Cybercriminals Finding Ways to Bypass ‘3D Secure’ Fraud Prevention System

Security researchers with threat intelligence firm Gemini Advisory say they have observed dark web activities related to bypassing 3D Secure (3DS), which is designed to improve the security of online credit and debit card transactions.

Designed as an additional protection layer for these transactions, 3DS has gone through several releases. The most recent, version 2.0, is also designed to accommodate smartphones and allows authentication using a fingerprint or facial recognition.

In addition to various social engineering tactics that attackers can use to circumvent 3DS, phishing and scam pages allow them to trick victims into revealing their card details and payment verification information.

Gemini’s security researchers say that vulnerabilities in earlier versions of 3DS could have been exploited to bypass security. The use of a password for the transaction was one of these issues, as this was sometimes a personal identification number (PIN) that cybercriminals were able to acquire using various means.

Using various social engineering techniques, such as impersonating bank representatives, cybercriminals can harvest a lot of information from victims, including name, ID number, phone number, physical and email address, mother’s maiden name, driver’s license numbers, and the like. Armed with some personally identifiable information (PII), the attacker could trick the victim into sharing additional details.

One method recommended by some cybercriminals for bypassing 3DS involves calling up the victim from a phone number that spoofs the number on the back of the payment card, and tricking them into verifying a transaction currently being made by the fraudster by claiming it is needed for identity verification purposes.

The use of phishing sites that mimic legitimate online shops can also allow hackers to harvest the victims’ card information and trick them into authorizing a payment via 3DS. In some cases, the attackers may use malware to target users’ smartphones and retrieve 3DS verification codes.

Cybercriminals can also abuse the fact that some online shops disable the 3DS feature for smaller purchases. After testing where the limit lies, they make purchases that stay under that amount.
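From the merchant's side, this behaviour leaves a recognizable trail: abandoned 3DS challenges followed shortly by approved, unchallenged purchases just under the exemption limit. The sketch below is an added example, not code from Gemini Advisory or the article; the threshold, the event fields, the outcome labels and the sample events are all assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 30.00            # assumed merchant rule: 3DS is skipped below this amount
NEAR_BAND = 0.80             # "just under" means at least 80% of the threshold
WINDOW = timedelta(hours=1)  # how long after an abandoned challenge to keep looking

# Constructed sample events: (timestamp, card token, amount, 3DS challenged?, outcome)
EVENTS = [
    ("2021-03-01T10:00:00", "card_A", 45.00, True,  "challenge_abandoned"),
    ("2021-03-01T10:03:00", "card_A", 35.00, True,  "challenge_abandoned"),
    ("2021-03-01T10:05:00", "card_A", 29.50, False, "approved"),
    ("2021-03-01T10:07:00", "card_A", 29.00, False, "approved"),
    ("2021-03-01T10:09:00", "card_A", 28.75, False, "approved"),
    ("2021-03-01T11:00:00", "card_B", 12.40, False, "approved"),
    ("2021-03-01T11:30:00", "card_B", 64.00, True,  "approved"),
    ("2021-03-01T12:00:00", "card_C", 29.99, False, "approved"),
]

def find_threshold_probing(events, threshold=THRESHOLD, window=WINDOW, min_under=2):
    """Flag cards that abandon a 3DS challenge and then place several
    unchallenged purchases just under the threshold within `window`."""
    by_card = defaultdict(list)
    for ts, card, amount, challenged, outcome in events:
        by_card[card].append((datetime.fromisoformat(ts), amount, challenged, outcome))

    flagged = {}
    for card, rows in by_card.items():
        rows.sort()
        for probe_ts, _, challenged, outcome in rows:
            if not (challenged and outcome == "challenge_abandoned"):
                continue
            # Approved, unchallenged purchases close to the limit after the probe
            under = [amt for ts, amt, ch, out in rows
                     if probe_ts < ts <= probe_ts + window
                     and not ch and out == "approved"
                     and NEAR_BAND * threshold <= amt < threshold]
            if len(under) >= min_under:
                flagged[card] = {"first_probe": probe_ts.isoformat(),
                                 "count": len(under),
                                 "under_threshold_total": round(sum(under), 2)}
                break
    return flagged

if __name__ == "__main__":
    for card, why in find_threshold_probing(EVENTS).items():
        print(card, why)
```

A single purchase just under the limit (card_C) is not flagged; the rule keys on the combination of an abandoned challenge and repeated near-limit purchases, which keeps ordinary small orders out of the alert queue.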

The use of PayPal also allows attackers to bypass 3DS. For that, they add stolen payment card information to a PayPal account, and then make purchases using the PayPal payment method. This scheme works best with credit cards, as PayPal does not always require user confirmation by issuing validation codes (which would also require access to the bank account).

The next step in the evolution of securing online card transactions, Gemini says, is Strong Customer Authentication (SCA), which secures customer-initiated payments and which can be fulfilled with 3DS 2. Transactions under certain amounts may be exempted from verification.

“The older versions of 3DS, such as version 1.0 (which is still widely used around the world), are susceptible to hackers who find ways to bypass their security features. […] Gemini Advisory assesses with moderate confidence that cybercriminals will likely continue to rely on social engineering and phishing to bypass 3DS security measures,” Gemini concludes.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
