3D Secure Passwords for Recharging Mobile Airtime

Phishers are known for developing different strategies with the motive of duping users into believing that the phishing site is authentic and secure. Phishing sites are now seen asking for a 3D secure number.

What is 3D secure?

A 3D secure number is a password that is only known to the bank and the buyer. In other words, during an online transaction, the merchant in question does not know this number. This number is essentially an additional password given separately to card holders specifically for the safety of online transactions.

Many online transactions typically involve the use of credit/debit card numbers and the number on the back of the card. If anyone happens to see the card and copies or writes down these numbers found on the card, the card holder would be at risk of having his or her money stolen in online transactions. The use of a 3D secure password prevents such a risk, as it is a number not present anywhere on the card. The fact that the card numbers are entered by the owner of the card helps in authenticating.

A 3D secure number reduces the risk in a situation where the card numbers are copied by other people. However, if the 3D secure number itself is given away by the user to a phishing site, the user’s money would still be at risk. Phishers are well aware of this and so prompt users to enter their 3D secure number along with other card details in phishing sites.

Recently, one such example was observed where the phishing site prompted the user for credit card details and their 3D secure number for an online transaction. The bait was mobile phone airtime purchased online. The phishing site targeted customers in Turkey and the phishing pages were in Turkish. Also, the credit card details requested were of banks based in Turkey. The required information was the mobile phone number, amount of mobile phone airtime to be recharged, name of the bank, card holder’s name, credit card number, expiration date, CVV, and 3D secure password. To increase the appeal, the phishing page offered customers of two particular banks  gifts worth $10 for every $20 purchased. Upon entering the information, the user was redirected to a page on the phishing site that asked for more user information.

The information asked in the second phishing page consisted of mother’s maiden name, card holder’s date of birth, customer or account number and password. The phishing page claimed that upon clicking the button at the bottom of the page, a password would be sent as an SMS to the user’s mobile phone. The user was warned that if incomplete information was entered, the operation would be disapproved, leading to the failure of the transaction. Below this button was a message stating that 3D secure card purchases are safe for online transactions and high encryption system provides protection against unauthorized use. This statement was obviously displayed to gain the user’s confidence.

The third page of the phishing site asks for the password previously claimed to have been sent to the user by SMS. The phishing page also notifies the user that the SMS may take one to five minutes to reach the user and requests that the page not be closed. Of course, this is just a ploy and the user wouldn’t have actually receive any password.

The phishing URL used IP domains (for example, domains like The phishing site was hosted on servers based in Orlando, USA.

Internet users are advised to follow best practices to avoid phishing attacks, such as:

•    Do not click on suspicious links in email messages.   

•    Avoid providing any personal information when answering an email.

•    Never enter personal information in a pop-up screen.

•    Frequently update your security software, such as Norton Internet Security 2011, which protects you from online phishing.


Thanks to the co-author of the blog, Avdhoot Patil.