CVV number – as they are entered in plaintext and before they are encrypted by the retailer. The user, and indeed the retailer, will know nothing about the theft until the malware is discovered.
The attack methodology was subsequently copied by numerous other criminal gangs, and the term Magecart now refers to the style of attack rather than any specific gang. It is thought that there are more than a dozen Magecart cybercriminal gangs. They have been named sequentially as discovered: Magecart 1, Magecart 2, Magecart 3, etcetera.
Some of the gangs behind the different groups are long-standing and infamous cybercriminals. Magecart 5, for example, is thought to be the Carbanak gang, which has been responsible for some of the largest online thefts in recent years. This group is also thought to be responsible for the Ticketmaster Magecart hack.
The attack on British Airways in 2018 was not a supply chain attack, but it maintained the Magecart web skimming approach. “Magecart set up a custom, targeted infrastructure to blend in with the British Airways website specifically and avoid detection for as long as possible,” explained researchers from RiskIQ. “While we can never know how much reach the attackers had on the British Airways servers, the fact that they were able to modify a resource for the site tells us the access was substantial, and the fact they likely had access long before the attack even started is a stark reminder about the vulnerability of web-facing assets.”
It has been claimed that up to 500,000 British Airways customers may have been affected by this breach – and the UK’s data protection regulator subsequently fined the company almost $230,000 for its poor security.
If you compare the number of credit card details – including the CVV number – that can be stolen in a single Magecart attack to the targeting of PCs, it seems clear that the majority of fullz credit card details available on the dark web have probably been stolen by the various Magecart gangs. These attacks are continuing and will probably increase during 2020.
How to stay safe
Protecting our payment card details is difficult. We can defend our own PCs but can do nothing against attacks against the retailers.
There is nothing we can do personally to prevent Magecart attacks against the retailer, other than to be aware and prepared. Corporations are told to assume that they have or will be breached, and to prepare an incident response plan. We need to take a similar approach – assume our payment details will be stolen and know what to do when we learn about it. We can use accounts for online purchasing that do not contain more money than we can afford to lose. We can monitor our bank accounts to see if any purchases are being made that we do not recognize. And we can keep a regular eye on our credit scores.