Decryption card is fraudulent: online payment of money-laundering, extremely difficult for a consumer to recover-bank cards, fraudulent online paying-IT information

Has always been regarded as "black industrial chain" card is fraudulent, are now near-walking in the Sun.

"Stolen brush of people in various channel public selling steal of bank card information, then got bank card of people through game points card, and phone recharge card, and attractions tickets, and tickets, various channel put Cary of money wash go," from Beijing, and was stolen brush has near million yuan of Zhang Mr told reporter, " was stolen brush of victims, to caution to in Bank, and paid platform, and businesses platform Zhijian communication, and negotiations, is always worried himself of money or back . ”

In July 2016, a bank card was fraudulent. Materials issued by the ICBC show that the card by YeePay's payment channels, where consumption nearly 4000 Yuan, ctrip consumption of about 5000, tickets, in addition to buying 300 yuan prepaid recharge cards. Among them, only 2000 transaction is blocked, other transactions are complete consumption, and more difficult to recover. According to third party platform 21CN poly the complaints statistics, March 2015 to March 2016, poly-complaint platforms has received 17,000 complaints involving fraudulent complaints total 1046, ratio of total complaints over 6%. Poly-complaint platforms Chief Editor Pan Jun珺 told reporters: "every day, added a lot of fraudulent complaints grew more and more quickly. ”

Huge industrial chain of fraudulent

Fraudulent bank cards that keep the huge industrial chain.

In QQ groups retrieved "CVV", you can get 3,651 QQ Group. Among them, the large group of more than 60 thousand people, more than 500 people QQ Group of more than 200, and to maintain a high level of activity. In addition, the CVV groups more than 800 of the more than 100 people. Almost every group of notes in the introduction to "CVV, wash four channels, banks, block" fraudulent industries such as the common language .

CVV refers to the credit card security code. A system of card number, date, the credit card CVV full info in the industry known as "materials", "materials" category including credit cards, bank cards, payment card, micro-purse, and most have bank cards, identity cards, mobile numbers, passwords and other critical information.

"" Diversity of sources, 360 heads of network attack and defense laboratories William Lim told reporters: "many online platforms or the paying agent will store the user's bank card basic information, but the security mechanisms are generally vulnerable, once information leaks, comes out a lot of complete user information. "In addition, Telecom fraud, cell phone Trojan also creates a lot of disclosure of credit card information, while many bank cards with Flash function, can also be in close contact with the specific terminal to read the user information.

Some balances, text message interception, password "information" being sold. And a few are out of date or the balance of the "information", is in Excel form to the group file, journalists through such information in a file attempts to contact parties, marked by bank cards, identity cards, home address, occupation, phone number, name, right, who do not know that their information had been leaked.

Sell high quality "materials", "materials" 30%-50% can get the balance. Of course, there are "material" according to the balance of 1% per cent, the proportion of costs.

The remaining amount, then went to "wash" the hands. Traditional transfer, withdrawal, POS machines stolen brushes because regulators in the form of a long strike and increasingly expensive, the vast majority of "washing" go home a variety of third-party payment platforms will get bank cards stolen goods.

"Domestic various chaos of paid channel lack effective security regulatory, more or less are exists some risk control Shang of vulnerability," Cheetah mobile security experts tiejun for example told reporter, "to we last year followed up of a ' wash material channel ' case for cases, Beijing a third party platform of paid channel was black produced groups using, short number months of time within injured user up to thousands of people, loss amount from dozens of to tens of thousands of ranging. "From victims to trace consumer records, cash flow including the purchase of play money and lottery tickets, recharge, air tickets and other" wash "method, some credit cards also were found by consumption abroad get funding.

In many QQ groups, may have some business bulk charge cards, prepaid cards, tickets, hotels, air tickets and other products, and "wash" people buy such products through third party platforms, based on 50 percent-70 percent sold to tenants and occupiers of commercial properties to be sold at slightly less than formal channels to the end consumer.

While links may seem cumbersome, but are actually "washes" people buy products to almost reach the final consumers of the product are achieved in a very short time, and publicly available information from the QQ Group, by default all the links to complete loot time within 25 minutes to 2 hours .

Difficult to pay

"This fraudulent channels, small, hot and hard to recover the amount. "Poly-complaint platforms Chief Editor Pan Jun珺 told reporters that the complaints on the platform, the single largest consumer is buying a TV. But most of them are fraudulent user accounts within a short time in the Bank gateway, fast payments, third party payment platforms, and multiple transactions across multiple e-commerce platform.

In Hubei financial industry work of he ladies of ICBC card in March 2016 was stolen brush 45,000 yuan, consumption records displayed, the account through EZ pod paid, and fast money paid, and Lacarra, and Beijing East network silver online, 13 a third party paid platform produced has 78 pen consumption, "which maximum of consumption from Beijing East platform, to each minutes 3 pen of speed, in Beijing East continuous brush has 48 pen 490 Yuan of game currency", he ladies told Reporter: "find each a a channel complaints, They all say it is fraudulent due to reasons of your own, the platform does not pay. "Obviously, YeePay agreed to pay 50%, but request the he committed" without exposure to the media and complaints "and other conditions, was rejected by the Royal ladies.

