26
Apr 16

All About Fraud: How Crooks Get the CVV

A longtime reader recently asked: “How do online fraudsters get the 3-digit card verification value (CVV or CVV2) code printed on the back of customer cards if merchants are forbidden from storing this information? The answer: If not via phishing, probably by installing a Web-based keylogger at an online merchant so that all data that customers submit to the site is copied and sent to the attacker’s server.

Kenneth Labelle, a regional director at insurer Burns-Wilcox.com, wrote:

“So, I am trying to figure out how card not present transactions are possible after a breach due to the CVV. If the card information was stolen via the point-of-sale system then the hacker should not have access to the CVV because its not on the magnetic strip. So how in the world are they committing card not present fraud when they don’t have the CVV number? I don’t understand how that is possible with the CVV code being used in online transactions.”

First off, “dumps” — or credit and debit card accounts that are stolen from hacked point of sale systems via skimmers or malware on cash register systems — retail for about $20 apiece on average in the cybercrime underground. Each dump can be used to fabricate a new physical clone of the original card, and thieves typically use these counterfeits to buy goods from big box retailers that they can easily resell, or to extract cash at ATMs.

However, when cyber crooks wish to defraud online stores, they don’t use dumps. That’s mainly because online merchants typically require the CVV, criminal dumps sellers don’t bundle CVVs with their dumps.

Instead, online fraudsters turn to “CVV shops,” shadowy cybercrime stores that sell packages of cardholder data, including customer name, full card number, expiration, CVV2 and ZIP code. These CVV bundles are far cheaper than dumps — typically between $2-$5 apiece — in part because the are useful mainly just for online transactions, but probably also because overall they more complicated to “cash out” or make money from them.

The vast majority of the time, this CVV data has been stolen by Web-based keyloggers. This is a relatively uncomplicated program that behaves much like a banking Trojan does on an infected PC, except it’s designed to steal data from Web server applications.

PC Trojans like ZeuS, for example, siphon information using two major techniques: snarfing passwords stored in the browser, and conducting “form grabbing” — capturing any data entered into a form field in the browser before it can be encrypted in the Web session and sent to whatever site the victim is visiting.

Web-based keyloggers also can do form grabbing, ripping out form data submitted by visitors — including names, addresses, phone numbers, credit card numbers and card verification code — as customers are submitting the data during the online checkout process.

These attacks drive home one immutable point about malware’s role in subverting secure connections: Whether resident on a Web server or on an end-user computer, if either endpoint is compromised, it’s ‘game over’ for the security of that Web session. With PC banking trojans, it’s all about surveillance on the client side pre-encryption, whereas what the bad guys are doing with these Web site attacks involves sucking down customer data post- or pre-encryption (depending on whether the data was incoming or outgoing).

If you’re responsible for maintaining or securing Web sites, it might be a good idea to get involved in one or more local groups that seek to help administrators. Professional and semi-professionals are welcome at local chapter meetings of OWASP, CitySec, ISSA or Security Bsides meetups.

Tags: , , , , , , , , , ,

53 comments

  1. I use IBM’s Trusteer Endpoint Protection (Rapport) which is supposed to block these key loggers either on my computer or on the server I’m connecting to. My understanding is that they encrypt the keystrokes before the SSL encryption and the encryption continues on the server after the SSL encryption has been removed. I have no idea if it works except I have no problems with online transaction fraud (which really doesn’t prove that it works).

  2. Brian, I’m not sure I understand how the CVV dumps are not worth as much as the normal card shops. It seems the CVV dumps has everything you’d get from a card shop plus the CVV2 and zipcode. Why wouldn’t you be able to fabricate a physical card from that data just as well as you could from card shop data?

    • The CVV Dumps are worth less because they have not been compromised physically, only digitally. Carders using the cloning method wouldn’t be comfortable trying to clone a card they weren’t sure had been physically compromised because there is not proof that the card will be active still. Who’s to say the cards caught I’m the CVV dumps haven’t been used in other ways by other crooks where they tend to keep physical dumps much more private, selling once, maybe twice.

