This type of fraud may be reduced if more nations adopted Strong Customer Authentication as a legal requirement, for example, in the EU. It's similar to two factor authentication in that it doesn't matter if a hacker has your card details because a digital payment with the card can't be done without, say, an electronic id, a personal pin code, or a 2fa text message to the card's owner's phone. You could argue that the hacker could simply create a fraudulent popup to force you to fill out the form, but the process always takes you to your bank's website, where you must complete the 2FA. Furthermore, the bank informs you of the destination of the payment as well as the amount of the transaction. Once the two-factor authentication is complete, you've only granted your card for that one specific transaction, for that one amount of money, and no others.
Or... you know.. cryptocurrency? Bring security to ALL payments, and discard the global banking cartel in the process. There is no card. You scan a QR code, and approve the payment from your wallet. Simple as that.
@@hydrochlor I'm in the EU. Now, in my country we rarely use creditcards. Services like iDeal which use a debit card and paypal are more popular here. Let's be honest, the US with their magnetic strip credit cards are way behind the curve.
@@hydrochlor I was suprised to find out that american cards don't have a one time pin for every transaction. Its common here in Africa, the pin can be generated thru hard token, sent to your phone or through bank app.
For years i have been using a dedicated debit card for online stuff. I just transfer money from another account into it when i want to buy something. The rest of the time it only has about 10-20$ in it to cover things like icloud subscriptions etc.
Since day one, or back when the internet was revealed to be as vulnerable as it is in the nineties, credit card companies have done so little to make information transfer secure. Just watching this video, I thought of a security feature which would thwart this kind of attack. Depending on the average frequency of transactions, a cc company could essentially "ping" transactions at odd intervals and insure that the transaction is processed through the proper channels. But like all financial instruments, credit card companies are relieved of responsibility before anyone else. But keeping criminals fat and happy is probably what has kept the U.S. financial system afloat. It certainly is criminal to turn the onus of opsec into an externality by shifting it to the consumer or the retailer.
To add to that, credit card companies charge an "admin fee" to retailers for each chargeback. I wouldn't be surprised if they were making more money than they are losing from fraud.
Or maybe the simpler solution: you tell your cc company to give the marketplace the money; and not tell the marketplace info to take all the money from you, possibly later.
Idk if credit cards are something mainly used in the US but I've (from NL) have only used a bank card to date, you can set limits on in-store and online transfers and you can require the use of an e-dentifier (device that returns confirmation you have the bank card) for transfers over a certain amount
So what's the new format compared to the old? I've watched every video for a quite long time and I fail to see any difference, except for the removal of the intro that happened long time ago.
Interesting how cc numbers sell for as little as 15 cents, which happens to be pretty much the same amount Ticketmaster got fined - 13.3p x 9.4M victims. No wonder protecting personal data is such a low priority. The banks would have had to reissue 9.4M cards, include postage costs and that's an order of magnitude greater than the 'fine'...
There is another interesting similiar approach where you fake a Browser inside the Browser window to ask for login details. It even detects if you use chrome or safari and if its windows or mac for the designs. But this Checkout Popup is a wild one!
Every payment processor in the EU is required to have 3d secure enabled thanks to the DSP2 directive, same with India. This is really effective at countering carding, since it's a thing to make a purchase with a stolen credit card, but this becomes nearly impossible when the payment processor requires you to enter a personal code on your own phone before allowing the payment.
1. the actual french site is un-redacted for a frame or so in the video 2. changing just the last number for a credit card won't actually affect much, it's a check digit and can easily be fixed.
Thanks :) I would focus on making sure damage is minimised if you are caught in something like this, as they're sometimes impossible to spot. Sometimes millions of creds are scooped up before anyone realises.
5 time's in 9 months I have had to replace my debit card because of this. I have ALL kinds of security settings set up with my bank now. I get notices for everything even if it a$1.00 now. Fortunately , they have not profited from me yet. It is just very annoying to call all the people who are on prepaid payments for my responsibilities.
