Online Card Enrollment: A Fraudster’s Handy Tool

Written by Dima Khrustalov

Executive Summary

  • In the cybercriminal underground, the term “payment card enrollment” refers to the process of registering a payment card on an online account management service offered by the issuing bank.
  • The enrollment of a payment card allows the accountholder, or in our case the fraudster, to view online statements and balance, review transactions, pay bills online, manage and update account information, and more. The most important feature for fraudsters is the ability to change the accountholder’s details (address, phone, etc.).
  • Payment cards that are or can be enrolled in online account management are in high demand by fraudsters and cybercriminals committing reshipping fraud (purchasing goods online using stolen payment cards). With these cards, fraudsters can more easily bypass anti-fraud controls such as AVS (address verification system), SMS / phone call verification, and mini-deposit verification.
  • Not all issuers offer online card account management services, and some online card account platforms do a good job of detecting and blocking unauthorized registrations. As such, fraudsters and cybercriminals are constantly seeking financial institutions and specific BINs that are easier to enroll.
  • By monitoring fraudsters and cybercriminals in underground forums and communities, we have discovered what financial institutions are being targeted due to the perceived higher likelihood of payment card enrollment.

Recommendations

  1. Contact us to learn how fraudsters view your institution. Are you a target for payment card enrollment?
  2. Review your online card account management platform; identify opportunities to enhance controls to detect unauthorized card enrollment.
  3. Implement rules to flag and verify certain online account updates (e.g., address change).
  4. Monitor the Digital Underground on an ongoing basis to identify and flag compromised payment cards.

What is Reshipping Fraud?

One of the most common types of fraud using stolen payment cards (whether directly using compromised payment cards, or indirectly taking over e-commerce accounts with linked payment cards) is “reshipping fraud”. Reshipping fraud is quite straightforward: a fraudster steals a victim’s payment card and uses it to purchase an expensive product online. The product is shipped not to the victim’s address but to the address of a reshipper or mule, an individual who then ships the product to an address specified by the fraudster.

The US Postal Service defines reshipping fraud as follows [1]: “Criminals operating primarily from Eastern European countries and Nigeria have been conducting widespread, international schemes involving bogus job offers, fraudulent credit card orders, and the reshipping of illegally obtained products. The scam begins when criminals buy high-dollar merchandise — such as computers, cameras, and other electronics — via the Internet using stolen credit cards. They have the merchandise shipped to addresses in the United States of paid “reshippers” (who may be unaware they are handling stolen goods). The reshippers repackage the merchandise and mail it to locations [2] in Russia, Ukraine, Estonia, Lithuania, Romania, and Germany. Victimized businesses include such well-known companies as Amazon, eBay, and other Internet auction sites.”

An underground service offering parcel mules to receive stolen packages

Value of Enrolled Payment Cards

Payment card enrollment, i.e., registering a payment card on an online account management service offered by the issuing bank, is an important step in facilitating successful reshipping fraud. Numerous threat actors on underground Russian-speaking cybercriminal and fraud forums are either offering such cards for sale or looking to buy them. We have seen regular, active discussions about payment card enrollment in these underground communities. What is the reason for the high popularity of enrolled payment cards among fraudsters and cybercriminals?

A threat actor is seeking to buy enrolled payment cards with an option to turn off region lock and change cardholder's phone number to Google Voice number

The enrollment of a payment card in an online account management service allows the accountholder to view online statements and balance, review transactions, pay bills online, and more. But that is not what fraudsters and cybercriminals are interested in.

They are interested in executing the following:

  1. Accountholder Address Change: A common anti-fraud control is AVS (Address Verification System), which compares the accountholder’s billing address with the shipping address entered during an online transaction. If the addresses differ, the purchase may be flagged as suspicious. By changing the accountholder address via the online card account management tool, the fraudster ensures that the mule (or reshipper) address matches the accountholder billing address.
  2. Accountholder Phone Number Change: Banks or e-commerce retailers may require verification via SMS or phone in order to approve certain transactions. By changing the accountholder contact phone number via the online card account management tool, the fraudster ensures that any verification requests will be received and processed by him.
  3. Mini Deposits Verification: Another card verification method used by some online payments platforms (e.g. PayPal) is conducting 1 or 2 micro-transactions to the accountholder’s payment card. After these transactions are processed, the accountholder is required to enter the exact sums of each transaction to confirm his ownership of the card. With access to the online card account, the fraudster can view these transactions and verify the mini deposits.

A threat actor discussing AVS system of US e-commerce retailers

The Process of Enrollment

In most cases, online enrollment for payment cards is done using the PAN (Primary Account Number) and some of the accountholder’s PII (Personally Identifiable Information), including SSN (Social Security Number), DoB (Date of Birth), MMN (Mother’s Middle Name), billing address, etc. It is worth noting that many underground carding markets today sell compromised cards together with the cardholders’ PII. However, even if a card is sold without the cardholder PII, fraudsters and cybercriminals can easily obtain it using various services, both underground and legitimate. After the fraudster manages to enroll the payment card online, it can take five to seven days until the changes are applied to the account, and then the card can be used for reshipping or other fraud.

Cybercriminals prefer payment cards that have not been previously enrolled by the accountholder. In that case, the cybercriminal can enroll the card and have sole access to online account management. But even if the accountholder has already enrolled the card, cybercriminals can attempt to take over the online account. Of course, such enrollment is considered less “safe”, since the cardholder may try to log in, discover that he no longer has access to the account, and contact the bank to report the issue.

Understanding Your Risk

Not all issuers offer online card account management services, and even those that do may only offer the service for certain card types. Furthermore, some online card account platforms do a good job of detecting and blocking unauthorized registrations. As such, fraudsters and cybercriminals are constantly seeking financial institutions and specific card BINs that are easier to enroll. Information regarding what BINs of which banks can be enrolled online and tricks and tactics for successful enrollment is highly valuable and guarded among cybercriminals and fraudsters. This information is rarely publicly discussed on underground forums and communities, and many fraudsters are willing to pay a pretty penny for it. Through our deep coverage of underground forums and communities, we have discovered what financial institutions are being targeted due to the perceived higher likelihood of payment card enrollment. We recommend the following:

  • Contact us to learn how fraudsters view your institution. Are you a target for payment card enrollment?
  • Review your online card account management platform; identify opportunities to enhance controls to detect unauthorized card enrollment.
  • Implement rules to flag and verify certain online account updates (e.g., address change).
  • Monitor the Digital Underground on an ongoing basis to identify and flag compromised payment cards.
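
One way to express the "flag and verify certain online account updates" recommendation as a rule, shown as an added example rather than Q6 Cyber's own code: address or phone changes that closely follow an enrollment or credential reset are stepped up or held. The event names, the 7-day window, the decision labels and the sample events are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=7)  # assumed review window after enrollment or reset
ACCESS = {"enrollment", "credential_reset"}
CONTACT = {"address_change", "phone_change"}

# Constructed sample events, not real data: (time, account, event, device)
EVENTS = [
    ("2024-03-01T09:00", "acct-A", "enrollment", "dev-1"),
    ("2024-03-01T09:06", "acct-A", "address_change", "dev-1"),
    ("2024-03-01T09:09", "acct-A", "phone_change", "dev-1"),
    ("2023-01-10T12:00", "acct-B", "enrollment", "dev-7"),
    ("2024-03-02T18:30", "acct-B", "login", "dev-7"),
    ("2024-03-02T18:35", "acct-B", "address_change", "dev-7"),
    ("2023-06-01T08:00", "acct-C", "enrollment", "dev-3"),
    ("2024-03-03T02:00", "acct-C", "credential_reset", "dev-9"),
    ("2024-03-03T02:10", "acct-C", "phone_change", "dev-9"),
    ("2024-03-04T10:00", "acct-D", "enrollment", "dev-4"),
    ("2024-03-06T11:00", "acct-D", "address_change", "dev-4"),
]

def review_contact_changes(events, window=WINDOW):
    """Return {account: decision} for accounts whose contact details changed."""
    access = {}    # account -> (time of last enrollment/reset, from unseen device?)
    seen = {}      # account -> devices observed so far
    changed = {}   # account -> contact fields changed since that access event
    decisions = {}
    for raw_ts, acct, event, device in sorted(events):
        ts = datetime.fromisoformat(raw_ts)
        devices = seen.setdefault(acct, set())
        if event in ACCESS:
            # A reset from a device the account never used suggests takeover.
            access[acct] = (ts, bool(devices) and device not in devices)
            changed[acct] = set()
        elif event in CONTACT:
            start, new_device = access.get(acct, (None, False))
            if start is not None and ts - start <= window:
                changed[acct].add(event)
                # Address and phone both replaced, or access came from an
                # unknown device: hold and confirm via the contact on file before.
                risky = new_device or changed[acct] == CONTACT
                decisions[acct] = "hold_verify_old_contact" if risky else "step_up"
            else:
                decisions.setdefault(acct, "allow")
        devices.add(device)
    return decisions
```

Verification for a held change goes to the phone or address that was on file before the update, since the new contact details are the ones the requester controls.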

[1] https://about.usps.com/publications/pub300a/pub300a_v04_revision_072019_tech_022.htm
[2] Our intelligence suggests that many items are reshipped within country.

About the Author

Dima Khrustalov is a senior analyst at Q6 Cyber’s Tel Aviv office, covering global cybercriminal activities on the Dark Web and Deep Web. Prior to Q6 Cyber, Dima was an Anti-Money-Laundering and Due Diligence analyst. Dima holds a BA in Communications and Business Administration from the Hebrew University of Jerusalem.