After public complaints process, he hopes Beijing East provide transaction information, but East to "protect business privacy" to refuse, and request the Royal Police investigation. "However, the amount of 50,000, alarming even get reported material for that, not to mention economic investigation, cross province investigation", he told reporters. At present, the Royal ladies fraudulent have recovered, there is a Bank promises to pay the 9000 Yuan has yet to arrive. "But I still don't know my card is in exactly which businesses to brush off. ”

Such cases abound, mentioned earlier told reporters: "at present, there are very many QQ Group on bank cards stolen rights, many thousands of people, leaving dozens of people. ”

However, the vast majority of human rights, and has failed to recover fraudulent. The poly-complaint platforms, 2015-2016-1046 complaints, only 332 resolved, complaint resolution is 30%.

In fact, the networks of the non-bank institutions according to the rules of the payment services regulations article 19th: the paying agent shall establish and improve the risk reserve pay system and trading system, and can not prove effective for customers causes loss of funds and timely full payment in advance, guarantees the customer the legitimate rights and interests .

According to ants ' gold service provides information, Ant accounts, identities, transactions, and served King behavior, relationships, facilities, location, preferences, risk scan 8 dimensions to identify and block many fraudulent behavior. "Currently, Ant capital loss rate of one out of 10,000 Gold suit, Paypal credit loss rate of about 2 per thousand, is 200 times times. ”

However, different institutions risk-control mechanism. Journalist test on the East Beijing, ctrip, the same credit card, in Beijing, United States two different IP addresses Terminal login, consumption, but without any need for additional verification link.

At present, the domestic third party payment license up to 270. Second half of 2015 to early 2016, including Chang bought three paying agencies, which diverted customers reserve licence was cancelled by the Central Bank of China to pay. On July 25, China's Central Bank announced on outstanding businesses real-name system, altering bank card transactions, outsourcing services and standardized communications pay business-two third party payment companies and China UnionPay 11.1 million Yuan and 26.537 million Yuan fine.

However, just started the reorganization and not straight away. According to gather complaints platform statistics, March 2016-July, 915 new fraudulent complaints, 5 months of growth, close to all of 2015-2016 complaints.

解密银行卡盗刷：线上支付洗钱，消费者极难追回 - 银行卡,盗刷,线上支付 - IT资讯

一直被视为“黑色产业链”的银行卡盗刷，如今已近乎行走在阳光下。

“盗刷的人在各种渠道公开叫卖盗取的银行卡信息，然后拿到银行卡的人通过游戏点卡、手机充值卡、景点门票、机票等各种渠道把卡里的钱洗走，”来自北京、被盗刷了近万元的张先生告诉记者，“被盗刷的受害者，要小心谨慎地在银行、支付平台、商家平台之间沟通、交涉，却始终担心自己的钱要不回来。”

2016年7月，张先生工商银行卡被盗刷。经工行出具材料证明，该卡通过易宝支付的支付渠道，先后在去哪儿消费接近4000元、在携程消费约5000元，均为景区门票，此外尚购买了300元话费充值卡。其中，仅2000元交易被拦截，其余交易均已完成消费，且难以追回。根据第三方投诉平台21CN聚投诉统计，2015年3月至2016年3月，聚投诉平台共接到1.7万件投诉，其中涉及盗刷的投诉共1046件，占总投诉比值超过6%。聚投诉平台主编潘俊珺告诉记者：“每天，都会新增很多盗刷投诉，增速也越来越快。”

庞大的盗刷产业链

盗刷银行卡，滋润着庞大的产业链。

在QQ群中检索“CVV”，可以得到3651个QQ群。其中，千人规模以上的群超过60个，500人以上的QQ群超过200个，且均保持极高的活跃度。此外，100人以上的CVV群则超过800个。几乎每个群的简介中都备注着“CVV、洗料通道、银行四大件、拦截”等盗刷产业中的常用语。

CVV是指信用卡安全码。一个包含卡号、日期、CVV完整信息的信用卡在这个行业称为“料”，“料”的种类包括各国信用卡、各行银行卡、支付宝、微信钱包，且大多具备银行卡、身份证、手机号、密码等关键信息。

“料”的来源多种多样，360网络攻防实验室负责人林伟告诉记者：“国内很多线上平台或者支付机构都存储用户银行卡的基本信息，但安全机制却普遍存在漏洞，一旦发生信息泄露，就会流出大量完整的用户信息。”除此之外，电信诈骗、手机木马也造成大量银行卡信息的泄露，而目前很多带有闪付功能的银行卡，也可以在近距离接触的情况下通过特定终端读取用户信息。

