What You Need to Know About Fraud: How Thieves Get Your CVV
Your card verification value (CVV) is the 3-digit code on the back of a credit or debit card. Merchants you use this card at aren’t allowed to store your card number or CVV, so how do fraudsters get this information? Well, there are more ways than you think. The most common is phishing and installing software on the merchant’s online site, both of which allow the attacker to access and download customer data.
Kenneth Labelle, one of the regional directors at the insurance company Burns-Wilcox, was quoted wondering how “card not present transactions are possible” after the information on it was stolen. These usually occur by hacking into a point-of-sale system, so all data that pass through it get sent to the fraudster. But even if the compromised card was swiped on this device, the magnetic strip doesn’t store the CVV number. So how do hackers get your CVV? Clearly, they have found a way around Kenneth’s concerns.
It’s pretty easy to buy compromised cards. Dumps (stolen credit or debit card accounts, usually from hacked point-of-sale systems by malware or skimmers) can go for an average of $20 in the underground cybercrime world. Buyers can then use the dump to forge a physical copy of the original card that they can use to remove cash from ATMs or buy items from large corporations and then resell. That’s a lot of trouble after purchasing a stolen card account, can you use the account for online purchases instead? Not exactly. Most cyber crooks stay away from targeting online stores with dumps. This is because online retailers usually need you to input the CVV and dump sellers don’t usually bundle the card’s CVV with the dumps.
Online fraudsters are still not deterred by this and instead turn to “CVV shops” — dubious cybercrime platforms that sell bundles of cardholder data that they need. These data packages usually include the customer’s name, complete card number, CVV, expiration date, and zip code. Interestingly, these bundles are much cheaper than the dumps by themselves, usually between $2 and $5 apiece. While the price is an incentive to buy these bundles, they’re priced so low because they’re only valid for online transactions, use a more complicated process to “cash out,” and it’s harder to make money from them.
It’s easier to steal this kind of information nowadays, and hackers usually use web-based keyloggers to do so. It’s a relatively uncomplicated program that acts much like most malware (think of a banker Trojan on a compromised PC), but it steals data from web-based applications. PC Trojans, let’s take ZeuS as an example, funnel browser information by downloading stored data (like passwords) or newly uploaded information before it can be encrypted. Web-based keyloggers can do the latter, ripping data people submit once they visit a compromised site. This data can include names, phone numbers, credit card information, addresses — anything a customer submits during the online checkout process.
These kinds of attacks drive home an important fact about malware’s role in compromising “secure” connections. Whether you’re on a web server or using your device, once the connection’s security is jeopardized, it’s game over. While PC banker Trojans are awful, the malware focuses on the customer’s information pre-encryption, so there are ways to avoid an attack. However, during a pre- or post-encryption stage, website attacks mean you will need to increase surveillance techniques to prevent hackers from successfully stealing information.
If you’re in charge of website security or maintenance, it may help administrators get involved in local groups that help administrators with this. There is plenty of support for you when you need it. If you’re a professional or semi-professional who would like to know more, feel free to stop by local chapter meetings of any of these meetups:
- OWASP: a non-profit that aims to improve the security of software through community-led open-source software projects
- CitySec: informal meetings where you directly get to the root of your questions or advice each time
- ISSA: In addition to new techniques, your membership gives you access to professional networking and career development opportunities
- Security Bsides: a community-driven group where you get to choose the events and conversations