06/27/12

E-Commerce in the Black Market

gAtO hAs - found that e-commerce in the Black Market in the Tor-onion network is a little different than e-commerce in the clear web. Places like the Silk Road that deal with illegal drugs and other black market marketplaces have a lot to think about when they do business and the customers of these services have similar problems that can open them up to being caught and prosecuted. There a few thing that we must examine to understand e-commerce in the deep dark web. Once again gAtO does not recommend doing business with the black market but from a technical and SE view of how these transactions happened we may learn something. I have learned that China,Iran and Syria look for Tor traffic because of the fingerprint of the traffic stream – Tor traffic is padded to 512 byte size packets, normal VPN is not. But we know that the Tor-Project team is working on new and better ways to hide Tor fingerprint so everything is evoling.

Here are a few notes I found that makes you think – mAyBe sI-nO:

Conceal your membership (VERY IMPORTANT FOR VENDORS)

Using Tor by itself is not enough to protect you, particularly if you are a vendor. Membership revealment attacks combined with rough geolocation intelligence can lead to a compromise! The gist of a membership revealment attack is easy to understand. The attacker merely determines everyone who is connecting to a particular network, even if they are incapable of determining where the traffic being sent through the network is destined for. Tor does a good job of preventing an attacker who can see exit traffic from following the stream back to your location. Unfortunately, if you ship product the attacker can determine your rough geolocation merely by determining where you ship product from. If the attacker already knows your rough geolocation and they are capable of doing a membership revealment attack to determine who all in your area is connected to Tor, they can likely narrow down your possible identity to a very small set size, possibly even a set size of one.

This is not likely to be useful for evidence but it will provide strong intelligence. Intelligence is the first step to gathering evidence. The attacker may put everyone in your area who they detect are connecting to the Tor network under meatspace surveillance looking for evidence of drug trafficking activity. For this reason it is highly important that you protect yourself from membership revealment attacks!

Membership revealment attacks are less a worry for customers (provided financiall intelligence is properly countered to avoid an attacker finding rough customer geolocations!) than they are for vendors. There are a few reasons why this is true. First of all a customer is likely to reveal more about their identity when they place an order than the attacker will be able to determine with a geolocation + membership revealment attack. Secondly, the vendors allowed to operate on Open Source have been highly screened to significantly reduce the probability that any of them are federal agents, but the customers on Open Source are not only anonymous but they are also not screened at all. Third of all, the organizational structure reduces the risk for customers; a customer may work with a few vendors but each vendor is likely to be working with hundreds or thousands of customers. Customers sourcing from Open Source are at minimal risk even if they have products delivered directly to there own residence, vendors working on Open Source at particularly vulnerable to membership revealment attacks due to the open nature of the site.

The primary concern for customers is that they load finances anonymously and the vendor decentralizes their financial network. If a vendor is using a star network (centralized) financial topology there is a risk that an attacker could map out the geographic locations where customers loaded funds. After determining where funding was loaded the attackers could do anonymizer membership revealment attacks in an area around the load point and filter out everyone who is not using an anonymizer. This will likely leave the customer and few others. The attacker may even be able to compare CCTV footage of the load to the users of anonymizers in the area and look for a facial recognition match. To counter this it is important for customers to make use of good financial counter intelligence techniques (E-currency layering being one). Customers may also choose to utilize transients by paying them a fee to load currency, this way the customer avoids being on CCTV at any point. If vendors decentralize funding points (ditch the star network topology) customers will be strongly protected from such attacks, however it is impossible for a customer to ensure that a vendor is using a 1:1 customer to account/pseudonym identification ratio.

There are several ways you can protect yourself from a membership revealment attack, if you are a vendor it would be foolish to not take one of these countermeasures. The primary way to protect from a membership revealment attack is to make sure you do not enter traffic through the same network you exit traffic through. As all traffic to Open Source ‘exits’ through the Tor network, entering your traffic through a VPN first will reduce your vulnerability to membership revealment attacks. The attacker will have to determine who all in your area uses any anonymizing technology and put all of them under meatspace surveillance, there are likely to be far more people in your area using some sort of proxy system than there are people using Tor in particular. This will substantially increase the cost of putting all ‘potential targets’ under surveillance.