How do the hackers obtain the credit card information when almost all new browser have CORS disabled by default, which prevents data being send from a legitimate website to a fraudulent website?
how are the bad actors able to inject the malicious code? surely they cant be compromising the buyer's end they have to exploiting a vulnerability in the magento shopping cart software and the server?
They are, in fact, compromising the buyer's end for the most part. All they need is an entry point, which in one case was a compromised chat widget. From there, it's as simple as just editing the HTML markup to include their own checkout form. As long as they can load their own JS they can do whatever.
thank you for the heads-up! That's crazy. Do I understand correctly that there is no way to tell from a regular end-user's perspective? Would it help to always cancel the first payment gateway window that opens and click on the payment again, or not really?
If you check the Network section of Chrome's DevTools, you can get information on the domains your browser is connecting to, which might reveal a malicious domain. But from an end user perspective, it's often completely invisible.
@@Seytonic This sounds like something that might be better done using a web extension - you could detect payment modals and then when they are submitted, give people a heads up if the request is going to be sent to an unrecognised domain (ie not a major payment processor company, and not the website you're currently on). Obviously there's a big risk of false positives, so you wouldn't want to block it entirely, but having an "it looks like this payment request is going to [website address], do you want to allow it?" could be a great solution, since it's unlikely that bad actors bother buying legit seeming domains for payment processing. At the very least it'd increase the barrier to entry for the bad actors and make them have to spend more time and money to seem legit.
If this template had already been used alot so far a new one will appear soon You should make a vidoe as a update on the newer ones since that's probably what will be in circulation more since this 1st templete has been noted to be fake
@@Seytonic sure, i understand, but is injection coming unsecure cookies? On my site i give authorisation cookie token and small experience date and do prepare statement? Do i need to something more?
Plus high charge back rate means the vendor will be "higher risk" so they get screwed (usually based on % by volume) and sometimes can't find any processors to take them. Jerk move to small businesses
Thank you, the content is good but I honestly really dislike this format. The ratio of sponsors/length of video is insane, and when removing the intro you realize there is like 2 or 3min of actual content.
This sponsor spot is longer than I would like for this format - though I agreed on the spot before the format change, in the future it won't be as long. There is still 4:46 of content though :) I plan on putting these out on a more regular basis, so it will tally up to more content in general. Thanks for taking the time to leave some feedback :)
honestly wish the internet adopted crypto as standard payment, yes its got its faults and yes its a volatile market but the ability to create new wallets easily alone sets it way above credit cards but also you being the one that sends the money rather than them pulling the money through gives the buyer much more control.
Stuff lately I suppose feels "low-stakes".I guess I'm just another sensationalism seeking simpleton. I'm not unsubbing. Just noticed the last few vids didn't hit the spot like usual. Whatever the case, didn't mean to offend.
@@honeypotts5125 No offence taken, was just curious to know more. But yea, in fairness news has been a bit slow recently. Next one should be good though :)
countries need to learn from Iran, our banking system is way more secure, to start, no one can withdraw any money from your bank just by knowing your credit card information and anything about yourself..
Most Interesting about channels like this is they never offer real working solutions to these problems. These types of attacks are preventable and easily detected and stopped.Wondering why the working solutions are never presented 🤔
unless you regularly visit that french traveling site, how could you possibly even tell that that modal was fake and malicious? I *highly* doubt you click on terms of service to read them before checkout lol
@@Seytonic Lets say I did start to share. What would you do with the the Information 🤔 Where would it end up 🤔 Who would see it and Analyze it for more Vulnerabilities than can be exploited🤔 Playing Cat and Mouse Games with Cyber Security is a fools task that QUICKLY leads to new Threats on existing solutions. 😲 Without Knowing you I am confident in saying You are Well aware of that aspect. It is the same thing as asking a Bank for the Blueprints and security measures being used. Wonder if they would Share 🤔 😈👺☠
@@urbanws1234 you’re weird. I pray never to meet someone in IT like you or at least be able to fire them. Pathetic. Especially since CTI is a basic part of cybersecurity
Virtual credit cards just keep looking more and more like a compelling option...
