How to get around the 3D Secure Protocol.
The 3D Secure (3DS) technology, which is used to approve online transactions using credit or debit cards, is continually being circumvented by cybercriminals. Members of secret forums share advice on how to employ phishing and social engineering to get around the newest security measure.
A lot has changed since the original iteration of 3DS, in which the bank requested a code or password from the user to validate the transaction. In the second iteration (3DS 2), created for smartphones, users can validate their purchase by logging in to the banking application with biometric information (fingerprint, face recognition). Although 3DS 2 has more comprehensive security protections, the previous generation is still extensively used, allowing fraudsters to use their social engineering skills to deceive users into installing malicious software or into providing a code or password to confirm a transaction.
Gemini Advisory’s experts talked about some of the methods that cybercriminals share on dark web forums to make fraudulent purchases in 3DS-enabled online stores. It all starts with gaining access to complete information about the cardholder, including name, phone number, email address, physical address, mother’s maiden name, identification number and driver’s license number. Cybercriminals use this data to impersonate a bank employee calling a customer to verify their identity. Using the personal information they have obtained, they gain the victim’s trust and ask for their password or code to complete the process.
The same tactic can work with later versions of 3DS, allowing purchases to be made in real time. Using full cardholder information, a voice changer, and a spoofing phone app, a fraudster can initiate a purchase on the site and then call the victim to get the information he needs.
“At the last stage, the hacker informs the victim that he will receive a confirmation code for the final identity verification, after which the cybercriminal places an order in the store. When prompted to enter the verification code that was sent to the victim’s phone, the fraudster will be able to get it from the victim,” the experts explained.
The 3DS code can also be obtained in other ways, such as phishing. When a victim makes a purchase on a phishing site, the criminals transfer all data to the legitimate store in order to get their product. According to experts, some cybercriminals also add stolen credit card details to a PayPal account and use it as a payment method.
Another method is “classic” and involves hacking the victim’s phone with malware that can intercept the security code and pass it on to the fraudster. In addition, many stores do not ask for a 3DS code when the transaction amount is below a certain limit, which allows fraudsters to make multiple small purchases.
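On the merchant or issuer side, the below-limit gap described above can be closed by capping how much unchallenged spend a card may accumulate. The following is an added example, not taken from the article or from Gemini Advisory; the threshold values, the 24-hour window, the card tokens and the `ExemptionTracker` class are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values for illustration; none come from the article.
EXEMPT_BELOW = 3000        # cents: purchases under this skip the 3DS challenge
WINDOW = timedelta(hours=24)
MAX_EXEMPT_TOTAL = 10000   # cents of unchallenged spend allowed per card per window
MAX_EXEMPT_COUNT = 5       # unchallenged purchases allowed per card per window


class ExemptionTracker:
    """Tracks unchallenged low-value purchases per card token."""

    def __init__(self):
        self._exempt = defaultdict(deque)  # card -> deque of (timestamp, cents)

    def requires_challenge(self, card, cents, ts):
        hist = self._exempt[card]
        while hist and ts - hist[0][0] > WINDOW:   # expire entries outside the window
            hist.popleft()
        if cents >= EXEMPT_BELOW:
            return True                            # at or above the limit: never exempt
        total = sum(c for _, c in hist) + cents
        if total > MAX_EXEMPT_TOTAL or len(hist) + 1 > MAX_EXEMPT_COUNT:
            return True                            # many small purchases add up
        hist.append((ts, cents))                   # only unchallenged spend is counted
        return False

    def mark_authenticated(self, card):
        """Call after the cardholder passes a challenge; resets the counters."""
        self._exempt.pop(card, None)


def evaluate(transactions):
    """Return one challenge decision per (card, cents, timestamp) tuple."""
    tracker = ExemptionTracker()
    return [tracker.requires_challenge(c, amt, ts) for c, amt, ts in transactions]


# Constructed sample: one card making 25.00 purchases ten minutes apart.
T0 = datetime(2024, 1, 1, 12, 0)
SAMPLE = [("tok_A", 2500, T0 + timedelta(minutes=10 * i)) for i in range(6)]

if __name__ == "__main__":
    for (card, cents, ts), challenge in zip(SAMPLE, evaluate(SAMPLE)):
        print(ts.time(), card, cents / 100, "CHALLENGE" if challenge else "exempt")
```

The counters are reset only through `mark_authenticated`, so a failed or abandoned challenge does not give the card a fresh allowance.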