Fullz and Credit Card Fraud
If you’ve come across any part of the security space dealing with fraud, you’re probably already familiar with the term “fullz.” Often heard in association with credit card fraud operations, “fullz” are what cybercriminals use to refer to personal information which can be used to make fraudulent credit card purchases, take over accounts to sell later, or commit wire transfer fraud and tax fraud. Known more commonly as “identity theft” to a layman, fullz are what allow criminals to pretend to be their victims.
Carding forums are rife with the “fullz” term. Credit card fraudsters and data resellers use it to refer to “full” packages of a victim’s personal information. These packages usually contain a victim’s birth date, social security number, physical address, mother’s maiden name, and any other data that can be used to verify the victim’s identity. Given the general difficulty of pulling off credit card fraud with the modern security countermeasures, when it comes to fullz, the more information, the better.
On the inside of a carding forum, one may come across a few common terms besides “fullz.” “Dumps” refer to the raw data which is read from a credit card’s magnetic strip by point of sale (PoS) terminals. This information can be stolen physically using a credit card skimmer or even through the use of PoS malware installed on payment terminals in stores, restaurants, gas stations, and anywhere else that someone can swipe a credit card to make a purchase.
Fraudsters can then duplicate and reprint dump data onto fresh fraudulent credit cards for their own use. This is what’s known as physical carding, or counterfeit credit card fraud. Criminals profit when they sell the goods they buy using the fraudulent credit card.
Naturally, the carder’s objective is to avoid having fraudulent transactions flagged by the credit card companies. This is exactly why fraudsters now pay more attention to the credit card’s CVV (card verification value code) within carding communities as credit card companies develop better security features. Initially introduced as a countermeasure against credit card fraud, a credit card’s CVV is a three- to four-digit code that is supposed to ascertain that a customer making an online purchase actually has the card in hand.
In terms of credit card fraud, fullz are valuable because they allow fraudsters to make online purchases using the CVV code. It doesn’t take a fraudster to know that anyone ordering online needs to provide the physical billing address or zip code associated with the credit card as well as the CVV to make a purchase. In case these details aren’t enough to validate the transaction, or they tip off fraud alerts, having more personally identifying information (PII) about the victim is necessary when the buyer is required to verify his or her identity to unlock the account. If the fraudster’s stolen credit card doesn’t work, he can simply provide the victim’s social security number, date of birth, or mother’s maiden name to the credit card company before resuming business as usual.
More recent innovations in security have made credit card fraud more difficult. In doing so, however, they’ve also raised the value of fullz. EMV chips, also known as “chip” cards, contain embedded information that is supposed to, like the CVV number, act as a “something you have” second factor to prevent dumps and fullz from being enough to make a successful credit card transaction occur. More specifically, the chip combats fraud because it contains a cryptographic key which verifies the legitimacy of the card via the generation of a one-time code. This one-time code, unlike a CVV, is ephemeral, and therefore can’t be used again and again across multiple transactions.
According to a study from Visa, EMV cards may have helped curtail credit card fraud tremendously. In March 2018, Visa claimed that counterfeit (physical) credit card fraud was down 46 percent for all U.S. merchants since September 2015. For merchants who had already implemented the use of EMV chip readers, credit card fraud had decreased by nearly 75 percent. Unfortunately, the ubiquity of EMV chips makes fullz more valuable than ever before from the perspective of a credit card fraudster. Fraudsters now need to get creative in order to pull off their transactions. Not surprisingly, it is expected that criminals will not just go away but will adapt their fraud techniques to overcome EMV technology in the near future.
Because EMV technology is most effective against counterfeit credit card fraud, online retailers will likely see an increase in card-not-present credit card fraud using dumps and CVVs. In these cases, having good, fresh fullz is paramount to a fraudster. If a fraudster has the victim’s mother’s maiden name, social security number, date of birth, physical address and possibly a few other data points, he can more easily perpetrate a successful fraudulent transaction. Given this, it’s likely the demand for fullz will increase within underground carding communities.
Fullz and Account Takeover
Fullz aren’t just useful to perpetrate credit card fraud. They can also be used to take over higher-value financial accounts as well as common merchant and personal accounts. Of course, these accounts are also markedly more difficult to take over than lower-value accounts which can be cracked using rudimentary cracking tools.
In fact, markets already exist for the sale of various types of accounts that can be obtained fairly easily through credential stuffing.
SpyCloud published reporting on this topic in our blogs Criminals are using these tools to “crack” your website and How the Grinch Stole Your Customer’s Account.
Whether these accounts offer access to unlimited Uber rides or someone else’s savings account, those seeking to exploit them largely do so for financial gain.
Novice criminals may enjoy the cheap thrills of going after ride-sharing, pizza delivery app accounts, and other low-hanging fruit. Criminals take over these lower-value accounts by spraying large sets of breached credentials against web applications until the automated testing yields a match. If the victim hasn’t yet set up multi-factor authentication, the account can be taken over fairly easily. Criminals familiar with the prevalence of password reuse between accounts may leverage cracked passwords across multiple accounts. Once an account is cracked, successful attackers can enjoy the service for free.
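The credential-stuffing pattern described above (one source trying many different usernames, almost all of them failing) is visible in ordinary login logs. The following is an added detection example written for this post, not code from SpyCloud; the log format and the IP addresses are constructed, and the thresholds are assumptions a defender would tune to their own traffic.

```python
from collections import defaultdict

# Constructed sample login events (not real data): timestamp, source IP, username, result.
# 203.0.113.7 sprays seven different accounts and gets into one (dave);
# 198.51.100.4 is one user mistyping a password, which is a different pattern.
SAMPLE_LOG = """\
2018-06-01T10:00:01Z 203.0.113.7 alice FAIL
2018-06-01T10:00:02Z 203.0.113.7 bob FAIL
2018-06-01T10:00:02Z 203.0.113.7 carol FAIL
2018-06-01T10:00:03Z 203.0.113.7 dave OK
2018-06-01T10:00:03Z 203.0.113.7 erin FAIL
2018-06-01T10:00:04Z 203.0.113.7 frank FAIL
2018-06-01T10:00:05Z 203.0.113.7 grace FAIL
2018-06-01T10:01:10Z 198.51.100.4 alice FAIL
2018-06-01T10:01:30Z 198.51.100.4 alice FAIL
2018-06-01T10:02:00Z 198.51.100.4 alice OK
2018-06-01T10:03:00Z 192.0.2.9 bob OK
"""

def parse_events(text):
    """Parse the constructed whitespace-separated log format into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "OK"})
    return events

def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.8):
    """Flag source IPs that tried at least min_users distinct usernames with a
    failure ratio of at least min_fail_ratio. Repeated failures on a single
    account from one IP are not flagged; that is brute force or a typo, not
    stuffing. Successful logins from a flagged source are the accounts that
    need a forced password reset and MFA enrolment."""
    by_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "failures": 0, "hits": set()})
    for e in events:
        s = by_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["hits"].add(e["user"])
        else:
            s["failures"] += 1
    flagged = {}
    for ip, s in by_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {"distinct_users": len(s["users"]),
                           "fail_ratio": round(ratio, 2),
                           "compromised": sorted(s["hits"])}
    return flagged
```

Because stuffing relies on reused passwords, the accounts in "compromised" should also be checked for the same credentials on any other service the organisation runs.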
These types of accounts may be easier to take over, but they still often require some outside information. If, for example, someone is able to take over an account that requires two-factor authentication, they may be stumped if they can only get the password. In that case, the criminal may click “I no longer have access to this device” and try to social engineer customer support representatives to obtain ownership of the account, claiming that they’ve lost their phone and can no longer obtain a password reset code. Naturally, such a conversation would require identifying information such as a date of birth, a physical address, a mother’s maiden name, or even a social security number in the case of higher-value accounts such as bank, insurance, or other sensitive accounts. In these cases, fullz are even more essential than they are for credit card fraudsters.
More complicated still are takeovers of investment and banking accounts which contain large sums of money. Thanks again to fullz, these accounts can also be taken over more easily than many understand. Using a combination of social engineering of customer support, targeted phishing, and/or insider recruitment, fullz can serve as fodder for each new step in a multifaceted operation.
As an example, in order to get a bank employee to allow a fraudulent transaction or even unwittingly initiate one themselves, a fraudster may craft a convincing email from someone within the company whose credentials they have already compromised. In order to make the phish convincing, the fraudster will need to have certain information to both impersonate the employee and provide convincing instructions. This type of bank fraud also requires the login credentials for the victim’s online bank account. Although online banking authentication interfaces are more difficult to crack using traditional cracking tools, they can be obtained by crafting convincing bank login phishing pages.
According to the IRS, a particularly complicated scheme involved a criminal who crafted and sent a fake email from one of the target organization’s own employees to someone with access to payroll information. The email instructed the recipient to send them a list of all employees and their W2 forms. After receiving the list, the fraudster requested, with the appropriate sense of urgency, that a wire transfer be initiated to a certain account. This scheme gives fraudsters valuable fullz on all of the employees as well as bank funds which have been cashed out successfully to virtually untraceable mule accounts. The money is accessed, transferred and then laundered. Once inside, criminals can use the information they obtained from the W2s to contact other employees by spoofing an email account and initiating even more transfers.
The information from W2s can also be used to apply for accounts in a victim’s name for the purpose of buying goods to sell or committing tax fraud.
In this case, the end goal is to obtain the victim’s tax refund. Criminals essentially file the taxes for the victim. While victims don’t have to pay for an accountant, in this case, they don’t receive their tax refunds either.
The Future of Fullz
As businesses and even governments ponder how to tackle the crisis of password reuse and password security, new policies must take into account probable adaptations by criminals. The new NIST guidelines recommend that passwords should be “easy to remember” but “hard to guess.” They also recommend the use of second and third factors of authentication, such as soft and hard tokens. But with the advent of convenience-oriented services like Touch ID on MacBook Pro, “something you are” is now used as an authentication factor both outside and inside of the workplace.
A recent study estimated that 57 percent of companies use biometric authentication. Biometric authentication was not lost on the new guidance released by NIST. NIST differentiated biometric authentication as probabilistic, as opposed to other factors, which were described as deterministic. And NIST’s interpretation was not limited only to fingerprints, facial recognition and the iris as characteristics for identification. The document also considered behavioral signatures such as typing cadence. NIST provided a caveat to their guidance on biometrics, even going so far as to recommend only their “limited” use. Moreover, NIST cautioned that “biometrics do not constitute secrets” and warned that they may be obtained without a victim’s knowledge, such as by taking a picture of them or by acquiring that information through other means without their permission or through subversion.
The problem with the ubiquity of biometrics used as additional factors of authentication is that, unlike a password, they cannot be changed or reset. If compromised, they give criminals access to an irrevocable piece of who we are.
Moreover, breaches such as the MyHeritage breach provide a glimpse of what could happen if our most private information were to be compromised. The big news, of course, is that 92 million users’ email addresses and hashed passwords were exfiltrated. The potentially more alarming scenario is one in which MyHeritage’s analysis of the DNA would have been exposed. That data contains genetic insights, medical information, and analysis unique to who we are as humans. This information cannot be changed. Although MyHeritage claims that no genetic data was compromised, the hack represents an almost dystopian potential scenario in which fullz could leverage data that is inextricably linked to us forever.
Though fears of these “fullz on steroids” have not yet materialized, some databases containing biometric data have already been compromised. India’s biometric database, called Aadhaar, has already been compromised twice. Aadhaar was created in 2009 and stores biometric data including iris scans and fingerprints belonging to over 1 billion Indian citizens and residents. Each signature was assigned a 12-digit code and each fingerprint and iris scan is linked to someone’s personal identity. The intended purpose of Aadhaar was to create these identities as a way to easily organize everyone’s welfare, health and education status. But because it became difficult to verify the identities of Indian residents and citizens who didn’t carry any form of identification, India saw Aadhaar as a solution to the problem of verifying that persons traveling between states are who they say they are.
Unfortunately, the methods used to compromise the database were relatively simple. The attackers issued a malicious patch that disabled existing security features, allowing them to create their own Aadhaar identities as well as spoof its biometric recognition features. This enabled them to impersonate nearly anyone in the system. It also allowed attackers to create false identities with false biometric data. The malicious patch reportedly could be purchased for only 35 U.S. dollars. Journalists were reportedly able to purchase root access to the database for only 8 U.S. dollars. Unfortunately, it’s possible that journalists weren’t the only ones eager to pay such a low price for such valuable data. Those who were compromised will be hard pressed to ever get their identities back. If there ever was such a thing as “personally identifiable information,” biometrics is the paragon.
As technology advances, we may start to use biometric features more often to prove we are who we say we are. We must also be aware that threat actors will continue to adapt and that the cost of convenience is often a shortfall in terms of security.
Though the thought of “super fullz” being sold to the highest bidder on the dark web may sound dystopian, it’s never too early to prepare for possible criminal adaptations to the technologies we create. We can start now by taking better steps to protect our information, especially by knowing the exposure of our first factor of authentication, the password, across criminal communities.