3D Secure is an authentication protocol for card payments; its original version exchanges XML messages between the merchant, the card scheme and the card issuer. It is designed to add a layer of cardholder authentication to online debit and credit card transactions. A second version, 3D Secure 2.0, was published in 2016. 3D Secure 2.0 allows far more data, such as the cardholder's transaction history or email address, to be sent to the cardholder's bank so that it can assess the risk of the transaction; the cardholder is only asked to authenticate when the issuer decides the risk warrants a challenge. One recent scam built around that challenge step targets Netflix subscribers: victims receive a phishing email telling them that their service has been disrupted because of a problem with their payment method.
What is 3D?
Merchants are strongly encouraged to use 3D Secure to gain a higher level of protection against fraud. The authentication is built on a three-domain (3-D) model:
- Acquirer Domain: the merchant and the bank (acquirer) that receives the payment on the merchant's behalf
- Issuer Domain: the bank that issued the card, together with the cardholder
- Interoperability Domain: the infrastructure the card schemes provide to support the 3-D Secure protocol, chiefly the Directory Server
When a customer enters a debit or credit card number while shopping online, the merchant's 3DS component (the Merchant Plug-In, MPI) submits the card number to a Directory Server run by the card scheme to check whether the card issuer is enrolled in 3DS. If it is, the Directory Server returns the URL of the issuer's Access Control Server (ACS) to the merchant. The MPI then sends an authentication request to the ACS by redirecting the cardholder's browser to it, and the ACS authenticates the cardholder when he or she types in the 3DS credential (a static password in the first version, today typically a one-time code). The ACS's signed response travels back through the browser to the MPI, which verifies it before sending the payment for authorisation.
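The exchange described above, reduced to a runnable simulation. This is an added example, not code from the page, from EMVCo or from any card scheme: the message names VEReq/VERes/PAReq/PARes are the real 3DS 1.0 ones, but their field names, the BIN table, the ACS URL and password, and the shared HMAC key that stands in for the ACS's signature and certificate are all assumptions made for the demonstration. The point it shows that the prose does not is that the PARes the merchant accepts is signed over the merchant ID, amount and transaction ID of this one purchase, so a response cannot be altered or carried over to another transaction.

```python
import hashlib
import hmac
import secrets

# Interoperability domain: the scheme's Directory Server knows, per BIN (first
# six digits of the card number), whether the issuer is enrolled and where its
# ACS lives. Constructed data; the BINs and URL are not real.
DIRECTORY = {
    "411111": {"enrolled": True, "acs_url": "https://acs.issuer.example/3ds"},
    "555555": {"enrolled": False, "acs_url": None},
}

# Issuer domain: the ACS holds the cardholder's 3DS password and the key it
# signs responses with. A shared HMAC key stands in for the XML signature and
# issuer certificate of the real protocol (assumption made for brevity).
ACS_SIGNING_KEY = b"issuer-acs-signing-key"
ACS_PASSWORDS = {"4111111111111111": "correct horse"}


def _pares_body(xid: str, merchant_id: str, amount: str, status: str) -> bytes:
    """The fields the ACS signs: the response is bound to one transaction."""
    return f"{xid}|{merchant_id}|{amount}|{status}".encode()


def directory_server(vereq: dict) -> dict:
    """Directory Server: answer a Verify Enrollment Request (VEReq) with a VERes."""
    entry = DIRECTORY.get(vereq["pan"][:6])
    if entry is None or not entry["enrolled"]:
        return {"type": "VERes", "enrolled": "N", "acs_url": None}
    return {"type": "VERes", "enrolled": "Y", "acs_url": entry["acs_url"]}


def acs_authenticate(pareq: dict, password_typed: str) -> dict:
    """ACS: check the password typed in the cardholder's browser, sign the PARes."""
    expected = ACS_PASSWORDS.get(pareq["pan"], "")
    status = "Y" if hmac.compare_digest(expected, password_typed) else "N"
    body = _pares_body(pareq["xid"], pareq["merchant_id"], pareq["amount"], status)
    sig = hmac.new(ACS_SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return {"type": "PARes", "xid": pareq["xid"], "status": status, "signature": sig}


def mpi_verify_pares(pareq: dict, pares: dict) -> bool:
    """MPI: accept the PARes only if it is signed over *this* PAReq's fields."""
    body = _pares_body(pareq["xid"], pareq["merchant_id"], pareq["amount"], pares["status"])
    expected = hmac.new(ACS_SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pares["signature"]) and pares["status"] == "Y"


def merchant_checkout(pan: str, merchant_id: str, amount: str, password_typed: str) -> str:
    """Acquirer domain: the MPI drives the whole exchange for one purchase."""
    veres = directory_server({"type": "VEReq", "pan": pan})
    if veres["enrolled"] != "Y":
        return "not_enrolled"      # issuer not in 3DS: no authentication possible
    pareq = {"type": "PAReq", "pan": pan, "xid": secrets.token_hex(10),
             "merchant_id": merchant_id, "amount": amount}
    # In the real flow the PAReq is posted to veres["acs_url"] via the cardholder's
    # browser, where the password is typed; modelled here as a direct call.
    pares = acs_authenticate(pareq, password_typed)
    return "authenticated" if mpi_verify_pares(pareq, pares) else "failed"


if __name__ == "__main__":
    print(merchant_checkout("4111111111111111", "NETFLIX", "9.99", "correct horse"))
```

Because the MPI recomputes the signature over its own copy of the PAReq fields, a PARes whose status has been flipped from N to Y in transit, or one lifted from a different transaction, fails verification even though it carries a genuine ACS signature.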
3D Secure 2.0
3D Secure 2.0 deployments commonly replace the static password with an SMS OTP (one-time password): the issuer's ACS sends a fresh code to the mobile number registered for the card, which saves users from having to remember or store a password. The OTP is a stumbling block for card thieves, who need a way past it before stolen card data is worth anything to them. To get past it, the criminals add a second step to their 3D Secure phishing scam: a page that prompts the victim to type in the SMS OTP they have just received, without realising which transaction it really belongs to.
The SMS OTP that financial institutions use to authenticate online purchases is also known as an mTAN (mobile transaction authentication number). Before the mTAN, cardholders used static PIN codes or passwords, which were much easier for attackers to exploit: once phished, a static code could be reused indefinitely.
Once the victim has submitted all the requested data and typed in the OTP, the payment details are sent to an email address controlled by the attacker and also logged to a .txt file on the compromised site that hosts the fake Netflix page. After pressing the Confirm button in the final step of the scam, the victim is redirected to the real Netflix homepage, so nothing looks amiss.
Problems with ACS Implementations of SMS OTP
Most people do not understand how attackers actually use stolen card data together with the OTP. It is easy to assume that an SMS OTP is bound to the single merchant and transaction for which the 3DS ACS (Access Control Server) generated it. That is not necessarily the case: the SMS OTP process is not standardised across 3DS ACS providers, and attackers can abuse ACS implementations with the following characteristics:
- The OTP is derived from the payment card number rather than from the specific transaction (merchant ID, amount, transaction ID)
- The OTP remains valid for 180 seconds, whichever merchant presents it
A typical OTP Attack Scenario
A typical OTP attack runs as follows:
- The victim receives a phishing email claiming that a service such as Spotify or Netflix has been restricted because of non-payment or another payment problem.
- The victim clicks the link, lands on a fake service page that asks for personal details and payment card data, and submits them. The page tells the victim that an SMS with a passcode is about to arrive.
- At that moment the attacker's tooling uses the submitted personal and payment data to immediately start a transaction with the impersonated brand, for example Netflix.
- That transaction triggers the 3DS SMS OTP, which the issuer sends to the victim's own mobile phone. The victim types the passcode into the fraudulent page and is then redirected to the real brand site, such as Netflix.
- The attacker now has a short window in which to reuse the SMS OTP and makes a fraudulent purchase elsewhere with the phished card data. Because the OTP is tied to the card rather than to the transaction, it does not matter whether the second purchase has the same merchant or the same amount as the first.
The core problem is that the OTP is not generated uniquely for each transaction. It is generated from the card number, which opens a short window in which the criminal can use the phished payment data at whichever other merchant he or she chooses.
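The two ACS behaviours contrasted in the two sections above, as an added example (not code from the page or from any real ACS provider). `CardBoundACS` models the weak characteristics listed earlier: the code is a function of the card number and the current 180-second window, so every merchant that asks during that window gets the same code and the check ignores merchant, amount and transaction. `TransactionBoundACS` is the hardened alternative: a random code stored against one transaction, checked against merchant and amount, expiring, and consumed on first use. `simulate_attack` walks the scenario from the list above against either store. The key, card number, merchants and amounts are constructed; the class and function names are this example's own.

```python
import hashlib
import hmac
import secrets

OTP_TTL_SECONDS = 180   # validity window named on the page


class CardBoundACS:
    """Weak pattern: the OTP is a function of the card number and the current
    180 s window only. Any merchant asking in that window gets the same code."""

    def __init__(self, key: bytes):
        self._key = key

    def _derive(self, pan: str, now: float) -> str:
        window = int(now) // OTP_TTL_SECONDS
        mac = hmac.new(self._key, f"{pan}|{window}".encode(), hashlib.sha256).digest()
        return f"{int.from_bytes(mac[:4], 'big') % 10**6:06d}"

    def issue(self, pan, merchant_id, amount, now):
        """Returns (transaction id, OTP the issuer would SMS to the cardholder)."""
        return secrets.token_hex(8), self._derive(pan, now)   # merchant, amount ignored

    def verify(self, txn_id, pan, merchant_id, amount, otp, now) -> bool:
        # Neither txn_id, merchant_id nor amount is checked: that is the flaw.
        return hmac.compare_digest(self._derive(pan, now), otp)


class TransactionBoundACS:
    """Hardened pattern: random OTP stored against the transaction, checked
    against merchant and amount, expiring, and consumed on first use."""

    def __init__(self):
        self._live = {}   # txn_id -> record

    def issue(self, pan, merchant_id, amount, now):
        txn_id = secrets.token_hex(8)
        otp = f"{secrets.randbelow(10**6):06d}"
        self._live[txn_id] = {"pan": pan, "merchant": merchant_id, "amount": amount,
                              "otp": otp, "expiry": now + OTP_TTL_SECONDS}
        return txn_id, otp

    def verify(self, txn_id, pan, merchant_id, amount, otp, now) -> bool:
        rec = self._live.pop(txn_id, None)   # single use: gone after any attempt
        if rec is None or now >= rec["expiry"]:
            return False
        if (rec["pan"], rec["merchant"], rec["amount"]) != (pan, merchant_id, amount):
            return False
        return hmac.compare_digest(rec["otp"], otp)


def simulate_attack(acs, now: float = 1_800_000_000.0) -> dict:
    """Replay the page's scenario against an ACS and report what gets through.
    Card number, merchants and amounts are constructed."""
    pan = "4111111111111111"
    # Steps 3-4: the attacker's kit starts a Netflix transaction with the phished
    # card; the issuer SMSes the OTP to the victim, who types it into the phishing page.
    nf_txn, phished_otp = acs.issue(pan, "NETFLIX", "12.99", now)
    # Step 5: within the window the attacker starts a purchase elsewhere and
    # presents the phished OTP (the second transaction's own SMS is never seen).
    fraud_txn, _ = acs.issue(pan, "GIFTCARD-SHOP", "500.00", now + 30)
    fraud = acs.verify(fraud_txn, pan, "GIFTCARD-SHOP", "500.00", phished_otp, now + 35)
    # Control cases: completing the genuine transaction, presenting the same OTP
    # a second time, and presenting it again after the 180 s window.
    legit = acs.verify(nf_txn, pan, "NETFLIX", "12.99", phished_otp, now + 40)
    replay = acs.verify(nf_txn, pan, "NETFLIX", "12.99", phished_otp, now + 41)
    expired = acs.verify(nf_txn, pan, "NETFLIX", "12.99", phished_otp, now + 200)
    return {"fraud_at_other_merchant": fraud, "legit_completion": legit,
            "replay_same_txn": replay, "after_window": expired}


if __name__ == "__main__":
    print("card-bound:       ", simulate_attack(CardBoundACS(b"weak-acs-key")))
    print("transaction-bound:", simulate_attack(TransactionBoundACS()))
```

Transaction binding closes the "different merchant" hole but not phishing itself: a kit that relays the victim's code into the very transaction the attacker started still gets that one purchase through. That residual risk is why the SMS should state the merchant and amount the code is for, so the cardholder can see it does not match the page in front of them.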
Phishing pages, like other malicious content planted on a compromised site, can be detected by website owners with file-integrity monitoring services, which alert on any alteration to or addition of files under the web root.
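A minimal version of the file-integrity check just described, added as an example rather than taken from the page or from any monitoring product: hash every file under the web root, keep the result as a baseline, and later report files that changed, appeared or vanished. `demo` builds a throwaway site in a temporary directory, baselines it, then plants a kit of the kind described above (a fake billing page plus its .txt log) and edits an existing page to link to it; all paths and contents are constructed.

```python
import hashlib
import json
import os
import tempfile


def snapshot(root: str) -> dict:
    """Map each regular file under root (relative, '/'-separated) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            out[rel] = h.hexdigest()
    return out


def compare(baseline: dict, current: dict) -> dict:
    """Report files whose hash changed, files that appeared, and files that vanished."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as f:
        f.write(text)


def demo() -> dict:
    """Constructed scenario: a clean site is baselined, then a phishing kit of the
    kind described above (fake billing page plus its .txt log) is planted."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.html", "<h1>Shop</h1>")
        _write(root, "js/app.js", "console.log('hi');")
        baseline = snapshot(root)          # in practice: store this off-host, signed
        # An attacker with write access drops the kit and edits a page to link to it.
        _write(root, "index.html", "<h1>Shop</h1><a href='/billing/'>Update payment</a>")
        _write(root, "billing/index.php", "<?php /* fake 'update your payment' page */ ?>")
        _write(root, "billing/.log.txt", "")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The baseline has to live somewhere the attacker cannot rewrite it, otherwise a kit can simply re-baseline after installing itself; a hidden dotfile such as the `.log.txt` above is exactly the sort of addition a directory listing or a human review would miss but a hash comparison will not.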
The OTP helps to mitigate fraud. When a cardholder makes an online purchase with a debit or credit card, the issuer sends an OTP to the cardholder's mobile phone by SMS, and a challenge page pops up on screen asking for that code. Some banks prefer hardware tokens, email, or mobile phone apps that generate OTPs instead.