Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Interesting Credit Card transactions, are you seeing similar? - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Interesting Credit Card transactions, are you seeing similar?

In my day job we get involved in payment systems, credit card transactions etc. We are also asked to investigate and explain incidents as well as "unusual" activity.

When looking at credit card payments there are always payments for people like lkjsdflkjs and "famous person name", usually small value transactions $2, $5, $10 although recently we've started seeing $60 transactions.  These are easily identified and the motive is very clear, test the card.  If the transaction goes through the card number and CVC (if needed) or other details are correct.

Recently however I've been seeing more interesting transactions. The transactions start with a high value and step down until the transaction is accepted.  ie. we start with a charge of 10K, the next transaction 9K , 8K ......3K, $1000, $900, $800, ....$100.  The process is automated so if the limit on the card is high enough multiple transactions are sometimes accepted. Again these transactions are easily identified, however the motive eludes me. We looked at a number of possibilities:

  • identify the upper limit on the card. - The process however results in the card being maxed out. The issuing bank or card brand blocks the card. The number now no longer has any value. You know the upper limit, but can no longer use the card.
  • purchases for resale - This was the obvious one, but in the cases I worked on, none actually deliver physical product to the purchaser.   
  • Refunds? - Another scenario we looked at is that after the transactions are done the organisation is called by the fake cardholder and a refund is requested. Because their bank has blocked the card they'd like to be refunded to a different card or some other payment mechanism. Looking at refunds and refund requests through customer service avenues allowed us to discard this scenario in the cases we worked on.
  • Credit Card DOS - A third scenario was a DOS on cards,  max out the card and as many as possible and irritate either the bank or the card brand, or the proper cardholders. The volumes however would be annoying for the merchant and issuing bank, but were certainly not on epic scales. Unless of course we were only seeing one small part of a much larger distributed effort.

So what I'm asking those of you that deal with credit card payments is this.  Have you seen similar behaviour in your payment systems?  Multiple transactions on the same card, starting with a big value, stepping down in increments to lower values until the transaction is accepted and in some cases beyond. Those of you that deal with donation sites or online delivery (i.e. no physical product) are more likely to see these.

If you have other ideas on what the point of these transactions is by all means share, either as a comment or through the contact form.

Regards
Mark H  (markh.isc at gmail.com)

 

Mark

391 Posts
ISC Handler
Perhaps you should pass this question on to Brian Krebs.
Anonymous
Just a guess, but if a blocked card means the rightful user cannot log in to see his account, then it could be used to forestall his seeing a fraudulent transaction made shortly *BEFORE* the DOSsing transaction?
Moriah

133 Posts
Moriah has a valid point.

Maybe simply to see how fast different card-issuers react.

Wonder if it possible to block the card, yet still obtain authorisation for transactions (thru differing payment handling companies) made via in-store point of sale terminals or third party cash ATM's for an 'unspecified' period of time after the card-issuer blocked the card? It shouldn't happen, but..
Moriah
12 Posts
I assume the card is stolen and the attacker has a number of cards.

The attacker anticipates bank security will analyze and eventually shut down the card.

A descending maximum maximizes payout before detection. An ascending series gives minimum payout in the short term.

Is smash-and-grab in credit theft most common, or are there good case studies where a compromised cards are milked over a long period to larger effect?
Moriah
1 Posts
If a number of cards were stolen then this would be a good way to determine the value of the cards. Sacrifice one to determine the value of the rest.
Moriah
1 Posts
Could it be a blackbox attempt to determine fraud alert thresholds/algorithms for one or more card vendors?
Korwyn

1 Posts
I think it serves a few purposes. It verifies the credit limit available on the card, if the card has been reported lost or stolen, and may provide some insight into the usage pattern of the card.
The authorization will eventually age off of the card, be removed, and all of the credit will again be available. If a small authorization is run after and succeeds that will then show the card has still not been reported as compromised, may indicate it is not used much, and they now know about how much credit is available. Just a thought.
David

1 Posts

Sign Up for Free or Log In to start participating in the conversation!