Privacy Ninja
Hackers Share Methods To Bypass 3D Secure For Payment Cards

Cybercriminals are constantly exploring and documenting new ways to go around the 3D Secure (3DS) protocol used for authorizing online card transactions.

Discussions on underground forums offer advice on how to bypass the latest variant of the security feature by combining social engineering with phishing attacks.

Individuals on multiple dark-web forums are sharing their knowledge on making fraudulent purchases on shops that implemented 3DS to protect customer transactions.

3DS adds a layer of security for online purchases using credit or debit cards. It requires direct confirmation from the card owner to authorize a payment.

The feature evolved from the first version where the bank asked the user for a code or a static password to approve the transaction. In the second version (3DS 2), designed for smartphones, users can confirm their purchase by authenticating in their banking app using their biometric data (fingerprint, face recognition).

Despite the advanced security features that 3DS 2 provides, the first version is still widely deployed, giving cybercriminals a chance to use their social engineering skills and trick users into giving the code or password to approve the transaction.

Social engineering gets the 3DS code

In a blog post today, analysts at threat intelligence company Gemini Advisory share some of the methods cybercriminals discuss on dark-web forums to make fraudulent purchases at online stores that implemented 3DS.

It all starts with full cardholder information, which includes at least the name, phone number, email address, physical address, mother’s maiden name, ID number, and driver’s license number.

Cybercriminals use these details to impersonate a bank employee calling the customer to confirm their identity. By offering some personally identifiable information, they gain the victim’s trust and request their password or code to complete the process.

The same tactic could also work against later 3DS variants, allowing purchases to be made in real time. A hacker described the method in a post on a top-tier underground forum.

Using full cardholder details, a voice changer, and a phone number spoofing app, the fraudster can initiate a purchase at a site and then call the victim to elicit the needed information.

“In the final step, the hacker advises the victim that they will receive a confirmation code for final identity verification, at which point the cybercriminal should place the order at the shop; when prompted to enter the verification code that was sent to the victim’s phone, the fraudster should retrieve that code from the victim.” (Gemini Advisory)

Getting the 3DS code is possible through other means, like phishing and injects. When the victim makes a purchase on the phishing site, the criminals pass all the details to the legitimate store to get their product.

According to Gemini Advisory’s findings, some cybercriminals also add stolen credit card data to a PayPal account and use it as a payment method.

Another method is classic and involves compromising a victim’s phone with malware that can intercept the security code and pass it to the fraudster.

Alternatively, many stores do not ask for the 3DS code when transactions are below a certain limit, allowing fraudsters to get away with making multiple smaller purchases.
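The low-value exemption described above is a merchant-side decision, so it can be paired with a per-card velocity rule that steps a purchase up to a challenge when too many sub-limit purchases accumulate. The following is an added illustration written for this page, not code from Gemini Advisory or the article; the limit, window and counts are assumed values and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical merchant policy; values assumed for this example, not from the article.
FRICTIONLESS_LIMIT = 30.00                 # at or below this amount the 3DS challenge is skipped
WINDOW = timedelta(hours=24)               # per-card look-back window
MAX_UNCHALLENGED = 3                       # sub-limit purchases allowed per card per window
CUMULATIVE_LIMIT = 2 * FRICTIONLESS_LIMIT  # or until their total exceeds this

def parse_line(line):
    """Parse one constructed log line of the form '<iso-time> <card_token> <amount>'."""
    ts, card, amount = line.split()
    return {"ts": datetime.fromisoformat(ts), "card": card, "amount": float(amount)}

def requires_challenge(history, txn):
    """True if txn must be stepped up to a 3DS challenge. history = earlier
    sub-limit purchases on this card that passed without a challenge."""
    if txn["amount"] > FRICTIONLESS_LIMIT:      # above the limit: always challenge
        return True
    recent = [h for h in history if txn["ts"] - h["ts"] <= WINDOW]
    if len(recent) >= MAX_UNCHALLENGED:         # too many small buys in the window
        return True
    # too much money moved in small pieces: the gap a split order relies on
    return sum(h["amount"] for h in recent) + txn["amount"] > CUMULATIVE_LIMIT

def evaluate_log(lines):
    """Replay a transaction log in order; return {line_index: challenged}."""
    unchallenged = defaultdict(list)  # card -> sub-limit purchases that went frictionless
    decisions = {}
    for i, line in enumerate(lines):
        txn = parse_line(line)
        challenged = requires_challenge(unchallenged[txn["card"]], txn)
        decisions[i] = challenged
        if not challenged:
            unchallenged[txn["card"]].append(txn)
    return decisions

# Constructed sample: cardA splits an order by amount, cardC by count, cardB shops normally.
SAMPLE_LOG = [
    "2021-03-01T10:00:00 cardA 25.00",
    "2021-03-01T10:02:00 cardA 25.00",
    "2021-03-01T10:03:00 cardA 25.00",   # running total 75 > 60: challenge
    "2021-03-01T12:00:00 cardB 20.00",
    "2021-03-01T12:30:00 cardB 120.00",  # above the limit: challenge
    "2021-03-02T09:00:00 cardC 10.00",
    "2021-03-02T09:01:00 cardC 10.00",
    "2021-03-02T09:02:00 cardC 10.00",
    "2021-03-02T09:03:00 cardC 10.00",   # fourth sub-limit buy in 24h: challenge
    "2021-03-03T10:00:00 cardA 25.00",   # earlier buys now outside the window: frictionless
]
```

Calling `evaluate_log(SAMPLE_LOG)` shows which entries would be stepped up; only purchases that passed frictionless count towards the next decision, so a challenged purchase does not inflate the card's history.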

Most of these techniques work where earlier versions of 3DS are present, and 3DS 2 is still a long way from being widely adopted. Europe is leading the transition to the more secure standard (the PSD2 regulation’s strong customer authentication requirement can be fulfilled with 3DS 2), while in the U.S. the fraud liability protection for merchants using 3DS 1 expires on October 17, 2021.

However, Gemini Advisory believes that cybercriminals will also take a stab at the more secure 3DS 2 through social engineering.
