If you take credit card payments, please note we have been made aware of brute force attacks targeting merchants.
These attacks target a merchant’s retail terminals or its website’s online payment system, and typically begin with the criminal using malware installation, phishing schemes, or a combination of both to obtain the access privileges needed to carry out the attack. Once the criminal hacker has gained network access, they attempt to determine the card validation code 1 (CVC 1) value for each previously stolen card account in order to create counterfeit cards for committing subsequent ATM or point-of-sale (POS) fraud.
A.) Mode of Attack
- The criminal introduces malware into a merchant’s network by targeting systems that may be vulnerable to compromise due to weak data security controls;
- Once installed on the merchant’s system, the malware can capture merchant account logon credentials;
- Alternatively, the criminal may use phishing techniques to trick merchants into divulging their account credentials.
B.) Test Transactions
Once the criminal hacker has gained network access, the merchant’s terminal or system can be exploited as a venue for performing test transactions. The hacker’s own computer programs submit numerous authorisation requests for small value amounts using stolen card account information from victims of other phishing scams in combination with sequential three-digit CVC 1 values (for example 999, 998, and 997) until the hacker receives a valid authorisation (that is, the CVC 1 value matches the stolen account number). These submitted authorisation requests can accumulate into the thousands in just a short period of time.
C.) Perpetuating the Fraud
Using the valid authorisation information, the criminal can then combine the valid CVC 1 value (found in a payment card’s magnetic stripe) obtained via the brute force attack with the phished cardholder payment account information to create a counterfeit card for use in fraudulent POS or ATM transactions.
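The test-transaction pattern described in section B (many small-value authorisations against the same card, a run of declines, then a single approval) is visible in a merchant's own authorisation logs. The script below is an added example, not part of the original advisory and not any provider's tooling: it runs a sliding-window velocity check over a constructed log. The log format, field names, response codes ("00" approved, "05" declined) and thresholds are all assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorisation log (not from the advisory). Fields:
# timestamp, terminal id, masked PAN, amount, response code
# ("00" = approved, "05" = declined). Terminal T1001 shows the
# test-transaction pattern: same card, small amounts, a run of declines
# ending in one approval. T1002 is ordinary traffic, including one honest retry.
SAMPLE_LOG = """\
2024-03-01T10:00:00 T1001 411111******1111 1.00 05
2024-03-01T10:00:02 T1001 411111******1111 1.00 05
2024-03-01T10:00:04 T1001 411111******1111 1.00 05
2024-03-01T10:00:06 T1001 411111******1111 1.00 05
2024-03-01T10:00:08 T1001 411111******1111 1.00 05
2024-03-01T10:00:10 T1001 411111******1111 1.00 05
2024-03-01T10:00:12 T1001 411111******1111 1.00 00
2024-03-01T10:01:00 T1002 555555******4444 23.50 00
2024-03-01T10:03:15 T1002 400000******0002 2.50 05
2024-03-01T10:03:40 T1002 400000******0002 2.50 00
2024-03-01T10:07:22 T1002 371449******8431 12.99 00
"""


def parse_log(text):
    """Parse the constructed log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, terminal, pan, amount, rc = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "terminal": terminal,
            "pan": pan,
            "amount": float(amount),
            "rc": rc,
        })
    return records


def find_test_transaction_bursts(records, window=timedelta(minutes=5),
                                 max_attempts=3, small_amount=5.00):
    """Flag (terminal, masked PAN) pairs that submit more than max_attempts
    small-value authorisations inside any sliding time window.
    Thresholds are illustrative assumptions; tune them to real volumes."""
    by_key = defaultdict(list)
    for r in records:
        if r["amount"] <= small_amount:
            by_key[(r["terminal"], r["pan"])].append(r)

    alerts = {}
    for key, recs in by_key.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until every record fits in `window`.
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            burst = recs[start:end + 1]
            seen = alerts.get(key, {}).get("attempts", 0)
            if len(burst) > max_attempts and len(burst) > seen:
                declines = sum(1 for r in burst if r["rc"] != "00")
                alerts[key] = {
                    "attempts": len(burst),
                    "declines": declines,
                    # One approval after a run of declines is the tell-tale sign.
                    "approved_after_declines": (burst[-1]["rc"] == "00"
                                                and declines >= max_attempts),
                }
    return alerts


if __name__ == "__main__":
    for (terminal, pan), info in find_test_transaction_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT terminal={terminal} pan={pan} {info}")
```

The honest retry on T1002 (two attempts) stays below the threshold, while T1001 is flagged with seven attempts, six declines and an approval at the end. In practice this check belongs on the acquirer-facing side, fed by the merchant's authorisation records, and an alert should trigger the same reporting to the provider's Customer Services team that the best practices below call for.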
D.) Merchant Best Practices
1.) Defending Against Phishing Attempts
- Use caution when providing sensitive information, such as user IDs and passwords;
- Do not provide sensitive information to anyone, unless certain of the credentials of the potential recipient of the information;
- Do not give out the merchant number, terminal ID, or acquirer’s bank identification number (BIN). If the merchant receives a call requesting this information, it is likely to be a phishing attempt by a criminal to gain terminal access. The merchant should call their provider’s Customer Services team and report the call;
- Avoid clicking on hyperlinks within email communications. Type the URL into the web browser instead;
- Do not download suspicious attachments;
- Do not use business computers and workstations for non-business activities, such as web browsing or checking personal email messages;
- When reviewing or responding to email messages, verify that the sender’s information is correct. Be vigilant for slight misspellings, which may indicate a phishing attempt;
- If the merchant receives a phone call, email message, or repair technician visit that is suspicious, the merchant should not respond or provide any information;
- Beware of any unscheduled repair technician arriving at a merchant location requesting access to computers and servers used for card transactions. If a repair technician arrives unannounced, contact your provider’s Customer Services team immediately;
- Educate staff regarding anti-phishing strategies, such as only opening email messages from a known or trusted source;
- Limit employee access to the merchant number and terminal ID to help prevent unintentional leaking of this information to a criminal.
2.) Strengthening Network Security Against Malware
To protect merchant systems and networks against malware intrusion, merchants should adhere to the following:
- Ensure the merchant’s business operations are in compliance with the Payment Card Industry Data Security Standard (PCI DSS);
- Regularly update anti-virus applications;
- Perform a credential and password review;
- Identify any systems with weak or blank administrator passwords and remediate;
- Require regular password changes for users’ system access and privileges;
- Strengthen the merchant’s password policy;
- Remove generic or vendor default accounts;
- Require two-factor authentication for all remote access applications;
- Review the firewall rules across the merchant’s network;
- Review web-facing applications for structured query language (SQL) injection vulnerabilities or other web application vulnerabilities;
- Implement an intrusion detection system (IDS).
There are constant attacks on payment systems, passwords and websites. As business advisors, our advice is to be vigilant about cyber security, put controls in place, and ensure all staff report anything suspicious immediately.