Human-based Computation Games, also known as Games with a Purpose (GWAPs), have been used by the software industry to accomplish tasks that, although trivial for human beings, still pose a big challenge for even the most advanced computing mechanisms. GWAPs take advantage of the human willingness to collaborate, or simply the desire to have fun, in order to collectively solve large-scale computational problems through online games.
GWAPs have proven their value by helping to develop areas as diverse as security, computer vision, adult content filtering and Internet search. One of the closest examples to the security industry is reCAPTCHA, which is used to stop bots while helping to digitize books, by turning words that cannot be read by computers into CAPTCHAs easily solved by people.
Recently, our fraud-intelligence team detected the emergence of web pages which included pieces of code intended to generate credit card numbers from diverse banking institutions. A closer look at such code led us to realize we were facing some kind of “Games with fraud purpose”.
These pages invite people to join the quest of guessing active credit card numbers collectively. Whether you want to make easy money with stolen cards, fight the system by supporting a gang of anarchists, or simply have some fun by trying to guess numbers, you are welcome to join the game.
The odds of randomly generating a valid credit card number together with a valid expiration date and CVV are rather low. And even if you feel adventurous enough to start guessing numbers, you still have the problem of determining whether a generated card is active or not. Historically, this could only be done by going to an online merchant and trying a card-not-present transaction, but that is no longer the case.
With the advent of mobile and online payments, the ability to set up a payment channel for your application has been oversimplified. Companies such as Stripe, Braintree and Paymill offer developer-friendly payment gateways that will have you testing your new payment channel within minutes at no cost. All you need is an email address, a bank account and no more than five minutes of coding. It is the natural evolution for a world where people will be able to buy and sell online whatever they want.
Now the fraudsters are all set. All they need is a bunch of accounts registered with a payment gateway in order to start testing their guesses. This is when criminals appeal to human nature and use a GWAP to accomplish their purposes. The only requirement for players to join is to open an account with a payment gateway. A YouTube video walks you through the steps to set up an account using a disposable email address and some fake data, and you are ready to use the payment gateway as an oracle for the guesses.
To play the game, the person has to enter a BIN (Bank Identification Number), which is used as a pattern to generate random credit card data. Then, each combination of card number, CVV and expiration date is tested with a one-dollar transaction, and the gateway will either accept or decline the transaction. If the transaction goes through, you have got yourself a winner.
Who wins the game? The player partially wins, because this is cheap entertainment and they will eventually leave with a stolen card. But technically, the criminal is the real winner. Consider that the more people who enter the game, the more chances the fraudster has to find a valid combination.
Who loses the game? The account holders whose cards are guessed are definitely out of luck, though their banks may be forced to answer for these fraudulent incidents. The payment gateway providers also lose. Considering that their goal is to facilitate payments, they are also facilitating the way valid credit card information can be uncovered. Technically speaking, they are giving unrestricted access to an oracle in a scenario where a brute-force attack could eventually become highly feasible. The worst scenario is one where a player manages to take photos of credit cards and the only missing information is the CVV, which for a three-digit code means only 1,000 possible values. If we assume a test rate of one card per second, an attacker can be sure of getting a valid card in about fifteen minutes.
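The oracle abuse described above leaves a recognisable footprint on the gateway side: one merchant account submitting a burst of one-dollar authorizations against many distinct card numbers that share a BIN, almost all of them declined. The following is an added example of that detection logic, not code from the original post or from any gateway; the log format, the masked-PAN convention (first six and last four digits) and the thresholds are assumptions, and the authorization records are constructed.

```python
from collections import defaultdict

# Constructed sample of gateway authorization records (not real data).
# Each record: (merchant_id, masked_pan, amount_usd, result).
# PANs are masked as a gateway log would keep them: first 6 (the BIN) + last 4.
SAMPLE_AUTHS = [
    # A "player" testing guesses: 12 cards from one BIN, $1 each, one approval.
    ("m_testing", f"411111xxxxxx{1000 + i:04d}", 1.00,
     "approved" if i == 7 else "declined")
    for i in range(12)
] + [
    # A benign merchant: few transactions, varied BINs and amounts, mostly approved.
    ("m_bakery", "411111xxxxxx4410", 23.50, "approved"),
    ("m_bakery", "520000xxxxxx8823", 8.25, "approved"),
    ("m_bakery", "370000xxxxxx9011", 41.00, "declined"),
    ("m_bakery", "411111xxxxxx7702", 5.75, "approved"),
]


def summarize(auths):
    """Aggregate per-merchant counters needed for the card-testing heuristic."""
    stats = defaultdict(lambda: {"attempts": 0, "approved": 0, "small": 0,
                                 "pans": set(), "bins": defaultdict(int)})
    for merchant, pan, amount, result in auths:
        s = stats[merchant]
        s["attempts"] += 1
        s["approved"] += result == "approved"
        s["small"] += amount <= 1.00          # the $1 "is it alive?" probe
        s["pans"].add(pan)                    # distinct cards tried
        s["bins"][pan[:6]] += 1               # how many attempts share a BIN
    return stats


def flag_card_testing(auths, min_attempts=10, min_distinct_pans=8,
                      max_approval_rate=0.2, min_bin_share=0.8, min_small_share=0.9):
    """Return {merchant: evidence} for accounts that look like a guessing oracle.
    Thresholds are illustrative assumptions; tune them to real traffic."""
    flagged = {}
    for merchant, s in summarize(auths).items():
        if s["attempts"] < min_attempts:
            continue
        top_bin, top_count = max(s["bins"].items(), key=lambda kv: kv[1])
        approval_rate = s["approved"] / s["attempts"]
        if (len(s["pans"]) >= min_distinct_pans
                and approval_rate <= max_approval_rate
                and top_count / s["attempts"] >= min_bin_share
                and s["small"] / s["attempts"] >= min_small_share):
            flagged[merchant] = {"attempts": s["attempts"],
                                 "distinct_pans": len(s["pans"]),
                                 "approval_rate": round(approval_rate, 3),
                                 "dominant_bin": top_bin}
    return flagged
```

A gateway would act on such a flag by throttling or suspending the merchant account and stepping up identity checks at signup, which is the point where the disposable-email accounts described above are created.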
For starters, this is the perfect example of how EMV technologies will not solve electronic fraud as card-not-present transactions continue to be massively adopted and more technologies to facilitate online payments become available. Secondly, it only takes one good card to make this whole scheme worthwhile for everyone involved. The worst-case scenario is that a corporate card is uncovered, and the impact of that could be devastating for any organization.
If there is a safety factor in this saga, it lies in the assumption that the creativity of online criminals is absolutely infinite. To solve this, the payment systems need to work together to overcome these challenges. Securing the pieces without thinking of the whole picture will only open the door to more opportunities for hackers to take advantage of the disconnects and, as a result, to increased fraud losses for banks, enterprises and end users.