Completely unused bank card details stolen and used for online shopping - FNB explains how it happens

Groggyme

Well-Known Member
Joined
Apr 10, 2015
Messages
284
Unlikely...

1. You need to bypass 3D secure. There are legitimate ways to do this but none that I know of that don't require rigorous amounts of documentation, KYC info, etc. Simply put, you're not going to do this anonymously.

2. A card number is 16 digits long, expiry is 4, CVV is 3. With a bit of industry knowledge, you can reduce the number of combinations but there are still a LOT!

3. You cannot simply brute force card transactions and do hundreds of transactions per second (TPS) without either the bank or the aggregator you're using noticing as each transaction requires significant CPU and memory to process.
Yeah this is a problem at the printing place. Someone is getting their mitts on the cards before they get put into the envelopes.
 

quovadis

Executive Member
Joined
Sep 10, 2004
Messages
6,380
Yeah this is a problem at the printing place. Someone is getting their mitts on the cards before they get put into the envelopes.
If that was the case they would have the CVV too? Or are they too dumb to flip the card over...
 

quovadis

Executive Member
Joined
Sep 10, 2004
Messages
6,380
Are the envelopes carrying your unactivated card RFID-shielded? Whats to stop you pulling out a run-of-the-mill scanner and scanning it for the card number? I know there is encryption at play but I think thats only for transacting, it will give out its card number at least without authentication?
Extremely plausible.
 

j4ck455

Executive Member
Joined
Jan 2, 2006
Messages
6,827
“From time to time, these fraudsters target unsuspecting victims. Fortunately, with the increased levels of security controls, we proactively block these merchants from future attempts,” Ramdhani said.
But FNB did not do that: if FNB had been proactive, the customer would not have received numerous messages about an incorrect CVV, and would not have had to call the FNB Fraud Department (at least twice).

On Friday 13 August 2021, he received five notifications from FNB within 30 minutes that a transaction was declined due to CVV failure.
Two days later he received the same message in nine notifications within a 20-minute period.
The next morning he received about 20 more notifications of declined transactions due to the temporary block.
He called the FNB fraud department again and an agent blocked the card.
How is any of that an example of FNB being proactive in blocking (fraudulent) merchants?

And even worse, FNB told the customer that FNB hasn't got a fooking clue as to what merchant is charging transactions to the card in question:
He was informed that it was not clear who was charging the card.

Here you go FNB: https://lmgtfy.app/?q=proactive+definition&iie=1
 

Swa

Honorary Master
Joined
May 4, 2012
Messages
30,124
Sounds like BS. Sure the chances of guessing an existing number is probably one out of a few million so with a couple of tries you can get there. But from an individual perspective it's one in 10 million billion. So the chances of continuously landing on new card numbers is virtually impossible. Something tells me this is an inside job.
 

quovadis

Executive Member
Joined
Sep 10, 2004
Messages
6,380
There are changes coming to banking systems. I won't go too much into detail.Suffice to say the accounts will be monitored with an AI pattern builder. When something takes place one your account or card which falls out of your patterns and habits, it will require a OTP. Even the ATM's will require a second pin if you suddenly go outside of your usual pattern and draw a large amount or your card is used at say 3am which you have never done before. One bank is testing this AI at the moment.

There are other security changes coming but won't go into that yet.
You're in for a surprise in many countries where card processing online and in stores don't need anything other than the card number and expiry even with ZA issued cards.
 

saor

Honorary Master
Joined
Feb 3, 2012
Messages
28,777
You don’t seem to understand how the fraud works.
It doesn’t matter who owns the card. Or whether it’s been printed yet.
Fraudsters simply run procedurally generated card numbers against escalating MMYY and random CVV.
Every bank is at equal risk.

I reckon the fraud is more noticeable on personalised cards that are sitting in their envelope. For instant issue type cards, people are probably not even seeing the transaction.
You don't seem to understand either tbh. I haven't heard of this approach for years now, mostly because running this attempt live would amount to essentially a DDOS-like attack on whichever login you're trying to force. And as @Napalm2880 suggested, servers would notice this behavior. Also absurd odds of getting a hit.
 

Totempole

Expert Member
Joined
Sep 21, 2011
Messages
4,470
Unlikely...

1. You need to bypass 3D secure. There are legitimate ways to do this but none that I know of that don't require rigorous amounts of documentation, KYC info, etc. Simply put, you're not going to do this anonymously.

2. A card number is 16 digits long, expiry is 4, CVV is 3. With a bit of industry knowledge, you can reduce the number of combinations but there are still a LOT!