      • Actually, a CNP dump doesn’t have all of the information necessary to create a physical card. A common point of confusion is that there are actually two CVVs per card – one is encoded only on the mag stripe (the “CVV” or “CVV1”) and the other is printed physically on the back of the card (the “CVV2”, which is what most people refer to as the “CVV”). Consumers cannot enter the CVV1 to complete an ecommerce transaction as they have no idea what it is. Likewise, no brick-n-mortar merchant I know requests consumers enter the CVV2 during checkout. So, a dump obtained from an ecommerce merchant cannot be used at brick-n-mortar retailers and vice versa. And since ecommerce fraud is, all things being equal, trickier to monetize those dumps are worth less.

        • I actually have seen stores enter the CVV2 code into their POS system. These stores usually have a sign “show the card to the cashier” or the like.

          • Can’t speak for the stores you visited, but when I worked retail and had to ask for the card, it was basically a minor security measure (checking that the signature on the card matched the signature on the pin pad). To prove that we had taken the card from the customer (and I suppose as another level of security against a badly made counterfeit), we had to punch in the last four digits of the card number. However, we never touched the CVV.

            • And most cashiers have no idea why they’re asking for that “last 4” (beyond “because I’m supposed to”), so most buyers just say the last four digits–thus totally voiding any theoretical security value to the process, alas!

          • Entering the CVV2 at point of sale is now supported as a form of additional verification that a card is genuine.

          • Joe – most stores that require you to hand over the card are entering the last 4 digits printed on the card and the POS is validating they match the last 4 digits from the track data. This makes is a bit more difficult to cash out dumps as you need to have a card that the last 4 digits match track data or it fails this transaction. Simple effective process. Now if we only start using the PIN portion for EMV…probably at the same time we adopt the metric system.

            • LOL

              I agree, and although America should be using strictly PIN and no signature, Americans should at least currently have a choice between signature or PIN rather than just forcing the insecure use of signature with the new chip cards.

    • Using a card online usually means buying something and having it physically shipped somewhere other than the billing address. Merchants tend to flag those to begin with, and the criminal needs to have it shipped somewhere that can’t be connected to them. That’s spawned the whole mail-drop schemes that have been written about on this site, and means the scammer needs to convince someone to have stuff shipped to them and then ship it to the scammer.

      • Sounds like a good idea. But even a small online business can processes hundreds of credit card transactions per day. To limit buyers to ship only to their billing address limits fraud but also keep legit buyers from sending gifts, shipping to their job, girlfriend, boyfriends, parents house ect. Software flags some fraud transactions but the rest have to be manually reviewed.

    • Wow, thanks everyone for the responses. You’ve taught me a lot which will help keep me more secure!

  3. Another way of obtaining CVV info (although keyloggers and other malware is the lion’s share) is via skimmers that integrate cameras to take pictures of the cards as they’re being swiped.

  4. Brian writes “PC Trojans like ZeuS, for example, siphon information using two major techniques: snarfing passwords stored in the browser.” Does that mean if someone chooses to store passwords on their personal pc, a Trojan like Zeus can grab that information?

  5. There is nothing to worry about….
    Just update you OS and your browser and you will be fine.

    • Updating your OS and browser and keeping it 100% up to date will not do ANYTHING to stop a phishing attempt in your email that you click on because you think it’s from your bank. It won’t do ANYTHING to protect you against a zero day exploit on a malicious ad from a well known site that installed a keylogger.

      For instance just a few weeks ago:
      http://arstechnica.com/security/2016/03/big-name-sites-hit-by-rash-of-malicious-ads-spreading-crypto-ransomware/
      “It hit some of the biggest publishers in the business, including msn.com, nytimes.com, bbc.com, aol.com, my.xfinity.com, nfl.com, realtor.com, theweathernetwork.com, thehill.com, and newsweek.com.”

