By Brett Williams
The team of researchers, led by PhD student Mohammed Ali, call the method “the Distributed Guessing Attack.” It’s a simple approach: a thief generates random numbers to guess combinations of card numbers, expiration dates and CVV codes (that three-digit number typically found on the back of the card). The video below demonstrates just how easy it is to generate all of these fields quickly:
Next, they test their combinations on multiple online payment services one field at a time. Since many websites ask for different variations of data for their payment-entry fields (there’s no minimum security requirement for online vendors), it’s easier to use the process of elimination to find each number individually rather than hoping to nail the set together in one go. According to the paper, there are three levels of data fields used by web merchants: Card Number + Expiry date; Card Number + Expiry date + CVV; Card Number + Expiry date + CVV + Address.
Bombarding multiple vendors’ sites also allows the thieves to dodge individual site limits on purchase attempts and avoid triggering fraud protection measures.
“… the current online payment system does not detect multiple invalid payment requests from different websites,” said Ali in the news release that accompanied the paper’s publishing in IEEE Security and Privacy. “This allows unlimited guesses on each card data field, using up to the allowed number of attempts — typically 10 or 20 guesses — on each website.”
It takes shockingly few attempts to guess the data once the hack is put into motion with an active card number. Most cards are valid for 60 months, so guessing the expiration date takes at most 60 attempts.
The CVV is a bit more difficult to find, but not by much: the team estimates about 1,000 attempts at most. “Spread this out over 1,000 websites and one will come back verified within a couple of seconds,” Ali said.
The Newcastle team tested the methods by using their own card data and a bot to carry out the attacks.
This is a major issue specific to Visa’s security: the team found that MasterCard’s online fraud protections detected the guessing attack after 10 attempts or fewer, even when those attempts were spread out over multiple sites. That said, only Visa and MasterCard were included in the study, so the jury’s out on whether other credit card providers are safe from a Distributed Guessing Attack.
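The gap the researchers describe is that each merchant only sees its own 10 or 20 attempts, while the card issuer is the one party that sees every authorization for a card across every merchant. The following added example (mine, not code from the Newcastle team, Visa or MasterCard) shows the difference between a merchant-local decline counter and an issuer-side counter keyed on the card across all merchants. The log lines, merchant ids, card tokens, 10-minute window and threshold of 10 declines are all constructed assumptions for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of issuer-side authorization events (not real data).
# Columns: timestamp, merchant_id, card_token, result. The token stands in for
# the card number; a real pipeline would key on a tokenized or hashed PAN.
# tok_A is declined once at each of twelve different merchants, then approved;
# tok_B is declined twice at one merchant, then approved.
SAMPLE_LOG = """\
2016-12-02T10:00:01Z,shop-01,tok_A,DECLINED
2016-12-02T10:00:02Z,shop-02,tok_A,DECLINED
2016-12-02T10:00:03Z,shop-03,tok_A,DECLINED
2016-12-02T10:00:04Z,shop-04,tok_A,DECLINED
2016-12-02T10:00:05Z,shop-05,tok_A,DECLINED
2016-12-02T10:00:06Z,shop-06,tok_A,DECLINED
2016-12-02T10:00:07Z,shop-07,tok_A,DECLINED
2016-12-02T10:00:08Z,shop-08,tok_A,DECLINED
2016-12-02T10:00:09Z,shop-09,tok_A,DECLINED
2016-12-02T10:00:10Z,shop-10,tok_A,DECLINED
2016-12-02T10:00:11Z,shop-11,tok_A,DECLINED
2016-12-02T10:00:12Z,shop-12,tok_A,DECLINED
2016-12-02T10:00:13Z,shop-13,tok_A,APPROVED
2016-12-02T10:05:00Z,shop-01,tok_B,DECLINED
2016-12-02T10:05:05Z,shop-01,tok_B,DECLINED
2016-12-02T10:05:09Z,shop-01,tok_B,APPROVED
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 10                   # assumed decline count that raises an alert


def parse_log(text):
    """Parse the CSV-style lines into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, merchant, token, result = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "merchant": merchant,
            "token": token,
            "result": result,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def per_merchant_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Merchant-local rule: declines per (merchant, card) within the window.
    This is all a single site can see, so guesses spread across many sites
    never accumulate enough at any one of them to trip it."""
    recent = defaultdict(deque)   # (merchant, token) -> timestamps of declines
    alerts = set()
    for e in events:
        if e["result"] != "DECLINED":
            continue
        key = (e["merchant"], e["token"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.add(key)
    return alerts


def cross_merchant_alerts(events, threshold=THRESHOLD, window=WINDOW):
    """Issuer-side rule: declines per card across all merchants within the
    window. Returns token -> (decline count, distinct merchants involved) for
    every card that crossed the threshold."""
    recent = defaultdict(deque)   # token -> (timestamp, merchant) of declines
    alerts = {}
    for e in events:
        if e["result"] != "DECLINED":
            continue
        q = recent[e["token"]]
        q.append((e["ts"], e["merchant"]))
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            merchants = {m for _, m in q}
            alerts[e["token"]] = (len(q), len(merchants))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-merchant alerts:", per_merchant_alerts(evs))      # empty
    print("cross-merchant alerts:", cross_merchant_alerts(evs))  # {'tok_A': (12, 12)}
```

On the constructed log the merchant-local rule raises nothing, because no merchant saw more than two declines for any card, while the issuer-side rule flags tok_A after its tenth decline, several seconds before the approval at shop-13. An issuer acting on that alert would step up or decline the later authorizations for the card rather than let them through, which is the behaviour the article credits MasterCard's controls with.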
In response to the paper’s revelations, The Guardian reports that a Visa spokesperson downplayed the large-scale risk from the vulnerability and placed the responsibility on vendors. They said that Visa is “committed to keeping fraud at low levels, and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally … There are also steps that merchants and issuers can take to thwart brute force attempts.”
Those steps include employing 3D Secure systems like Visa’s “Verified by Visa” technology, which adds extra steps to the online verification process. The paper concluded that sites that employ those measures are protected from the attacks — but out of 400 of the internet’s largest retail sites, only 47 had the protections.
Still, the Visa rep was receptive of the research. “Visa welcomes industry and academic efforts to identify and address perceived vulnerabilities in the payment system,” they said.
But consumers are still at risk. According to Dr. Martin Emms, one of the paper’s co-authors, there’s no way to protect against these attacks, only steps to take to limit the damage of a security breach. Using only one card online can help limit risk, along with staying alert for unverified purchases.
“However, the only sure way of not being hacked is to keep your money in the mattress,” he said, “and that’s not something I’d recommend!”