Contactless Dining Brings New Fraud Landscape

Introduction

The COVID-19 pandemic has massively impacted the way we interact with people. Most of all, it has changed how the service industries work. Pubs, cafes, and restaurants have all had to adapt to new rules, implementing new channels of interaction with customers.

Can you remember the last time you visited a pub? Perhaps not! Before all local restrictions purchasing a meal or a drink went something like this: ask the bartender for a drink, the bartender rings up your order at a till or terminal, you pay in cash or card and leave with your drink in hand.

Since the introduction of new local restrictions, this kind of interaction is becoming less frequent. Now, when you go to the pub, al fresco dining is preferred, and ordering takes place differently, and more pubs and restaurants have introduced contactless ordering. Simply scan the QR code on arrival, make a note of your table number and order online or in a mobile app. All this means you never have to leave your table and get your first drink within 5 minutes.

This new way of ordering and paying caught our attention. In particular, there is no 3D Secure verification in many of these implementations. In the UK and Europe, it is now mandatory to use only secure forms of payments. This has, as a result, provided a number of new possibilities for fraud, which we will explore further.


Secure payments

In 2019, a new set of payment rules became effective, called the Payment Service Directive (PSD2), which sets out a number of important steps that need to be taken by issuers, acquirers and payment service providers. This directive affects all transactions made in Europe and the UK.

One of the significant changes PSD2 brought about is that all payments should be made only in a secure way. For physical cards, this means that magstripe cannot be used; only chip or contactless transactions can be made.

For online payments, this means that all merchants should verify transactions with a 3D-Secure one-time code. As a result, some European and British banks are planning to restrict payments from being made on websites that do not support 3D-Secure in the near future.

Now all businesses operating in Europe and the UK must comply with PSD2 requirements, making the world of payments a much safer place. For pubs and restaurants that are adopting new payment processes, this is somewhat a new world. Perhaps that is why it appears that merchants don't even know that they need to comply with PSD2 requirements, and why 3DS is not implemented everywhere.

Unfortunately, this particular set of circumstances allows for fraudsters to exploit immature merchants. Next, we explore how attackers can guess Card Security Codes (CSC) through these restaurants and pubs and how they can extract money from stolen card details.


1. Guessing CSC codes

CSC is the three-digit code written at the back of your card. Banks use it for card authentication. In addition to this, if an online store does not support 3D-Secure, it is the only security mechanism that protects your card against illicit online payments made by someone else.

The CSC guessing attack is also known as a "BIN master attack". This attack is possible if your bank does not protect your card against CSC enumeration and the online payment service provider does not protect the payment flow against velocity. If these conditions are present, then it is possible to guess a CSC within 999 attempts. This attack can have devastating effects, as shown by Tesco bank in 2016. Thousands of customers were affected, and the bank lost £2.5M and was later fined another £16M by the UK financial authority.

If you'd like to read about this further, researchers at Newcastle University have described how this distributed guessing attack is not only possible but feasible.


2. Monetising on stolen cards

For cards with guessed CSC, attackers can use this information to make fraudulent purchases. Even better, because some merchants have not implemented 3D-Secure, an attacker can use these merchants to extract value from stolen cards. Until the moment that a chargeback request occurs, affected merchants will not be aware of this attack.


How much can this loophole be exploited? Quite a lot as it happens. Scams that make use of this loophole are documented in the press. Fraudsters open a dedicated "discount website" or Instagram page and start offering pizza at a reduced price. They use the stolen card details to pay for pizza on the affected website that does not support 3D-Secure. And after that, fraudsters enter the Instagram customer's address and get a return of approximately 50%. This is how fraudsters clean money and monetise on stolen cards.


Conclusion

The card not present payment market has been flooded by new customers who have had to adapt to post-pandemic reality and try to manage their customers with the payment instruments they were given. Merchants are keen to streamline the customer experience and make the most of an already reduced customer number. Many do not understand that new technologies come with new attack surface. The fact that the service industry is struggling to implement 3DS is the tip of the iceberg of a much larger problem; regulation does not guarantee implementation.


This game of cat and mouse runs 50 years. The payment industry tries to manage the security of payments, but some areas are taking much longer than others to implement.

Yes, Europe and the UK are far ahead of the USA and their archaic forms of payments. But the bright new future that PSD2 promised is not quite here yet. Until then there will be plenty of room for malicious actors.

We wish you a secure month!