{"id":13127,"date":"2019-04-09T03:51:04","date_gmt":"2019-04-09T07:51:04","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/digital-masks-card-fraud\/13127\/"},"modified":"2020-03-26T17:22:36","modified_gmt":"2020-03-26T13:22:36","slug":"digital-masks-card-fraud","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/digital-masks-card-fraud\/13127\/","title":{"rendered":"How crooks use your doppelgangers to pay with your card"},"content":{"rendered":"<p>You probably know that weird phenomenon: Airplane crashes get significantly more media attention than traffic accidents, despite the number of casualties per year being significantly smaller in the former. The same phenomenon applies to other aspects of life, including cybersecurity and cybercrime reporting.<\/p>\n<p>When back in 2014 we discovered <a href=\"https:\/\/www.kaspersky.com\/blog\/the-great-bank-robbery-carbanak-apt\/3598\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Carbanak<\/a>, the cybergang that had stolen more than a billion USD, that was a big deal for the press. But we should not forget that the more common credit card fraud that happens every day results in significantly bigger financial losses. For example, <em>The Nilson Report<\/em> estimates that <a href=\"https:\/\/www.businesswire.com\/news\/home\/20190129005802\/en\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">in 2018 card fraud caused about $24 billion in losses<\/a> and is set to grow significantly this year. Carding \u2014 that\u2019s what cybercriminals and security specialists call card fraud \u2014 is not dead. On the contrary, it\u2019s growing.<\/p>\n<p>That may seem surprising, with more and more banks implementing strict security systems and clever fraud-prevention solutions based on machine learning, and otherwise protecting funds on cards from being stolen. 
Theoretically, that should\u2019ve stopped at least the newbie crooks from stealing money from cards, but the statistics say otherwise. And on darknet forums, if someone asks a question like \u201cWhat is the first step in a cybercriminal career?\u201d the answer is \u201ccarding.\u201d<\/p>\n<p>Fortunately, carding has indeed become harder because of the security measures implemented by banks and payment platforms. Unfortunately, antifraud systems don\u2019t work that flawlessly in reality \u2014 and special services, tools, and marketplaces for those services and tools are available for those who want to give stealing money from others\u2019 credit cards a try.<\/p>\n<h2>Digital fingerprinting: Borrowing an identity to steal from its card<\/h2>\n<p>Kaspersky Lab researcher Sergey Lozhkin has <a href=\"https:\/\/securelist.com\/digital-doppelgangers\/90378\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">discovered a market on the darknet<\/a>, called Genesis, that is used to sell users\u2019 digital masks. He delivered a keynote on his discovery at the <a href=\"https:\/\/www.kaspersky.com\/blog\/tag\/sas-2019\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Security Analyst Summit 2019<\/a>. A digital mask consists of a user\u2019s digital fingerprint \u2014 Web history, OS and browser information, installed plugins, and so on \u2014 and information about the user\u2019s behavior: what they do online and how they do it.<\/p>\n<p>Why would crooks sell masks, and how is that related to carding? Digital masks are used by antifraud systems to verify users. If the digital mask that an antifraud system sees matches the one it has previously seen for the same user, it will mark the transaction legitimate. 
For quite a lot of banks, that means they won\u2019t even require a 3D Secure code sent by SMS or push notification to the user to confirm the transaction.<\/p>\n<p>So, if a criminal somehow manages to steal your digital mask and your online banking credentials, the antifraud system will think it\u2019s you and won\u2019t raise any flags. That way the criminal can siphon all the money from your account without being noticed.<\/p>\n<p>That is why some malefactors scrape the data from users\u2019 devices and put it on Genesis for sale. Others buy that information, which costs $5 to $200 depending on the amounts of data and credentials included, and use it to pretend to be the owner of that digital mask.<\/p>\n<p>To do that they use a free browser plugin. Developed by the people behind Genesis and called Genesis Security, the plugin lets them use the digital mask to recreate the legitimate user\u2019s virtual identity and thus fool antifraud systems. Basically, it modifies the parameters the antifraud system sees so that they match the parameters of the victim\u2019s device and recreates their behavior.<\/p>\n<h3>Collecting the fingerprints<\/h3>\n<p>So, where do the cybercriminals behind Genesis get the data they sell? The answer is simple, but rather vague: from various malware species.<\/p>\n<p>Not every piece of malware tries to encrypt your data for ransom or steal your money right after it gets on your device. Some species sit quietly, gathering all the data they can reach and creating those digital masks that are later sold on Genesis.<\/p>\n<h3>Other ways to bypass fraud prevention<\/h3>\n<p>The first way to bypass fraud prevention systems is to look familiar. The other is to look completely new. 
