Cybercriminals are constantly exploring and documenting new ways to get around the 3D Secure (3DS) protocol used for authorizing online card transactions.
Discussions on underground forums offer advice on how to bypass the latest variant of the security feature by combining social engineering with phishing attacks.
Individuals on multiple dark-web forums are sharing their knowledge on making fraudulent purchases at shops that have implemented 3DS to protect customer transactions.
3DS adds a layer of security for online purchases using credit or debit cards. It requires direct confirmation from the card owner to authorize a payment.
The feature has evolved since the first version, in which the bank asked the user for a code or a static password to approve the transaction. In the second version (3DS 2), designed for smartphones, users can confirm their purchase by authenticating in their banking app using their biometric data (fingerprint, face recognition).
Despite the advanced security features that 3DS 2 provides, the first version is still widely deployed, giving cybercriminals a chance to use their social engineering skills and trick users into giving up the code or password that approves the transaction.
Social engineering gets the 3DS code
In a blog post today, analysts at threat intelligence company Gemini Advisory share some of the methods cybercriminals discuss on dark-web forums to make fraudulent purchases at online stores that implemented 3DS.
It all starts with full cardholder information, which includes at least the name, phone number, email address, physical address, mother's maiden name, ID number, and driver's license number.
Cybercriminals use these details to impersonate a bank employee calling the customer to confirm their identity. By offering ..