Scammers no longer need your CVV code to steal money from your bank card
May 27, 2021
An expert from Kaspersky Lab talked about how criminals use publicly available data for their purposes.
Most thefts of money from bank cards require the CVV, the code printed on the back of the card. Kaspersky Lab expert Sergey Golovanov spoke about theft techniques that do not require this data.
The cardholder’s name, card number and telephone number may well be obtainable from open sources. But how do scammers get the CVV and the card expiration date? In some cases, the CVV code can simply be guessed.
For example, scammers enter the card details they already have in an online store and try to make a purchase, going through CVV values from 001 to 999. If the payment goes through, the CVV is correct.
According to the expert, scammers can brute-force the code automatically using special programs and scripts. An SMS about the purchase may not arrive at all: some online stores do not require a one-time password from SMS to make a purchase, and the money is transferred immediately.
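The guessing pattern described above leaves a recognizable trail on the payment side: a burst of CVV declines on one card, sometimes followed by an approval. The following detection sketch is an added example, not something from the expert or the article; the event fields, result codes, window and threshold are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumption: look-back window per card
THRESHOLD = 5                   # assumption: CVV declines tolerated in the window

def detect_cvv_guessing(events, window=WINDOW, threshold=THRESHOLD):
    """Return {card_token: alert} for cards showing a CVV-guessing pattern.

    events: iterable of (iso_timestamp, card_token, merchant, result), where
    result is "approved" or "cvv_mismatch" (hypothetical codes). The CVV itself
    is never needed: only the decline reason is counted. A card gets "guessing"
    once declines in the window reach the threshold, upgraded to
    "guessed_then_approved" if a payment then succeeds in the same window.
    """
    recent = defaultdict(deque)  # card_token -> timestamps of recent CVV declines
    alerts = {}
    for ts, card, _merchant, result in sorted(events):
        when = datetime.fromisoformat(ts)
        declines = recent[card]
        while declines and when - declines[0] > window:
            declines.popleft()   # forget declines older than the window
        if result == "cvv_mismatch":
            declines.append(when)
            if len(declines) >= threshold:
                alerts.setdefault(card, "guessing")
        elif result == "approved" and len(declines) >= threshold:
            alerts[card] = "guessed_then_approved"  # block card, review payment
    return alerts

# Constructed sample log (not real data).
SAMPLE_EVENTS = (
    # tok_A: six rapid declines, then a payment goes through
    [("2021-05-27T10:00:%02d" % s, "tok_A", "shop-1", "cvv_mismatch") for s in range(6)]
    + [("2021-05-27T10:00:07", "tok_A", "shop-1", "approved")]
    # tok_B: one mistyped CVV by the real cardholder, then success
    + [("2021-05-27T11:00:00", "tok_B", "shop-2", "cvv_mismatch"),
       ("2021-05-27T11:00:30", "tok_B", "shop-2", "approved")]
    # tok_C: six declines, but one per hour, so never five in a window
    + [("2021-05-27T%02d:00:00" % h, "tok_C", "shop-3", "cvv_mismatch") for h in range(12, 18)]
    # tok_D: five rapid declines, no approval yet
    + [("2021-05-27T18:00:%02d" % s, "tok_D", "shop-4", "cvv_mismatch") for s in range(5)]
)

if __name__ == "__main__":
    for card, alert in detect_cvv_guessing(SAMPLE_EVENTS).items():
        print(card, alert)
```

Counting per card rather than per store matters here, because the declines can be spread across several stores while still targeting one card.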
In addition, criminals may try to duplicate the SIM card.
Unfortunately, not all employees of cell operators are scrupulous enough. Some of them may simply be lazy, so they do not bother to thoroughly check the identity of everyone who requests a duplicate SIM card, for example to replace one that was allegedly lost. As a result, two SIM cards appear on the network, and the original one may work for some time before it is blocked.
In addition, fraudsters can hack into a victim’s personal account on the website of a cellular operator. This may allow them to read all SMS addressed to the victim – just from the browser.
This scheme is quite popular, despite the fact that some cellular operators already block sending and receiving messages for a day after a SIM card is changed, specifically to combat this type of fraud.
Fortunately, it is not yet technically possible to copy SIM cards using computer tools in the way that telephone numbers can be copied using IP telephony.
However, it is possible to hack a cellular operator. For example, there are so-called SS7 protocol attacks, in which traffic is redirected through another country, as if the subscriber were roaming. A new cellular operator appears in the network, and the home cellular operator transfers calls and messages to it.
The expert recommends that company executives pay more attention to training their employees, and that everyone else remember to protect their mobile devices and be more careful.
If you receive an SMS message about a transaction on your card that you did not make, it may mean that the card data has leaked to scammers.
As soon as possible after the bank has notified you of the withdrawal, you should do the following: immediately block the card, inform your bank about the theft of money, and write a statement disputing the transaction.