Japan's Credit Card Fraud DebacleFraudsters Received 20 Percent Cash Back for Fraudulent Purchases
Do the stars sometimes perfectly align for credit card fraudsters? Late last year in Japan, that's exactly what happened due to two events that opened a huge opportunity for abuse.
The curious situation involves PayPay, a third-party payments app launched in June 2018. Pay Pay enables registered users to pay for items from their mobile phone by presenting a QR code, which is then scanned by a retailer in a bricks-and-mortar store. PayPay is a joint venture between Softbank and Yahoo Japan.
In December 2018, PayPay launched a generous promotion giving users 20 percent back of the purchase price for an item. It was extremely popular. The promotion was planned to run through the end of March, backed by a hefty 10 billion yen ($90 million).
Funds ran out on Dec. 14, just 10 days later. Parallel with the promotional window, PayPay started receiving complaints of payment card fraud, sometimes from users who never even signed up for the service. That's known as card-not-present fraud, where stolen card details are replayed for unauthorized transactions.
Spike in Stolen Cards
Unfortunately for PayPay, its promotion coincided with a sharp spike in stolen Japanese payment card numbers on the black market, says Stas Alforov, director of research and development with Gemini Advisory, a New York-based consultancy that specializes in monitoring underground hacking forums for stolen payment card data.
On average, only about 2,900 Japanese payment card numbers per month show up for sale on "carding" websites, where stolen card data is sold, Alforov says. What fraudsters are peddling are names, 16-digit card numbers, expiration dates and CVV codes - the three digits on the reverse of a card by the signature block.
For unknown reasons, the number of Japanese payment card numbers for sale began to rise in November to around 8,000, Alforov says. Then over the course of December, some 57,000 records flooded into carding websites.
It's tough to use stolen card data in Japan due to good security, Alforov says. Japan only sees small amounts of fraud compared to South Korea and China. Typically, cybercriminals try to use stolen Japanese card data on e-commerce sites in Europe and North America because retailers there are less likely to flag the transactions, he says.
But PayPay suddenly emerged as a juicy domestic target. It was later revealed that PayPay neglected to put in key security controls that would have slowed down card-not-present fraud. After PayPay launched its 20 percent back promotion, people who had not signed up for the service - as well as those who had - began complaining of fraud on their cards.
Fraudsters had registered PayPay accounts with other people's cards, then went into stores to make purchases. To use the PayPay app, a user enters the price of an item. The app generates a QR code that is scanned by the retailer. Because there's no card, there's no PIN that has to be entered, nor any other sort of ID check.
"You don't have to worry about having a chip transaction or cloning a chip card," Alforov says. "You're truly just uploading that CNP [card-not-present] record into your PayPay app, you're showing up to a store, you're letting them scan a barcode off your phone and you have made a purchase. There's no real verification."
Cashback for Fraud
To make the situation all the more onerous, fraudsters also received 20 percent of the purchase price back.
Alforov says it's difficult to say whether the PayPay hole discovered by fraudsters caused the subsequent flood of records onto the black markets. But Gemini concludes in its blog post on the incident that the two events are likely related.
As a result of the fraud, PayPay put in a set of new controls, including requiring that those who want higher spending limits authenticate the card using 3D Secure. 3D Secure, which is run by the card brands, asks cardholders to enter a password or PIN to provide more assurance they're the authorized user.
"You're truly just uploading that CNP [card-not-present] record into your PayPay app, you're showing up to a store, you're letting them scan a barcode off your phone and you have made a purchase. There's no real verification."
—Stas Alforov, Gemini Advisory
PayPay also began requiring identity documents, such as a driver's license or passport, to qualify for a higher transaction limit. It also put in place rate limiting for the entry of card details, another key control it failed to have the first time around.
It's unclear who was behind the fraud, Alforov said. But it likely involved groups that were able to have people on the ground in Japan, because the actual fraud had to be carried out in person in a store.
Alforov says Gemini has forwarded its findings about the card data to the Japan Cybercrime Control Center, an agency established in 2014.
PayPay appears confident that its security measures will prevent fraud. On Tuesday, it launched yet another cashback campaign, again worth $90 million. The campaign is scheduled to run through May 31, according to the Japan Times.