How would one apply following common ATM fraud scheme to the online world?
Old school, in real life: On a Thursday, visit a bank and open a checking account. Ensure to acquire a temporary debit card. On the weekend, preferably Sunday, visit N+1 ATMs. Please ensure to visit different financial institutions. Withdraw the max amount on each ATM. Quickly jump to another ATM. Wash, rinse, repeat until the time of check occurs – typically the following Monday when the financial institutions reconcile their debits and credits. This used to be a very successful fraud scheme. The financial institutions are a bit wiser and have worked out different ways to mitigate this fraud scheme. But in the online world, it isn’t as clear as governance is hard, especially in complex systems between different entities.
In complex systems, strewn with partners and disparate systems, transactional processing is hard. Especially if transactional guarantees are not built into the underlying data structures and services or concurrent systems are utilized. When does the application process a transaction? How and when do two distinct systems process a transaction? If two competing transactions occur, which one is applied first to which system? How do the two systems reconcile differences throughout the transaction? Time and order sequencing is extremely important. All one needs to do is to exploit the timing by introducing delays or latency. Besides, if one is able to find race conditions, one may be able to exploit the business logic for financial gain.
Imagine if the black box allows two different experiences within the same identity at the same time. Once one gets the timing down, all they will need to do is submit the fraudulent transaction at the same time. Assuming there is no time of use, time of check transaction governance, one is able to perform the same transaction twice yet only recorded as once.
Or perhaps one wants to pay for a Macallan 18 from XYZ online liquor store. Unfortunately, the store doesn't accept the payment method. Thankfully, their payment provider does. Typically, the merchant notes the shopping cart identity and the amount to be collected. Meanwhile, while the individual wearing a ski mask is attempting to pay, the ski mask lover needs to interact with their shopping cart.
Why yes, I would like a few more Macallan 18 yr scotch bottles. Then only proceed to pay for 1. Why? That was the amount sent to the payment gateway and the merchant's software is checking to see if I paid, not paid resulting amount. Worst case, in an automated fashion, if the payment gateway and online store do not reconcile the amount paid vs. the shopping transaction's final amount, it may? be caught at month's or quarter's end.
The impact isn't straight forward. These patterns are not well known, well guarded, and not easy to find. But once the generic transaction fraud patterns are known, they are easily applied. When the TOCTOU vulnerabilities are exploited, the business risk and impact may be critical if there are no compensating controls. These controls are typically found within the contractual language or a hard governance limit.