3D Secure Protocol and how to bypass it.
Cybercriminals are constantly exploring new ways to bypass the 3D Secure (3DS) protocol used to authorize online transactions using credit or debit cards. Clandestine forums users offer tips on how to bypass the latest security feature by combining social engineering with phishing attacks.
The 3DS feature has changed a lot compared to the first version, when the bank asked the user for a code or password to confirm the transaction. In the second version (3DS 2), developed for smartphones, users can confirm their purchase by logging into the banking application using biometric data (fingerprint, face recognition). Despite the advanced security features in 3DS 2, the first version is still widely used, giving cybercriminals the ability to use their social engineering skills to trick users into providing a code or password to confirm a transaction.
Gemini Advisory’s experts talked about some of the methods that cybercriminals share on dark web forums to make fraudulent purchases in 3D -enabled online stores. It all starts with gaining access to complete information about the cardholder, including name, phone number, email address, physical address, mother’s maiden name, identification number and driver’s license number. Cybercriminals use this data to impersonate a bank employee calling a customer to verify their identity. Using the personal information they receive, they gain the victim’s trust and ask for their password or code to complete the process.
The same tactic can work with later versions of 3DS and make purchases in real time. Using full cardholder information, a voice changer, and a spoofing phone app, a fraudster can initiate a purchase on the site and then call the victim to get the information he needs.
“At the last stage, the hacker informs the victim that he will receive a confirmation code for the final identity verification, after which the cybercriminal places an order in the store. When prompted to enter the verification code that was sent to the victim’s phone, the fraudster will be able to get it from the victim, ”the experts explained.
You can get the 3D code in another way, such as phishing. When a victim makes a purchase on a phishing site, the criminals transfer all data to the legitimate store in order to get their product. According to experts, some cybercriminals also add stolen credit card details to PayPal account and use it as a payment method.
Another method is “classic” and involves hacking the victim’s phone with malware that can intercept the security code and pass it on to the fraudster. In addition, many stores do not ask for a 3D code when the transaction amount is below a certain limit, which allows fraudsters to make multiple small purchases.
Leave a Reply