Using a VPN is helpful but it is not the most ideal solution. Your crowd space against a membership revealment attack will increase but perhaps not by much depending on the particular area you work out of. Also, a particularly skilled attacker may be able to determine you are using a VPN to connect to Tor by fingerprinting traffic streams. Tor traffic is padded to 512 byte size packets, normal VPN traffic is not. By filtering for 512 byte streams, an attacker can determine who all is using Tor in a given area. VPN’s protect from IP routing based membership revealment attacks but not from traffic fingerprinting membership revealment attacks. However, it is less likely that an attacker will be able to do a traffic fingerprinting membership revealment attack. The Chinese intelligence services apparently are still using IP address based attacks to block access to the Tor network. This is not nearly as effective as traffic fingerprinting based attacks. This could be an indication that traffic fingerprinting membership revealment attacks are more difficult to carry out (likely), however it could also be due to a lack of skill on the part of Chinas intelligence services. It could also be that China is not particularly interested in blocking/detecting all Tor traffic and IP address based attacks meet their requirements.

A better option than using a VPN would be to set up a private VPS and then enter all of your Tor traffic through this. Doing this will make you much more resistant to IP address based membership revealment attacks because now the attacker will not even be able to narrow you down to all people in your area using any anonymity technology. This is still weak to traffic fingerprinting membership revealment attacks!

Perhaps the best option to avoid membership revealment attacks is to use open or cracked WiFi from a different location + Tor every single time you connect. You could even use open Wifi + VPN/VPS + Tor for very high security from membership revealment attacks. Using random (not your neighbors) open/cracked WiFi greatly increaces your resistance to a wide variety of identity revealing attacks. An attacker can still do membership revealment attacks on users of open WiFi but they can no longer gain useful intelligence from the attack. If they detect that an open WiFi connection unrelated to you is using Tor it can not be used to put you under meatspace surveillance unless they manage to identify you (facial recognition from CCTV cameras, etc).

If you are operating as part of a group you can avoid membership revealment attacks via smart organizational policy. The person responsible for communicating with customers should be different from the person shipping orders. Now the customers are incapable of determining where your actual rough geolocation is because product is sent from a different geographic area than you communicate from. Your shipper should be aware that they will potentially come under scrutiny via a geolocation + membership revealment attack, especially if they use Tor to enter traffic.

Another option is to configure Tor to use a bridge. Tor bridges are designed to allow people in nations such as China the ability to connect to the Tor network. China uses IP address based blocking to prevent users from connecting to known Tor nodes. Bridges are Tor entry guards that are not publicly listed and have a limited distribution mechanism. You can get some Tor bridge IP addresses from the Tor website. We do not suggest you use Tor bridges because they replace your entry guard and they are under crowded. This will lead to a lot less multiplexing on your Tor circuit and can hurt your anonymity in other ways, although it will indeed offer some level of protection from membership revealment attacks. China has managed to detect about 80% of Tor bridges, it is likely that NSA knows all of them. Police agencies in the West are probably not yet particularly worried about locating bridge nodes but they can probably do so with near the same accuracy as China. In our opinion it is not smart to rely on a Tor bridge to protect you from membership revealment attacks in most cases.

Step Four: Know how to do safe product transfer, handle finances safe

Note: Although customers sourcing from Open Source are encouraged to take the best security measures they can, it is not likely required for them to utilize advanced operational security regarding mail (such as fake ID boxes, tactical pick utechniques, etc). Because the vendors allowed to be listed here have been highly screened it is likely safe for customers to have product delivered directly to their homes. If you only work with highly trusted and trusted vendors your biggest concern will be a package being intercepted!

 

Online Verification Procedures
Over the years, I’ve come across dozens of procedure lists for top-tier merchants regarding online transations and fraud reduction. I’ll detail several companies verification procedures below.

