Cybercriminals Finding Ways to Bypass ‘3D Secure’ Fraud Prevention System

Security researchers with threat intelligence firm Gemini Advisory say they have observed dark web activities related to bypassing 3D Secure (3DS), which is designed to improve the security of online credit and debit card transactions.

Designed as an additional protection layer for these transactions, 3DS has seen several releases. The most recent, version 2.0, is also designed to accommodate smartphones, allowing for authentication using a fingerprint or facial recognition.

In addition to various social engineering tactics that attackers can use to circumvent 3DS, phishing and scam pages allow them to trick victims into revealing their card details and payment verification information.

Gemini’s security researchers say that vulnerabilities in earlier versions of 3DS could have been exploited to bypass security. The use of a password for the transaction was one of these issues, as this was sometimes a personal identification number (PIN) that cybercriminals were able to acquire using various means.

Using various social engineering techniques, such as impersonating bank representatives, cybercriminals can harvest a lot of information from victims, including name, ID number, phone number, physical and email address, mother’s maiden name, driver’s license numbers, and the like. Armed with some personally identifiable information (PII), the attacker could trick the victim into sharing additional details.

One method recommended by some cybercriminals for bypassing 3DS involves calling up the victim from a phone number that spoofs the number on the back of the payment card, and tricking them into verifying a transaction currently being made by the fraudster by claiming it is needed for identity verification purposes.

The use of phishing sites that mimic legitimate online shops can also allow hackers to harvest the victims’ card information and trick them into authorizing a payment via 3DS. In some cases, the attackers may use malware to target users’ smartphones and retrieve 3DS verification codes.

Cybercriminals can also abuse the fact that some online shops disable the 3DS feature for smaller purchases: after testing the limit, they make purchases that stay under those amounts.
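A merchant-side mitigation for the low-value gap described above, shown as an added example that is not from the article or from Gemini Advisory: small purchases stay exempt only until a per-card count or cumulative cap is reached, and a small purchase that follows an abandoned 3DS challenge is challenged as well. The thresholds, card tokens and event fields are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Assumed merchant policy, in minor units (cents); not values from the article.
EXEMPT_BELOW = 3000       # purchases under this amount may skip 3DS
MAX_EXEMPT_COUNT = 5      # consecutive exempt purchases allowed per card
MAX_EXEMPT_TOTAL = 10000  # cumulative exempt spend allowed per card

@dataclass
class CardState:
    exempt_count: int = 0
    exempt_total: int = 0
    abandoned_challenge: bool = False  # a 3DS challenge was issued, never completed

def decide(state, amount):
    """Return (decision, reason) for one purchase attempt on a card."""
    if amount >= EXEMPT_BELOW:
        return "challenge", "at or above exemption limit"
    if state.abandoned_challenge:
        return "challenge", "small amount after abandoned challenge (limit probing)"
    if state.exempt_count + 1 > MAX_EXEMPT_COUNT:
        return "challenge", "exempt count exhausted"
    if state.exempt_total + amount > MAX_EXEMPT_TOTAL:
        return "challenge", "exempt cumulative amount exhausted"
    return "exempt", "low-value exemption"

def process(events):
    """Replay (card, amount, completed_3ds) events and return each decision."""
    cards, out = defaultdict(CardState), []
    for card, amount, completed in events:
        st = cards[card]
        decision, reason = decide(st, amount)
        if decision == "exempt":
            st.exempt_count += 1
            st.exempt_total += amount
        elif completed:  # successful authentication resets the card's counters
            cards[card] = CardState()
        else:
            st.abandoned_challenge = True
        out.append((card, amount, decision, reason))
    return out

# Constructed sample: (card token, amount in cents, challenge completed if issued)
SAMPLE = [
    ("tok_A", 4500, False),  # challenged and abandoned
    ("tok_A", 2900, False),  # retried just under the limit: still challenged
    *[("tok_B", 2500, True)] * 4,  # four small purchases reach the cumulative cap
    ("tok_B", 2500, False),  # fifth would exceed the cap: challenged
]
print(*process(SAMPLE), sep="\n")
```
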

The use of PayPal also allows attackers to bypass 3DS. For that, they add stolen payment card information to a PayPal account, and then make purchases using the PayPal payment method. This scheme works best with credit cards, as PayPal does not always require user confirmation by issuing validation codes (which would also require access to the bank account).

The next step in the evolution of securing online card transactions, Gemini says, is Strong Customer Authentication (SCA), which secures customer-initiated payments and which can be fulfilled with 3DS 2. Transactions under certain amounts may be exempted from verification.

“The older versions of 3DS, such as version 1.0 (which is still widely used around the world), are susceptible to hackers who find ways to bypass their security features. […] Gemini Advisory assesses with moderate confidence that cybercriminals will likely continue to rely on social engineering and phishing to bypass 3DS security measures,” Gemini concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
