From: LSC Card Services
The Fiserv Risk Office has tracked an increasing frequency of so-called brute force attacks with potential impact on debit and credit gateway programs.
What is a Brute Force Attack?
A brute-force attack is a trial-and-error method used by fraudsters to obtain payment card information such as an account number, card expiration date, PIN or Card Verification Value 2 (CVV2).
How is it executed?
This typically begins with an attack against a valid merchant’s retail terminals or its website’s online payment system using malware installation, phishing schemes, or a combination of both to obtain the access privileges needed to carry out the attack.
Once access has been gained to the network, the merchant’s terminal or system can then be exploited as a venue for performing robotic test transactions until the hacker receives a valid authorization. These submitted authorization requests can accumulate into the thousands in a very short period of time.
Using the valid authorization information, the criminal can then combine the valid card verification value, expiry date and card numbers obtained via the brute force attack to perform fraudulent card-not-present transactions via e-commerce, POS keyed, or mail order/telephone order channels or to create counterfeit cards for use in the card-present POS/ATM environment.
How do you know if your institution is experiencing a brute force attack?
Risk Office is taking extra steps to monitor these brute force attacks. There are also steps that clients can take.
• Look for or take note of a significant increase in the number of denials from one or multiple merchants in a short window of time with the following response codes:
    • 014 – Denied for invalid cardholder account number information, CVV/CVC or CVV2/CVC2 mismatched. This is a PINless transaction.
    • 054 – Card is expired
    • 077 – Record cannot be located
    • 590 – General denial. When accompanied by message type 120, this indicates the network has stepped in and is denying the transactions.
• Research using Transaction Journal’s Response Code search field
• Download and check your results
• Identify any card numbers that received approvals and block them immediately
• If you see multiple transactions, often more than 100, back-to-back on a single card from the same merchant with a denied response code of 014, this indicates that fraudsters have the card information and are attempting to acquire the 3-digit CVV or CV2 code via a CVV brute force attack. A few declines across a few card numbers does not indicate such an attack.
• If you see many sequential card numbers, existing or expired (054) or non-existent (077), with single attempts from one particular merchant, that indicates a BIN attack, in which the fraudsters have your BIN (Bank Identification Number) and are auto-generating sequential card numbers robotically, attempting to find valid card numbers.
What to do if you confirm either form of brute force attack:
• Block all card numbers that received approvals.
• Keep in mind that these attacks are random; new card numbers or new BINs offer no protection from being compromised at some point in time.
• If you have an assigned risk analyst, provide them with the name of the merchant you are seeing and some card or case numbers. Keep in mind that they should be on multiple cards in sequential order, or there should be multiple back-to-back attempts on individual cards.
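As an added illustration, not Fiserv or LSC Card Services code, the following Python script applies the three indicators above (a denial spike at one merchant, back-to-back 014 denials on a single card, and single-shot probing of sequential card numbers within one BIN) to a journal export and then lists the cards that received approvals at a flagged merchant, which are the ones to block first. The export format is an assumption (one comma-separated row per authorization request: timestamp, merchant, card number, response code); the approval code 000, the merchant names, the card numbers and the thresholds are constructed sample values, and the thresholds in particular are parameters to tune with your risk analyst.

```python
"""Heuristic detection of the brute-force patterns described in the bulletin.

Added illustration, not Fiserv/LSC Card Services code. The journal format
is an assumption: one CSV row per authorization request with fields
timestamp,merchant,pan,response_code. Codes 014/054/077/590 are the ones
named in the bulletin; the approval code "000", the merchant names and
all card numbers below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CVV_MISMATCH, EXPIRED, NOT_FOUND, GENERAL = "014", "054", "077", "590"
DENIAL_CODES = {CVV_MISMATCH, EXPIRED, NOT_FOUND, GENERAL}
PROBE_CODES = {CVV_MISMATCH, EXPIRED, NOT_FOUND}   # outcomes of a single BIN probe
APPROVED = "000"                                   # assumed approval code


def parse_journal(lines):
    """Parse journal rows into (timestamp, merchant, pan, code), oldest first."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, merchant, pan, code = line.split(",")
        records.append((datetime.fromisoformat(ts), merchant, pan, code))
    return sorted(records, key=lambda r: r[0])


def denial_spike(records, window=timedelta(minutes=5), threshold=100):
    """Indicator 1: many denials from one merchant inside a short window."""
    times, hits = defaultdict(list), {}
    for ts, merchant, _, code in records:
        if code in DENIAL_CODES:
            times[merchant].append(ts)
    for merchant, stamps in times.items():
        start = 0
        for end, ts in enumerate(stamps):        # sliding window over sorted stamps
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[merchant] = max(hits.get(merchant, 0), end - start + 1)
    return hits


def find_cvv_brute_force(records, min_run=100):
    """Indicator 2: back-to-back 014 denials on one card at one merchant."""
    hits, run_pan, run_len = {}, {}, {}
    for _, merchant, pan, code in records:
        if code == CVV_MISMATCH and run_pan.get(merchant) == pan:
            run_len[merchant] += 1
        elif code == CVV_MISMATCH:
            run_pan[merchant], run_len[merchant] = pan, 1
        else:                                    # any other outcome breaks the run
            run_pan[merchant], run_len[merchant] = None, 0
        if run_len[merchant] >= min_run:
            hits[(merchant, pan)] = max(hits.get((merchant, pan), 0), run_len[merchant])
    return hits


def find_bin_attack(records, bin_len=6, min_sequential=20):
    """Indicator 3: sequential card numbers in one BIN, each tried once, at one merchant."""
    seen = defaultdict(lambda: defaultdict(list))    # merchant -> pan -> codes seen
    for _, merchant, pan, code in records:
        seen[merchant][pan].append(code)
    hits = {}
    for merchant, pans in seen.items():
        probed = defaultdict(list)                   # BIN prefix -> single-attempt PANs
        for pan, codes in pans.items():
            if len(codes) == 1 and codes[0] in PROBE_CODES:
                probed[pan[:bin_len]].append(int(pan))
        for bin_prefix, nums in probed.items():
            nums.sort()
            longest = run = 1
            for prev, cur in zip(nums, nums[1:]):  # longest run of consecutive numbers
                run = run + 1 if cur - prev == 1 else 1
                longest = max(longest, run)
            if longest >= min_sequential:
                hits[(merchant, bin_prefix)] = longest
    return hits


def approved_pans(records, merchants):
    """Cards approved at a flagged merchant: the bulletin says block these first."""
    return sorted({pan for _, m, pan, code in records if m in merchants and code == APPROVED})


def analyze(lines, min_run=100, min_sequential=20):
    records = parse_journal(lines)
    cvv = find_cvv_brute_force(records, min_run)
    bins = find_bin_attack(records, min_sequential=min_sequential)
    flagged = {m for m, _ in cvv} | {m for m, _ in bins}
    return {"spike": denial_spike(records), "cvv_brute_force": cvv,
            "bin_attack": bins, "block": approved_pans(records, flagged)}


def constructed_journal():
    """Synthetic journal (constructed, not real transactions) exercising all three indicators."""
    t0 = datetime(2024, 1, 15, 2, 0, 0)
    stamp = lambda s: (t0 + timedelta(seconds=s)).isoformat()
    rows = [f"{stamp(60 * i)},MERCH-A,4000000000000001,{APPROVED}" for i in range(5)]   # benign
    rows += [f"{stamp(i)},MERCH-B,4000000000000002,{CVV_MISMATCH}" for i in range(120)]  # CVV guessing
    rows.append(f"{stamp(120)},MERCH-B,4000000000000002,{APPROVED}")                     # a guess lands
    base = 4111110000000000
    rows += [f"{stamp(i)},MERCH-C,{base + i},{NOT_FOUND if i % 3 else EXPIRED}" for i in range(40)]
    rows.append(f"{stamp(40)},MERCH-C,{base + 40},{APPROVED}")                            # live card found
    return rows


if __name__ == "__main__":
    for key, value in analyze(constructed_journal()).items():
        print(key, value)
```

The run-length check in find_cvv_brute_force is reset by any non-014 outcome on that merchant's stream, so a few scattered 014 declines across several cards never trip it, matching the bulletin's caveat; the BIN check likewise ignores cards that saw more than one attempt, so it keys on the single-try sequential pattern rather than on volume alone.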
What does Risk Office recommend?
• Work with your assigned risk analyst to ensure that you have good basic rules in place to stop the actual fraud that can occur if a test transaction does get approved.
• Remember that the vast majority of these tests are being declined, and that fraudsters do not know what the decline reasons are. Even if a valid card number is hit upon, if the test transaction is denied, the fraudster will simply move on to the next number regardless, never knowing whether or not the card number was actually valid.