According to Positive Technologies, up to 50% of banks still do not protect their clients from attacks that guess CVV2 and expiry date values. This weakness is actively exploited by criminals, particularly in Latin America, who seek out cards and banks susceptible to these attacks.

Distributed card credential guessing attacks

These attacks are often referred to as BIN master attacks or distributed guessing attacks. The term gained notoriety from a significant case in 2016, when the UK's Tesco Bank experienced such a large-scale attack that card payments were suspended for 48 hours.

Over a few days, attackers stole £22 million from 20,000 cards. This incident highlighted vulnerabilities, especially in systems not equipped with 3-D Secure. Notably, in 2018, the bank was fined £16 million, indicating that the cards lacked 3-D Secure protection.

Although these figures were low compared to other major hacks in recent years, it was crucial to consider that Tesco Bank was a relatively small institution with about 136,000 accounts in total. Therefore, the 9,000 affected accounts represented 6.6% of its customer base. Previous reports had suggested that up to 30% of its total customer base was impacted.

Such a high percentage of affected customers likely caused a significant erosion of customer trust, leading to financial strain for the bank. In contrast, a larger bank with more accounts would have experienced fewer negative consequences as a smaller fraction of its customer base would have been affected.

The attack highlighted a significant concern for nearly all small and medium financial institutions: the limited pool of IT security expertise. Smaller banks struggled to compete for talent, as securing millions of accounts did not require proportionally more effort than securing thousands.

Consequently, smaller banks had to allocate a larger portion of their budget to secure their infrastructure. Larger banks could afford better systems and higher wages, thus attracting more skilled personnel.

3-D Secure Liability rules

3-D Secure is an authentication service provided by the issuing bank in line with the PSD2 Strong Customer Authentication (SCA) regulation and the EMVCo standard. Whether to invoke it during an online payment is up to the merchant. Many merchants, such as Booking.com and Amazon, only employ it when they estimate the probability of fraud to be high; in most cases merchants skip it to reduce friction and preserve conversion.

How hackers guess full card details

A card number consists of several parts, with the first six or eight digits being the Bank Identification Number (BIN). The last digit is a checksum calculated using the Luhn algorithm.

For example, if a card number is 1234 5678 1234 5670, the next card in the range might end with 5688, followed by 5696, and so on. If the bank also issues card numbers sequentially, cards issued together in a range tend to share an expiry date, which makes the expiry of subsequent cards easier to guess.
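The checksum described above, as an added example that is not part of the original article: a merchant-side Luhn validator in Python (function names are my own) that confirms the three numbers from the example pass and that a typo in the last digit fails. The checksum is a formatting check, not a security control: one in every ten sequential numbers passes it.

```python
def luhn_valid(pan: str) -> bool:
    """Return True when the PAN's last digit is the correct Luhn check digit."""
    digits = [int(c) for c in pan if c.isdigit()]
    if not 13 <= len(digits) <= 19:          # plausible PAN lengths only
        return False
    total = 0
    # Walk from the right: every second digit is doubled, and 9 is
    # subtracted when doubling yields a two-digit value.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def precheck_pan(pan: str) -> str:
    """Merchant-side input check (hypothetical helper): drop malformed PANs
    before sending an authorization request, so typos never reach the issuer."""
    return "forward to issuer" if luhn_valid(pan) else "reject: Luhn checksum failure"
```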

Additional methods for guessing card details

To protect against such guesses, payment systems recommend randomising PAN (Primary Account Number) issuance. However, attackers can abuse other banking services that accept a PAN and expiry date, such as password recovery or mobile banking login forms, to confirm which combinations are valid.

Guessing the CVV / CVC

The final step is guessing the three-digit CVV2/CVC2 code. In 2014, researchers found that many online services allowed brute-forcing CVV2. Attackers often have the tools needed to perform such attacks. In 2019, a similar vulnerability was patched in the Magento CMS payment module for PayPal.

Using guessed details for mobile wallets

Another common method involves using guessed credentials to set up Google Pay or Apple Pay wallets. In some cases, banks do not require additional verification for these setups, allowing attackers to use guessed card details to create fully functional virtual cards.

One of the most notable fraud cases targeted Apple stores directly. The investigation revealed that Daniel Butler and his accomplices fraudulently obtained at least 477 credit cards, which they linked to Apple Pay on their iPhones. Using their iPhones, they made Apple Pay purchases at various retailers without needing the physical credit cards. According to the DOJ, the group made over $1.5 million in fraudulent purchases.

The problem lies in the fact that many US banks did not require extra verification, such as a one-time code or a call to the bank, when issuing a mobile wallet like Apple Pay. As a result, with just the card number, expiration date, and CVV2 code, a fully functional virtual card could be created and used for payments globally, not just in the USA.

Protection methods

AVS

The Address Verification System (AVS) is one of the most important layers of protection for card-not-present transactions. It compares the billing address and postcode supplied during the transaction with those the issuer holds on file, and it can also be used at payment terminals that support PAN key entry.

Limiting multiple checkouts

Another method is limiting the number of checkout attempts, combined with address verification. Restricting checkout attempts per user deters fraudsters who rely on rapid, low-value transaction attempts.

Transaction monitoring and analysis

Transaction monitoring and analysis are also key strategies. Monitoring for high volumes of low-value purchases, which are typical of BIN attacks, helps detect suspicious activity. Specific patterns, such as repeated expiry date and CVV errors on the same card, indicate card testing and should be watched closely.
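An added example, not from the original article, of the monitoring rules just described: it runs over a constructed authorization log (the log format, field names and thresholds are my own assumptions) and flags a card with repeated CVV/expiry mismatch declines as well as a BIN range that sees low-value attempts across several cards within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed authorization log (sample data, not from a real processor).
# Fields: timestamp, masked PAN (BIN + last four), amount, outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 123456******5670 1.00 cvv_mismatch
2024-05-01T10:00:03Z 123456******5670 1.00 cvv_mismatch
2024-05-01T10:00:05Z 123456******5670 1.00 expiry_mismatch
2024-05-01T10:00:09Z 123456******5670 1.00 approved
2024-05-01T10:00:40Z 123456******5688 1.00 cvv_mismatch
2024-05-01T10:01:10Z 123456******5696 1.00 cvv_mismatch
2024-05-01T12:00:00Z 987654******1111 0.50 cvv_mismatch
"""
VERIFICATION_DECLINES = {"cvv_mismatch", "expiry_mismatch"}

def parse_log(text):
    """One attempt per line -> (time, masked_pan, amount, outcome)."""
    rows = []
    for ts, pan, amount, outcome in (line.split() for line in text.splitlines()):
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), pan, float(amount), outcome))
    return rows

def _burst(events, window, threshold):
    """True if some window-long interval holds >= threshold distinct values."""
    events.sort()
    for i, (start, _) in enumerate(events):
        distinct = {v for t, v in events[i:] if t - start <= window}
        if len(distinct) >= threshold:
            return True
    return False

def flag_card_testing(rows, window=timedelta(minutes=10), max_mismatch=3,
                      low_value=5.0, min_cards_per_bin=3):
    """Return {card or BIN: reason} for the two patterns in the text above."""
    per_card = defaultdict(list)  # masked PAN -> (time, attempt no.)
    per_bin = defaultdict(list)   # BIN -> (time, masked PAN)
    for idx, (ts, pan, amount, outcome) in enumerate(rows):
        if outcome in VERIFICATION_DECLINES:   # repeated CVV/expiry errors
            per_card[pan].append((ts, idx))
        if amount <= low_value:                # tiny test purchases
            per_bin[pan[:6]].append((ts, pan))
    flags = {}
    for pan, ev in per_card.items():
        if _burst(ev, window, max_mismatch):
            flags[pan] = "repeated CVV/expiry mismatches on one card"
    for bin_, ev in per_bin.items():
        if _burst(ev, window, min_cards_per_bin):
            flags[bin_] = "low-value attempts across many cards in one range"
    return flags
```

Thresholds are deliberately low for the sample; in production they should be tuned per merchant against the normal decline rate so that honest typos do not trigger the rule.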

Activity and event monitoring

Activity and event monitoring offer another layer of protection. This involves monitoring user behaviours beyond transactions, such as logins, account changes, IP addresses, and device usage. Identifying and flagging irregular activities can help detect and prevent potential fraud before it occurs.

User authentication

Finally, user authentication provides an additional security layer. Implementing systems like CAPTCHA and multi-factor authentication (including biometrics and facial recognition) can validate user authenticity at the transaction point. This measure is particularly effective in preventing software-based brute-force attacks.

To wrap up, I want to remind readers that financial regulations in most parts of the world require institutions to "know your customer." KYC refers to a set of standards and practices designed to verify that financial customers are who they claim to be.

This process includes checking if customers have criminal histories or hold politically exposed positions, which pose higher risks for abusing an institution’s services to commit financial crimes.