Carding 05 DECLINED: Device fingerprinting, machine learning, heuristic early warning, and the future of CNP carding PART 1



crisiswhatcrisis



So you thought your shit was swass af, with your regional or target-local RDP and your paid VPN connection and SOCKS5 proxies (rarely) configured correctly, or if you're a maverick because you went to DEFCON once or twice you're using Tor. Safe, right? Smooth sailing like every time, browse a little while on a site, change your user agent, browse some more, add some stupid petty shit to the cart once or twice, and you're getting ready for the victory lap to the checkout line. Everything looks good, and it looks like this mark's about to meet your hot-off-the-marketplace CVV for a little CNP with a side of bifurcated billing/shipping sauce on top.

.... A little bit of copypasta here, some JQueryUI datepicker there... Everything looks good... Check the billing and the shipping addresses aren't too far apart... Yeah, the CVV you bought has the phone number... Sweet. Slap that sucker into the box, cross your fingers and hold onto your nuts cuz we're gonna CLICK... THAT... BUY BUTTON! *click*

05 DECLINED
"We're sorry, please contact your bank for more information. Otherwise, please choose another form of payment."

Shit. What did I miss? Quick re-check shows nothing out of place on the form... You didn't use the marketplace checker when you bought it, so the issuer shouldn't be tripping out about the random USD $1.00 pre-authorization and immediate release from some weird Ukraine or Latvia-based webstore whose merchant account got hacked... Hm. Answer hazy, try again!

Fresh CVV, same locale, drop line A into box B... Double check, yup... yup... Click the Accept Terms checkbox... Finally, let's CLICK... THAT... BUTTON!!! *click*


05 DECLINED
"We're sorry, please contact your bank for more information. Otherwise, please choose another form of payment."

SHIT! WHAT THE FUCK IS GOING ON? How many CVVs will you burn through, each new fresh CVV gets burned the same way. What the fuck is happening? Change browsers, clear cookies, re-route your VPN shit via the Moon and slingshot it out and back from Mars... Re-try another CVV, same thing. DECLINED.

Well bro, chances are a few things may be true about your operation and environment in which you've been conducting yourself. Enter the world of "device fingerprinting", which is just as strange as it sounds. Just like some of us have been gifted a surprise makeover complete with new jewelry, clothes, and even our own glamour photo shoot, your workstation has just been made VISA-famous! In fact, you might as well call the Internet 'Cheers', cause everyone out there will know your name! Not literally, yet - but if the honchos in charge get their way some day it might be so.


Just like the fingerprints on our hands are unique to each individual, a digital device fingerprint is unique to the machine it was generated for, and is most commonly derived by client-side JavaScript running on a payment gateway checkout page. It is generated by the hashing of sub-millisecond audio samples and a varied mixture of environmental variables visible to the DOM, including viewport and window size, texel/sprite display generation timing, and other silly bitwise metrics. I have seen implementations that have a Flash script hook that allows it to jump through the Flash player's viewspace and greedily lick at the unprivileged variable stack that Flash uses to control itself in properly behaved ways and grab the CPUID or other physical machine metrics used in derivation of the fingerprint data.

Back in the old days, when payment gateways were great lawless glory holes in the walls of Heaven, it didn't matter what you were browsing and buying with. Hell, remember the short-lived technorati fetish-box the MSN Companion, or other set-top 'WebTV' machines? Yep. Smooth as silk - not even any chips yet to fuck us up right? Ahh... Those were some heady days of youth. Every month new pairs of Jordans hit my feet, maybe the same with you, but not anymore. Every click you take, they'll be watching you.

Since the fingerprinting algorithm uses physical properties of the environment, it can query the DOM and the operation of the JS engine/vm reliably and reproduce the same hash repeatedly. This means that there is nothing you can do, except radically change hardware (think CPU, sound card, graphics card - a major overhaul) and it would please the powers that be nothing more than to have us rotate through hardware like they tip wine glasses, essentially waging a war of attrition.

TL;DR: What does all of that shit have to do with the Carding Army? Everyfuckingthing, sweetheart. Those of you that have a single operating environment on a machine, those of you who use burner phones and burner SIM cards, and anybody that just doesn't give a fuck and want free pizza delivery, you already have been or will be at some point facing this technique as an adversary in pursuit of that new pair of AF1's at the expense of some old lady in Idaho. VISA, Mastercard, and American Express have all rolled out device fingerprinting around the same time as 3D Secure systems came online. These methodologies have the endorsement of the major merchant processors like Authorize.net, National, Square, et cetera, and the majority of those not only use it on their side of the transaction to prevent further loss (as in early warning systems that provide data to the merchant requesting the authorization) or incorporate it into their development APIs and hook into JS routines on the payment date page that deliver the needed analysis data as a blob in the POST data - OR - several turnkey shopping carts have plugins that hook the needed data.


Coming up in Part II: 3D Secure (VBV/AC/SK), Merchant-side fingerprinting vs. Gateway/Interchange fingerprinting, and how AI/ML-derived heuristics data is used in early warning - STAY TUNED!
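
Why the repeated declines described in the post follow the device rather than the card or the network path: the following is an added example, not part of the original post, of a gateway-side velocity rule keyed on the device fingerprint delivered with each authorization request. The log records, field layout, window and threshold are constructed assumptions, not any processor's real values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization log, none of it real:
# (timestamp, device fingerprint, source IP, tokenized card, response code)
ATTEMPTS = [
    ("2024-01-01T12:00:05", "fp_a1", "198.51.100.7", "card_01", "05"),
    ("2024-01-01T12:03:40", "fp_a1", "203.0.113.20", "card_02", "05"),
    ("2024-01-01T12:06:12", "fp_a1", "192.0.2.55",   "card_03", "05"),
    ("2024-01-01T12:07:00", "fp_b2", "198.51.100.7", "card_04", "00"),
    ("2024-01-01T15:30:00", "fp_b2", "198.51.100.7", "card_04", "00"),
    ("2024-01-01T12:08:30", "fp_c3", "203.0.113.99", "card_05", "05"),
    ("2024-01-01T18:45:00", "fp_c3", "203.0.113.99", "card_06", "00"),
]

WINDOW = timedelta(minutes=15)  # assumed look-back window
MAX_CARDS = 3                   # assumed threshold: distinct cards per device


def flag_devices(attempts, window=WINDOW, max_cards=MAX_CARDS):
    """Return {fingerprint: {"cards": n, "ips": n}} for every device that
    presented at least max_cards distinct cards inside one sliding window.
    The source IP is counted but never used as the grouping key."""
    by_device = defaultdict(list)
    for ts, fp, ip, card, _code in attempts:
        by_device[fp].append((datetime.fromisoformat(ts), ip, card))

    flagged = {}
    for fp, events in by_device.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the left edge until the span fits inside the window.
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            cards = {card for _, _, card in span}
            if len(cards) >= max_cards:
                ips = {ip for _, ip, _ in span}
                flagged[fp] = {"cards": len(cards), "ips": len(ips)}
                break
    return flagged


if __name__ == "__main__":
    for fp, info in flag_devices(ATTEMPTS).items():
        print(f"{fp}: {info['cards']} cards via {info['ips']} IPs within {WINDOW}")
```

A shared terminal server presents one fingerprint for many legitimate users, so a production rule would weigh this signal alongside others rather than decline on it alone.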
 
so...it doesn't matter if I keep rotating rdp's? since you said it's hardware based?
 

crisiswhatcrisis

so...it doesn't matter if I keep rotating rdp's? since you said it's hardware based?

Well, in a perfect world you would have to ensure you rotate actual hardware underlying the RDP session. This means you would have to ensure you are connecting to a wholly different system each time you open a session, but in practice this is mainly made difficult by the nature of RDP vendors - either they have one or two physical boxes that are used as TS servers, in which case you have the same physical hardware (and same fingerprint) even if sessions are different users, networks, et cetera - or, you are using RDP to connect to compromised desktops, which in this case may be better than the first option, for many reasons… But the latter scenario is getting to be rarer and rarer to find, outside of some specific scenarios.

Remember that the fingerprinting is based on the “noise” generated by the GPU as it renders the predetermined sequence of polygons - it’s elegant, if not brute.
 

yangchao



Thank you
 