The use of bad-bots to further payment card not present (CNP) fraud.
According to Trustwave’s 2016 Global Security Report 60% of cybercrime incidents target payment card data. Half involve magnetic stripe data (generally stolen via point-of-sales devices) whilst the other half involves card not present (CNP) data; data stored by organisations that transact online.
Of course, any organisation that deals with CNP data should be PCI-DSS (Payment Card Industry Data Security Standard) compliant. Followed to the letter, this should put CNP data beyond the reach of cybercriminals. The real-world experience of many consumers suggests that all too often CNP data is being compromised and used fraudulently.
One of the reasons for this is that thieves do not need to rely on stealing complete and up to date payment card records. A CNP data record should consist of just three data items; the card holder name, the 16-digit primary account number and the expiry date (there is also a service code with magnetic stripe data). The CCV code, which is needed to complete many CNP transactions, should never be stored.
With a substantial heist, criminals can waste a lot of time trying to use card details that are no longer valid. However, they have a few tricks up their sleeve, such as using software robots (bots) to enrich their data. These techniques are described by OWASP (the Open Web Application Security Project) in its Automate Threat Handbook; carding, card cracking and cashing out.
Carding works through long lists of payment card data to checking each card number against a target merchant’s online payment process to find which ones are still valid. There are even specialist card checking sites for this. Card cracking enables missing or out-of-date expiry dates and CVC codes to be added by testing the range of possible values (which is small) against target sites. Cashing out helps with the monetisation of completed payment card records, often using multiple micro-payments.
Any of these techniques can turn even the most PCI-DSS compliant organisation into a victim. Sites may be targeted for validation purposes, impacting performance for other users, or may be targeted for monetisation. These payment card bots are just three of a broader set of automated threats listed by OWASP that can impact online resources. Fortunately, there are range of bad-bot mitigation techniques which are described in a series of e-books written by Quocirca and sponsored by Distil Networks.
Quocirca’s Transaction Fraud eBook can be viewed at this link:
For a full list of the Cyber-security threat Series of e-books follow this link: