Hackers Know How to Bypass 3D Secure
The 3D Secure provides a second level of security for users’ bank cards, is constantly in the spotlight of cybercriminals, as the latter look for ways to circumvent it.
That’s why on one of the dark web forums, the attackers shared their best practices that allow unauthorized purchases of goods in online stores at cardholders’ expense.
Even your gift card can be traced. Read this article and take the necessary measures to protect yourself.
What is 3D secure?
3D Secure is a two-factor authentication of the cardholder when making a payment. In simple terms, this is a confirmation that it is actually the cardholder who makes the payment by entering a password sent by SMS to the cardholder’s phone number.
The technology is used to confirm the identity of the client. It is based on the XML Protocol (Extensible Markup Language Protocol). The name 3D Secure stands for the three domains that are involved in the data processing.
Initially, the technology was included in the Verified by VISA package and was available only to VISA cardholders. Now 3DS authentication is widely used by payment systems in different countries. Let’s take a closer look at what it is.
Avoid national consumer scams following the essential methods listed in this article.
3DS adds an extra layer of protection when shopping in online stores. Thanks to the protocol, the buyer must confirm that he is indeed the owner of the bank card from which the money is debited.
The second version of the protocol (3DS 2.0) is designed specifically for smartphones. It allows the confirming of purchases using banking applications installed on the mobile device. In this case, the user can use biometric authentication: fingerprint or face scanning.
Online thieves went offline and learned how to rob your house using a smartphone.
What’s wrong with 3D security?
However, the first version of the 3DS is still in use in many stores, which opens up methods of cheating the cardholder with social engineering. In this case, the attackers’ main task is to force the user to enter a shortcode or password to confirm an illicit transaction made by the attackers.
As noted by cybercriminals on the forum, the successful use of a combination of social engineering and phishing attacks can allow you to bypass 3D Secure and buy any product at the expense of an unsuspecting citizen.
Bank data theft can be one of the reasons for social engineering.
The security company Gemini Advisory published a post in which they warn users about the existing methods of circumventing the 3D Secure protocol. At the same time, experts emphasize that cybercriminals are actively discussing these methods, leading to a surge in such attacks.
To implement the described methods, an attacker will first need to obtain at least a minimum amount of information about the cardholder: his name, phone number, email address, residential address, and possibly driver’s license number.
Why is it dangerous?
After obtaining the necessary data, the criminal can use it in a conversation with the user in the guise of a bank employee. As a rule, gullible users fall for such tricks because the fraudster gives out the correct information. One of the visitors to the dark web forum described just such a scheme:
Using user data, voice-altering software, and a phone number spoofing app purchased in an online store, a cybercriminal can then call the cardholder and find out all the information needed to confirm the transaction.
Cybercriminals also described other ways, such as luring a user to a phishing site, install malware on their mobile device, and so on. In general, people need to be more careful when it comes to bank cards.
Don’t forget to refresh your mind with the latest news in the cybersecurity world.