Researchers have detected discussions on the dark web between cybercriminals concerning methids ways to bypass the most common security measures for online card-based transactions (opens in new tab).
Experts from Gemini Advisory found that threat actors have adopted a strategy of using a combination of social engineering and phishing (opens in new tab) attacks to circumvent the 3D Secure (3DS) security measure.
While there are two versions of 3DS on offer, with the latter one being more technically resilient, the report notes that “phishing and social engineering schemes often transcend technical upgrades.”
- These are the best payment gateways (opens in new tab) currently on offer
- Here’s our list of the best money transfer apps (opens in new tab)
- Take a look at the best credit card processing service (opens in new tab)
Social engineering attacks
The 3DS protocol is a popular fraud prevention mechanism that adds an additional layer of verification to ensure the authenticity of online card-based transactions. 3DS 2 is the latest version of the protocol that’s designed to accommodate smartphones.
According to reports however, the original 3DS version is still widely used, which makes it easier for attackers to circumvent the security measures.
What makes 3DS 2 more resistant to fraud, according to Gemini, is that it makes use of over a hundred key data points, including relevant contextual data from the merchant to validate the nature of the transactions.
Worryingly however, the researchers note that “while 3DS 2 is more difficult for cybercriminals to bypass, it is not impervious to well-honed social engineering skills.”
So instead of directly brute-forcing their way through its security safeguards, cybercriminals instead work around them by crafting the right kind of social engineering campaign.
“Gemini Advisory assesses with moderate confidence that cybercriminals will likely continue to rely on social engineering and phishing to bypass 3DS security measures,” conclude the researchers, in a way hinting that in the end it’s up to the users to make sure they don’t fall prey to a well-designed social engineering scheme.
- We’ve also rounded up the best eCommerce hosting providers (opens in new tab)