‘Distributed guessing’ attack lets hackers verify Visa card details


Armed with a card number, researchers tricked websites into helping them guess the expiry date and CVV

Add credit card fraud to the list of things that distributed processing can speed up.

An e-commerce site will typically block a credit card number after 10 or 20 failed attempts to enter the corresponding expiry date and CVV (card verification value), making life difficult for fraudsters who don't have a full set of credentials.

But there are plenty of e-commerce sites out there, and it's possible to obtain missing account details by submitting slightly different payment requests to hundreds of them in parallel.

It takes less than six seconds to perform the "distributed guessing attack," according to the researchers at Newcastle University in the U.K. who figured out how to do it.

Guessing the expiry date of a valid card isn't all that difficult: Cards are typically issued for five years at most, so sending the 60 possible values to different websites will get a confirmation from one of them. The three-digit CVV is a little harder, involving spreading 1,000 requests across multiple websites.

"Practically unlimited guesses can be made by distributing the guesses over many websites, even if individual websites limit the number of attempts," wrote the researchers, Mohammed Aamir Ali, Budi Arief, Martin Emms and Aad van Moorsel.

The title of their paper asked the question: "Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?"

Their answer is emphatically yes -- at least for Visa cards, for which they were able to submit sufficient requests to obtain the missing values.

MasterCard's centralized payment network, on the other hand, detected their attack on a card account after fewer than 10 authorization attempts.

Ali and colleagues studied 389 websites drawn from the 400 most-visited according to Alexa.com. Of those, just 47 used the 3D Secure authorization system, making them immune to the attack.

The weak links in the system were the 26 sites that required only the card number and the expiry date to validate payment. The 20 of them allowing at least six guesses provided ample capacity for guessing such an easy answer.

A further 291 sites would validate a card number with just the expiry date and CVV -- but with 238 of them allowing six or more guesses, the CVV could soon be obtained.

Even the cardholder's address, required by 25 sites along with the expiry date and CVV, could be guessed in some cases, the researchers explained. Some banks encode branch details in the card number, making it possible to guess at post codes around the branch, they said in the paper. Two of the sites examined allowed unlimited attempts at guessing the address -- and also the expiry date and CVV, they found.

To see how concerned the sites were about the problem, the researchers divided them into three categories based on the information they required to verify card numbers, and contacted the 12 with the most users in each category.

Of those 36 sites, 28 replied within four weeks, and eight of them patched their sites to reduce the risk of information disclosure. The patches included limiting the rate of requests either by IP address or card number, adding Captchas, and requiring additional data to verify a card number and expiry date.

They questioned the usefulness of those patches, noting that testing addresses without limiting the number of queries merely opened up another avenue of attack. Likewise, using Captchas and throttling the number of submissions merely slowed down the attack, but did not stop it. None of the patched sites introduced a hard limit on the number of tests relating to one card number, they found.

Ultimately, the only ways to secure payment systems against distributed guessing attacks are to centralize -- as MasterCard has done -- or to standardize, with all sites requiring the same information to validate card numbers. Either way, the attack cannot be scaled across sites, the researchers wrote.
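A toy model of the argument above, added here as an illustration and not taken from the paper or the article: each merchant caps failed attempts per card, but only a counter held centrally by the issuer network (keyed by card number, the "centralize" option) sees the guesses spread across many sites. Card number, expiry value and the caps of 6 and 10 are constructed, not real data.

```python
"""Constructed model: per-site attempt caps versus a central per-card cap."""
from dataclasses import dataclass, field
from typing import Optional

# The 60 month/year values a five-year card could carry (constructed range).
EXPIRY_CANDIDATES = [f"{m:02d}/{y:02d}" for y in range(17, 22) for m in range(1, 13)]


@dataclass
class Issuer:
    """Central authorization network. per_card_cap=None models a network with
    no cross-merchant limit; an integer models a MasterCard-style central cap."""
    true_expiry: str
    per_card_cap: Optional[int]
    attempts: dict = field(default_factory=dict)

    def authorize(self, card: str, expiry: str) -> str:
        n = self.attempts.get(card, 0) + 1
        self.attempts[card] = n
        if self.per_card_cap is not None and n > self.per_card_cap:
            return "blocked"          # the network, not the site, stops the card
        return "approved" if expiry == self.true_expiry else "declined"


@dataclass
class Merchant:
    """One e-commerce site that refuses a card after per_site_cap failures."""
    issuer: Issuer
    per_site_cap: int
    failures: dict = field(default_factory=dict)

    def try_payment(self, card: str, expiry: str) -> str:
        if self.failures.get(card, 0) >= self.per_site_cap:
            return "site-limit"       # the site's own limit, local to this site
        result = self.issuer.authorize(card, expiry)
        if result == "declined":
            self.failures[card] = self.failures.get(card, 0) + 1
        return result


def distributed_guess(issuer: Issuer, sites: list, card: str):
    """Spread the 60 candidates round-robin over the sites.
    Returns (recovered expiry or None, authorizations the issuer saw)."""
    for i, candidate in enumerate(EXPIRY_CANDIDATES):
        result = sites[i % len(sites)].try_payment(card, candidate)
        if result == "approved":
            return candidate, issuer.attempts.get(card, 0)
        if result == "blocked":
            return None, issuer.attempts.get(card, 0)
    return None, issuer.attempts.get(card, 0)
```

One site capped at 6 stops the guessing on its own; 20 such sites with no central counter leak the expiry after about three attempts each, while a central cap of 10 on the same card blocks it regardless of how many sites are used.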