While most virtual carders are aware of the various procedures in place to verify orders placed online, few actually understand the implementation of fraud scoring, and the order in which these verification methods are used.
The Risk Management Toolkit

  • AVS
  • CVV
  • IP/GEO/BIN
  • Cardholder Authentication (VbV/MSC)
  • Phone Verifications
  • Manual Order Reviews
  • Chargebacks & Representments
  • PCI Compliance & Data Security

 

AVS – Address Verification Service

How It Works

  • Provides a Match or Non-Match Result for only the Billing Street # and Billing Zip Code… not the actual address. (i.e. “1234 Test Street” is parsed into “1234” just the same as “1234 Wrong Way” would be).

Implementation

  • Available on any Internet merchant account and virtually any Payment Gateway.
  • Most gateways provide an AVS configuration area where you can specify whether you want to automatically“decline” (i.e. do not settle) an authorization that has an AVS mis-match or non-match.

Benefits

  • Easy to implement Limitations
  • Works only for U.S., CND, U.K. cardholders so this does not help you scrub most international transactions.
  • A growing % of compromised credit cards – especially those obtained through inside jobs or hacked databases– will also contain the necessary information to provide a valid AVS match result.

Recommendation

  • If you handle a mix of int’l and U.S. sales, you will want consider scrubbing with AVS on the U.S. transactions but do NOT scrub via AVS for any international transactions as they will always fail. AVS should not beconsidered a primary means of verifying the validity of a transaction. Nearly 20% of the fraud can potentially be eliminated by scrubbing “Non-Matched” AVS match results.

 

CVV – Card Verification Value

How It Works

  • A service with many names – CVV2, CVC2, CID – but the premise is the same for all.
  • Provides a Match or Non-Match Result for the 3-digit or 4-digit number embossed on the back of the cardholder’s card. The CVV is NOT generally encoded on the magnetic stripe and therefore is less likely to be captured as part of a card skimming tactic.

Implementation

  • Available on any Internet merchant account and virtually any Payment Gateway.
  • Most gateways provide an CVV configuration area where you can specify whether you want to automatically “decline” (i.e. do notsettle) an authorization that has an CVV non-match or non-entry.

Benefits

  • Works for virtually ALL cardholder accounts – both U.S. and international.
  • There is no valid reason why a legitimate cardholder, in possession of the card, would not be able to enter a 100% matching numberfor this.
  • Merchants are not allowed to store CVV and as such the CVV # is less vulnerable than the data used for AVS.

Limitations

  • CVV data can only be used for a real-time transaction. CVV data can not be stored and therefore can not be utilized for Recurring Transactions.

Recommendation

  • CVV is a recommended service to utilize for ALL initial transactions processed. Based on our internal charge-back analysis, merchants can reduce their fraud ratesby as much as 70% by simply requiring a matching CVV result.

 

IP/GEO/BIN Scrubbing

How It Works

  • Compares the IP address of the customer purchasing with their stated geographic location (i.e. why is the customer from California ordering from Europe?)
  • Compares the BIN # (first 6 digits) of the credit card with the IP or stated geographic location of the customer (i.e. the customer isusing an US-issued credit card but they are from Europe?)
  • Based on the IP and BIN # and other customer-inputted data, a vast amount of information can be returned on the transaction.

Implementation

  • Custom direct integration into a service such as MaxMind.com
  • Use an existing integration that is part of a Shopping Cart such as X-Cart, LiteCommerce, osCommerce, ZenCart,ASPDotNetStorefront.
  • Use an existing integration that is part of a Billing System such as WHMCompleteSolution, ClientExec or Ubersmith.

•Use an existing integration that is part of a Payment Gateway such as the Quantum Payment Gateway.

Benefits

  • Fast, Cost Effective and Non-Intrusive
  • Provides merchants with an excellent “do the pieces fit consistently?” analysis.
  • Can block up to 89% of all fraud if properly implemented

Limitations

  • Generally not reliable for AOL users due to the way that AOL routes its traffic (AOL users require a merchant-specific approach)
  • Proxy database is always in a real-time process of being updated as new proxies open up.