      You ever visit msn.com the default homepage set by IE?
      You ever visit BBC or newsweek or new york times websites?

      You can get hit with malicious ads from anywhere. You need to have more defenses than just “Oh I keep my OS and browser updated so I’m perfectly safe” or else you will get infected someday.

  6. And another source of compromise of course are the retailers that DO store CVV2, contrary to the rules, and have their databse hacked.

    • To be precise: merchants are allowed to retain the CVV1 or CVV2 until the transaction has been authorized. If the merchant is operating in “fallback” for a period of time (meaning, they are not able to connect to their acquirer to authorize the transaction – typically due to connectivity or network issues), they can retain this information (although it must per PCI DSS be encrypted while at rest) until the transaction is completed. The merchant is, of course, taking on a risk that the transaction is not authorized when connectivity to the acquirer is restored – but for business reasons many merchants accept this risk in the name of customer satisfaction.

      • Apparently, some merchants are allowed more, eg Steam keeps CVV2 for as long as they like for one-click orders.

        Amazon, on the other hand, doesn’t even ask for it at all. My friend with banking background (and good knowledge of PCI DSS) was shocked.

  7. I always wondered if CVVs couldn’t be extracted more easily at brick and mortar point of sale – where I live it’s common for salespeople to physically handle customer cards, so how hard could it be for them to either memorize the number or show it to a camera (either one put in specifically for this reason, or one of store’s surveillance ones)? This not only does not require advanced IT skills, but also makes detecting source of the leak harder.

  8. George Dragojevic

    Hey Brian, I definitely agree with you that everybody who are responsible for maintaining any website security should be seeking for help from other professional administrators.

    • No one is responsible for anything. Security will automatically come to you in the form of an update from Apple and Microsoft. Those who maintain websites only need to make sure they maintain their connections to their cloud based advertisers.

  9. re: Jerry’s remarks about the physical handling of cards

    My wife noticed recently that in contrast to the US, where the card disappears for various lengths of time, here in Germany card transactions are carried out at the table, counter or POS via wireless readers. The only time the card “leaves” your possession is when it’s inserted in the reader. You’re then given the reader to enter your pin number on a screened keyboard, whereupon a receipt is printed out by the gadget. I suppose it would be possible to note the CVV number with some skillful manipulation, but it surely wouldn’t be so easy or ubiquitous.

  10. If CVV is only needed for online purchases, can cardholders write down the CVV, keep it at home, and then scrape the CVV off the back of the card?

    • For the CVV2, yes – one could do that. If you can see it on your card, anyone who handles your card and has a good memory has access to the same information necessary to perform an ecommerce transaction. Well, except for your ZIP code and address, assuming the ecommerce merchant is performing address verification (which most now do).

      • why not just cover the CVV2 with black electrician’s tape? Easy to remove if you really need to use it, but covered otherwise.

    • Scraping off the number will protect you from a single source:
      Camera’s that capture this info at physically compromised sites like ATMs.

      It will NOT protect you if you have keylogger on your computer. It will NOT protect you if the retailer’s website is compromised and sending captured information to the thieves.

      • Unless of course you never ever type in or use the cvv2 for any purposes whatsoever.
        But then you are still vulnerable from identity theft, and skimmers, and many other sources, even if you never ever made any credit card purchase online.

  11. Many of card managements systems around the world suffered from fraudulent attack coming from Brazil.
    They using Bin attack technique and generate cards through card generation tools and send deferent authorization message one time as e commerce transaction, magnetic transactions and chip transactions looking for any bugs in authorization system.
    When they successful with any attempts they send thousands of trails with the same pattern when they got approval for any card they decode this data on card and send physical card to the market to make a lot of transaction though their gang members.
    They depend on authorizations system fail or security problem to do such of this transactions

  12. It makes me giggle how everyone likes to over complicate things. Keep in mind that just because a merchant has a field for CVV, it’s doesn’t mean they’re requiring a valid CVV that at their processor to accept the payment.

