How Hackers Steal Money from Bank Cards: Common and Advanced Card Fraud Techniques

Cybercriminals and carders are constantly inventing new ways to steal money from bank customers’ accounts. In this article, we’ll discuss the methods criminals use to bypass the security systems of bank cards.

All card fraud schemes fall into two categories. The first are widespread and well known. The second are often called "white whales": incidents that happen once every 5–10 years, end in disaster for the victims, bring the attackers millions, and draw a lot of attention from the press and regulators. In either case, the main criteria for success among carders and similar scammers are scale and simplicity. A scheme that can be repeated thousands of times with little effort is a recipe for profit at the banking system's expense, and for the lasting popularity of the method.

Most Common Types of Card Fraud

Payments Without 3-D Secure

The most common fraud scheme involves online payments, the so-called card-not-present (CNP) transactions, where the merchant never sees the physical card. Because of how widespread they are, the payment giants introduced an additional dynamic factor: the 3-D Secure one-time code.

What is 3-D Secure?

3-D Secure is an extra layer of authentication for online payments. The name stands for "Three-Domain Secure": the acquirer domain (the online store and its acquiring bank), the issuer domain (the cardholder's bank) and the interoperability domain (the payment scheme's directory server that links the two). In practice, the store collects the card data and redirects the customer to the issuing bank's access control server, where a one-time code is entered. The issuer verifies the code and returns an authentication result to the store, which attaches it to the authorization request; the issuer then sees that the cardholder was authenticated when it approves or declines the transaction.

3-D Secure is very effective against mass fraud schemes. However, some stores, including giants like Amazon, still don't use it, believing it hurts conversion, and the international payment schemes don't insist on it either. The current liability-shift rules say that if the card is enrolled in 3-D Secure but the store doesn't use it, the store bears the financial risk of a disputed payment; if the store attempts 3-D Secure and the card isn't enrolled, the issuing bank is responsible. As a result, fraudsters worldwide look for stores that don't require 3-D Secure.

Sometimes this search is quite literal: in 2018, a scheme was uncovered in the UK where criminals posted ads on social media offering a 50% discount on pizza delivery from a major brand. The brand's site didn't use 3-D Secure, and the orders were paid for with stolen card data bought on carding markets. The criminals pocketed the 50% their "customers" paid them for each pizza. The scheme ran for several months before it was shut down.

Card Cloning Attacks

The second most popular type of fraud is cloning a card's magnetic stripe. It remains one of the most common ways to attack physical card payments (so-called card-present transactions), because a magnetic stripe is trivial to copy: it is static data with no secret that the reader can't read.

Some of these crimes involve specialized malware. Since the attack has to be easily repeatable and scalable, criminals infect machines that process thousands of cards a day, such as the cash registers of large supermarket chains.

Info: The whole infrastructure built around payment terminals (POS, point of sale) is called a POS system, and malware targeting it is called POS malware, even though the POS terminals themselves usually aren't infected. The target is the operator's machine, the cash register PC that the terminal is attached to.

In 2013, the American retail chain Target suffered a massive attack. The criminals used what was then a rare scheme, a supply chain compromise: after infecting a contractor, they got into the retailer's network, compromised the entire Windows domain and gained access to the operating system on the cash registers. RAM-scraping trojans searched the registers' memory for the patterns of magnetic stripe track data, which sits in plaintext in the payment application's memory for a moment even when it is encrypted on the wire, and sent what they found to an internal server that forwarded the data out of the network.

Info: Creating a copy of a magnetic stripe card takes a few seconds and a reader/writer that can be bought on Amazon. Criminals then use the clone in stores in the US or Europe. Dumps (the raw track data) are freely bought and sold on numerous carding forums.
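As an added illustration (not code from the article, and not code from any real POS malware), here is a small Python scanner that finds Track 2 records in a memory buffer the way a RAM scraper does; a defender can run the same pattern over a process dump or a packet capture to find track data where it should never appear. The memory buffer is constructed test data built around the public Visa and Mastercard test numbers, and the service codes and expiry dates in it are made up.

```python
# Find magnetic-stripe Track 2 records in a memory buffer.
# Added example: not code from the article or from any real POS malware.
# SAMPLE_MEMORY is constructed test data built around public test card numbers.
import re

# Track 2 layout: ;PAN=YYMM<service code><discretionary data>?
#   PAN 13-19 digits, YY/MM expiry, 3-digit service code, then up to 20 digits
#   of discretionary data (PVV, CVV1 and the like) before the end sentinel '?'.
TRACK2 = re.compile(
    rb";(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})(?P<disc>\d{0,20})\?"
)


def luhn_ok(pan: str) -> bool:
    """Luhn check: rejects digit runs that merely look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_memory(buf: bytes) -> list:
    """Return one dict per plausible Track 2 record found in buf."""
    hits = []
    for m in TRACK2.finditer(buf):
        pan = m["pan"].decode()
        if not luhn_ok(pan):
            continue  # not a real PAN, skip it
        svc = m["svc"].decode()
        hits.append({
            "offset": m.start(),
            "pan": pan,
            "expiry": f"{m['mm'].decode()}/{m['yy'].decode()}",
            "service_code": svc,
            # A first service-code digit of 2 or 6 means "chip present": a terminal
            # that reads such a stripe is supposed to insist on the chip, which is
            # exactly what the technical-fallback trick described later gets around.
            "chip_card": svc[0] in "26",
        })
    return hits


# Constructed process memory: noise, one chip card, junk digits, a PAN that fails
# Luhn, a Track 1 record (different layout, ignored here) and a stripe-only card.
SAMPLE_MEMORY = (
    b"\x00\x00POS ready\x00"
    b";4111111111111111=29122011000000000000?"
    b"\x00log 1234567890123=1234567?\x00"
    b";4111111111111112=2912101000000000?"
    b"%B5555555555554444^DOE/JOHN^29121010000000000?"
    b";5555555555554444=29121010000000000?\x00"
)

if __name__ == "__main__":
    for hit in scan_memory(SAMPLE_MEMORY):
        print(hit)
```

The Luhn filter is what keeps the false-positive rate down on a real dump; without it every long digit run framed by punctuation looks like a track. The service code is worth keeping in the output, because a stripe whose service code says "chip present" being read as a stripe is precisely the event a fraud team wants to see.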

Why are cloned magnetic stripe cards still so popular when almost all cards now carry a chip? Simple: in many American stores you can still pay with a chip card by swiping the stripe. The US market has lagged behind on EMV migration for the past 5–10 years, which is why the stripe is still present on cards and still accepted.

If a terminal refuses the magnetic stripe, there is the scheme called "technical fallback", used in both the Americas and Europe. The criminal inserts a card whose chip is missing or unreadable into an ATM or terminal three times; after the third failed chip read, the terminal offers to process the transaction via the magnetic stripe instead.

In all these cases the merchant is liable for such high-risk transactions. Payment schemes like Mastercard recommend declining technical fallback transactions to avoid reputational risk. Nobody wants to investigate whether a customer's card was really stolen or whether they just want to dispute a purchase, and even less to explain to angry customers why their cards were used to buy expensive TVs hundreds of miles from where they actually were.

What About Russia?

In Russia, terminals shouldn't accept a magnetic stripe payment if the card has a chip, and even technical fallback is supposed to be prohibited. There are unpleasant exceptions, though: underground forums have discussed that the Auchan chain's terminals accept technical fallback transactions. And even if hackers can't use stolen Russian card data in Russia, nothing stops them from selling it to other hackers in Europe or America to monetize there.

Offline Chip Transactions and Authentication Attacks

According to modern payment scheme rules, 99.9% of card transactions should be performed online, that is, with the chip's transaction cryptogram (ARQC) verified by the issuing bank. The exceptions are places like subways, in-flight sales and cruise ships, where connectivity is unreliable or absent. When the EMV protocols were created, many payment systems worked offline using "floor limits": transactions above the limit required online confirmation, while those below it were approved locally by the terminal on the strength of the card's offline data authentication alone. Even 5–10 years ago there were enough such terminals, especially in Latin and North America, to make mass attacks on offline card authentication worthwhile.

White Whales: Rare, Catastrophic Attacks

Chip cards and 3-D Secure were invented to protect against mass, simple fraud. These defenses aren't perfect and have their own weaknesses, as experts warned from the start. Still, chip cards can't be attacked at scale, and when an attack does succeed it looks more like a blitzkrieg: everything happens within days or hours, a small group of criminals takes the maximum profit and disappears. That's why every such case or new scheme attracts great interest from experts.

These are the "white whales": incidents that happen once every 5–10 years, end in disaster for the targeted banks, bring the attackers millions and draw a lot of attention from the press and regulators. Here are a few types of such attacks that illustrate fundamental flaws in card payment technology.

Distributed Card Data Guessing Attacks

These attacks are often called BIN master attacks, or distributed guessing attacks, a name that took hold after a major incident in 2016. That November, the UK's Tesco Bank suffered a distributed attack so massive that it had to suspend online card payments for 48 hours. In a couple of days the attackers took about £2.26 million from more than 8,000 accounts (early reports spoke of 20,000 affected customers). As mentioned, guessed card data can be used at online stores that don't use 3-D Secure. In 2018 the regulator fined the bank £16.4 million over the 2016 attack, which suggests the cards themselves weren't protected by 3-D Secure.

Info: The 3-D Secure liability shift rules determine who pays for a fraudulent transaction: if the bank hasn't enrolled its cards in 3-D Secure and the merchant attempted it, the bank is liable. If 3-D Secure-enrolled cards are used at, for example, Amazon, which doesn't use the technology, the online store is liable.

How Do Hackers Guess Full Card Details?

Suppose you have a card, your own. Its number, the PAN, consists of several parts. The first six digits (eight under the newer scheme rules) are the BIN, the bank identification number. A BIN range can serve more than one bank and a bank can have several BIN ranges; this is the starting point for the attack. The last digit is a check digit computed with the Luhn algorithm from the digits before it, so for any given account number there is exactly one valid final digit.

For example, say your card number is 1234 5678 1234 5670. Incrementing the account part and recomputing the check digit gives the next number in the range, 1234 5678 1234 5688, then 5696, and so on. There's a nonzero chance that 5688 and 5696 exist and are active.

Next, the attacker needs the expiry date. If the bank issues card numbers sequentially, the next customer got card 5688, and if the bank is large and issues hundreds of cards a day, its expiry date will most likely match yours or differ by a month. To counter this, the payment schemes recommend issuing randomized PANs (Primary Account Numbers) instead of sequential ones, so that neighbouring numbers no longer share an expiry date.

But there are always workarounds. Many of a bank's own services help an attacker match a PAN to its expiry date: password recovery forms, mobile banking registration or the refund flows of payment gateways, any of which may confirm whether a PAN/expiry pair is valid.

Finally, the attacker needs the three digits on the back of the card, the CVV2/CVC2. Shortly after the attack, in late 2016, researchers from Newcastle University analyzed it and found that 291 of 400 popular online services allowed brute-forcing the CVV2 field. This isn't surprising: the money isn't the service owners' own, so the service is just a tool for the attacker, and criminals will always find enough such tools. For example, in 2019 a similar weakness was fixed in the PayPal payment module of the Magento CMS.
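To make the mechanics of the last few paragraphs concrete, here is an added simulation of the whole chain: enumerating neighbouring PANs with the Luhn check digit, then guessing the expiry date on sites that verify only PAN and expiry, and the CVV2 on sites that verify all three fields, spreading the attempts over many merchants so that no single site's own limit is ever reached. It also shows the one control that defeats it: an issuer-side cap on failed verifications per PAN counted across all merchants. This is my own illustration, not the Newcastle researchers' code and not any bank's real logic; the card record (expiry 12/29, CVV2 421), the merchant population, the per-site limit of five attempts and the issuer cap of ten failures are constructed assumptions.

```python
# Distributed card-data guessing attack and the issuer-side control that stops it.
# Added example: not the Newcastle researchers' code nor any bank's real logic.
# The card record, merchant population and attempt limits are constructed assumptions.
from collections import defaultdict
from typing import Optional


def luhn_check_digit(partial: str) -> str:
    """Check digit that turns `partial` into a Luhn-valid PAN."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions get doubled once the check digit is appended
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def following_pans(pan: str, count: int) -> list:
    """Next `count` Luhn-valid PANs after `pan`, assuming sequential issuance."""
    width, body = len(pan) - 1, int(pan[:-1])
    partials = [f"{body + k:0{width}d}" for k in range(1, count + 1)]
    return [p + luhn_check_digit(p) for p in partials]


class Issuer:
    """Simulated issuer. `fail_limit` caps failed verifications per PAN across all
    merchants; None models an issuer with no such velocity control (the weak setting)."""

    def __init__(self, cards: dict, fail_limit: Optional[int] = None):
        self.cards, self.fail_limit = cards, fail_limit  # cards: PAN -> ("MM/YY", cvv2)
        self.failures = defaultdict(int)

    def verify(self, pan: str, expiry: Optional[str], cvv2: Optional[str]) -> str:
        """Check only the fields the merchant sent (None = not sent)."""
        if self.fail_limit is not None and self.failures[pan] >= self.fail_limit:
            return "blocked"
        rec = self.cards.get(pan)
        if rec and expiry in (None, rec[0]) and cvv2 in (None, rec[1]):
            return "approved"
        self.failures[pan] += 1
        return "declined"


class Merchant:
    """Store without 3-D Secure. `fields` is what it asks the issuer to check;
    `limit` is its own per-card attempt cap, the only control most sites have."""

    def __init__(self, issuer: Issuer, fields: set, limit: int = 5):
        self.issuer, self.fields, self.limit = issuer, fields, limit
        self.attempts = defaultdict(int)

    def pay(self, pan: str, expiry: str, cvv2: str) -> str:
        if self.attempts[pan] >= self.limit:
            return "merchant_limit"
        self.attempts[pan] += 1
        return self.issuer.verify(pan, expiry if "expiry" in self.fields else None,
                                  cvv2 if "cvv2" in self.fields else None)


def guess_field(pan: str, merchants: list, candidates: list,
                known_expiry: Optional[str] = None) -> Optional[str]:
    """Try each candidate once, hopping to the next merchant whenever the current
    one has spent its per-card limit, so no single site sees more than `limit` tries."""
    sites = iter(merchants)
    site = next(sites)
    for value in candidates:
        while True:
            if known_expiry is None:
                result = site.pay(pan, value, "000")          # expiry guess; CVV2 ignored by this site
            else:
                result = site.pay(pan, known_expiry, value)   # CVV2 guess with the expiry already known
            if result != "merchant_limit":
                break
            site = next(sites, None)
            if site is None:
                return None                                   # ran out of merchants
        if result == "approved":
            return value
        if result == "blocked":
            return None                                       # issuer velocity control caught it
    return None


TARGET_PAN = "1234567812345670"  # the article's example number
EXPIRY_CANDIDATES = [f"{mm:02d}/{yy}" for yy in range(27, 32) for mm in range(1, 13)]
CVV_CANDIDATES = [f"{n:03d}" for n in range(1000)]


def run_attack(fail_limit: Optional[int] = None) -> Optional[tuple]:
    """Recover (expiry, cvv2) for TARGET_PAN, or None if the issuer stops the attack."""
    issuer = Issuer({TARGET_PAN: ("12/29", "421")}, fail_limit=fail_limit)
    expiry_sites = [Merchant(issuer, {"expiry"}) for _ in range(20)]         # PAN + expiry only
    cvv_sites = [Merchant(issuer, {"expiry", "cvv2"}) for _ in range(250)]  # all three fields
    expiry = guess_field(TARGET_PAN, expiry_sites, EXPIRY_CANDIDATES)
    if expiry is None:
        return None
    cvv2 = guess_field(TARGET_PAN, cvv_sites, CVV_CANDIDATES, known_expiry=expiry)
    return None if cvv2 is None else (expiry, cvv2)


if __name__ == "__main__":
    print(following_pans(TARGET_PAN, 2))            # ['1234567812345688', '1234567812345696']
    print(run_attack(), run_attack(fail_limit=10))  # ('12/29', '421') None
```

Two things the simulation makes visible that the prose only states: the search space is additive, not multiplicative (at most 60 expiry guesses plus 1,000 CVV2 guesses, because different merchants check different field subsets), and the per-merchant limit is irrelevant once enough merchants exist, since the attacker simply moves on. Only the issuer sees every attempt against a given PAN, which is why the cap has to live there.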

Another common variant is to load the guessed details into a mobile wallet, Google Pay or Apple Pay. Ironically, one of the most high-profile fraud cases targeted Apple's own stores. Many banks (again, in the US) don't require extra verification via one-time code or phone call when a card is added to Apple Pay, so knowing just the card number, expiry date and CVV2 is enough to provision a fully functional virtual card, which can then be used worldwide, not only in the US.

There is one more protection for card-not-present payments: the Address Verification System (AVS). Here the issuer also checks the digits of the postal code and billing address supplied by the customer against those registered for the card. Payment terminals that support PAN key entry (typing the number in manually) can use it too.

Conclusion

According to Positive Technologies, up to 50% of banks still don't protect their customers from brute-forcing of CVV2 and expiry date values. That's why fraudsters from Latin America are so actively searching the world for cards and banks vulnerable to these attacks.