Recommendation

  • IP/GEO/BIN fraud scores should be used in the order evaluation process more as a means of flagging transactions as “high risk” formore intensive scrubbing vs. being an outright decline.

Examples of what IP Geo-Location can tell you:

YELLOW ALERTS

  • Free E-mail Address: is the user ordering from a free e-mail address?
  • Customer Phone #: does the customer phone # match the user’s billing location? (Only for U.S.)
  • BIN Country Match: does the BIN # from the card match the country the user states they are in?
  • BIN Issuing Bank Name: does the user’s inputted name for the bank match the database for that BIN?
  • BIN Phone Match: does the customer service phone # given by the user match the database for that BIN?

RED ALERTS

  • Country Match: does the country that the user is ordering from match where they state they are ordering from?
  • High Risk Country: is the user ordering from one of the designated high risk countries?
  • Anonymous Proxy & Proxy Score: what is the likelihood that the user is utilizing an anonymous proxy?
  • Carder E-mail: is the user ordering from an e-mail address that has been used for fraudulent orders?
  • High Risk Username/Passwords: is the user utilizing a username or password used previously for fraud?
  • Ship Forwarding Address: is the user specifying a known drop shipping address

IP/GEO/BIN Scrubbing (Continued)

Open/Anonymous Proxies: an open proxy is often a compromised “zombie” computer running a proxy service that was installed by a computer virus or hacker. The computer is then used to commit credit card fraud or other illegal activity. In some circumstances, an open proxy may be a legitimate anonymizing service that is simply recycling its IP addresses. Detecting anonymous proxies is always an on going battle as new ones pop up and may remain undetected for some time.

26% of orders placed with from open proxies on the MaxMind min Fraud service ended up being fraudulent. Extra verification steps are strongly recommended for any transaction originating from anopen/anonymous proxy.

High-Risk Countries: these are countries that have a disproportionate amount of fraudulent orders, specificallyEgypt, Ghana, Indonesia, Lebanon, Macedonia, Morocco,Nigeria, Pakistan, Romania, Serbia and Montenegro, Ukraine and Vietnam. 32% of orders placed through the MaxMind min Fraud service from high-risk countries were fraudulent. Extra verification steps should be required for any transaction originating from a high risk country.

Country Mismatch: this takes place when the IP geolocation country of the customer does not match their billing country. 21% of orders placed with a country mismatch on the MaxMind m******* service ended up being fraudulent. Extra verification steps are recommended for any transaction with a country mismatch.

Results that speak for themselves:

ChangeIP – is a DNS and domain name registration provider. The company provides free and custom Dynamic DNS services to more than 50,000 users. Before implementing MaxMind, ChangeIP was losing as much as $1,000 per month because it sold instantly delivered digital goods and could not recover the losses if the purchase turned out to be fraudulent. After implementing MaxMind, losses were reduced by 90%.

MeccaHosting – is a Web hosting company based in Colorado. Since integrating MaxMind, Mecca Hosting has not received a single chargeback. On average, 12-15 fraudulent orders pass through the in-house checks each month but are flagged by MaxMind. Over the last 5 months, this has saved MeccaHosting atleast 60 chargebacks and $6,000 in unnecessary costs.

Red Fox UK – is a Web hosting provider and software development company based in the UK which offers solutions for smalland medium sized businesses all over the world. By using MaxMind, Red Fox UK was able to increase its revenue by 4% while reducing its chargebacks by 90%.

365 Inc. – is a digital media and e-tailer specializing in soccer & rugby with a large international customer base that processes over 10,000 transactions per month. By integrating MaxMind, chargebacks were reduced byover 96% from more than $10,000 per month to less than $500 per month. At this point, most charge backs are general order disputes as opposed to fraud.

Whew. A lot of editing. I’ll post the remainder in a bit.

 

 

Online Verification Procedures
Over the years, I’ve come across dozens of procedure lists for top-tier merchants regarding online transactions and fraud reduction. I’ll detail several companies verification procedures below.

