The CVV Loophole of Credit Card Fraud is Closed for Business
One of the things I like to do when interviewing job candidates is to ask them questions about the world of fraud. I don’t expect them to prove that they’re certified fraudsters when they come in, but it can flesh out many paradigms that the candidates may already have. For example, I’ve noticed that most people who come from the technical world immediately associate the word vulnerability with a technical vulnerability – an exploit that allows a hacker to breach the system.
However, when we’re dealing with fraud, a vulnerability does not always involve technology or a data breach of millions of credit cards. In this world, a vulnerability is often a gap in procedures that allows a fraudster to swindle banks relatively easily. Once discovered, it usually creates a spike in the amount of phishing attacks targeting that bank and the demand for the bank’s credentials in the underground economy.
In some cases, these vulnerabilities are derived from poor policies such as not authenticating the user properly. In others, the organization is not doing what it is supposed to do. The case of CVV authentication, or “CVV loophole” as fraudsters called it, is a perfect example. While it is somewhat technical, it does not illustrate a breach.
First, a short tutorial just to make sure that we’re all on the same page. On a credit card’s magnetic stripe there are three tracks. Each track contains different information and is used for different purposes. The first track is mainly used to print the card details on receipts. The third track is a read-write track, and in most countries, it isn’t being used at all. The second track, which is the most relevant to fraud prevention, is the track used to authenticate the transactions.
One of the values on track 2 is the CVV, or “Card Verification Value” (not to be confused with the CVV2, which is the three-digit number on the back of the card). The idea behind the CVV is that its value is not known by the cardholder (most are not even aware it exists) and therefore cannot be provided, even if it is requested. The authentication of the CVV in every transaction prevents card cloning using information that can be obtained from the cardholder over the phone or through phishing sites.
This is all well and good, except that a few years back there were many financial institutions that were not authenticating the CVV. Through trial and error, fraudsters realized that they could write anything on the parts of the track 2 that were used to authenticate transactions and the transaction would still go through. All they needed to clone a card was the credit card number, expiration date and the PIN code (referred to as “PINs” in fraudster terminology) – information they easily obtain via phishing attacks or over the phone. And so they did. Over time, “BIN lists” were created, listing many of the cards that were known not to authenticate the CVV.
The fraudsters who identified this loophole realized that this scheme was so easy, that anyone with a card reader/writer (which can be legally obtained on eBay and other places online) could clone cards themselves, go to an ATM machine and withdraw wads of cash. In order to ensure that they would still get a piece of the action, these fraudsters invented the “algos” myth. According to them, they had special “algorithms” that they created that made cloning of certain cards possible. Those special few were known as “PINs cashiers” as they were the ones able to cash out PINs credentials. Before long, “rippers” (fraudsters who rip off other fraudsters) started selling these fake lists of algos for a lot of money.
The larger banks that encountered this kind of fraud were relatively quick to react, leaving only small banks and credit unions to populate fraudsters’ BIN lists. For us, it was a fairly common sight; a small bank that was never targeted by phishing all of a sudden finds itself bombarded by attacks attempting to lure its customers to provide their data. The phishing sites always ask for the same thing – credit card number, expiration date and PIN code. Once those banks flicked the switch and started authenticating the CVV, the phishing attacks completely disappeared.
Today, the algos myth is long gone, as the “CVV loophole” is almost closed. Why almost? Because there are still small banks and credit unions that are still failing to authenticate the CVV. Peaks of phishing attacks driven by the loophole are becoming less and less common, but they haven’t disappeared completely.
An organization should always evaluate its infrastructure for potential breaches. But in the end, it could be a cashier not checking the ID, a rule issue, or forgetting to flick on a switch or set up a system rule that results in fraudsters hitting pay dirt.
Comments
I like the article as it exposes the carelessness of issuers who then claim to be victims
Probir Sengupta
This is great information for people to know. I had no idea that we had three different “tracks” on our credit card bars. It’s also scary to know that there are so many vulnerabilities for these hackers. It’s at least good to know that they have “almost” closed out one loophole. Unfortunately I am sure there are a million more. Thanks for this blog post, I am glad I came by it
Jeremy
