Gemini has found several individuals on dark web forums who are engaged in activities related to bypassing the 3D Secure (3DS) security measure. 3DS is a protocol designed to be an additional security layer for online credit and debit card transactions. There were multiple versions of this protocol starting with version 1.0; the latest version is version 2.0. 3D Secure 2.0 (3DS 2) was designed to accommodate smartphones. Payment authentication can take the form of a fingerprint or facial recognition, instead of just passwords or confirmation text messages, which allows for a smoother customer experience. This is essential to widespread adoption, given the deterrent effect that additional 3DS verification steps had on customers placing payments, who sometimes abandoned their transactions after they had become too burdensome.
According to emerchantpay, the latest versions of 3DS also utilize the most advanced security features, such as 3DS 2. It analyzes over 100 key data points, including the merchant’s contextual data, acting as an advanced layer of fraud protection. The cardholder enters their card details at checkout. At this point, the merchant’s 3DS service provider sends an authentication request with rich data to the issuer. This data includes a varying amount of cardholder and device information upon regional or market law restrictions, such as device ID, MAC address, geo-location, previous transactions etc.
Cybercriminals can use various tactics to circumvent the 3DS measures, most of which involve various social engineering techniques. Additionally, cybercriminals can use phishing or scam pages in order to trick their victims into providing their card information, as well as payment verification information, which the criminals can then use to make fraudulent purchases.
According to Gemini’s research, earlier versions of 3DS had vulnerabilities that cybercriminals could have exploited to bypass these security features. One of these weaknesses was the password requirement for the transaction, which sometimes took the form of a personal identification number (PIN). Cybercriminals can find various ways to acquire the password, including by using social engineering to trick the victim into providing their password. Below are some of the ways that cybercriminals can accomplish this.
Social engineering can take many forms. Particularly adept cybercriminals can trick their victims into providing their passwords by impersonating a bank representative. For instance, some of the stolen payment cards sold on the dark web marketplaces contain full cardholder information, including name, phone number, email address, physical address, mother’s maiden name, ID number, driver’s license number, and more. By using this information, a cybercriminal could call the customer, impersonate a bank worker by first providing the victim with some of their personally identifiable information (PII), and then request that the victim provide them with their password for final identity confirmation.
Image 1: PII per record for the last 12 months of cards offered for sale in the dark web.
Similar social engineering methods could be used on later 3DS versions. On September 5, 2020, on a top-tier dark web forum, Gemini analysts observed a reputable hacker described a method of social engineering in which cybercriminals can make fraudulent purchases in real-time by tricking their victim. According to the hacker, cybercriminals first have to have a card with full victim information, then download a phone number-spoofing app and a voice changer. In the next step, the hacker recommended going to a shopping site of the fraudster’s choice and entering the shopping card and payment information. Then, the hacker recommended spoofing the bank’s phone number that is normally found on the back of the bank card and calling the victim, employing similar steps as those described above to make the victim comfortable with sharing their information. In the final step, the hacker advises the victim that they will receive a confirmation code for final identity verification, at which point the cybercriminal should place the order at the shop; when prompted to enter verification code that was sent to the victim’s phone, the fraudster should retrieve that code from the victim.
Image 2: benten777’s post explaining how to bypass 3DS.
A search on the dark web forums revealed that various cybercriminals are engaged in activities related to the sale of information collected from phishing sites, the sale of injects that collect victim information, and the creation of phishing sites. Phishing sites often mimic actual sites and trick victims into inputting their account information, which the cybercriminals then collect and process on the actual site. In this type of scam, cybercriminals could present the victim with an online shop that appears to be identical to the actual shop. When the victim unwittingly shops on the phishing site, cybercriminals pass the payment details through to the legitimate site to pay for their own purchases, which the victim then unwittingly verifies through 3DS.
Image 3: An Amazon phishing page.
Making Small Purchases
3DS can sometimes make purchases more difficult, and as such, additional verification steps could deter customers from making purchases. In order to simplify the purchase process, some online shops disable the 3DS feature for smaller purchases, which, depending on the shop, can be in the hundreds of dollars. For example, transactions less than $30 are exempted, but not if the card is used 5 times or the total charges exceed $100. Other sites have their own requirements, sometimes as high as $400. Cybercriminals can test these sites to determine which purchase amount triggers the 3DS, and then keep the purchases under those amounts.
