Monthly Archives: April 2016

How do hackers get the three security numbers from the back of your credit card? CVV shops

Stolen card info, particularly from non-chip cards, is great for making phoney cards for use in stores. But how do crooks spend stolen money online?

A longtime reader recently asked: How do online fraudsters get the 3-digit card verification value (CVV or CVV2) code printed on the back of customer cards if merchants are forbidden from storing this information? The short answer: if not via phishing, probably by installing a web-based keylogger at an online merchant so that all data that customers submit to the site is copied and sent to the attacker’s server.

Kenneth Labelle, a regional director at insurer, wrote:

“So, I am trying to figure out how card not present transactions are possible after a breach due to the CVV. If the card information was stolen via the point-of-sale system then the hacker should not have access to the CVV because it’s not on [the card data]. So how in the world are they committing card not present fraud when they don’t have the CVV number? I don’t understand how that is possible with the CVV code being used in online transactions.”

First off, “dumps” — or credit and debit card accounts that are stolen from hacked point of sale systems via skimmers or malware on cash register systems — retail for about $US20 ($25.80) apiece on average in the cybercrime underground. Each dump can be used to fabricate a new physical clone of the original card, and thieves typically use these counterfeits to buy goods from big box retailers that they can easily resell, or to extract cash at ATMs.

However, when cyber crooks wish to defraud online stores, they don’t use dumps. That’s mainly because online merchants typically require the CVV, and criminal dumps sellers don’t bundle CVVs with their dumps.

Instead, online fraudsters turn to “CVV shops,” shadowy cybercrime stores that sell packages of cardholder data, including customer name, full card number, expiration, CVV2 and postcode. These CVV bundles are far cheaper than dumps — typically between $US2–$US5 apiece — in part because they are useful mainly just for online transactions, but probably also because overall they are more complicated to “cash out”, or make money from.

The vast majority of the time, this CVV data has been stolen by web-based keyloggers. A web-based keylogger is a relatively uncomplicated program that behaves much like a banking trojan does on an infected PC, except that it’s designed to steal data from web server applications.

PC trojans like ZeuS, for example, siphon information using two major techniques: snarfing passwords stored in the browser, and conducting “form grabbing” — capturing any data entered into a form field in the browser before it can be encrypted in the web session and sent to whatever site the victim is visiting.

Web-based keyloggers can also do form grabbing, ripping out form data submitted by visitors — including names, addresses, phone numbers, credit card numbers and card verification codes — as customers are submitting the data during the online checkout process.

These attacks drive home one immutable point about malware’s role in subverting secure connections: whether resident on a web server or on an end-user computer, if either endpoint is compromised, it’s ‘game over’ for the security of that web session. With PC banking trojans, it’s all about surveillance on the client side pre-encryption, whereas what the bad guys are doing with these website attacks involves sucking down customer data post- or pre-encryption (depending on whether the data was incoming or outgoing).



Henry Sapiecha

A day in the life of a cyber security expert

In part two of our three-part Stay Smart Online blog series, we meet Alexis Coupe, a cybersecurity analyst at nbn. Alexis talks to us about the importance of cyber security and shares his top security tip.

This week is Stay Smart Online Week, a government initiative to raise awareness amongst Australians about how they can help protect themselves and their businesses online.

To mark this, we are publishing a three-part blog series about cyber security.

In this post, we meet Alexis Coupe, a cybersecurity analyst at nbn, who talks to us about the importance of cyber security and shares his top security tip.

So Alexis, you’re an nbn Cyber Analyst, what does that actually mean?

A Cyber Security Analyst, to some extent, is like the cyber police.

They help prevent cyber-attacks, primarily through their expertise in identifying a security event as an intrusion attempt or just common network traffic.

It’s the role of a cyber-analyst to understand the links between security and business threats (such as networks, databases, firewalls, web applications, etc) and offer proactive and dynamic solutions to identify threats and incidents.
Through constant monitoring and analysis of the network, we seek to detect the theft of sensitive information, spreading of malware, phishing campaigns, and the occasional network intrusion.

That being said, it’s not like CSI (Crime Scene Investigation): it’s 80 per cent cyber analysis and 20 per cent excitement!

What does a typical day look like for you?

Each day is different and that’s the amazing part of my work.

In theory, we typically cut a day into different sections:

I spend about 10 per cent of my time following the international security news and social networks in order to identify new threats such as current phishing campaigns, or zero days which might be exploited on the internet.

It is critical that our security systems are updated to help protect against hackers, and we have access to the latest security toolkits. This is to make sure we know what the bad guys are doing and occasionally, use the tools in our lab to see how they work.

Fifty per cent of my time is spent dealing with current detections and incidents.

We interpret a security event and identify it as either a real attack or normal traffic. Approximately 40 per cent of my time is spent on the detection of new threats and R&D, which I enjoy the most about my job!

We do a lot of internal development and it gives me the opportunity to help build the security operations centre.

If you could give everyone reading this article one cyber security tip, what would it be?

Get a good practice for password management! Passwords with at least eight characters containing a mix of lower-case, upper-case characters, numbers, and punctuation marks are ideal.

Most people register on numerous websites with the same credentials and – believe it or not – even share their passwords with others – a security no-no.

Usually, the same password or a derivative of it is used for online banking access, email address, or other sensitive data.

With multiple websites requiring sign-ons, similar or same passwords, it can make it pretty easy for a malicious person to steal data, sensitive information and even money.

Using different passwords for different websites ensures that even if a website is hacked and your credentials are disclosed on the Internet, there will be no impact to your other accounts.

What’s the coolest part of your job?

The coolest part of my job is certainly the detection of new threats! To be able to do that effectively, we often need to think as an attacker and get creative.

When hackers decide to steal confidential documents, they try to make sure that they are not detected by the security team so they can come back in the future.

We try and get ahead in the game by simulating those activities and then trying to detect it ourselves.

We have the chance to play two different roles in one job (attack and defense), which allows the cyber security analysts to enhance their skills.

New security toolkits and techniques are released into the market every day. It’s a great job where the term “boring” doesn’t exist!

What’s your cyber security tip for businesses?

A good practice is to understand the threat relative to the business, have the ability to detect a theft or a breach when it happens, and establish an immediate response plan when an incident occurs to minimise the potential loss.

Once an organisation understands this challenge about security, it will be able to invest time and money on an adequate detection and response.

What’s your favourite piece of technology and why?

It’s difficult to answer this question as I’m very addicted to technology! I could say laptop, Raspberry pi, mobile phone, DSLR, Chromecast, but I’ll simply say: The internet!

I couldn’t live without the Internet, just like many others. With this technology, we’re able to do anything from connecting with people, researching references in the biggest library in the world, booking a restaurant or a holiday.

It also gave me my job and my hobbies!


Henry Sapiecha