Carding is one of the oldest and most conspicuous cybercriminal specializations. Internet users usually notice this threat only once their bank account has been emptied by fraudulent purchases and withdrawals made in places such as Russia, the USA or Thailand. Carding activity has been growing, yet it has barely developed since its beginnings and is still attracting new players all over the world.

The amount of carding-related losses is constantly increasing. This kind of fraud significantly jeopardizes the reputation of e-commerce websites and harms clients' confidence in banks.

In terms of banking security, the situation in the USA is more than critical: each year, the national economy loses about 5 billion dollars [1].

Growth in Europe

The volume of losses is likely to increase in Europe. According to the 2013 FICO [2] report, the total amount of fraud-related losses exceeded the previous record of 2008 to reach 1.5 billion euros. The situation is most concerning in France and Great Britain: together, the two countries account for 62 % of losses among 19 European countries, including Russia.

Losses in France and Great Britain represent 62 % of the total amount of losses in Europe.

In Europe, the technical standards for payment cards and terminals are governed by the EMV security standard. Credit cards are fitted with a secure chip and transactions have to be confirmed with a PIN code. European countries usually use terminals that read the information on the chip while a transaction is being processed.

Still, for international compatibility reasons, the magnetic stripe remains on European cards, which makes it possible for cybercriminals to steal the users' data. They collect the data and send it to countries that have not implemented the EMV standard yet and are still using terminals that read only the magnetic stripe. Cybercriminals therefore still manage to compromise European cards.
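The weakness described above can be watched for on the issuer side. The following rule is an added example, not part of the original article: it flags authorizations where a chip card was read through its magnetic stripe outside the card's home country. The transaction field names and the sample records are constructed; the service-code and POS entry mode values follow the usual ISO 7813 / ISO 8583 conventions.

```python
# Added example: issuer-side rule for magnetic-stripe use of chip cards.
# Field names and the sample transactions are constructed for illustration.

CHIP_SERVICE_CODES = {"2", "6"}    # first service-code digit: card carries a chip
STRIPE_ENTRY_MODES = {"02", "90"}  # ISO 8583 POS entry mode: magnetic stripe read
FALLBACK_ENTRY_MODE = "80"         # chip-capable terminal fell back to the stripe

def assess(txn, home_country):
    """Return (risk, reason) for one card-present authorization."""
    chip_card = txn["service_code"][0] in CHIP_SERVICE_CODES
    mode = txn["pos_entry_mode"][:2]
    abroad = txn["terminal_country"] != home_country
    if not chip_card:
        return ("low", "card has no chip, stripe read is expected")
    if mode == FALLBACK_ENTRY_MODE:
        return ("high" if abroad else "medium", "chip fallback to magnetic stripe")
    if mode in STRIPE_ENTRY_MODES:
        return ("high" if abroad else "medium", "chip card read by stripe only")
    return ("low", "no stripe read")

# Constructed sample: one French issuer's authorizations.
SAMPLE = [
    {"id": "t1", "service_code": "201", "pos_entry_mode": "051", "terminal_country": "FR"},
    {"id": "t2", "service_code": "201", "pos_entry_mode": "901", "terminal_country": "US"},
    {"id": "t3", "service_code": "201", "pos_entry_mode": "801", "terminal_country": "FR"},
    {"id": "t4", "service_code": "101", "pos_entry_mode": "901", "terminal_country": "US"},
    {"id": "t5", "service_code": "601", "pos_entry_mode": "021", "terminal_country": "TH"},
]

def flagged(txns, home_country="FR"):
    """Ids of transactions that deserve a step-up check or a decline."""
    return [t["id"] for t in txns if assess(t, home_country)[0] == "high"]

if __name__ == "__main__":
    for t in SAMPLE:
        print(t["id"], *assess(t, "FR"))
```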

American financial institutions are aware of this issue as well. Under pressure from the major card issuers (Mastercard, Visa and American Express), they have decided to adopt the EMV system on a massive scale from 1st October 2015 on. The losses caused by financial data theft are so high that they eventually agreed to spend a considerable amount of money on an equipment changeover all over the country.

However, Americans have decided to adopt a system slightly different from the one commonly used in France. Instead of using a PIN code, American users must sign when purchasing with their secured card. Since 1st October, merchants are even liable for fraud if they are not equipped with a suitable payment terminal. This measure should make it possible to reduce fraud in shops, even if it is less secure than PIN code confirmation.

Still, losses due to carding will probably not decline, since the EMV system does not secure online payments. As a matter of fact, experience shows that cybercriminals are able to anticipate anti-fraud measures. They can therefore quickly set up new methods or shift their focus to other kinds of fraud. For example, since France and Great Britain began using the EMV system, online fraud through stolen banking data has been growing.

Introducing EMV standards has caused an increase in online fraud using stolen banking data.

In the USA, shifting to the EMV system will take several years, which will give cybercriminals enough time to exploit new vulnerabilities and to change their methods to ensure stable earnings.

Cybercrime R&D always a step ahead

Cybercriminals keep a close watch on new technologies and are therefore aware of improvements very early. A few of them carry out their own technical research, while others merely buy turnkey solutions to compromise the computer systems of banks and e-commerce sites.

How do hackers stay ahead of institutional actors?

Thanks to cybercrime R&D, cash dispenser fraud came back and grew even bigger, although this kind of fraud had almost disappeared in France and hugely decreased in Europe and in the USA. Cybercriminals found a new way to physically introduce malware into the computers that control cash machines. One of these methods was unveiled by Kaspersky: an infected cash machine could be made to show how many notes it still held, and it was then possible to trigger the dispensing of a profitable amount [4].

According to the results of EAST (European ATM Security Team), the amount of losses due to cash machine fraud rose by 18 % compared to 2014. They reached 156 million euros during the first half of 2015 [5].

The EMV standard is prompting cybercriminals to seek new fraud methods. For example, a case of "shimming" has recently been reported in Mexico [6].

In 2010, a team from Cambridge University investigated a potential vulnerability in chip cards and discovered it was possible to use a chip-enabled card without knowing the PIN code. The year after the study was published, a group of fraudsters was identified: they had been using about forty fake chip-enabled cards of their own making and had gathered almost 600,000 euros through 7,000 fraudulent transactions in several countries [7].

Always more sophisticated PoS malware

Malware attacks targeting point-of-sale devices have existed for at least 6 years, but the media have only been talking about them since the major thefts of 2013 and 2014 [8]. Cybercriminals rely on weaknesses in the way PoS devices process card data (for example, card numbers are sometimes stored in plaintext in the memory of PoS devices or on processing servers) and losses keep growing.

Therefore, attacks against PoS devices are not likely to decline in the near future. The benefits are huge for hackers, since a single device can collect thousands of pieces of banking data in a very short time [9].

Bypassing new payment systems

A few carders are switching to new payment systems like Apple Pay. Vulnerabilities in the banking confirmation system of iPhone credit card payments have recently been discovered. Cybercriminals simply needed to use personal and banking data found on the underground market to purchase online. More than 6 % of purchases are estimated to have been fraudulent before this vulnerability was discovered.

Jawbone, a fitness tracker producer, declared that owners of American cards would be able to complete purchases using their bracelet. And yet Kaspersky was able to hack those very trackers within a few hours [10].

NFC technology is just starting to be adopted by private users and still, cybercriminals are already working on hijacking it: software worth $5,000 is being sold on a famous carding forum. It makes it possible to pay via NFC using stolen banking data.

Solutions that reduce the number of attacks through the action of several actors along the payment chain do exist. Our latest study focuses on detailing the ways to efficiently reduce losses. One of them is simply to watch and analyse cybercrime networks.

[1] http://www.infodsi.com/articles/155525/544-millions-euros-est-coutent-france-vols-donnees-cartes-bancaires.html
[2] FICO is a global leading analytics software company, specialised in risk management and fraud fighting. About 65 % of credit cards around the world are processed by FICO’s control systems and their fraud detection device protects 1.8 billion banking accounts.
[3] http://www.fico.com/landing/fraudeurope2013/
[4] http://securelist.com/blog/research/66988/tyupkin-manipulating-atm-machines-with-malware/
[5] https://www.european-atm-security.eu/files/European-ATM-Fraud-Incidents-up-15.pdf
[6] http://krebsonsecurity.com/2015/08/chip-card-atm-shimmer-found-in-mexico/
[7] http://www.securityweek.com/fraudsters-stole-680000-mitm-attack-emv-cards
[8] http://resources.infosecinstitute.com/pos-malware-is-more-effective-and-dangerous/
[9] http://www.net-security.org/malware_news.php?id=3158
[10] https://securelist.com/blog/research/69369/how-i-hacked-my-smart-bracelet