A surge in fraud with P2P payments | 09.07.2020
Group-IB has recorded a sharp rise in fraud using card-to-card transfers: from April to June 2020, the number of such transactions increased more than 6 times. Scammers lure users to phishing websites, where victims enter their payment details on fake payment pages, believing they are making a purchase. The attackers then use this data with banks' public P2P services to transfer money to their own accounts.
Several major Russian banks, representative offices of international banks and payment services have received complaints about scams in which money was stolen from customers' bank cards using fake payment pages on the websites of "online stores". Currently, one bank records on average 400-600 attempts at this type of fraud per month. The average amount per transfer is more than 7 000.
Group-IB experts have identified a fraudulent scheme in which the attackers bypassed the existing protection for online payments, namely the additional authentication step in the form of an SMS code sent to the phone number linked to the card (3D Secure (3DS) authorisation).
The legitimate scenario using the 3D Secure protocol looks like this: the user enters their card details on the payment page of the online store. The page sends a request to the service of the acquiring bank (the Merchant Plug-In (MPI)) that serves the store. In response, the page receives the encoded payment and recipient data (PaReq). It contains information about the merchant, which is then displayed on the 3DS page, and the 3DS page of the issuing bank that issued the user's card. The response also contains the URL of the page to which the user will be returned after confirming the payment with the one-time code from the SMS.
3DS version 1.0, which is now used everywhere, protects payments from "outside" fraud and from attempts to use stolen cards, but it does not provide protection against fraud by the "online stores" themselves.
In these cases, the attackers created phishing resources such as online stores with fake payment pages. Searching for goods that were popular and in short supply during the pandemic (masks, gloves and sanitizer), the victims themselves ended up in the hands of the fraudsters.
In the analyzed scheme, the data entered by the buyer on the fake payment page was used in real time to access banks' public P2P services. So, by entering the confirmation code on the 3DS page, the user confirmed not a purchase in the online store but a transfer to the attacker's account. To conceal the use of third-party P2P services from the user, the criminals changed the URL to which the authorisation result is returned and the information about the merchant (the payee) in PaReq, so that the 3DS page where the SMS code is entered displays information that does not arouse the victim's suspicion, for example, "Oplata".
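An issuer-side consistency check for the tampering described above, as an added example that is not part of the original article or Group-IB's tooling. It assumes the PaReq is base64 of deflate-compressed XML, that the issuer can still recognise the P2P service by its merchant ID, and it uses a simplified, constructed PaReq layout; the registry, merchant IDs and host names are hypothetical.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Hypothetical issuer-side registry: merchant ID of each known P2P service
# -> the name it normally displays and the hosts allowed as return URL.
P2P_REGISTRY = {
    "P2P-0001": {"name": "Bank P2P Transfer", "term_hosts": {"p2p.bank.example"}},
}
MAX_PAREQ = 64 * 1024  # cap on decompressed size (decompression bombs)


def encode_pareq(mer_id, name, url):
    """Build a constructed, simplified PaReq (deflate + base64) for the demo."""
    xml = (f"<ThreeDSecure><Message><PAReq><Merchant><merID>{mer_id}</merID>"
           f"<name>{name}</name><url>{url}</url></Merchant></PAReq></Message>"
           f"</ThreeDSecure>")
    return base64.b64encode(zlib.compress(xml.encode())).decode()


def decode_merchant(pareq_b64):
    """Return (merID, name, url) from a base64 + deflate encoded PaReq."""
    d = zlib.decompressobj()
    raw = d.decompress(base64.b64decode(pareq_b64, validate=True), MAX_PAREQ)
    if not d.eof or b"<!DOCTYPE" in raw:
        raise ValueError("PaReq truncated, too large or contains a DTD")
    m = ET.fromstring(raw).find("./Message/PAReq/Merchant")
    if m is None:
        raise ValueError("PaReq has no Merchant element")
    return tuple(m.findtext(tag, "").strip() for tag in ("merID", "name", "url"))


def check_request(pareq_b64, term_url, registry=P2P_REGISTRY):
    """Return a list of findings; an empty list means nothing suspicious."""
    mer_id, name, url = decode_merchant(pareq_b64)
    entry = registry.get(mer_id)
    if entry is None:
        return []  # not a P2P merchant; ordinary purchase rules apply
    findings = []
    if name != entry["name"]:
        findings.append(f"merchant name {name!r} does not match the P2P service")
    term_host = urlsplit(term_url).hostname or ""
    if term_host not in entry["term_hosts"]:
        findings.append(f"TermUrl host {term_host!r} is not the P2P service")
    if (urlsplit(url).hostname or "") not in entry["term_hosts"]:
        findings.append("merchant url in PaReq is not the P2P service")
    return findings
```

A P2P transfer whose displayed merchant name or return URL does not belong to the P2P service is the mismatch the scheme relies on, so any finding here is a reason to decline or step up the authentication.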
To prevent fraud of this kind, Group-IB recommends that banks move to 3DS 2.0, in which the vulnerability is eliminated. The problem can also be solved with an additional authentication step in the form of a captcha, or with technology based on behavioral analysis that monitors the integrity of the page, collecting further information on which domain it is on and what its content, forms and elements are.
information security, cybersecurity, fraud with bank cards
Group-IB