Thieves can guess your secret Visa card details in just seconds

Distributed guessing attacks are surprisingly effective.

Dan Goodin
Image: A website bot as it distributes CVV guesses over multiple sites.
Thieves can guess your secret Visa payment card data in as little as six seconds, according to researchers at Newcastle University in the UK. Bad actors can use browser bots to distribute guesses across hundreds of legitimate online merchants.
The attack starts out with a card's 16-digit number, which can be obtained in a variety of ways. Attackers can buy numbers on black-market websites, often for less than $1 apiece, or use a smartphone equipped with a near-field communication reader to skim them. The numbers can also be inferred by combining your first six digits—which are based on the card brand, issuing bank, and card type—with a verification formula known as the Luhn Algorithm. Once an attacker has a valid 16-digit number, four seconds is all they need to learn the expiration date and the three-digit card-verification value that most sites use to verify the validity of a credit card. Even when sites go a step further by adding the card holder's billing address to the process, the technique can correctly guess the information in about six seconds.
The technique relies on Web bots that spread random guesses across almost 400 e-commerce sites that accept credit card payments. Of those, 26 sites use only two fields to verify cards, while an additional 291 sites use three fields. Because different sites rely on different fields, the bots are able to enter intelligent guesses into the user field of multiple sites until the bots hit on the right ones. Once the correct expiration date is obtained for a given card—typically banks issue cards that are valid for up to 60 months—the bots use a similar process to obtain the CVV number. In other cases, when sites allow the bots to obtain the CVV first—a process that can never require more than 1,000 guesses—the bots then work to obtain the expiration date and, if required, the billing address.
"We came to an important observation that the difference in security solutions of various websites introduces a practically exploitable vulnerability in the overall payment system," researchers from Newcastle University wrote in a research paper titled Does the Online Card Payment Landscape Unwittingly Facilitate Fraud?. "An attacker can exploit these differences to build a distributed guessing attack which generates usable card payment details (card number, expiry date, card verification value, and postal address) one field at a time." The researchers continued:
Each generated field can be used in succession to generate the next field by using a different merchant's website. Moreover, if individual merchants were trying to improve their security by adding more payment fields to be verified on their site, they potentially inadvertently weaken the whole system by creating an opportunity to guess the value of another field, as explained later in the article.
In an effort to make online purchases as easy as possible, many websites allow prospective customers to make as many as 50 incorrect guesses, and in some cases an unlimited number. Even in cases where the number is lower, the bots can still succeed by spreading the guesses over a large number of sites. Surprisingly, Visa—the world's biggest payment card service—didn't employ any system-wide mechanism for detecting the mass guessing attack. The Newcastle University researchers said that Visa competitor MasterCard, on the other hand, did detect the distributed mass guesses and shut down the attacks before they could succeed.
One of the tasks the bots carried out was to create a fake account that could charge a credit card belonging to the researchers and transfer the balance to a contact in India.
The researchers wrote:
Within minutes, we received a confirmation e-mail for the order made, and our contact confirmed the pick-up of the money. The time it took from the process of creating an account to collecting the money at the destination was only 27 minutes, which is short enough to avoid the bank reversing the payment.
The researchers said they contacted the 40 biggest websites used in the guessing attack to notify them of the findings. As a result, some sites have already changed some of their verification procedures. While that's a good start, a better solution would be for Visa to implement the type of Internet-wide alert system used by MasterCard and for online merchants to standardize the verification process.
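The gap between per-site attempt limits and a network-wide view can be shown with detection logic run over a constructed list of authorization events. This is an added example, not code from the article or the Newcastle paper. The thresholds, window, event layout, card tokens and function names are all assumptions.

```python
from collections import defaultdict, deque

PER_MERCHANT_LIMIT = 5   # assumed: failed attempts one site tolerates per card
NETWORK_LIMIT = 10       # assumed: failed attempts tolerated per card network-wide
WINDOW_MS = 60_000       # assumed sliding window, in milliseconds

def merchant_view(events, limit=PER_MERCHANT_LIMIT):
    """Cards that at least one merchant would block using only its own counter."""
    counts = defaultdict(int)
    for _ts, merchant, card, approved in events:
        if not approved:
            counts[(merchant, card)] += 1
    return {card for (_m, card), n in counts.items() if n > limit}

def network_view(events, limit=NETWORK_LIMIT, window=WINDOW_MS):
    """Cards flagged when failures are counted per card across all merchants.

    Returns {card: (time_flagged_ms, distinct_merchants_in_window)}.
    """
    recent = defaultdict(deque)   # card -> failures inside the window
    flagged = {}
    for ts, merchant, card, approved in sorted(events):
        if approved or card in flagged:
            continue
        q = recent[card]
        q.append((ts, merchant))
        while ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > limit:
            flagged[card] = (ts, len({m for _t, m in q}))
    return flagged

def constructed_events():
    """Constructed sample: (time_ms, merchant, card_token, approved)."""
    events = []
    # Card A: 40 declined attempts in 4 seconds, spread over 20 merchants,
    # so each merchant sees only 2 failures.
    for i in range(40):
        events.append((i * 100, f"shop-{i % 20:02d}", "card-token-A", False))
    # Card B: a customer mistypes the CVV twice at one shop, then succeeds.
    events += [(100_000, "shop-03", "card-token-B", False),
               (115_000, "shop-03", "card-token-B", False),
               (130_000, "shop-03", "card-token-B", True)]
    return events

if __name__ == "__main__":
    ev = constructed_events()
    print("blocked by a single merchant:", merchant_view(ev))
    print("flagged network-wide:", network_view(ev))
```

No merchant's own counter trips on card A, while the per-card counter flags it on the eleventh decline and leaves the customer who mistyped twice alone.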
The findings provide another good reason for people to closely scrutinize credit card bills each month for fraudulent purchases. It's also a good idea to use a single non-Visa credit card for all online purchases and to keep the spending limit on that card as low as possible.
