For years the software industry has capitalized on people’s desire for easy entertainment to solve large-scale computational problems. Games with a purpose (GWAP) leverage the collective intelligence of humans to solve problems that computers can’t yet solve. Now, it seems would-be credit card thieves have found a way to use the concept of GWAP for their own purposes.
GWAP, or human-based computation games, have proven to be valuable across a variety of applications, including security, computer vision, adult content filtering and Internet search. One of the more popular applications is reCAPTCHA, a free service designed to protect websites from spam. By solving a CAPTCHA, users prove they are human (as opposed to a bot or spammer), and help digitize text, annotate images and build machine-learning datasets.
Generally speaking, GWAP are used for the greater good. However, the EasySolutions Fraud Intelligence Team recently discovered a new trend: web pages that include code intended to generate credit card numbers. This new version of GWAP has fraud as its purpose, as visitors to the site are invited to guess active credit card numbers.
Of course, thieves need more than a correct credit card number to commit fraud. They also need a valid expiration date and card verification value (CVV). The odds of guessing all three correctly are pretty low – and there’s still the issue of testing whether or not the number is active. Previously, this was done by attempting a card-not-present transaction with an online merchant. But that’s gotten easier, too.
Payment processors like Stripe, Braintree and Paymil offer developer friendly payment gateways that can be used to test card numbers within minutes – and at no cost. All it takes is an email address, a bank account and five minutes of coding to set up a payment channel. With multiple accounts registered with a payment gateway, thieves can begin testing credit card numbers.
The payment gateway is the lynchpin of the thief’s GWAP. Players simply open an account with the payment gateway using a disposable email address and fake data. A YouTube video walks them through the process step-by-step. To play, users enter a Bank Identification Number (BIN), which is used as a pattern to generate random credit card data. Each combination of credit card number, CVV and expiration data is tested with a single dollar transaction. If the gateway accepts the transaction the user wins – and so does the fraudster.
This game has two potential winners – and many losers. The credit card holders are, of course, at a disadvantage (although the financial institution that issued the card may be forced to pay for any fraudulent charges). The payment gateway providers also lose, as they are facilitating criminal activity. They could enable a brute-force attack. In a worse case scenario, a player takes photos of credit cards and only has to guess the CVV. Assuming a test rate of one card per second, an attacker could have a valid card in about 15 minutes. It only takes one ‘win’ to make the whole scheme worthwhile for the player and the game creator.
Unfortunately, little can be done to prevent this type of fraud, which will only increase as card-not-present transactions increase and additional online payment technologies become available. Payment systems providers must work together to address these risks in a holistic manner. If security is approached piecemeal, thieves will leverage the disconnects to their advantage.
By Javier Vargas, Research Manager at Easy Solutions
About Easy Solutions
Easy Solutions a security vendor focused on the comprehensive detection and prevention of electronic fraud across all devices, channels and clouds. Our products range from fraud intelligence and secure browsing to multi-factor authentication and transaction anomaly detection, offering a one-stop shop for end-to-end fraud protection. The online activities of over 60 million customers at 220 leading financial services companies, security firms, retailers, airlines and other entities in the US and abroad are protected by Easy Solutions Total Fraud Protection® platform.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.