一些具备余额、短信拦截、密码的“料”被不断叫卖。而少数已经过时或者没有余额的“料”，被以excel的形式上传到群文件中，记者通过此类文件中信息尝试联系当事人，所标注的银行卡、身份证、家庭住址、职业、手机号、姓名基本完全正确，而当事人却不知道自己信息已经泄露。

出售优质“料”，“料”主可以拿到卡内余额的30%-50%。当然，也有“料”主按照余额1%左右的比例收取费用。

剩余金额，则流入了各种“洗料”人的手中。传统的转账、提现、POS机盗刷等形式因为监管机构长期打击而成本越来越高，绝大多数“洗料”人会通过国内多种第三方支付平台将到手的银行卡销赃。

“国内各类混乱的支付渠道缺乏有效安全监管，或多或少都存在一些风险控制上的漏洞，”猎豹移动安全专家李铁军举例告诉记者，“以我们去年跟进的一个‘洗料通道’案件为例，北京某第三方平台的支付渠道被黑产团伙利用，短短数月的时间内受害用户多达数千人，损失金额从几十到数万不等。”从受害用户追查的消费记录来看，资金流包括购买游戏币、彩票、话费充值、机票门票等多种“洗料”方法，有些信用卡还被发现通过境外消费划走资金。

在诸多QQ群中，随时会有一些商户批量收点卡、充值卡、门票、酒店、机票等产品，而“洗料”人则通过第三方平台购买此类产品，以5-7折的价格出售给商户，而商户则以略低于正规渠道的价格出售给最终消费者。

虽然环节看似繁琐，但事实上从“洗料”人购买产品到该产品到达最终消费者手中几乎都在极短的时间内实现，而从各QQ群中公开信息可见，行业默认所有环节完成分赃的时间基本在25分钟到2个小时之内。

艰难赔付

“这种盗刷渠道，金额小、销赃快、难追回。”聚投诉平台主编潘俊珺告诉记者，在投诉平台上，单笔最大的消费也就是购买一台电视。但大多被盗刷用户的账户都是短时间内在银行网关、快捷支付、第三方支付平台上、在多个电商平台上产生多次交易。

在湖北金融行业工作的贺女士的工商银行卡在2016年3月被盗刷4.5万元，消费记录显示，该账号通过易宝支付、快钱支付、拉卡拉、京东网银在线等十三个第三方支付平台产生了78笔消费，“其中最大的消费来自京东平台，以每分钟3笔的速度，在京东连续刷了48笔490元的游戏币”，贺女士告诉记者：“找每一个渠道投诉，他们一开始都说这是因为你自己的原因造成的盗刷，平台不赔付。”其中，易宝支付同意赔付50%，但要求贺女士承诺“不向媒体曝光、不投诉”等条件，遭到贺女士拒绝。

在之后公开投诉的过程中，贺女士希望京东提供交易商家信息，但被京东以“保护商家隐私”为由拒绝，并要求贺女士报警立案调查。“不过，5万的金额，报警连报案材料都拿不到，更不用说到经侦、跨省调查了”，贺女士告诉记者。目前，贺女士盗刷款基本已经追回，尚有一笔工商银行答应赔付的9000元尚未到账。“但我仍然不知道我的卡是在具体哪些商家刷掉的。”

此类案例不胜枚举，前文所述张先生告诉记者：“目前，国内有非常多的关于银行卡被盗维权的QQ群，多则上千人，少则几十人。”

不过，绝大多数人维权不利，并未能追回盗刷款。在聚投诉平台上，2015-2016年度的1046件投诉中，仅332件得到解决，投诉解决率30%。

事实上，根据中国人民银行制定的《非银行支付机构网络支付业务管理办法》第十九条规定：支付机构应当建立健全风险准备金制度和交易赔付制度，并对不能有效证明因客户原因导致的资金损失及时先行全额赔付，保障客户合法权益。

根据蚂蚁金服提供信息，蚂蚁金服会通过账户、身份、交易、行为、关系、设备、位置、偏好8个维度进行风险扫描，识别并拦截大量盗刷行为。“目前，蚂蚁金服的资损率为十万分之一，Paypal的资损率约千分之二，是我们的200倍。”

不过，不同机构的风控机制不同。记者在京东、携程上测试，同一张信用卡，在北京、美国两个IP地址的不同终端登录，产生消费，却没有出现任何需要额外验证的环节。

目前，国内第三方支付牌照接近270张。2015年下半年至2016年初，包括畅购支付在内的三家支付机构因为挪用客户储备金被中国中央银行注销支付牌照。7月25日，中国中央银行宣布对存在未落实商户实名制、变造银行卡交易信息、外包服务不规范的通联支付和银联商务两家第三方支付公司处以1110万元和2653.7万元的罚款。

不过，刚刚开始的整顿并未能立竿见影。根据聚投诉平台统计，2016年3月-7月，新增盗刷投诉915件，5个月时间的增长量，接近2015-2016年全年的投诉量。