While most virtual carders are aware of the various procedures in place to verify orders placed online, few actually understand the implementation of fraud scoring, and the order in which these verification methods are used.
The Risk Management Toolkit

  • AVS
  • CVV
  • IP/GEO/BIN
  • Cardholder Authentication (VbV/MSC)
  • Phone Verifications
  • Manual Order Reviews
  • Chargebacks & Representments
  • PCI Compliance & Data Security

 

AVS – Address Verification Service

How It Works

  • Provides a Match or Non-Match Result for only the Billing Street # and Billing Zip Code… not the actual address. (i.e. “1234 Test Street” is parsed into “1234” just the same as “1234 Wrong Way” would be).

Implementation

  • Available on any Internet merchant account and virtually any Payment Gateway.
  • Most gateways provide an AVS configuration area where you can specify whether you want to automatically“decline” (i.e. do not settle) an authorization that has an AVS mis-match or non-match.

Benefits

  • Easy to implement Limitations
  • Works only for U.S., CND, U.K. cardholders so this does not help you scrub most international transactions.
  • A growing % of compromised credit cards – especially those obtained through inside jobs or hacked databases– will also contain the necessary information to provide a valid AVS match result.

Recommendation

  • If you handle a mix of int’l and U.S. sales, you will want consider scrubbing with AVS on the U.S. transactions but do NOT scrub via AVS for any international transactions as they will always fail. AVS should not beconsidered a primary means of verifying the validity of a transaction. Nearly 20% of the fraud can potentially be eliminated by scrubbing “Non-Matched” AVS match results.

 

CVV – Card Verification Value

How It Works

  • A service with many names – CVV2, CVC2, CID – but the premise is the same for all.
  • Provides a Match or Non-Match Result for the 3-digit or 4-digit number embossed on the back of the cardholder’s card. The CVV is NOT generally encoded on the magnetic stripe and therefore is less likely to be captured as part of a card skimming tactic.

Implementation

  • Available on any Internet merchant account and virtually any Payment Gateway.
  • Most gateways provide an CVV configuration area where you can specify whether you want to automatically “decline” (i.e. do notsettle) an authorization that has an CVV non-match or non-entry.

Benefits

  • Works for virtually ALL cardholder accounts – both U.S. and international.
  • There is no valid reason why a legitimate cardholder, in possession of the card, would not be able to enter a 100% matching numberfor this.
  • Merchants are not allowed to store CVV and as such the CVV # is less vulnerable than the data used for AVS.

Limitations

  • CVV data can only be used for a real-time transaction. CVV data can not be stored and therefore can not be utilized for Recurring Transactions.

Recommendation

  • CVV is a recommended service to utilize for ALL initial transactions processed. Based on our internal charge-back analysis, merchants can reduce their fraud ratesby as much as 70% by simply requiring a matching CVV result.

 

IP/GEO/BIN Scrubbing

How It Works

  • Compares the IP address of the customer purchasing with their stated geographic location (i.e. why is the customer from California ordering from Europe?)
  • Compares the BIN # (first 6 digits) of the credit card with the IP or stated geographic location of the customer (i.e. the customer isusing an US-issued credit card but they are from Europe?)
  • Based on the IP and BIN # and other customer-inputted data, a vast amount of information can be returned on the transaction.

Implementation

  • Custom direct integration into a service such as MaxMind.com
  • Use an existing integration that is part of a Shopping Cart such as X-Cart, LiteCommerce, osCommerce, ZenCart,ASPDotNetStorefront.
  • Use an existing integration that is part of a Billing System such as WHMCompleteSolution, ClientExec or Ubersmith.

•Use an existing integration that is part of a Payment Gateway such as the Quantum Payment Gateway.

Benefits

  • Fast, Cost Effective and Non-Intrusive
  • Provides merchants with an excellent “do the pieces fit consistently?” analysis.
  • Can block up to 89% of all fraud if properly implemented

Limitations

  • Generally not reliable for AOL users due to the way that AOL routes its traffic (AOL users require a merchant-specific approach)
  • Proxy database is always in a real-time process of being updated as new proxies open up.

