Cybercriminals finding ways to bypass 3D Secure (3DS)
Security researchers have observed dark web activity related to bypassing 3D Secure (3DS), which is intended to improve the security of online credit and debit card transactions. Designed as an additional protection layer for these transactions, 3DS has seen a few releases; the most recent, version 2.0, is also intended to accommodate mobile phones, allowing authentication using a fingerprint or facial recognition.
In addition to the various social engineering techniques that attackers can use to get around 3DS, phishing and scam pages allow them to trick victims into revealing their card details and payment verification information. Gemini’s security researchers say that vulnerabilities in earlier versions of 3DS might have been abused to bypass security. One of these issues was the use of a password for the transaction, as this was sometimes a personal identification number (PIN) that cybercriminals had been able to obtain by various methods.
Using various social engineering methods, such as impersonating bank representatives, cybercriminals can collect a great deal of data from victims, including name, ID number, telephone number, physical and email addresses, mother’s maiden name, and driver’s license number. Armed with some personally identifiable information (PII), the attacker could trick the victim into sharing additional details.
One technique suggested by some cybercriminals for bypassing 3DS involves calling the victim from a telephone number that spoofs the number on the back of the payment card and tricking them into verifying a transaction that the fraudster is making at that moment, by claiming the verification is needed to confirm their identity. Phishing sites that copy real online shops can likewise allow attackers to gather victims’ card data and trick them into approving a payment through 3DS. Sometimes, the attackers may use malware to target customers’ mobile phones and retrieve 3DS verification codes.
“The older versions of 3DS, such as version 1.0 (which is still widely used around the world), are susceptible to hackers who find ways to bypass their security features. Gemini Advisory assesses with moderate confidence that cybercriminals will likely continue to rely on social engineering and phishing to bypass 3DS security measures,” Gemini concludes.