Hi everyone! Let me introduce myself. My name is Tim and I’ve been researching sophisticated card fraud cases for the last 1.5 years. My field of interest is payments, I started carrying out online banking systems security assessments, and later moved to more unusual vulnerabilities, and attacks directed at ATMs (https://www.slideshare.net/a66at/7-sins-of-atm-protection-against-logical-attacks), and Apple Pay (https://www.peerlyst.com/posts/apple-pay-replay-attacks-the-future-of-cardless-fraud-tim-yunusov).

I have always been passionate about money. I get an actual adrenaline rush every time I work on a banking system during another security assessment and when I see how the system can be abused or misused to get money out. Almost every online banking and mobile banking system I’ve assessed contained such vulnerabilities. But I never imagined how big this attack surface would become once you get more instruments in your hands, such as POS terminals and payment cards. Later this year we will release a whole set of different articles and videos about payment security and payment fraud from the attacker’s point of view, and from our experience in this area. We will cover a various amount of topics, including EMV and NFC payments, online and offline acquiring, mobile wallets, card not present payments, following the history of each topic, myths, fraud vectors and so on.

But for now, I would like to share with you a story which happened to me right after my colleague and I began planning a series of educational payment videos and articles. I will call this story,

“How to lose money during payment research”.

By the end of 2018, I was a proud cardholder of as many as 6 different debit cards of the most popular fintech startups across Europe and the UK. The reason for holding them was simple — to find vulnerabilities in payment processes. Only recently have I begun looking into “money movement” fraud. The main idea of money movements is to move money out of one account to another account, whilst at the same time getting some benefit from this process. For example, to withdraw cash from a credit account without any fees and charges.

Another purpose of money movements might be to receive cash-back or a bonus. Essentially creating money from money simply by moving the same amount of money back and forth an infinite amount of times.

In order to create a testing environment for these kinds of attacks, I use online acquiring (such as card2card services, which you can find on the Internet, like PaySend). Another way of doing this is to get a POS terminal and obtain a merchant account. Last year Leigh-Anne Galloway and I shared our experience of this market and the vulnerabilities in mobile Point of Sales terminals (https://www.youtube.com/watch?v=acBSfc9Csew)

At some point during those checks, we took one of the cards, which “allows you to spend money from any of your accounts using just one * Card”. We linked another debit card to this account and set this up as the default account for this card. The idea was simple, to see whether we could get cash-back for the card by doing a simple card2card operation to the original card. This shouldn’t be allowed due to the conditions of use set by the card provider. Still, we wondered if it was possible to get some kind of monetary gain by abusing the logic of these systems.

Here’s the scheme of my not-so-sophisticated attack.

Following this plan, I sent £100 from the card *1234 to the card *5678, using card2card service PaySend, which I’ve used in the past.

For reference: sometimes PaySend allows you to make payments without any fees, sometimes it will be £1 fee. To minify the fee scale, I’d decided to make a £100 payment with £1 fee.

And as planned, £100 was withdrawn from my *5678 card. All I had to do now was to wait for the money to transparently move through the card *1234, and back into the deposit account, which was set as the starting point *5678. There is a £1 fee for the £100 value so I was expecting to have £99 deposited back into the account. And I was hoping to receive cash-back for this transaction.

Instead, a further £99 left the account!

Wait… WHAAAT???

Double spending attack on my own funds for *5678 card

Card *1234 for some reason doesn’t have a genuine £100 transaction in history but has second £99 withdrawal.

I waited patiently for 5 days, for the transaction status to change from “pending” to “completed”. I then wrote to both financial institutions (bank *1234 and *5678).

After two long conversations, all I could get is that for both banks it was just a regular transaction. WTF?!

Bank *1234, first response

Bank *1234, the second response

Bank *1234, the third response

Bank *5678, first response

Bottom line: for everyone it’s a normal transaction, not topping up one, and intermediate bank doesn’t hold any of my money. But where are they then???

Just to let you know, I did get my cashback in the end — 0.1%, which was £0.10,

Woohoo, I’m rich!

Further steps.

I decided to dig a bit deeper into different types of refunding operations. I refunded two payments from different POS. After 2 weeks of waiting, I got my money back. Ok, that’s something. Then I decided to use different cards, linked to *1234 account and different card2card services, to understand where the fault might be in this process. All of them resulted in multiple spending transactions.

Different card2card service, another linked card. Same story.

Third card2card service, third linked card. Same story again…

Interesting fact about the double spending scenario — is that you never share *5678 card’s information, enough to make a Card Not Present transaction — all you enter normally is just PAN (card number) and sometimes an expiry date.

So, to summarize again what has happened — I expected to move back and forth £100 and get a cashback for that operation, instead of that I had been withdrawn twice and my balance now is -£200 =(

As the outcome, there many good fintech startups who can help to counteract with old fashioned high street banks — big mammoths, and provide all modern features and satisfy the required needs of customers. However,