This type of fraud may be reduced if more nations adopted Strong Customer Authentication as a legal requirement, for example, in the EU. It's similar to two factor authentication in that it doesn't matter if a hacker has your card details because a digital payment with the card can't be done without, say, an electronic id, a personal pin code, or a 2fa text message to the card's owner's phone.
You could argue that the hacker could simply create a fraudulent popup to force you to fill out the form, but the process always takes you to your bank's website, where you must complete the 2FA. Furthermore, the bank informs you of the destination of the payment as well as the amount of the transaction. Once the two-factor authentication is complete, you've only granted your card for that one specific transaction, for that one amount of money, and no others.
Or... you know.. cryptocurrency?
Bring security to ALL payments, and discard the global banking cartel in the process.
There is no card. You scan a QR code, and approve the payment from your wallet. Simple as that.
@@hydrochlor I'm in the EU. Now, in my country we rarely use creditcards. Services like iDeal which use a debit card and paypal are more popular here. Let's be honest, the US with their magnetic strip credit cards are way behind the curve.
@@hydrochlor I was suprised to find out that american cards don't have a one time pin for every transaction. Its common here in Africa, the pin can be generated thru hard token, sent to your phone or through bank app.
@@hydrochlor Barclays in the uk has had PinSentry for quite a while, its a multi purpose 2fa, but it's not used for card transactions 😂
Magecarts sabotaging one another is actually funny
For years i have been using a dedicated debit card for online stuff. I just transfer money from another account into it when i want to buy something. The rest of the time it only has about 10-20$ in it to cover things like icloud subscriptions etc.
Since day one, or back when the internet was revealed to be as vulnerable as it is in the nineties, credit card companies have done so little to make information transfer secure. Just watching this video, I thought of a security feature which would thwart this kind of attack. Depending on the average frequency of transactions, a cc company could essentially "ping" transactions at odd intervals and insure that the transaction is processed through the proper channels. But like all financial instruments, credit card companies are relieved of responsibility before anyone else. But keeping criminals fat and happy is probably what has kept the U.S. financial system afloat. It certainly is criminal to turn the onus of opsec into an externality by shifting it to the consumer or the retailer.
To add to that, credit card companies charge an "admin fee" to retailers for each chargeback. I wouldn't be surprised if they were making more money than they are losing from fraud.
Or maybe the simpler solution: you tell your cc company to give the marketplace the money; and not tell the marketplace info to take all the money from you, possibly later.
Idk if credit cards are something mainly used in the US but I've (from NL) have only used a bank card to date, you can set limits on in-store and online transfers and you can require the use of an e-dentifier (device that returns confirmation you have the bank card) for transfers over a certain amount
@@the_steamtrain1642 I think NL is a special case, I was so confused in Amsterdam when shops wouldn't accept my Visa Card 😂
Cool to see you experimenting with the new format 👍
Thanks : ) The plan is to have these out more regularly. Sorry the last couple weeks have been slow!
@@Seytonicthese videos are always great, I don’t mind the wait 👍
Its quite good
So what's the new format compared to the old? I've watched every video for a quite long time and I fail to see any difference, except for the removal of the intro that happened long time ago.
@@anteshell New format is a single topic as opposed to multiple topics in a single video
Interesting how cc numbers sell for as little as 15 cents, which happens to be pretty much the same amount Ticketmaster got fined - 13.3p x 9.4M victims.
No wonder protecting personal data is such a low priority. The banks would have had to reissue 9.4M cards, include postage costs and that's an order of magnitude greater than the 'fine'...
I love how they stabotage one another. It actually is helpful, and also funny.
There is another interesting similiar approach where you fake a Browser inside the Browser window to ask for login details. It even detects if you use chrome or safari and if its windows or mac for the designs. But this Checkout Popup is a wild one!
I've covered a few cases of that kind of trick. It's damn good, could see myself being caught out by it.
@@Seytonic the fake browser window is good, but you can still spot it but if a website gets hacked your debit card will go goop mode
Saw one with Microsoft login
2FA and 3D Secure are essential, but also nullify some claims.
