A few weeks ago, Thinkst launched a new Canarytoken type: real credit cards.
You are probably wondering: what are Canarytokens?
Canarytokens are similar to web bugs, the invisible images that track a user's data, but for file reads, databases, and log files. To put it simply, they are invisible image files that will alert you if your information is accessed by an intruder. The purpose of implementing a Canarytoken is to help you discover you’ve been breached by “having the attackers announce themselves.”
Canarytokens launched a credit card token. What that means is:
- They will give you a valid credit card number with expiration and CVC
- You will receive notifications if anyone attempts to use this card
How can merchants use Canarytokens to protect their business?
Thinkst recommends making your canaries look like something an attacker would deem attractive. The mantra is “Canaries should look valuable (instead of just vulnerable)”.
So it would be ideal to store Canarytokens amongst other saved credit card data or on payment gateways.
Attackers might avoid you altogether when they discover Canarytokens in your payments environment. Canarytokens calls this “conspicuous deception”.
Over the past several years, attackers who are aware of Canarytokens “were afraid to move beyond that system, paralyzed”.
High-profile, savvy attackers will consider the risk of destroying a set of data when they run test swipes on stolen dumps of credit cards.
They may look for bank identification number (BIN) patterns that Canarytokens uses and exclude them from their process. Canarytokens has proactively started discussions with banks to onboard their BINs to Canarytokens’ system, mixing token cards with legitimate cards and making it harder for attackers to commit fraud. Canarytokens' pitch to banks is as follows: “Would you like attackers to first remove your bank’s cards from dumps they steal?”
If banks begin participating, even companies that have not deployed Canarytokens in their environment could be protected. This deterrence works by deception: the more BINs that are covered, the less likely fraudsters are to profile those cards.
On the other hand, low-tier attackers who will just keep trying cards without applying any tactic will no longer be able to profit as much from stolen credit card data.
This benefits merchants and payment processors alike, as they can now respond to fraudulent activity much faster than before. Banks and card companies usually discover breaches by examining fraud reports and looking for commonalities. Identifying where the card was used and who’s involved takes significant time, whereas the token will instantly identify a breach.
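As an added illustration (not code from Thinkst or from this article), the sketch below shows how a merchant might triage a credit card token alert when one canary card is planted per storage location: the alert is mapped back to that location and to the accesses that fall between planting and the alert. It goes a step beyond the text by narrowing the exposure window; the memo format, alert fields, store names and access log are all constructed assumptions.

```python
from datetime import datetime

# Constructed registry: one canary card per storage location, keyed by the
# reminder memo chosen when the token was created (memo format is an assumption).
PLACEMENTS = {
    "cc-canary:billing-db.saved_cards": datetime(2024, 1, 10, 9, 0),
    "cc-canary:gateway-vault.exports": datetime(2024, 2, 1, 9, 0),
}

# Constructed access log for the card stores: (time, store, actor, action).
ACCESS_LOG = [
    (datetime(2024, 1, 5, 2, 0), "billing-db.saved_cards", "svc-backup", "dump"),
    (datetime(2024, 1, 20, 2, 0), "billing-db.saved_cards", "svc-backup", "dump"),
    (datetime(2024, 2, 14, 23, 41), "billing-db.saved_cards", "jdoe", "bulk_select"),
    (datetime(2024, 2, 15, 3, 0), "gateway-vault.exports", "svc-report", "export"),
    (datetime(2024, 3, 2, 2, 0), "billing-db.saved_cards", "svc-backup", "dump"),
]

def triage(alert, placements=PLACEMENTS, access_log=ACCESS_LOG):
    """Map a canary-card alert to the store it was planted in and list the
    accesses that could have leaked it (after planting, before the alert)."""
    memo = alert["memo"]
    if memo not in placements:
        # Unknown memo: someone else's token or a stale registry; do not guess.
        return {"store": None, "window": None, "suspects": []}
    store = memo.split(":", 1)[1]
    planted = placements[memo]
    fired = datetime.fromisoformat(alert["time"])
    suspects = [
        (ts, actor, action)
        for ts, s, actor, action in access_log
        if s == store and planted <= ts <= fired
    ]
    return {"store": store, "window": (planted, fired), "suspects": suspects}

# Hypothetical alert shape (not Thinkst's actual notification format).
SAMPLE_ALERT = {"memo": "cc-canary:billing-db.saved_cards",
                "time": "2024-02-20T14:03:00"}

if __name__ == "__main__":
    result = triage(SAMPLE_ALERT)
    print("breached store:", result["store"])
    for ts, actor, action in result["suspects"]:
        print(ts.isoformat(), actor, action)
```

Accesses before the planting date or after the alert are excluded, so the review starts from the short list of reads that could actually have carried the canary card out.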
This powerful tool can offer great detection of breaches while being very easy to deploy and cost-effective. To learn more about Canarytokens, visit canarytokens.org.