All About Fraud: How Cyber Crooks Get CVV Online?

Burns-Wilcox.com insurance company regional director Kenneth Labelle wrote:

“So, I am trying to figure out how card not present transactions are possible after a breach due to the CVV. If the card information was stolen via the point-of-sale system then the hacker should not have access to the CVV because its not on the magnetic strip. So how in the world are they committing card not present fraud when they don’t have the CVV number? I don’t understand how that is possible with the CVV code being used in online transactions.”

First off, “dumps,” or credit and debit card accounts that are stolen from hacked point-of-sale systems via skimmers or malware on cash register systems, retail for about $20 apiece on average in the cybercrime underground.

Each dump can be used to fabricate a new physical clone of the original card, and thieves typically use these counterfeits to buy goods from big box retailers that they can easily resell or extract cash from ATMs.

Related :How Bank Logs data is stolen on websites? Secure your Account!

However, when cybercrooks wish to defraud online stores, they don’t use dumps. That’s mainly because online merchants typically require the CVV, criminal dumps sellers don’t bundle CVVs with their dumps.

Instead, online fraudsters turn to “CVV shops,” shadowy cybercrime stores that sell packages of cardholder data, including customer name, full card number, expiration, CVV2, and ZIP code.

These CVV bundles are far cheaper than dumps — typically between $2-$5 apiece — in part, because they are useful mainly just for online transactions, but probably also because overall they are more complicated to “cash out” or make money from them.

How Do Carders Get Your CVV Online?

The vast majority of the time, this CVV data has been stolen by Web-based keyloggers. This is a relatively uncomplicated program that behaves much like a banking Trojan does on an infected PC, except it’s designed to steal data from Web server applications.

PC Trojans like ZeuS, for example, siphon information using two major techniques: snarfing passwords stored in the browser, and conducting “form grabbing” — capturing any data entered into a form field in the browser before it can be encrypted in the Web session and sent to whatever site the victim is visiting.

Web-based keyloggers also can do form grabbing, ripping out form data submitted by visitors — including names, addresses, phone numbers, credit card numbers, and card verification codes — as customers are submitting the data during the online checkout process.

These attacks drive home one immutable point about malware’s role in subverting secure connections: Whether resident on a Web server or on an end-user computer, if either endpoint is compromised, it’s ‘game over’ for the security of that Web session.

With PC banking trojans, it’s all about surveillance on the client side pre-encryption, whereas what the bad guys are doing with these Web site attacks involves sucking down customer data post- or pre-encryption (depending on whether the data was incoming or outgoing).

Read Tutorial: What is SIM swap Scam and how do you Protect yourself from SIM swapping Hack?

If you’re responsible for maintaining or securing Web sites, it might be a good idea to get involved in one or more local groups that seek to help administrators.

Professional and semi-professionals are welcome at local chapter meetings of;

• OWASP: a non-profit that aims to improve the security of software through community-led open-source software projects
• CitySec: informal meetings where you directly get to the root of your questions or advice each time
• ISSA: In addition to new techniques, your membership gives you access to professional networking and career development opportunities
• Security Bsides: a community-driven group where you get to choose the events and conversations

Read: Updated Non-VBV/MSC BINs List

WhatsApp Channel Join Now

Telegram Channel Join Now

Related