There is no perfect solution when dealing with e-commerce fraud
Every payment processor in the EU is required to have 3d secure enabled thanks to the DSP2 directive, same with India. This is really effective at countering carding, since it's a thing to make a purchase with a stolen credit card, but this becomes nearly impossible when the payment processor requires you to enter a personal code on your own phone before allowing the payment.
@@dinred_ Right, but Fuck the EU.
1. the actual french site is un-redacted for a frame or so in the video
2. changing just the last number for a credit card won't actually affect much, it's a check digit and can easily be fixed.
Damn dude! Quality is getting too good! And voice overs are just on 🔥 fire!
Well, Mercadopago it's not a random payment processor, it's probably one of the biggest ones 😂
Hello, world!
I disagree
Hello, DJ Alex Parker!
@@penewoldahh goodbye pwa
GOTO 10
@@MeppyMan no
15£ admin fee for the bank for not spotting a fraudulent transaction on their multibillion pound computer
awsome vid mate. are u aware of any protections for this as a customer on these sites.
Thanks :) I would focus on making sure damage is minimised if you are caught in something like this, as they're sometimes impossible to spot. Sometimes millions of creds are scooped up before anyone realises.
5 time's in 9 months I have had to replace my debit card because of this.
I have ALL kinds of security settings set up with my bank now. I get notices for everything even if it a$1.00 now.
Fortunately , they have not profited from me yet. It is just very annoying to call all the people who are on prepaid payments for my responsibilities.
Finally video after long time ❤
Good info
How do the hackers obtain the credit card information when almost all new browser have CORS disabled by default, which prevents data being send from a legitimate website to a fraudulent website?
This sounds like the OG Zeus trojan
bring more videos like this
Willdo, thanks for watching :)
God damn it!
how are the bad actors able to inject the malicious code?
surely they cant be compromising the buyer's end they have to exploiting a vulnerability in the magento shopping cart software and the server?
They are, in fact, compromising the buyer's end for the most part. All they need is an entry point, which in one case was a compromised chat widget. From there, it's as simple as just editing the HTML markup to include their own checkout form. As long as they can load their own JS they can do whatever.
New vid Pog
Fr
How often do you guys look at you creditcard while having htop open?
I'm glad we barely use credit cards in the Netherlands
I can't believe payments without 2fa are still a thing in some places...
thank you for the heads-up! That's crazy. Do I understand correctly that there is no way to tell from a regular end-user's perspective?
Would it help to always cancel the first payment gateway window that opens and click on the payment again, or not really?
If you check the Network section of Chrome's DevTools, you can get information on the domains your browser is connecting to, which might reveal a malicious domain. But from an end user perspective, it's often completely invisible.
@@Seytonic Thank you for your reply and advice. That's scary.
@@Seytonic This sounds like something that might be better done using a web extension - you could detect payment modals and then when they are submitted, give people a heads up if the request is going to be sent to an unrecognised domain (ie not a major payment processor company, and not the website you're currently on). Obviously there's a big risk of false positives, so you wouldn't want to block it entirely, but having an "it looks like this payment request is going to [website address], do you want to allow it?" could be a great solution, since it's unlikely that bad actors bother buying legit seeming domains for payment processing. At the very least it'd increase the barrier to entry for the bad actors and make them have to spend more time and money to seem legit.
Maybe just put fake info in the first form.
I guess my bank card is now the safest payment method as it requires a pin from a table of stored pins, and also a pin verification sent to my phone.
Have you ever found anyone hacking into Amazon? I've not been on your channel long, so not sure.
Please bring back multi story videos
If this template had already been used alot so far a new one will appear soon
You should make a vidoe as a update on the newer ones since that's probably what will be in circulation more since this 1st templete has been noted to be fake
This is a youtube video. It cannot be updated to include the latest info when ever it pops up.
@@anteshell typed the wrong thing my grammar was a mess
@@ThatOneOddGuy No prob. Everyone makes mistakes once in a while. ;)
@@anteshell yeah man
Bro really just called the biggest South American e-commerce/payment platform "some random payment processor".
To a random French person, that's what it is.
