Alibaba Yunyu · 2016/04/06 15:18

0x00 Overview


In the previous article we described the contents of a bank card in detail and the risk that a card can be cloned. This article introduces overseas credit card fraud and gives a preliminary discussion of credit card anti-fraud measures.

0x01 Basic Introduction


i) Basic terms:

Credit card: A bank card with a credit limit, which the cardholder can spend against in advance and repay later.

CVV2 / CVC2: Visa calls it CVV2 (Card Verification Value 2), MasterCard calls it CVC2 (Card Validation Code 2), and China UnionPay calls it CVN2. It is a 3- or 4-digit code printed on the card (usually on the back) and is used mainly to verify that whoever makes an online (card-not-present) transaction has the physical card. It is not encoded in the magnetic stripe, so a copied stripe alone does not yield it.

EMV (Europay, MasterCard and Visa): The standard set by the international payments industry for smart payment cards and for the POS terminals and ATMs that accept them; it was originally drawn up by Europay, MasterCard and Visa. Cards that comply with EMV are called chip cards or EMV smart cards (commonly, IC cards). Their data is stored in an integrated circuit rather than only in a magnetic stripe, but most EMV cards also carry a magnetic stripe for backward compatibility.

Card-not-present transaction (CNP): A transaction made without presenting the physical card, such as an online or telephone purchase.

Chargeback: When a cardholder reviews the bill and finds a transaction that is not theirs, or is dissatisfied with a transaction (for example, the goods do not match the merchant's description or were never delivered), they ask the card issuer to reverse it. Chargebacks arise for many reasons; credit card fraud accounts for a large share of them.

Fallback transaction: A transaction in which a chip (EMV) card is processed with its magnetic stripe data instead, either because the POS terminal does not support EMV or because the chip could not be used on an EMV terminal (technical fault, counterfeit card, attack, and so on).

ii) Fraudulent transaction process:

The flow of a fraudulent credit card transaction is shown in the figure.

Description:

The fraudster obtains the cardholder's credit card information (card number, expiry date, CVV2, name, contact details, and so on) by one of various means, then looks for websites that accept credit cards, registers on the merchant platform, binds the stolen card to the account and spends with it.

If the merchant verifies only the card number and name when the card is bound, with no stronger check, the fraudster binds the card easily. Likewise, the purchase itself usually needs only the card number, expiry date and CVV2. A merchant without a risk control system of its own is easy to profit from.

The merchant asks its acquiring bank to settle the funds; the charge either succeeds or fails.

Charge fails: the card's credit limit or balance is insufficient, or the card was bound successfully but became invalid before the purchase was charged.

Charge succeeds: the cardholder receives the statement, sees a transaction they did not make, and raises a chargeback.

iii) Chargeback

Chargeback process:

When a cardholder applies to the issuing bank for a chargeback, the issuing bank asks the cardholder for a written description of the problem and may also ask the acquiring bank for the relevant transaction receipt.

Once it has confirmed the chargeback application, the issuing bank submits it to the acquiring bank over the card organization's network.

The acquiring bank either resolves the chargeback itself or forwards it to the merchant.

The merchant chooses to accept or dispute the chargeback and reports its decision back to the acquiring bank.

Acquiring bank: if the merchant accepts, the charge is reversed and the funds are returned to the cardholder. If the merchant disputes it, the acquiring bank reports the result to the card organization.

Card organization: the card organization arbitrates the chargeback and finally decides who bears the loss.

Bad debt: When the merchant cannot collect the amount receivable, the amount becomes a bad debt.

Chargeback rate: If a merchant's chargeback rate is too high, the card organization requires the merchant to remediate; in serious cases it cancels the merchant's transaction channel.

In the matter of bad debts the merchant's role is decisive: without good risk control and strong verification, the merchant is likely to bear the losses.

0x02 The overseas credit card underground economy

i) The industry chain:

The industry chain is shown in the figure: green arrows represent the flow of data and red arrows the flow of money.

The attacker is usually the seller. They obtain users' bank card data by various means and sell it through a trading platform.

The trading platform classifies the card data by card organization, card type, region and so on for buyers to purchase, and takes a commission between seller and buyer.

The buyer pays anonymously, downloads the card data over an anonymous network, and uses it to cash out. Various other actors in the chain provide cash-out services for a fee.

ii) Anonymity

In the credit card fraud underground, anonymous networks and anonymous payments make fraudsters very hard to trace, and it is this anonymity that lets the industry thrive.

1. The Onion Router (Tor)

Tor, the Onion Router, is an anonymity network. Traffic is wrapped in several layers of encryption and relayed through multiple nodes, so a Tor user can communicate and visit websites without easily being traced. Access requires a purpose-built browser (the Tor Browser).

2. Deep web

The deep web is the part of the web that standard search engines cannot index. If the Internet is an ocean, this content lies in its depths, out of reach of ordinary search. The term is often used loosely to include the dark web: Tor hidden services, whose addresses end in .onion and which can only be reached through the Tor Browser. Such sites are full of credit card fraud, identity fraud, drugs and other criminal trade.

3. Bitcoin

Bitcoin is a cryptocurrency used worldwide: a peer-to-peer online payment system and unit of account, called a digital currency by some, first released as open-source software by Satoshi Nakamoto in 2009. It counts as a cryptocurrency because it uses cryptography to control the creation and transfer of money. Bitcoins can be obtained by buying them or by running the software's computation; obtaining them through large amounts of computation is commonly called "mining".

iii) Data theft

Data theft means obtaining the raw track data of a credit card, or enough card information to make payments with it.

Vulnerability exploitation: attacks and malware are used to steal card data. For example, penetrating the payment network of a merchant or acquiring bank and installing backdoors on POS terminals or ATMs (mostly Windows hosts) that scrape track data (dumps) from process memory. Or attacking ordinary users through drive-by downloads, trojans and social engineering: once the user runs the software a backdoor is implanted, and when it detects an online banking login or a payment it records the data and sends it to the command-and-control server.

Phishing: forging bank pages, leading users to log in and recording what they enter. Links to fake bank websites are sent to users by e-mail, by SMS from fake base stations, and so on, and users with weak security awareness simply type in their card details and other information. For example, we impersonated China Merchants Bank through a fake base station and sent phishing links to users; a user with weak security awareness has difficulty noticing that the bank's address is forged, as shown in the figure.

Social engineering: social engineering is usually combined with data breaches, phishing and so on. Once the fraudster has gathered some of the victim's information by various means, they use it to extract more. For example, with a leaked card number and name, the fraudster calls the cardholder posing as bank staff and tries to obtain the PIN, the CVV2 code and so on.

Offline acquisition: this usually means stealing the card itself or skimming it. A skimmer fitted to an ATM copies the card as the user withdraws cash, without the user noticing anything. A skimming device is fitted to a POS terminal and a promotion is used to lure users into swiping, or a merchant in collusion copies the card while the user is not paying attention.

iv) Data resale

1. Terminology

Dumps: the raw magnetic stripe data of a bank card, read with a card reader such as an MSR or scraped directly from memory by a backdoor installed on a POS terminal or ATM.

Fullz: a fraud term for a complete set of information that can be used to transact: the cardholder's name, address, card details, Social Security number, date of birth and so on.

Checker: a service on the trading platform that lets buyers check whether purchased card data is still valid. It charges the card for a small item and reads the response code to confirm validity, and collects a fee for doing so.
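To make two of the points above concrete (the memory-scraping backdoors described under data theft, and what a dump actually contains), here is an added example that is not part of the original article: a Python scanner that walks a constructed buffer standing in for POS process memory, picks out ISO 7813 track 1 and track 2 records with regular expressions, discards digit runs that fail the Luhn check, decodes the expiry and the service code (whose first digit tells an EMV terminal that a chip is present, so that a swipe of this card is a fallback transaction), and masks the PAN on output. Written as a detector, it is also the shape of a DLP scan over a memory dump or a log file. The sample buffer, the cardholder name and the track contents are constructed for this example and use the public Visa and MasterCard test PANs, not real cards.

```python
import re

# Constructed sample: a slice of POS process memory of the kind a
# memory-scraping backdoor (or a memory-scanning detector) walks through.
# PANs are the public Visa/MasterCard test numbers, not real cards; the
# cardholder name and the other fields are made up for this example.
SAMPLE_MEMORY = (
    b"\x00\x00TERM0042\x00"
    b"%B4111111111111111^DOE/JANE^25122011000000000000?"  # track 1
    b"\x00\x00junk\xff\xfe"
    b";5555555555554444=2512601123456789?"                 # track 2
    b"\x00;1234567890123456=2512101?\x00"                  # digit noise, fails Luhn
)

# ISO 7813 layouts:  %B<PAN>^<NAME>^<YYMM><SSS><discretionary>?
#                    ;<PAN>=<YYMM><SSS><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})([^?]*)\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})([^?]*)\?")

# Service code, first digit: 2 and 6 mean the card carries a chip, so an
# EMV terminal that sees this card swiped is handling a fallback transaction.
SERVICE_POS1 = {
    "1": "international interchange",
    "2": "international interchange, chip present",
    "5": "national interchange only",
    "6": "national interchange only, chip present",
    "7": "no interchange except under bilateral agreement",
    "9": "test card",
}
# Service code, third digit: allowed use and PIN requirement.
SERVICE_POS3 = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, PIN if PIN pad present",
    "7": "goods and services only, PIN if PIN pad present",
}


def luhn_ok(pan: str) -> bool:
    """ISO 7812 check digit test; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS style display masking: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list:
    """Return the Luhn-valid track records found in buf, in offset order.

    The PAN is masked before it is returned so that the scanner's own
    output does not become a second copy of cardholder data.
    """
    hits = []
    for m in TRACK1_RE.finditer(buf):
        hits.append((m.start(), 1, m.group(1), m.group(2), m.group(3), m.group(4), m.group(5)))
    for m in TRACK2_RE.finditer(buf):
        hits.append((m.start(), 2, m.group(1), b"", m.group(2), m.group(3), m.group(4)))

    records = []
    for offset, track, pan, name, yy, mm, sc in sorted(hits):
        pan = pan.decode()
        if not luhn_ok(pan):
            continue  # shaped like a track, but not a card number
        sc = sc.decode()
        records.append({
            "offset": offset,
            "track": track,
            "pan_masked": mask_pan(pan),
            "name": name.decode(errors="replace"),
            "expires": f"20{yy.decode()}-{mm.decode()}",
            "service_code": sc,
            "chip_present": sc[0] in ("2", "6"),
            "interchange": SERVICE_POS1.get(sc[0], "unknown"),
            "usage": SERVICE_POS3.get(sc[2], "unknown"),
        })
    return records


if __name__ == "__main__":
    for rec in scan_for_track_data(SAMPLE_MEMORY):
        print(rec)
```

Both records in the sample come out with chip_present set (service codes 201 and 601), which is exactly the data a fraudster writes to a blank stripe and the reason the liability for such a counterfeit, when swiped at a non-EMV terminal, was shifted to the merchant.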

2. Let us look at several bank card trading platforms.

As shown in figure 1.

As shown in figure 2.

As shown in figure 3.

All of these platforms take Bitcoin, which gives anonymity. They also offer proxy services, servers and paid tutorials, and sell PayPal, eBay and other account credentials.

v) Cashing out

1. Roles:

Dropper (drop): someone who provides a legitimate shipping address for fraudsters buying physical goods online. They typically rent an address using a forged ID and then receive the goods on the fraudster's behalf.

Runner: someone who goes to an ATM and withdraws cash with a counterfeit card.

Shopper: someone who goes to a physical store and cashes out with a counterfeit card.

2. Online cash-out:

Buying physical goods online and shipping them to a drop.

Buying virtual goods online: mainly topping up online game and gambling accounts, buying virtual currency, and buying memberships on pornographic sites.

Fraudsters also often buy hosts from cloud hosting vendors and "mine" with them for profit. Many cloud vendors bill after use, and settlement may take some time, so as long as the card is bound successfully and the vendor fails to spot the risk, the fraudster can cash out.

3. Offline cash-out:

Offline, the main method is withdrawing cash from ATMs with counterfeit cards: the fastest way, but also the riskiest.

The second is spending on the counterfeit card in physical stores.

4. Other:

The underground economy cannot avoid criminals cheating each other: card data is resold repeatedly, and cash-out services are not trustworthy.

vi) Who bears the loss after fraud

Losses from counterfeit card purchases are usually borne by the issuing bank. With the October 2015 liability shift in the United States, however, the card organizations added a new rule: if a fraudster copies the magnetic stripe of a chip card and the counterfeit is swiped at a terminal that does not support EMV, the acquiring bank or merchant bears the loss. Liability for counterfeit card fraud is summarised below.

    Card type                                       POS terminal            Liable party
    Pure magnetic stripe card                       with or without EMV     Issuing bank
    Chip card                                       EMV supported           Issuing bank
    Counterfeit copied from a chip card's stripe    EMV not supported       Acquiring bank or merchant
    Counterfeit copied from a chip card's stripe    EMV supported           Issuing bank

0x03 Credit card anti-fraud measures

i) Issuing banks and card organizations

Faced with ever more card fraud, the card organizations have taken a range of measures to curb it, such as upgrading card types and adopting stronger security checks.

1. Chip cards

Ordinary magnetic stripe cards can be copied, so chip cards were introduced. The chip holds a card key that cannot be read out and generates a cryptogram for each transaction, so data read from the card cannot be replayed to make a counterfeit chip; what can still be copied is only the backward-compatible magnetic stripe.
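The following Python model, added here as an illustration and not taken from the original article or from the EMV specifications, shows why a stripe dump or a captured authorization cannot be replayed against a chip: the chip holds a key that never leaves it, computes a fresh cryptogram over each transaction, and the issuer checks it with its own copy of the key and a transaction counter. Real EMV derives session keys and computes the ARQC with DES/AES-based MACs over a defined set of fields; the HMAC-SHA256 over a pipe-joined string used here is a deliberate simplification of that. The card, terminal and issuer classes, the field names and the sample amounts are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets


def _cryptogram(key, pan, amount_cents, unpredictable_number, atc) -> bytes:
    """Simplified ARQC: a MAC over the transaction data, truncated to 8 bytes.
    Real EMV uses session keys and DES/AES-based MACs; HMAC-SHA256 here
    only makes the principle visible."""
    data = f"{pan}|{amount_cents}|{unpredictable_number.hex()}|{atc}".encode()
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class ChipCard:
    """Simplified EMV chip: a per-card key that is never exported and an
    application transaction counter (ATC) that increments on every use."""

    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key      # readable only inside the chip
        self.atc = 0

    def generate_arqc(self, amount_cents: int, unpredictable_number: bytes):
        """Return (ATC, cryptogram) for one transaction."""
        self.atc += 1
        return self.atc, _cryptogram(self._key, self.pan, amount_cents,
                                     unpredictable_number, self.atc)


class Issuer:
    """Issuer host: holds each card's key and the highest ATC seen so far."""

    def __init__(self):
        self._keys = {}
        self._last_atc = {}

    def issue_card(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(16)
        self._keys[pan] = key
        self._last_atc[pan] = 0
        return ChipCard(pan, key)

    def authorize(self, pan, amount_cents, unpredictable_number, atc, arqc) -> bool:
        key = self._keys.get(pan)
        if key is None:
            return False
        if atc <= self._last_atc[pan]:
            return False  # counter did not advance: replayed or cloned data
        expected = _cryptogram(key, pan, amount_cents, unpredictable_number, atc)
        if not hmac.compare_digest(expected, arqc):
            return False
        self._last_atc[pan] = atc
        return True


def terminal_unpredictable_number() -> bytes:
    """The terminal's per-transaction nonce (4 bytes in EMV)."""
    return secrets.token_bytes(4)


def demo() -> dict:
    """Genuine chip use, a replay, a stripe clone and the card's next use."""
    issuer = Issuer()
    pan = "4111111111111111"          # public test PAN, not a real card
    card = issuer.issue_card(pan)

    un = terminal_unpredictable_number()
    atc, arqc = card.generate_arqc(1999, un)
    genuine = issuer.authorize(pan, 1999, un, atc, arqc)

    # Attacker captured (un, atc, arqc) from the first transaction and
    # submits it again: the ATC has not advanced, so it is rejected.
    replay = issuer.authorize(pan, 1999, un, atc, arqc)

    # Attacker has only the stripe dump (PAN, expiry, service code) and no
    # key, so the best they can do is guess a cryptogram for a fresh ATC.
    un2 = terminal_unpredictable_number()
    clone = issuer.authorize(pan, 1999, un2, atc + 1, secrets.token_bytes(8))

    # The genuine card keeps working: its counter moves past the attempts.
    atc3, arqc3 = card.generate_arqc(500, un2)
    later = issuer.authorize(pan, 500, un2, atc3, arqc3)
    return {"genuine": genuine, "replay": replay, "clone": clone, "later": later}


if __name__ == "__main__":
    print(demo())
```

The counterfeit that does still work is the magnetic stripe copied from the same chip card, which carries no key at all; that is the fallback case the liability table above assigns to the acquirer or merchant.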

2. 3-D Secure (Three-Domain Secure)

3-D Secure is a scheme used by Visa (as Verified by Visa) to confirm the cardholder's identity in online transactions; MasterCard uses the same scheme under the name MasterCard SecureCode. It requires support from the issuing bank: at checkout the user is redirected to the issuing bank's page and enters the security code set up with the bank to confirm their identity. Usually a specific card type is needed; for a domestic example, see Industrial Bank's guide to using 3-D Secure.

3. Credit mechanisms

The card organizations and each issuing bank hold users' credit records; users with bad records may be barred from transacting. CyberSource, a Visa Inc. subsidiary, provides merchants and banks with anti-fraud services based on such information.

ii) Cardholders

There are many ways to steal a user's card data. Cardholders can go to their bank to upgrade a magnetic stripe card to a chip card, and should stay security-aware:

1. Offline:

Keep the CVV2 code covered, swipe the card only at reputable places and keep it within sight.

Be wary of tempting promotions that require swiping the card.

Check the ATM card slot carefully for tampering.

2. Online:

Install anti-virus software on the computer; do not open links or software from unknown sources.

Check that the domain name is correct before logging in to any sensitive transaction site.

Install mobile apps only from official app stores.

When receiving messages about money, do not enter account passwords casually.

iii) Merchants (key point)

Merchants are heavily affected by credit card fraud. They usually suffer direct losses (physical goods lost and the money refunded; virtual goods taken by the fraudster) and bad debts. For each chargeback the merchant also pays processing and service fees. If the chargeback rate is too high, the card organization notifies the merchant to take corrective measures, and if it exceeds the allowed range the merchant's transaction account may be closed.

It is therefore the merchant's responsibility to take suitable measures to prevent and control credit card fraud.

1) Basic protections

1. Device fingerprinting. Fraud usually involves many accounts, so a way to identify users uniquely is needed, and identifying them by device fingerprint is a very important method. Merchants can build their own fingerprint reputation database or buy an authoritative third-party service.

2. Bot detection. Merchants should have their own methods for telling automated (machine) behaviour from human behaviour, using several signals.

3. Junk registration prevention. Merchants should have controls against junk registration, and against batch registration and batch login. IP-based blocking alone is not very effective, because switching IP addresses costs fraudsters little; junk registration control usually needs device fingerprinting combined with bot detection.

4. Stronger card-binding verification

A. 3-D Secure: the user must supply the online transaction password when binding the card, and the card is bound only after the issuer authenticates them.

B. Micro-charge: a random small amount is charged to the card during binding, and the user confirms their identity by entering the amount once it appears on their statement. PayPal charges $1.95 and then has the user enter a four-digit code that appears in the statement descriptor.

C. Special card types such as gift cards are not allowed to be bound. Otherwise a user binds such a card, and when the merchant tries to charge it after the service has been used (use first, pay later) the charge fails.

D. Card blacklists and BIN blacklists: for small issuers with high fraud rates and regions with heavy card theft, refuse binding or mark the card as risky.
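Items B, C and D above, as an added Python example that is not from the original article: a BIN category lookup that refuses prepaid/gift and blocked BINs and flags high-risk issuers for review, and a micro-charge challenge that charges a random amount of 1 to 99 cents, keeps the amount server-side, and allows the cardholder three attempts to read it back before the challenge is locked. The BIN table and the `charge_fn` callback (standing in for the call to the acquirer or payment service provider) are assumptions made for the example; real BIN data comes from the card organizations or a BIN vendor.

```python
import secrets
from dataclasses import dataclass

# Constructed BIN table (6- and 8-digit prefixes). Every prefix here is
# made up for the example; real tables come from the card organizations
# or a BIN-data vendor and must be refreshed regularly.
BIN_TABLE = {
    "601500": "prepaid_gift",   # gift/prepaid: cannot be charged later
    "511111": "prepaid_gift",
    "400001": "high_risk",      # small issuer with a high observed fraud rate
    "45678901": "blocked",      # 8-digit BIN seen in confirmed fraud
}


def bin_category(pan: str) -> str:
    """Longest-prefix match: 8-digit BINs take precedence over 6-digit ones."""
    for length in (8, 6):
        category = BIN_TABLE.get(pan[:length])
        if category:
            return category
    return "normal"


def binding_policy(pan: str) -> str:
    """Decide whether a card may be bound: allow, review (risk mark) or reject."""
    category = bin_category(pan)
    if category in ("prepaid_gift", "blocked"):
        return "reject"
    if category == "high_risk":
        return "review"
    return "allow"


@dataclass
class MicroChargeChallenge:
    pan_last4: str
    amount_cents: int        # kept server-side; the user sees it on the statement
    attempts_left: int = 3
    verified: bool = False
    locked: bool = False


def start_micro_charge(pan: str, charge_fn, rng=secrets.randbelow):
    """Charge a random 1..99 cent amount to the card and open a challenge.

    charge_fn(pan, cents) is a hypothetical call to the acquirer/PSP that
    returns True when the authorization succeeds. A card that cannot even
    carry a few cents is invalid or blocked, and no challenge is created.
    """
    if binding_policy(pan) == "reject":
        return None
    cents = rng(99) + 1
    if not charge_fn(pan, cents):
        return None
    return MicroChargeChallenge(pan[-4:], cents)


def confirm_micro_charge(challenge: MicroChargeChallenge, claimed_cents) -> bool:
    """Check the amount the cardholder read from their statement."""
    if challenge.locked or challenge.verified:
        return False
    challenge.attempts_left -= 1
    try:
        claimed = str(int(claimed_cents))
    except (TypeError, ValueError):
        claimed = ""                      # garbage input counts as a wrong attempt
    if secrets.compare_digest(str(challenge.amount_cents), claimed):
        challenge.verified = True
        return True
    if challenge.attempts_left == 0:
        challenge.locked = True           # no more guessing; issue a new charge
    return False


if __name__ == "__main__":
    # Demo with a charge callback that always approves and a fixed "random" amount.
    ch = start_micro_charge("4111111111111111", lambda pan, cents: True, rng=lambda n: 41)
    print(binding_policy("6015001234567890"), ch, confirm_micro_charge(ch, 42))
```

With 99 possible amounts and three attempts, a fraudster who never sees the statement still has roughly a 3% chance of guessing; that is why PayPal's variant puts a four-digit code (10,000 possibilities) in the statement descriptor, and why the challenge should also be rate-limited per account and per device fingerprint, and the charge refunded once verification completes.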

5. Transaction verification

A. $0 / $1 authorization: a zero- or one-dollar authorization checks that the bound card is still valid. For example, with a "use first, pay later" merchant the user binds a card, passes verification, and only transacts much later; when the merchant finally charges the card after the service has been used it finds the card is no longer valid.

B. AVS (Address Verification Service): verifies the cardholder's billing address, which can be checked before physical goods are shipped.

C. Pre-authorization hold: for example, with a "use first, pay later" merchant the user consumes a large amount of service, but when the merchant settles it finds the bound card has insufficient balance. Once spending passes a certain threshold, the amount can therefore be placed on hold (pre-authorized) in advance.

6. Business monitoring. Merchants should have their own business monitoring: transaction monitoring by user, by device and by IP address. Check abnormal transactions promptly and take confirmation measures such as e-mail confirmation, call-back or manual confirmation.
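Card testing, the merchant-side face of the "checker" service described earlier, shows up as one device or account running many small authorizations against many different cards, most of them declined, often spread over several IP addresses. The following Python example, added here and not from the original article, runs a sliding-window velocity check over a constructed transaction log keyed by device fingerprint and by IP address. The log lines, the field layout, the thresholds and the fingerprint values are assumptions for the example; it is built so that the same device rotating through three IP addresses stays under the per-IP threshold but is caught by the per-device one, which is the point made above about IP-based blocking alone.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log: time,account,device_fp,ip,card_token,amount,result.
# Card tokens stand in for a keyed hash of the PAN; no real card data.
SAMPLE_LOG = """\
2016-04-06T15:00:01Z,acc_001,fp_A1,198.51.100.7,tok_c01,1.00,declined
2016-04-06T15:00:20Z,acc_001,fp_A1,198.51.100.7,tok_c02,1.00,declined
2016-04-06T15:00:45Z,acc_001,fp_A1,198.51.100.8,tok_c03,1.00,approved
2016-04-06T15:01:10Z,acc_002,fp_B2,203.0.113.10,tok_c90,49.90,approved
2016-04-06T15:01:30Z,acc_001,fp_A1,198.51.100.8,tok_c04,1.00,declined
2016-04-06T15:02:05Z,acc_001,fp_A1,198.51.100.9,tok_c05,1.00,declined
2016-04-06T15:02:40Z,acc_001,fp_A1,198.51.100.9,tok_c06,1.00,declined
2016-04-06T15:03:15Z,acc_001,fp_A1,198.51.100.7,tok_c07,1.00,approved
2016-04-06T15:03:50Z,acc_001,fp_A1,198.51.100.8,tok_c08,1.00,declined
2016-04-06T15:04:30Z,acc_001,fp_A1,198.51.100.9,tok_c09,1.00,declined
2016-04-06T15:05:00Z,acc_001,fp_A1,198.51.100.7,tok_c09,1.00,approved
2016-04-06T15:06:00Z,acc_002,fp_B2,203.0.113.10,tok_c90,12.00,approved
2016-04-06T15:07:00Z,acc_003,fp_C3,192.0.2.44,tok_c77,5.00,declined
"""

FIELDS = ["time", "account", "device_fp", "ip", "card", "amount", "result"]


def parse_log(text: str) -> list:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = dict(zip(FIELDS, line.split(",")))
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        rec["amount"] = float(rec["amount"])
        events.append(rec)
    return events


def detect_card_testing(events, window=timedelta(minutes=10), min_attempts=8,
                        max_distinct_cards=5, max_decline_ratio=0.6) -> dict:
    """Sliding-window velocity check per device fingerprint and per IP.

    A key is alerted when, within `window`, it has at least `min_attempts`
    authorizations and either too many distinct cards or too high a decline
    ratio. Returns {(dimension, key): stats} with the stats at the moment the
    threshold was first crossed, so the alert can be acted on in real time.
    """
    windows = defaultdict(deque)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        for dimension in ("device_fp", "ip"):
            key = (dimension, ev[dimension])
            q = windows[key]
            q.append(ev)
            while ev["time"] - q[0]["time"] > window:
                q.popleft()
            attempts = len(q)
            if attempts < min_attempts or key in alerts:
                continue
            distinct = len({e["card"] for e in q})
            decline_ratio = sum(e["result"] == "declined" for e in q) / attempts
            if distinct >= max_distinct_cards or decline_ratio >= max_decline_ratio:
                alerts[key] = {
                    "attempts": attempts,
                    "distinct_cards": distinct,
                    "decline_ratio": round(decline_ratio, 2),
                    "accounts": sorted({e["account"] for e in q}),
                    "at": ev["time"].isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for key, stats in detect_card_testing(parse_log(SAMPLE_LOG)).items():
        print(key, stats)
```

The alert carries the accounts seen behind the fingerprint, which is what the confirmation step (e-mail, call-back or manual review) needs; in production the same keys would also be fed back into the card-binding policy so that a device already caught testing cards cannot bind new ones.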

2) Credit card anti-fraud based on machine learning

Machine learning in fact plays an important role in credit card fraud detection: algorithms such as neural networks, Bayesian classifiers and SVMs are used to build a risk control model that identifies risky transactions effectively.

In supervised learning, labelled transaction data (fraudulent or normal) is provided, and a Bayesian classifier or an SVM is trained on it to predict the class of new transactions, which yields the prevention model. There is a good deal of material on machine-learning-based credit card anti-fraud abroad; interested readers can follow the links in the references.

1. Training samples

Whether supervised or unsupervised learning is used, and whichever algorithm is chosen, enough training samples are needed, and the samples must carry some basic factors to work well; see the table below. Merchants can of course add to or modify the factors according to their own business.

    Category                 Content
    Device information       Operating system, system locale, system time, browser information, Flash information, device reputation, etc.
    User information         Registration time, whether registered through a proxy, gender, country, age, authentication information, e-mail, mobile phone number, etc.
    Behaviour information    Latest login time, latest login IP, whether the IP appears in the risk database, whether the latest login was via a proxy, changes of login environment (new device, new browser, etc.), latest purchase behaviour, latest browsing behaviour, etc.
    Transaction information  Payment type, transaction amount, card BIN, the user's behaviour during the transaction, cumulative amount for the day, purchase history for the last month, etc.
    Other information        For example, an established user reputation score

2. Risk control model

Merchants should build user blacklists and whitelists from transaction data and combine all of the information above into their own risk control model.

The general flow of a transaction is shown in the figure:

In anti-fraud, all of the user's behaviour information needs to be connected, rather than judging only the current behaviour and device at the moment of purchase. From registration onwards the user's behaviour (risky IP, proxy use, and so on) is recorded; at login that information feeds into the card-binding stage; card binding accumulates more; and all of it finally feeds into the transaction decision. Combining all of this into a reputation system is what builds the risk control model.

Of course, when the risk control model cannot decide, the transaction needs manual review, and the model is improved continuously.
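As an added example of the supervised approach described above (not code from the original article), here is a categorical Naive Bayes classifier written with the Python standard library only, trained on a small constructed set of labelled transactions whose features are drawn from the table of training factors (proxy use, risky IP, change of device, card BIN risk, amount bucket, account age), with Laplace smoothing so that a feature value never seen in one class does not zero out the score. The decision function puts the blacklist and whitelist ahead of the model and sends scores the model is not confident about to manual review, which is the manual audit step mentioned above. The training rows, feature names and thresholds are all assumptions for the example; a real model would be trained on the merchant's own labelled history and its thresholds tuned on held-out data.

```python
from collections import Counter
from math import exp, log

FEATURES = ["proxy", "risk_ip", "device_changed", "bin_risk", "amount", "account_age"]


def tx(proxy, risk_ip, device_changed, bin_risk, amount, account_age) -> dict:
    """Build one transaction feature vector (all features categorical)."""
    return dict(zip(FEATURES, (proxy, risk_ip, device_changed, bin_risk, amount, account_age)))


# Constructed labelled history; a real model trains on the merchant's own data.
TRAINING = [
    (tx("yes", "yes", "yes", "high", "large",  "new"), "fraud"),
    (tx("yes", "no",  "yes", "high", "medium", "new"), "fraud"),
    (tx("no",  "yes", "yes", "low",  "large",  "new"), "fraud"),
    (tx("yes", "yes", "no",  "high", "large",  "new"), "fraud"),
    (tx("yes", "yes", "yes", "low",  "medium", "old"), "fraud"),
    (tx("no",  "no",  "yes", "high", "large",  "new"), "fraud"),
    (tx("no",  "no",  "no",  "low",  "small",  "old"), "legit"),
    (tx("no",  "no",  "no",  "low",  "medium", "old"), "legit"),
    (tx("no",  "no",  "yes", "low",  "small",  "old"), "legit"),
    (tx("no",  "no",  "no",  "low",  "large",  "old"), "legit"),
    (tx("yes", "no",  "no",  "low",  "small",  "old"), "legit"),   # legitimate VPN user
    (tx("no",  "no",  "no",  "high", "small",  "new"), "legit"),
    (tx("no",  "yes", "no",  "low",  "medium", "old"), "legit"),
    (tx("no",  "no",  "no",  "low",  "medium", "new"), "legit"),
]


class NaiveBayes:
    """Categorical Naive Bayes with Laplace (add-alpha) smoothing."""

    def __init__(self, alpha: float = 1.0):
        self.alpha = alpha

    def fit(self, rows):
        self.n = len(rows)
        self.class_counts = Counter(label for _, label in rows)
        self.values = {f: set() for f in FEATURES}
        self.counts = {c: {f: Counter() for f in FEATURES} for c in self.class_counts}
        for x, label in rows:
            for f in FEATURES:
                self.counts[label][f][x[f]] += 1
                self.values[f].add(x[f])
        return self

    def p_fraud(self, x) -> float:
        """Posterior P(fraud | x), computed in log space for stability."""
        logp = {}
        for c, n_c in self.class_counts.items():
            lp = log(n_c / self.n)
            for f in FEATURES:
                # An unseen value still gets alpha / (n_c + alpha * |values|).
                k = len(self.values[f])
                lp += log((self.counts[c][f][x[f]] + self.alpha) / (n_c + self.alpha * k))
            logp[c] = lp
        m = max(logp.values())
        return exp(logp["fraud"] - m) / sum(exp(v - m) for v in logp.values())


REJECT_AT, REVIEW_AT = 0.9, 0.5


def decide(model, user_id, x, blacklist=frozenset(), whitelist=frozenset()) -> str:
    """Lists first, then the model; uncertain scores go to manual review."""
    if user_id in blacklist:
        return "reject"
    if user_id in whitelist:
        return "approve"
    p = model.p_fraud(x)
    if p >= REJECT_AT:
        return "reject"
    if p >= REVIEW_AT:
        return "manual_review"
    return "approve"


if __name__ == "__main__":
    model = NaiveBayes().fit(TRAINING)
    for sample in (tx("yes", "yes", "yes", "high", "large", "new"),
                   tx("no", "no", "no", "low", "small", "old"),
                   tx("yes", "yes", "yes", "low", "medium", "old")):
        print(round(model.p_fraud(sample), 3), decide(model, "u42", sample))
```

Naive Bayes assumes the features are independent given the class, which is false for most of these signals (a proxy and a risky IP are correlated), so the posterior is a ranking score rather than a calibrated probability; the review band exists precisely because of that, and the reviewers' verdicts are the labels that retrain the model.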

0x04 Summary

Credit card fraud has been going on for a long time. Card organizations, banks and merchants should each take appropriate measures to reduce the risk; for merchants, building their own risk control model is particularly important.

0x05 References


  • www.blackhat.com/docs/asia-1…
  • www.ulb.ac.be/di/map/adal…
  • Ijettjournal.org/volume-8/nu…
  • Ijrte.academypublisher.com/vol02/no03/…
  • Albahnsen.com/files/Cost%…
  • Usa.visa.com/dam/VCOM/do…
  • www.emv-connection.com/downloads/2…
  • www.emv-connection.com/downloads/2…