    There are multiple levels of card holder verification (including address verification) that may be used by the merchant when the transaction is authorized. If too many of their customers are having issues making payments, some of these may be disabled. It’s worth it to them to pay a higher price for processing within a higher fraud category, because they’ll make up for it in increased revenue. Especially online-only merchants who have customers in multiple countries.

  13. Some merchants are not honest about storing the CVC2 information. When the CVC2 information is sent to the issuer and/or processor for recurring merchants it can come across in two different ways. For your Netflix, and other subscription service you will see a straight up CVC2/CVV2 validation on the first transaction (sign up) and any other monthly transactions will display a different code which denotes that the CVC2/CVV2 was not passed. However, there are other subscription services we will see the validation of the CVC2 every single transaction meaning that the CVC2 is stored. Happens clockwork on the specific billing day that was set by merchant of that month.

    Now there is an exception to merchants selling tangible/intangible goods. Everyone who frequents some off brand website notices the button “save your card info”. Ok……, what I noticed while doing a test with one of my frequent personal merchants is that even though they saved it they still require the CVC2/CVV2 every time. I can’t speak for all. I do not know much about the keylogger situation, but when there is something of value…there is a means & method to steal it.

    • Indeed. And if you notice such a case, call 1-800-VISA-911 or 1-800-MC-ASSIST or 1-800-333-AMEX and report it. That’s a PCI violation.

      Of course, as others have noted, that doesn’t exactly call in an airstrike, or indeed guarantee *any* action. But it’s worth a try.

      • I normally send more severe issues, but they are quite lient on the merchants. They see the outcome codes the same as I do so no doubt they are aware. I can’t be a hypocrite here since I brought it up, so I will compile a list and send them my merchant list. Lets see where it goes. Thx.

  14. Keyloggers may be the easiest way to gather large quantities of CVV2 codes, but fraudsters have many options. Certain industries routinely collect CVV2 on paper forms, which are then either scanned or placed in long-term storage. When I’ve talked to merchants about it, it’s clear that they are conflating card-not-present transactions with *real-time* card-not-present transactions, then relying on some kind of warped folklore about what PCI says about CVV2 storage. Storage locker rentals and medical providers are the worst violators, in my experience. I imagine those businesses would be especially lucrative targets. Brick-and-mortar merchants don’t usually collect CVV2, but merchants under canvas sure do–I’ve also noticed that quite a few small merchants at various festivals and fairs will scribble down the CVV2 when processing a credit card transaction. I bet a fair number shady businesses just aim a camera at their counter and transcribe card information at their leisure. I’d love to see a hotline where consumers could report blatant PCI violations like these.

  15. Jim has it 100% right (who do you work for?). The article is pretty much ancient data and card security / card transaction risk mitigation professionals have known this for almost 20 years.

    PC attacks and communication compromises have been around since the beginning. It’s one of the reasons SET was written in 1996 (RIP). It’s also the reason why CVC / CVV is different from CVC2 / CVV2. It was designed to be different (except for wild chance).

    Chip card does NOTHING to prevent ecommerce fraud. It has been sold to the great unwashed masses as the final word in card security, but that 1993 EMV concept fails in today’s huge CNP environment.

  16. Keith appleyard

    A colleague here in the UK once showed me an Excel-based Invoice he had received from a small Retailer which contained all of his Card details, including the CVV. He didn’t know who the Merchant Acquirer was, so as a public-minded citizen I wrote to all of the major players in the UK on the off-chance they’d react. Only 1 responded to me (HSBC), and suggested I take it up with the Merchant myself. Barclays, Lloyds, Natwest & RBS never even replied to me – that’s how seriously they took it.

  17. I guess “keylogger” for server-side malware would be the wrong terminology but I understand the concept.

    Server-side formgrabber?

