As any online shopper knows, all credit cards have a 3-digit card verification value (CVV or CVV2) code printed on the back. Merchants are forbidden from storing this information — so how do online fraudsters manage to get hold of it? Here's what you need to know.
The short answer: if not via phishing, probably by installing a web-based keylogger at an online merchant so that all data that customers submit to the site is copied and sent to the attacker's server.
Kenneth Labelle, a regional director at insurer Burns-Wilcox.com, wrote:
"So, I am trying to figure out how card not present transactions are possible after a breach due to the CVV. If the card information was stolen via the point-of-sale system then the hacker should not have access to the CVV because its not on [the card data]. So how in the world are they committing card not present fraud when they don't have the CVV number? I don't understand how that is possible with the CVV code being used in online transactions."
First off, "dumps" — or credit and debit card accounts that are stolen from hacked point of sale systems via skimmers or malware on cash register systems — retail for about $US20 ($25.80) apiece on average in the cybercrime underground. Each dump can be used to fabricate a new physical clone of the original card, and thieves typically use these counterfeits to buy goods from big box retailers that they can easily resell, or to extract cash at ATMs.
However, when cyber crooks wish to defraud online stores, they don't use dumps. That's mainly because online merchants typically require the CVV, and criminal dumps sellers don't bundle CVVs with their dumps.
Instead, online fraudsters turn to "CVV shops," shadowy cybercrime stores that sell packages of cardholder data, including customer name, full card number, expiration, CVV2 and postcode. These CVV bundles are far cheaper than dumps — typically between $US2–$US5 apiece — in part because they are useful mainly just for online transactions, but probably also because overall they are more complicated to "cash out", or make money from them.
The vast majority of the time, this CVV data has been stolen by web-based keyloggers. This is a relatively uncomplicated program that behaves much like a banking trojan does on an infected PC, except it's designed to steal data from web server applications.
PC trojans like ZeuS, for example, siphon information using two major techniques: snarfing passwords stored in the browser, and conducting "form grabbing" — capturing any data entered into a form field in the browser before it can be encrypted in the web session and sent to whatever site the victim is visiting.
Web-based keyloggers also can do form grabbing, ripping out form data submitted by visitors — including names, addresses, phone numbers, credit card numbers and card verification code — as customers are submitting the data during the online checkout process.
These attacks drive home one immutable point about malware's role in subverting secure connections: whether resident on a web server or on an end-user computer, if either endpoint is compromised, it's 'game over' for the security of that web session.
With PC banking trojans, it's all about surveillance on the client side pre-encryption, whereas what the bad guys are doing with these website attacks involves sucking down customer data post- or pre-encryption (depending on whether the data was incoming or outgoing).