
Sunday, November 12, 2023

Some details about Fawry and LockBit 3.0 attack


Some details about Fawry and LockBit 3.0 attack:

* The CBE requires all payment gateways to be PCI DSS compliant.

* According to PCI DSS standards, the whole card number (16 digits for Mastercard and Visa, 15 digits for Amex) is never saved at any point in the payment transaction steps, *as long as there is no business need to save it*.

* When a payer saves his card in a payment gateway portal (like Fawry) or an online shop (like Amazon, Jumia, etc.), no actual card number is saved in the database. What happens instead is the following:

- The cardholder (payer) enters all his card info at the first step (Card number, Exp Date, CVV).

- The payment gateway sends (via a secure channel) this info to its bank gateway (the acquirer bank). (Let's say payment gateway xyz has a merchant account with CIB bank for example).

- The acquirer bank passes the information to the card-network (a network that connects the four major card issuers Mastercard, Visa, American Express, and Discover).

- The information gets validated by the card-network. If the provided card info is correct, it generates a token as an identifier (for this card + this merchant) and sends it back to the payment-gateway.
The payment-gateway stores the generated token and links it to the user profile.

- PCI allows payment-gateways and online sites to show the first two digits and the last six (35XX-XXXX-XXXX-4562), so that the gateway can tell the user which card was used in the transaction or saved.

- The CVV is never saved at all.

- The next time the cardholder logs in to the payment-gateway or the online shop, they are asked to provide the CVV only, and the payment gateway then uses token + CVV.

= For some service providers, the acquirer bank approves the service provider to use the token only, with an optional CVV (like Amazon, for example). This is not the case with Fawry, as Fawry asks for the CVV.

= In the last few years, the card-network has provided an additional layer of protection and security, 3-D Secure (3DS), which sends an OTP via SMS to the mobile number linked to the cardholder.
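
The storage rules above (no full card number, no CVV, only a token and a masked number on the profile) can be checked mechanically. The following is an added example, not code from the article or from any gateway: it scans stored profile records for a 15 or 16 digit number that passes the Luhn checksum, or for a stored security code. The field names, token format and sample records are constructed for illustration.

```python
import re

# Candidate PANs: 15 digits (Amex) or 16 digits (Mastercard/Visa), allowing
# spaces or dashes between digits, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){14,15}\d(?!\d)")
# Hypothetical field names that would indicate a stored security code.
CVV_KEYS = {"cvv", "cvc", "cvv2", "cid", "security_code"}


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def audit_record(record: dict) -> list[str]:
    """List findings for one stored profile record (empty list = clean)."""
    findings = []
    for key, value in record.items():
        if key.lower() in CVV_KEYS and value not in (None, ""):
            findings.append(f"{key}: security code is stored")
        for match in PAN_RE.finditer(str(value)):
            digits = re.sub(r"\D", "", match.group())
            if luhn_ok(digits):  # filters out order ids, phone numbers, etc.
                findings.append(f"{key}: full card number ...{digits[-4:]}")
    return findings


# Constructed sample records. 4111111111111111 is a widely used test number;
# the masked value is the one shown in the article.
GOOD = {"user_id": 1001, "phone": "01000000000",
        "card_token": "tok_9f3c2a7e51b04d88",
        "card_display": "35XX-XXXX-XXXX-4562"}
BAD = {"user_id": 1002, "notes": "card 4111 1111 1111 1111 exp 12/25",
       "cvv": "123"}

if __name__ == "__main__":
    for rec in (GOOD, BAD):
        print(rec["user_id"], audit_record(rec) or "clean")
```

The Luhn check keeps the scan from flagging arbitrary 16 digit identifiers, so a hit on a free-text field such as a notes column is worth investigating.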



Payment-gateways store different types of data, such as personal account information (name, phone, address, etc.), like the one in the screenshot, as well as payment history and other information.

Such data is very precise and valuable. It is out of PCI DSS scope. It is the payment-gateway's responsibility to save and secure such data.

The value of such data is that it can be processed and analyzed to produce a lot of different information:

You can learn everyone's lifestyle: in which areas they spend their money, at which time of the month, and where.

You can find important information about their areas of interest, etc.
These hackers sell this data to the biggest buyers first (chains, hotels, etc.), then to lower-level buyers, until they sell it in the dark to regular users for something like $50.



Hussien Gamal Break Magazine