Virtual Credit Cards Offer Digital Convenience; Here's How They can Also be Manipulated for Fraud
Banks are expanding their services and adopting technology to stay relevant in an increasingly digital world, but while these innovations promise convenience for customers, they also expose the industry to evolving fraudulent schemes. In this article, we look at one such case.
IBM Security Trusteer recently noticed a new trend within a Spanish retail bank where virtual credit cards were being created for fraudulent purposes, exploiting a relatively unprotected feature provided by the bank. Fraudsters used the method to deceive victims and drain their entire account balances.
How does it really take place?
The fraudsters kick off the attack by sending an SMS to the targeted victim, cleverly placing it in the same message thread as prior communications from the bank. They employ a tactic known as SMS spoofing, which plays a pivotal role in facilitating this fraud. Appearing as the bank, the fraudsters inform the victim about a supposed security issue via SMS and mention that a bank representative will call them shortly, providing a numeric identification code within the message. Subsequently, a fraudster contacts the victim, utilizing the provided code from the earlier SMS to "verify" their identity and discuss the alleged security problem. They claim that the victim's bank account has been compromised, and, to safeguard their funds, they need to transfer the money to a newly established bank account.
It's important to note that at this point, the fraudsters have established credibility through the SMS and by furnishing the identification code. The stressed victim unwittingly discloses login credentials, granting the fraudsters access to the banking account.
What medium do fraudsters use to siphon off money?
At this stage, the fraudsters have two options. They can attempt to deplete the victim's account using conventional wire transfers, but these are subject to daily limits, monitored for suspicious activity by the bank, and necessitate a fraudulent destination account, often referred to as a mule account. The alternative is to create virtual credit cards, which offer several advantages.
Virtual cards have a limit of several thousand euros, and the fraudster can generate as many as the victim's account balance allows. For instance, if the victim has 10,000 euros, the fraudster could generate multiple virtual cards, each with a limit of several thousand euros. This action requires authentication, but victims provide the two-factor authentication (2FA) code under pressure.
Once the credit card is established, the fraudsters employ it to purchase cryptocurrency, effectively exiting the traditional banking system. This MO emerged in early 2023 and gradually gained popularity, accounting for 41-48% of fraudulent "transaction" attempts.
Trusteer's approach to prevent scams
At present, the creation of virtual credit cards is exclusively accessible through the web browser rather than the banking app. To combat this type of fraud, cybersecurity providers examine user flow data (URLs) and transactional data.
User flow data, in general, serves as a valuable resource for identifying potentially risky and unauthorized activities within an account. This encompasses various actions, such as resetting passwords (often occurring prior to the actual login), modifying contact information like phone numbers, adjusting transaction limits, and enrolling new devices to receive soft tokens (2FAs).
Conducting user flow analysis necessitates complete visibility into all banking application flows and a risk assessment at the appropriate point during the session, whether it's pre-login or post-login.
In the specific case described, Trusteer promptly notifies the bank of any suspicious virtual credit card creations, enabling them to take necessary actions.
Enhanced banking security
By leveraging risk assessment tools, banks can gain the essential resources to stay ahead and promptly detect and prevent emerging fraud trends. This approach not only safeguards the banks but also preserves the trust of their valued clients.