Research indicates that criminals are sharing social engineering techniques for stealing the static passwords and one-time passcodes used by 3D Secure and similar card-authentication schemes. This is one more reason to avoid passwords and use biometrics wherever possible:
“Cyber-criminals are actively sharing tips and advice on how to bypass the 3D Secure (3DS) protocol to commit payment fraud, according to researchers.
A team at threat intelligence firm Gemini Advisory found the discussions on multiple dark web forums, claiming that phishing and social engineering tactics stood a good chance of success in certain situations.
Although version two of the protocol, designed for smartphone users, allows individuals to authenticate payments with hard-to-spoof or steal biometric information, earlier, less secure versions are still widely used, the firm claimed.
Use of a static password to authenticate exposes shoppers to such scams. Fraudsters could buy personal information on a user, call them up impersonating their bank and then provide some of this info to ‘prove’ their legitimacy, before asking for the password, Gemini Advisory said.
The firm’s analysts have also eavesdropped on reputable hackers offering advice on how to make purchases in real-time, bypassing two-factor authentication (2FA) codes. They enter stolen payment card details into an e-commerce site, then call the cardholder spoofing their number to appear as if they’re calling from the bank. When the 2FA code comes through, they request it from the victim.
Mobile malware could also be used to intercept 2FA numbers sent by 3DS v1 to shoppers, the report noted.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group
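The real-time code relay described in the quoted excerpt (stolen card entered at a merchant, spoofed call from "the bank", victim reads back the code that just arrived) works because a six-digit OTP is a bearer token: the issuer cannot tell who typed it. The following Python simulation is an added example, not code from the article or from any 3DS implementation. It contrasts a toy SMS-OTP issuer with a toy transaction-bound approval held on the cardholder's device, using an HMAC with a per-device secret as a stand-in for the device-resident signing key a biometric-gated authenticator would use. Class names, the `fraud-shop.example` merchant and all transactions are constructed for the example.

```python
"""Toy model of 3DS-style step-up: SMS OTP (relayable) vs device-bound approval.
Constructed simulation for illustration; not a 3DS implementation."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    pan_last4: str
    merchant: str
    amount: str


class Issuer:
    """Hypothetical issuer offering two challenge methods."""

    def __init__(self):
        self.pending_otp = {}   # txn_id -> [code, expiry, used]
        self.device_keys = {}   # pan_last4 -> secret enrolled on the cardholder's device
        self.approved = set()

    # Method 1: OTP over SMS. Whoever submits the right digits is accepted;
    # nothing ties the code to the person who received it.
    def send_sms_otp(self, txn, phone_inbox):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending_otp[txn.txn_id] = [code, time.time() + 120, False]
        phone_inbox.append(f"Your verification code is {code}")

    def verify_sms_otp(self, txn_id, submitted):
        rec = self.pending_otp.get(txn_id)
        if rec is None or rec[2] or time.time() > rec[1]:
            return False
        if not hmac.compare_digest(rec[0], submitted):
            return False
        rec[2] = True
        self.approved.add(txn_id)
        return True

    # Method 2: the cardholder's device authenticates the exact transaction.
    # The approval is an HMAC over merchant and amount with a key that never
    # leaves the device (stand-in for an asymmetric, biometric-gated signature).
    def enroll_device(self, pan_last4):
        key = secrets.token_bytes(32)
        self.device_keys[pan_last4] = key
        return key

    def challenge_bytes(self, txn):
        return f"{txn.txn_id}|{txn.pan_last4}|{txn.merchant}|{txn.amount}".encode()

    def verify_device_approval(self, txn, tag):
        key = self.device_keys.get(txn.pan_last4)
        if key is None or tag is None:
            return False
        expected = hmac.new(key, self.challenge_bytes(txn), hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, tag)
        if ok:
            self.approved.add(txn.txn_id)
        return ok


class CardholderDevice:
    """The banking app shows merchant and amount; the user approves or declines."""

    def __init__(self, key, trusted_merchants):
        self._key = key
        self.trusted = set(trusted_merchants)

    def approve(self, issuer, txn):
        if txn.merchant not in self.trusted:
            return None  # user declines a purchase they did not make
        return hmac.new(self._key, issuer.challenge_bytes(txn), hashlib.sha256).digest()


def otp_relay_attack():
    """Article's flow: stolen card at merchant, spoofed call, victim reads out the code."""
    issuer, victim_phone = Issuer(), []
    txn = Transaction("T1", "4242", "fraud-shop.example", "499.00")
    issuer.send_sms_otp(txn, victim_phone)
    read_out = victim_phone[-1].split()[-1]        # victim repeats the digits
    return issuer.verify_sms_otp(txn.txn_id, read_out)


def device_bound_attack():
    """Same fraudster, but the challenge lands on the victim's device as a
    merchant/amount prompt: there is no code to ask for, and the fraudster
    cannot forge the device's tag from card data alone."""
    issuer = Issuer()
    key = issuer.enroll_device("4242")
    device = CardholderDevice(key, {"shop-i-use.example"})
    txn = Transaction("T2", "4242", "fraud-shop.example", "499.00")
    declined = device.approve(issuer, txn) is None
    forged = hmac.new(b"pan+expiry+cvv", issuer.challenge_bytes(txn), hashlib.sha256).digest()
    return declined and not issuer.verify_device_approval(txn, forged)


def device_bound_legit():
    """Genuine purchase: the device approves the transaction it displays."""
    issuer = Issuer()
    device = CardholderDevice(issuer.enroll_device("4242"), {"shop-i-use.example"})
    txn = Transaction("T3", "4242", "shop-i-use.example", "42.00")
    return issuer.verify_device_approval(txn, device.approve(issuer, txn))
```

`otp_relay_attack()` returns True: the issuer approves the fraudster's purchase because the relayed code is indistinguishable from one typed by the cardholder. `device_bound_attack()` returns True only because there is nothing transferable to read out over the phone and the forged tag fails; the residual risk the simulation does not remove is a coached victim tapping approve on a prompt that plainly names a merchant they never visited, which is why the prompt must show the transaction details.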