Fraudsters Circumvent 3D Secure with Social Engineering

Cyber-criminals are actively sharing tips and advice on how to bypass the 3D Secure (3DS) protocol to commit payment fraud, according to researchers.

A team at threat intelligence firm Gemini Advisory found the discussions on multiple dark web forums, claiming that phishing and social engineering tactics stood a good chance of success in certain situations.

Although version two of the protocol, designed for smartphone users, allows individuals to authenticate payments with hard-to-spoof or steal biometric information, earlier, less secure versions are still widely used, the firm claimed.

Use of a static password to authenticate exposes shoppers to such scams. Fraudsters could buy personal information on a user, call them up impersonating their bank and then provide some of this info to ‘prove’ their legitimacy, before asking for the password, Gemini Advisory said.

The firm’s analysts have also eavesdropped on reputable hackers offering advice on how to make purchases in real-time, bypassing two-factor authentication (2FA) codes. They enter stolen payment card details into an e-commerce site, then call the cardholder spoofing their number to appear as if they’re calling from the bank. When the 2FA code comes through, they request it from the victim.

Mobile malware could also be used to intercept 2FA numbers sent by SD3 v 1 to shoppers, the report noted.

Other scams designed to circumvent 3DS include phishing pages, which can be used to harvest static passwords, and use of PayPal. The latter would first require the purchase of credit card details plus bank account logins, then a fraudster could add the card to the relevant PayPal account, Gemini Advisory said.

Another scam discussed on dark web sites involves smaller purchases.

“In order to simplify the purchase process, some online shops disable the 3DS feature for smaller purchases, which, depending on the shop, can be in the hundreds of dollars. For example, transactions less than $30 are exempted, but not if the card is used five times or if the total charges exceed $100,” Gemini said.

“Other sites have their own requirements, sometimes as high as $400. Cyber-criminals can test these sites to determine which purchase amount triggers the 3DS, and then keep the purchases under those amounts.”

Although SD3 v2 is more secure, it is not impervious to “well-honed social engineering skills,” the report concluded.

What’s Hot on Infosecurity Magazine?