Thieves can guess your secret Visa card details in just seconds
Distributed guessing attacks are surprisingly effective.
Dan Goodin
Thieves can guess your secret Visa payment
card data in as little as six seconds, according to researchers at
Newcastle University in the UK. Bad actors can use browser bots to
distribute guesses across hundreds of legitimate online merchants.
The attack starts out with a card's 16-digit
number, which can be obtained in a variety of ways. Attackers can buy
numbers on black-market websites, often for less than $1 apiece, or use a
smartphone equipped with a near-field communication
reader to skim them. The numbers can also be inferred by combining your
first six digits—which are based on the card brand, issuing bank, and
card type—with a verification formula known as the Luhn algorithm. Once an attacker has a valid 16-digit number, four seconds is all they need to learn the expiration date and the three-digit card-verification value
that most sites use to verify the validity of a credit card. Even when
sites go a step further by adding the card holder's billing address to
the process, the technique can correctly guess the information in about
six seconds.
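The Luhn algorithm mentioned above is a public checksum (ISO/IEC 7812), not a secret: it exists so that a mistyped card number is caught before it is ever sent to the bank, and a number that passes it is not thereby known to belong to a real account. The following validator is an added example written for this article, not code from the researchers or from Visa; the 4111 1111 1111 1111 value is the widely published Visa test number, used here as a constructed input.

```python
def luhn_checksum(digits: str) -> int:
    """Luhn (ISO/IEC 7812) checksum over a digit string; 0 means the check
    digit is consistent with the rest of the number."""
    total = 0
    # Walk from the rightmost digit; double every second digit and fold any
    # two-digit result (10-18) back to a single digit by subtracting 9.
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def is_well_formed_pan(pan: str) -> bool:
    """Format check a merchant can run before sending an authorisation.
    It rejects typos and junk, nothing more: a passing number is not known
    to exist, and the checksum offers no protection against guessing."""
    digits = pan.replace(" ", "").replace("-", "")
    # PANs are 12 to 19 digits long under ISO/IEC 7812.
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        return False
    return luhn_checksum(digits) == 0


if __name__ == "__main__":
    # Constructed inputs: the published Visa test number and a one-digit corruption of it.
    for candidate in ("4111 1111 1111 1111", "4111 1111 1111 1112", "not a card"):
        print(f"{candidate!r}: {'well-formed' if is_well_formed_pan(candidate) else 'rejected'}")
```

Because the check digit is a function of the other fifteen digits, exactly one in ten candidate 16-digit strings passes; that is why the article treats the card number as something an attacker can obtain, and why the real defence has to be on the fields that are not derivable, such as the expiry date and CVV.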
The technique relies on Web bots that spread
random guesses across almost 400 e-commerce sites that accept credit
card payments. Of those, 26 sites use only two fields to verify cards,
while an additional 291 sites use three fields. Because different sites
rely on different fields, the bots are able to enter intelligent guesses
into the payment fields of multiple sites until the bots hit on the right
ones. Once the correct expiration date is obtained for a given
card—typically banks issue cards that are valid for up to 60 months—the
bots use a similar process to obtain the CVV number. In other cases,
when sites allow the bots to obtain the CVV first—a process that can
never require more than 1,000 guesses—the bots then work to obtain the
expiration date and, if required, the billing address.
"We came to an important observation that the
difference in security solutions of various websites introduces a
practically exploitable vulnerability in the overall payment system,"
researchers from Newcastle University wrote in a research paper titled Does the Online Card Payment Landscape Unwittingly Facilitate Fraud?.
"An attacker can exploit these differences to build a distributed
guessing attack which generates usable card payment details (card
number, expiry date, card verification value, and postal address) one
field at a time." The researchers continued:
Each generated field can be used
in succession to generate the next field by using a different merchant's
website. Moreover, if individual merchants were trying to improve their
security by adding more payment fields to be verified on their site,
they potentially inadvertently weaken the whole system by creating an
opportunity to guess the value of another field, as explained later in
the article.
In an effort to make online purchases as easy
as possible, many websites allow prospective customers to make as many
as 50, and in some cases an unlimited number, of incorrect guesses. Even
in cases where the number is lower, the bots can still succeed by
spreading the guesses over a large number of sites. Surprisingly,
Visa—the world's biggest payment card service—didn't employ any
system-wide mechanism for detecting the mass guessing attack. The
Newcastle University researchers said that Visa competitor MasterCard,
on the other hand, did detect the distributed mass guesses and shut down
the attacks before they could succeed.
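The gap the researchers describe is one of vantage point: a merchant that caps a shopper at 50 wrong attempts sees only its own traffic, so a card that is tried once at each of several hundred merchants never trips anyone's limit. A network-side velocity check, which is the kind of system-wide detection the article credits MasterCard with, counts declines per card across all merchants instead. The code below is an added illustration of that idea written for this article, not MasterCard's or Visa's actual logic; the window, threshold, merchant names, timestamps and the SHA-256 tokenisation of the card number are all constructed assumptions.

```python
import hashlib
from collections import defaultdict, deque

# Constructed input: the widely published Visa test number, not a live card.
TEST_PAN = "4111111111111111"


def pan_token(pan: str) -> str:
    """Replace the card number with a token so the detector never stores PANs.
    SHA-256 stands in for the keyed hash or vault token a real network would use."""
    return hashlib.sha256(pan.encode()).hexdigest()[:16]


class NetworkVelocityDetector:
    """Count declined authorisations per card across *all* merchants inside a
    sliding time window and block the card once the count reaches a threshold."""

    def __init__(self, window_s: float = 300.0, max_declines: int = 10):
        self.window_s = window_s
        self.max_declines = max_declines
        self._declines = defaultdict(deque)   # token -> deque of (ts, merchant)
        self.blocked = set()

    def observe(self, ts: float, merchant: str, pan: str, approved: bool) -> str:
        """Record one authorisation attempt; return 'ok', 'declined' or 'blocked'."""
        tok = pan_token(pan)
        if tok in self.blocked:
            return "blocked"
        if approved:
            return "ok"
        q = self._declines[tok]
        q.append((ts, merchant))
        # Drop declines that have aged out of the window.
        while q and ts - q[0][0] > self.window_s:
            q.popleft()
        if len(q) >= self.max_declines:
            self.blocked.add(tok)
            return "blocked"
        return "declined"

    def merchants_involved(self, pan: str) -> set:
        """Distinct merchants whose declines for this card are still in the window."""
        return {m for _, m in self._declines[pan_token(pan)]}


def per_merchant_view(attempts) -> dict:
    """What each merchant sees on its own: its count of declines, any card."""
    counts = defaultdict(int)
    for _, merchant, _, approved in attempts:
        if not approved:
            counts[merchant] += 1
    return dict(counts)


def run_scenario(gap_s: float = 1.0) -> dict:
    """Constructed traffic: one wrong guess for the same card at each of 12
    merchants, gap_s seconds apart. Returns the network verdicts alongside
    the per-merchant counts so the two vantage points can be compared."""
    attempts = [(i * gap_s, f"merchant-{i:02d}", TEST_PAN, False) for i in range(12)]
    det = NetworkVelocityDetector(window_s=60.0, max_declines=10)
    verdicts = [det.observe(*a) for a in attempts]
    return {
        "verdicts": verdicts,
        "per_merchant": per_merchant_view(attempts),
        "merchants_involved": len(det.merchants_involved(TEST_PAN)),
    }


if __name__ == "__main__":
    result = run_scenario()
    print("network verdicts:", result["verdicts"])
    print("most declines any single merchant saw:", max(result["per_merchant"].values()))
```

In the fast scenario every merchant records exactly one decline, far below any per-site cap, while the network counter reaches ten within a few seconds and blocks the card. Slowing the same guesses to one per minute lets each decline age out of the 60-second window before the next arrives, which is the trade-off such a detector forces on an attacker: a longer window catches slower campaigns at the cost of more false positives from genuine shoppers who mistype.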
One of the tasks the bots carried out was to
create a fake account that could charge a credit card belonging to the
researchers and transfer the balance to a contact in India.
The researchers wrote:
Within minutes, we received a
confirmation e-mail for the order made, and our contact confirmed the
pick-up of the money. The time it took from the process of creating an
account to collecting the money at the destination was only 27 minutes,
which is short enough to avoid the bank reversing the payment.
The researchers said they contacted the 40
biggest websites used in the guessing attack to notify them of the
findings. As a result, some sites have already changed some of their
verification procedures. While that's a good start, a better solution
would be for Visa to implement the type of Internet-wide alert system
used by MasterCard and for online merchants to standardize the
verification process.
The findings provide another good reason for
people to closely scrutinize credit card bills each month for fraudulent
purchases. It's also a good idea to use a single non-Visa credit card
for all online purchases and to keep the spending limit on that card as
low as possible.