And, since criminals know about the other way, there\u2019s a service on the Internet to do that as well.<\/p>\n<p><em>Completely new<\/em> means next to no matching parameters between the digital mask used and any other digital masks the service is aware of. It means a fraudster won\u2019t be allowed to log in to a service with a fraud prevention system, even after installing a new browser on their PC, if some of the parameters \u2014 such as computer hardware, screen resolution, and many more \u2014 are the same as in the digital mask they used earlier.<\/p>\n<p>But a service called Sphere allows the crooks to create a new digital identity and customize all of those parameters so that the fraud prevention system sees them as someone completely new. And it has no reason not to trust that new person.<\/p>\n<h3>Saying no to doppelgangsters<\/h3>\n<p>The problem is that no matter how advanced the fraud prevention system is, these techniques still work, because the fraud prevention system\u2019s algorithms that determine whether the person is allowed to access the funds rely on exactly the same data the malefactors harvest.<\/p>\n<p>So, is it possible to protect against this advanced card fraud?<\/p>\n<p>For banks, protection requires introducing mandatory <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/two-factor-authentication\/\" target=\"_blank\" rel=\"noopener noreferrer\">two-factor authentication<\/a>, maybe even using some biometrics such as fingerprint reading (real, not digital), iris scanning, or face recognition as the second factor. Banks also need to be aware of the various kinds of fraud that emerge; otherwise, they won\u2019t implement measures to fight that fraud.<\/p>\n<p>From the user\u2019s perspective, the only way to protect yourself from this type of card fraud is to make sure no one can harvest your digital mask. 
And to do that, you need to install a <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">robust security solution<\/a> that will eliminate every single piece of malware trying to tamper with your data.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>How criminals use data harvested from users\u2019 devices to fool antifraud systems and siphon money from victims\u2019 accounts.<\/p>\n","protected":false},"author":40,"featured_media":13128,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1486],"tags":[1993,936,132,2085,80,337,2066,333],"class_list":{"0":"post-13127","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-thesas2019","10":"tag-bank-cards","11":"tag-credit-cards","12":"tag-digital-identity","13":"tag-fraud","14":"tag-sas","15":"tag-sas-2019","16":"tag-security-analyst-summit"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/digital-masks-card-fraud\/13127\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/digital-masks-card-fraud\/15582\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/digital-masks-card-fraud\/17503\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/digital-masks-card-fraud\/15653\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/digital-masks-card-fraud\/14347\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/digital-masks-card-fraud\/18214\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/digital-masks-card-fraud\/17157\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/digital-masks-card-fraud\/22584\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/digital-masks-card-fraud\/5
867\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/digital-masks-card-fraud\/26357\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/digital-masks-card-fraud\/11622\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/digital-masks-card-fraud\/11624\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/digital-masks-card-fraud\/10584\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/digital-masks-card-fraud\/18989\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/digital-masks-card-fraud\/23014\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/digital-masks-card-fraud\/18237\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/digital-masks-card-fraud\/22435\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/digital-masks-card-fraud\/22371\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/sas\/","name":"SAS"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13127","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=13127"}],"version-history":[{"count":3,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13127\/revisions"}],"predecessor-version":[{"id":16211,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/13127\/revisions\/16211"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/13128"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=13127"}],"wp:term":[{"taxonomy":"catego
ry","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=13127"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=13127"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}