Recommendation

  • IP/GEO/BIN fraud scores should be used in the order evaluation process more as a means of flagging transactions as “high risk” formore intensive scrubbing vs. being an outright decline.

Examples of what IP Geo-Location can tell you:

YELLOW ALERTS

  • Free E-mail Address: is the user ordering from a free e-mail address?
  • Customer Phone #: does the customer phone # match the user’s billing location? (Only for U.S.)
  • BIN Country Match: does the BIN # from the card match the country the user states they are in?
  • BIN Issuing Bank Name: does the user’s inputted name for the bank match the database for that BIN?
  • BIN Phone Match: does the customer service phone # given by the user match the database for that BIN?

RED ALERTS

  • Country Match: does the country that the user is ordering from match where they state they are ordering from?
  • High Risk Country: is the user ordering from one of the designated high risk countries?
  • Anonymous Proxy & Proxy Score: what is the likelihood that the user is utilizing an anonymous proxy?
  • Carder E-mail: is the user ordering from an e-mail address that has been used for fraudulent orders?
  • High Risk Username/Passwords: is the user utilizing a username or password used previously for fraud?
  • Ship Forwarding Address: is the user specifying a known drop shipping address

IP/GEO/BIN Scrubbing (Continued)

Open/Anonymous Proxies: an open proxy is often a compromised “zombie” computer running a proxy service that was installed by a computer virus or hacker. The computer is then used to commit credit card fraud or other illegal activity. In some circumstances, an open proxy may be a legitimate anonymizing service that is simply recycling its IP addresses. Detecting anonymous proxies is always an on going battle as new ones pop up and may remain undetected for some time.

26% of orders placed with from open proxies on the MaxMind min Fraud service ended up being fraudulent. Extra verification steps are strongly recommended for any transaction originating from an open/anonymous proxy.

High-Risk Countries: these are countries that have a disproportionate amount of fraudulent orders, specificallyEgypt, Ghana, Indonesia, Lebanon, Macedonia, Morocco,Nigeria, Pakistan, Romania, Serbia and Montenegro, Ukraine and Vietnam. 32% of orders placed through the MaxMind min Fraud service from high-risk countries were fraudulent. Extra verification steps should be required for any transaction originating from a high risk country.

Country Mismatch: this takes place when the IP geolocation country of the customer does not match their billing country. 21% of orders placed with a country mismatch on the MaxMind m******* service ended up being fraudulent. Extra verification steps are recommended for any transaction with a country mismatch.

Results that speak for themselves:

ChangeIP – is a DNS and domain name registration provider. The company provides free and custom Dynamic DNS services to more than 50,000 users. Before implementing MaxMind, ChangeIP was losing as much as $1,000 per month because it sold instantly delivered digital goods and could not recover the losses if the purchase turned out to be fraudulent. After implementing MaxMind, losses were reduced by 90%.

MeccaHosting – is a Web hosting company based in Colorado. Since integrating MaxMind, Mecca Hosting has not received a single chargeback. On average, 12-15 fraudulent orders pass through the in-house checks each month but are flagged by MaxMind. Over the last 5 months, this has saved MeccaHosting atleast 60 chargebacks and $6,000 in unnecessary costs.

Red Fox UK – is a Web hosting provider and software development company based in the UK which offers solutions for smalland medium sized businesses all over the world. By using MaxMind, Red Fox UK was able to increase its revenue by 4% while reducing its chargebacks by 90%.

365 Inc. – is a digital media and e-tailer specializing in soccer & rugby with a large international customer base that processes over 10,000 transactions per month. By integrating MaxMind, chargebacks were reduced byover 96% from more than $10,000 per month to less than $500 per month. At this point, most charge backs are general order disputes as opposed to fraud.

This is only a small part of the e-commerce as you can see there are lot’s of opinions on how to do business in the Black market and understanding how it’s done can help us to figure out solution for legit business in the future. - gATO oUt