Friday, May 22, 2009

New RSA Fraud Report Offers Details On 'Card Checking'

RSA Online Fraud Report - February/March 2009

In February 2009, the RSA Anti-Fraud Command Center traced a new tool designed by online fraudsters to validate compromised payment cards (e.g. credit cards or debit cards) that are illegally obtained through the underground fraud supply chain. Before using illegally obtained payment cards to make fraudulent purchases, fraudsters typically test their viability through a variety of “credit card checkers,” also known as “card checkers” or “cc checkers”. Card checkers are services or tools designed by fraudsters that enable other fraudsters to check the accuracy of compromised payment card data.

RSA found the source code of a desktop application on an online merchant’s website that functions as a payment card checker that can be employed on a mass scale – creating what are called “mass card checkers”. This desktop application can check payment cards by manipulating and attacking a legitimate online merchant’s Address Verification System (AVS) check. An AVS check is a standard system that verifies whether or not a billing address entered online matches the billing address registered to a payment card. In addition, the AVS check returns a result without the need to complete a financial transaction.

Mass card checkers are shared within the fraudster underground for free and can grab the username and password within a legitimate member’s account on an online merchant’s website. Card checkers are not a novel approach to validating stolen payment cards, but the mass card checker discovered by RSA is new in that it consists of a desktop application solely dedicated to the abuse of an online merchant’s AVS check.
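For merchants, the pattern described above (one member account running AVS checks on many different cards with no purchase following) can be looked for in their own request logs. The sketch below is an added example, not taken from the RSA report or from the tool it describes; the event format, account names, card tokens, time window and threshold are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, member account, card token, event type).
# Card tokens stand in for tokenized card numbers; no real card data is used.
SAMPLE_EVENTS = [
    # Normal customer: one AVS check followed by a purchase with the same card.
    ("2009-03-01T10:00:00", "acct-17", "tok-a1", "avs_check"),
    ("2009-03-01T10:00:05", "acct-17", "tok-a1", "purchase"),
    # Abandoned checkouts with two cards, more than an hour apart.
    ("2009-03-01T09:00:00", "acct-08", "tok-c1", "avs_check"),
    ("2009-03-01T10:30:00", "acct-08", "tok-c2", "avs_check"),
] + [
    # Six different cards AVS-checked from one account in 40 seconds, no purchase.
    (f"2009-03-01T11:00:{i * 8:02d}", "acct-42", f"tok-b{i}", "avs_check")
    for i in range(6)
]


def find_mass_avs_checking(events, window=timedelta(minutes=10), max_cards=3):
    """Return {account: peak count of distinct, never-purchased cards that the
    account AVS-checked within `window`} for accounts exceeding `max_cards`."""
    parsed = sorted((datetime.fromisoformat(ts), acct, tok, kind)
                    for ts, acct, tok, kind in events)
    # Cards that the same account went on to buy with are treated as legitimate.
    purchased = {(acct, tok) for _, acct, tok, kind in parsed if kind == "purchase"}
    recent = defaultdict(deque)  # account -> (time, token) of AVS-only checks in window
    peak = defaultdict(int)
    for ts, acct, tok, kind in parsed:
        if kind != "avs_check" or (acct, tok) in purchased:
            continue
        q = recent[acct]
        q.append((ts, tok))
        while ts - q[0][0] > window:  # drop checks that fell out of the window
            q.popleft()
        peak[acct] = max(peak[acct], len({t for _, t in q}))
    return {acct: n for acct, n in peak.items() if n > max_cards}


if __name__ == "__main__":
    for account, cards in find_mass_avs_checking(SAMPLE_EVENTS).items():
        print(f"{account}: {cards} distinct cards AVS-checked without a purchase")
```

Because the report notes that these tools operate through a legitimate member’s account, a flagged account may itself be compromised rather than fraudulent.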