Another way in which cybercriminals can bypass the 3DS is by using PayPal. In this type of scheme, cybercriminals would add stolen payment card information to a PayPal account and use the PayPal payment method when making purchases. In order for this scheme to work with a debit card, cybercriminals would need access to the bank account in order to confirm the mini deposit along with a PayPal code. However, for a credit card, they would only need access to the online PayPal account, since PayPal does not always issue a validation code for confirmation. The dark web marketplaces and forums sell payment cards with bank account login information. Cybercriminals could then purchase such information and successfully add payment cards to PayPal. Once the card is added to PayPal, cybercriminals can make purchases on the marketplaces that allow for PayPal payments without going through 3DS, even if it is enabled on that site.
Image 4: A Russian-speaking hacker selling bank accounts with online access.
As mentioned above, part of 3DS version 1 verification involves sending a text message with a security code to the cardholder to confirm purchases. Cybercriminals can install malware on a victim’s cell phone in order to intercept such messages. In many cases, such malware is attached to malicious apps in Android Apps in the Google Play store, which are installed by unsuspecting victims. The Google Play store allows open-source apps to be offered to their users, and as such, Android users are especially susceptible to apps that can infect their phones. This malware would then intercept any incoming text messages, including 3DS verification codes, that are then used when making purchases.
3DS 2 and SCA
3DS has been upgraded to 3DS 2, which was designed to accommodate smartphones. Payment authentication can take the form of a fingerprint or facial recognition, instead of just passwords or confirmation text messages, which allows for a smoother customer experience. This is essential to widespread adoption, given the deterrent effect that additional 3DS verification steps had on customers placing payments, who sometimes abandoned their transactions after they had become too burdensome.
Europe introduced a new set of payment requirements on September 14, 2019, to raise the standard of online payment authentication. These requirements are known as Strong Customer Authentication (SCA) and included enforcement timelines across 2020 and 2021 per country. SCA is intended to secure customer-initiated payments (as opposed to recurring payments) and can be fulfilled with 3DS 2, which is expected to be the main form of payment compliance. Like earlier versions of 3DS, it includes provisions to exempt transactions below certain amounts from additional verification.
While 3DS 2 technology will raise the level of online transaction security, there have been varied levels of global implementation. Europe is leading the charge among governments in widespread adoption mandates. The United States opted for a less direct approach; US fraud liability protection for merchants using 3DS 1.0 will expire on October 17, 2021. US issuers must have upgraded to 3DS 2.0 by August 31, 2020, and merchants that do not upgrade to 3DS 2.0 by October 17, 2021 will be unable to take advantage of the fraud liability shift from merchant to issuer bank. AsiaPay, Asia’s leading digital payment service and technology, announced its Xecure 3DS 2.0 solution, which is EMV 3-D Secure (3DS) version 2.2 certified. Thus, through direct mandates, regulatory incentives, or private-sector initiatives, 3DS 2.0 adoption is increasing worldwide, although implementation varies among different countries.
As Europe adopts these new requirements, the security of basic transactions will improve. However, this will raise the demand for cybercriminal means to bypass 3DS 2. The more technical hacking methods that target 3DS are unlikely to find the same success with 3DS 2, but phishing and social engineering schemes often transcend technical upgrades. This may make many of the methods described above more valuable in the cybercriminal underground.
The older versions of 3DS, such as version 1.0 (which is still widely used around the world), are susceptible to hackers who find ways to bypass their security features. The newer 3DS 2 version is more difficult for cybercriminals to bypass, especially through technical means, but it is not impervious to well-honed social engineering skills. Additionally, cybercriminals use phishing pages to trick victims into providing their passwords and PINs in order to make fraudulent purchases. Gemini Advisory assesses with moderate confidence that cybercriminals will likely continue to rely on social engineering and phishing to bypass 3DS security measures.
Gemini Advisory provides actionable fraud intelligence to the largest financial organizations in an effort to mitigate ever-growing cyber risks. Our proprietary software utilizes asymmetrical solutions in order to help identify and isolate assets targeted by fraudsters and online criminals in real-time.