3. You cannot simply brute force card transactions and do hundreds of transactions per second (TPS) without either the bank or the aggregator you're using noticing as each transaction requires significant CPU and memory to process.
I'm not sure if this is still the case, but in the past 3D secure only works for local online merchants. International purchases don't trigger the 3D secure challenge.

As for the rest, I think the FNB staffer is talking out of his ass. There's no way this isn't an inside job. What they're suggesting is the equivalent of trying random keys in order to break into someone's house.
 

Swa

Honorary Master
Joined
May 4, 2012
Messages
30,124
I'm not sure if this is still the case, but in the past 3D secure only works for local online merchants. International purchases don't trigger the 3D secure challenge.
It's merchant implemented. All of the SA merchants are mandated to require it. I haven't seen any international ones use it however but they can. Paypal even skips the CVV. It's probably for the same reasons Americans still use cheques.
 

Totempole

Expert Member
Joined
Sep 21, 2011
Messages
4,470
It's merchant implemented. All of the SA merchants are mandated to require it. I haven't seen any international ones use it however but they can. Paypal even skips the CVV. It's probably for the same reasons Americans still use cheques.

But also the reason they can file a chargeback through their banks at the blink of an eye.
 

RandomGeek

Expert Member
Joined
May 14, 2015
Messages
2,196
Why is 3D Secure used (or not)? It adds an extra layer of costs per transaction for the merchant. But if it does its job, it drastically reduces the chance of fraud happening.

So apart from the costs, it may increase the friction (i.e. effort on customer's side) to finalise the transaction.

Still, given the scale of fraud on the Internet, I'm still surprised that many places don't implement it
 

Swa

Honorary Master
Joined
May 4, 2012
Messages
30,124
Why is 3D Secure used (or not)? It adds an extra layer of costs per transaction for the merchant. But if it does its job, it drastically reduces the chance of fraud happening.

So apart from the costs, it may increase the friction (i.e. effort on customer's side) to finalise the transaction.

Still, given the scale of fraud on the Internet, I'm still surprised that many places don't implement it
The benefits outweigh the negatives. If it's implemented it becomes virtually impossible to do a chargeback except in the case where it's the merchant doing the defrauding. It's mind boggling why all merchants don't implement it.
 

supersunbird

Honorary Master
Joined
Oct 1, 2005
Messages
57,257
You don't seem to understand either tbh. I haven't heard of this approach for years now, mostly because running this attempt live would amount to essentially a DDOS-like attack on whichever login you're trying to force. And as @Napalm2880 suggested, servers would notice this behavior. Also absurd odds of getting a hit.
It has happened:

 

quovadis

Executive Member
Joined
Sep 10, 2004
Messages
6,380
It's merchant implemented. All of the SA merchants are mandated to require it. I haven't seen any international ones use it however but they can. Paypal even skips the CVV. It's probably for the same reasons Americans still use cheques.
It’s processor/gateway implemented and mandated.
 

"D"

Expert Member
Joined
Oct 20, 2006
Messages
3,222
people would need to see the CVC and you cant get that from rubbing (CVC is not raised)
When last I looked,
and found cards with raised numbering,
@Groggyme and me were still in our primes,
and not as often slumbering.
Prostrated and castrated we dreamily dwell on our past crimes,
and, presently, adult diaper shopping got us hooked.
 

das Toktokken

Honorary Master
Joined
Jul 18, 2008
Messages
54,119
FNB customer's card details stolen without the card ever being used — How it happened

FNB customers should be aware of the increase of "enumeration" or "account testing" used by criminals to identify their bank card details and steal their money.

This issue was recently brought to MyBroadband’s attention after fraudsters attempted to use an FNB customer’s new and unused debit card to transact online.
So where are the DOS timeouts that make this method unfeasible? Come on!
 

saor

Honorary Master
Joined
Feb 3, 2012
Messages
28,777

Craig_

Honorary Master
Joined
Feb 22, 2016
Messages
24,303
There are changes coming to banking systems. I won't go too much into detail.Suffice to say the accounts will be monitored with an AI pattern builder. When something takes place one your account or card which falls out of your patterns and habits, it will require a OTP. Even the ATM's will require a second pin if you suddenly go outside of your usual pattern and draw a large amount or your card is used at say 3am which you have never done before. One bank is testing this AI at the moment.

There are other security changes coming but won't go into that yet.

In 2019 after my mother passed away we went to Oudtshoorn for the funeral, when my wife got to the second shop to buy clothes on my FNB card the bank called me to verify that the transaction is genuine. I also once put fuel in at the caltex in George, merchant swiped my card multiple times, all transactions went through, few minutes later I got an sms that my card is blocked and they reversed all the transactions besides the first one.

So I'd think they have been doing this for a while.
 
Top