  18. “if merchants are forbidden from storing this information?” – Yes. Merchants are forbidden from storing this info… but most of them still do. I have had a lot of companies try to write the CVV on the invoice for sake of convenience.

  19. It’s pretty easy to get the CVC2/CVV2. There are only 999 possibilities. Card numbers have only so many possibilities if the first 6-8 are fixed and the last one is a check digit. With a card number, all you need is a bunch of websites that check the cvc2/cvv2 (every ecommerce site in existence) and check the 1000 possibilities, brute force. You don’t check the same site twice from the same attacker and you don’t check the same card twice at the same site. You use a bot net that can work on this 24×7 until you’ve cracked the cvv/cvcs for the lot.

    However, it’s often easier to just crack the users password at a retailer’s site and add a new address, change the email, change the password, order stuff, send to new address, and then clean up, and put things back. Or not, and resell the account.

    You’d be amazed at what mortgage refinance companies leave unprotected in the cloud and on their systems.

    • Wouldn’t work, would kill the card making it useless for faudsters.

      • Works just fine if you have a lot of cards. Think big DB dump(s). That way you can limit the number of guesses per card – even with just a single guess per card, you’d get 1000 valid CVV2s from a dump of a million.

  20. its end of the card chips anyways, in near future we all will have micro chips under our skin,thats so simple this is nothing jet

  21. It would be interesting to shift the burden to the acquirer by forcing websites to inject iframes to the acquirers portal (Chase / Paymentech – Orbital). Then the only point of compromise is the acquirer or the users PC. I only use online ordering from about 5 large vendors. After that I use Paypal or generate a 1 time use (or 1 month use) virtual card. I believe all major banks have that ability. That way compromise of a card is does not impact my physical card and is time, transaction or dollar bound so minimal impact. It would be really nice for the banks to create the one time payment via the injected iframe and only send trx and auth data to merchant so no chance for them to lose the data.

  22. I use a program called KeyScrambler, which according to their website: Encrypts in real time your keystrokes on all websites and keeps them safe through the operating system to protect your privacy/identity, even on infected computers. I use the free personal version. It gets good reviews. I hope it works as advertised. Link: http://www.qfxsoftware.com/download.htm

  23. I don’t know if BK himself keeps up with all comments, but I’d like to thank him for mentioning local memberships of OWASP. I’ve looked at their sites before but had no idea they were an organization you could join like a professional association.

    I work with some PCI-compliant-ish code and I’m setting up new web-facing stuff with MVC, and between this site and Ars Tecnica, I’ve come to take security about 10,000% more seriously than the others at work, including our “PCI compliance officer.”

    Joining OWASP and using their security-101 site seem like really good ideas to help make sure my work doesn’t suck. I’m mentioning OWASP here but I don’t exclude the others BK mentioned.

    This is why we visit KOS. All hail BK and I’ll be sure to donate again this year.

  24. I believe if the processor offers P2PE (Point to Point Encryption) with Tokenization, everything is encryption, including keyed transactions.

  25. Don’t forget local ISC2 Chapters!

  26. William Hugh Murray, CISSP

    Consumers should prefer online merchants that support checkout proxies like PayPal, Amazon, MasterCard MasterPass, and Visa Checkout. If they enter their CVV at enough on line merchants, they will hit one that is compromised.

    Merchants should support these proxies rather than accept credit cards themselves. The proxies will provide the merchant with all the advantages of accepting credit cards, improve customer convenience, speed checkout, and provide both merchants and consumers with improved security.

    • Not until there’s adequate legal and regulatory frameworks in place to keep these processors in line. Paypal is well known for being a target of fraud both in the theft of its accounts and ridiculously one-sided chargebacks (although as someone who isn’t too long out of law school, the word between my friends is that their PLLCs tend not to lose chargebacks like when they were selling things on eBay that they sent without tracking numbers). Ultimately everyone is trying to cover their own ass but the end user is the one least able to. Going through Paypal or Amazon or a bank just can screw the end user, business or customer, just as easily merely in different ways.