I bet gpt mat he'd the css style for the modal in 3 seconds and generated all the common text
and thats why its better to just use stripe..
I think you should do more than one story because it feels so meah... or make more frequent videos
More frequent videos 💪 I appreciate the feedback :)
CANCELL myONLINE SHOPPING!😂😂
Can't steal my card info if I only use cash
Hahaha when i hear this it always makes me laugh 3:40
Well that’s the last time i don’t use paypal or something
finaly new video!!! thanks!!! 👏🇺🇸🇺🇸🇺🇦🇺🇦
Does anyone know how to make a drive by download website
YESSSSS
Still don't get it, how hackers injected there code
If you have access to the server you can modify the code running on the website, or add your own
@@Seytonic sure, i understand, but is injection coming unsecure cookies?
On my site i give authorisation cookie token and small experience date and do prepare statement? Do i need to something more?
💀
The thing i dont understand is... if they end up stealing your card details. Do they just buy stuff with it and send it to their house? Lol
Yup, many do. Police won't investigate crimes of small transactions.
Plus high charge back rate means the vendor will be "higher risk" so they get screwed (usually based on % by volume) and sometimes can't find any processors to take them. Jerk move to small businesses
All they did was rip the logo and the stylesheet of the original website 😂
Thank you, the content is good but I honestly really dislike this format. The ratio of sponsors/length of video is insane, and when removing the intro you realize there is like 2 or 3min of actual content.
This sponsor spot is longer than I would like for this format - though I agreed on the spot before the format change, in the future it won't be as long. There is still 4:46 of content though :) I plan on putting these out on a more regular basis, so it will tally up to more content in general. Thanks for taking the time to leave some feedback :)
@@Seytonic Thank you I appreciate the response :)
honestly wish the internet adopted crypto as standard payment, yes its got its faults and yes its a volatile market but the ability to create new wallets easily alone sets it way above credit cards but also you being the one that sends the money rather than them pulling the money through gives the buyer much more control.
fake rayban been up for times on facebook ur lacking now there is bitcoin campaigns mostly
I wonder how they bypass facebook is it once on check or every 1k hitts and scans ips for location etc
what if you made a malicious extension that would make a fake popup box, that you would enter your details into
What do you mean what if? You'd have made a malicious extension that you would enter your details into.
@@RokeJulianLockhart.s13ouq you could just disguise it as an adblocker or something
Idk what's different, but I like your videos a lot less these days...
Do elaborate if you can, was the topic not to your liking?
Stuff lately I suppose feels "low-stakes".I guess I'm just another sensationalism seeking simpleton. I'm not unsubbing. Just noticed the last few vids didn't hit the spot like usual. Whatever the case, didn't mean to offend.
@@honeypotts5125 No offence taken, was just curious to know more. But yea, in fairness news has been a bit slow recently. Next one should be good though :)
I hate 1 topic videos...
countries need to learn from Iran, our banking system is way more secure, to start, no one can withdraw any money from your bank just by knowing your credit card information and anything about yourself..
first
No
First
Most Interesting about channels like this is they never offer real working solutions to these problems. These types of attacks are preventable and easily detected and stopped.Wondering why the working solutions are never presented 🤔
I’m not aware of an easy catch all solution to this problem, please share
unless you regularly visit that french traveling site, how could you possibly even tell that that modal was fake and malicious? I *highly* doubt you click on terms of service to read them before checkout lol
@@Seytonic Lets say I did start to share. What would you do with the the Information 🤔 Where would it end up 🤔 Who would see it and Analyze it for more Vulnerabilities than can be exploited🤔 Playing Cat and Mouse Games with Cyber Security is a fools task that QUICKLY leads to new Threats on existing solutions. 😲 Without Knowing you I am confident in saying You are Well aware of that aspect.
It is the same thing as asking a Bank for the Blueprints and security measures being used. Wonder if they would Share 🤔
😈👺☠
@@urbanws1234 you’re weird. I pray never to meet someone in IT like you or at least be able to fire them.
Pathetic. Especially since CTI is a basic part of cybersecurity