In a new research paper entitled “Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?”, published in the academic journal IEEE Security & Privacy, researchers from the University of Newcastle explain how online payments remain a weak spot in credit card security, one that makes it easy for fraudsters to retrieve sensitive card information.
The technique, dubbed the Distributed Guessing Attack, can circumvent all the security features put in place to protect online payments from fraud. A similar technique is believed to be responsible for the hack of thousands of Tesco customers in the U.K. last month.
The issue lies in the Visa payment system, which lets an attacker try every combination of expiration date and CVV number across hundreds of websites. Two weaknesses make this possible:
- Online payment systems do not detect multiple incorrect payment requests if they’re performed across multiple sites. They also allow a maximum of 20 attempts per card on each site.
- Websites vary in which card details they ask for, and do not check them consistently.
Newcastle University PhD candidate Mohammed Ali says neither weakness is too severe on its own, but when used together and exploited properly, a cyber criminal can recover a credit card’s security information in just 6 seconds, presenting “a serious risk to the whole payment system.”
Here’s how the attack works:
So, instead of brute-forcing a single retailer’s website, which could trigger a fraud detection system after too many incorrect guesses or lock the card, the researchers spread the guesses for the card’s CVV across multiple sites, each attempt narrowing the remaining combinations until a valid expiration date and CVV are found.
The video demonstration shows that it takes only 6 seconds for a specially designed tool to reveal a card’s secure code.
Once a valid 16-digit card number is obtained, the hacker uses web bots to brute-force the three-digit card verification value (CVV) and the expiration date against hundreds of retailers at once. The CVV takes at most 1,000 guesses to crack, and the expiry date no more than 60 attempts.
“These experiments have also shown that it is possible to run multiple bots at the same time on hundreds of payment sites without triggering any alarms in the payment system,” researchers explain in the paper.
“Combining that knowledge with the fact that an online payment request typically gets authorized within two seconds makes the attack viable and scalable in real time. As an illustration, with the website bot configured cleverly to run on 30 sites, an attacker can obtain the correct information within four seconds.”
The attack works against Visa cardholders because Visa does not detect multiple attempts to use a card across its network, whereas MasterCard detects the brute-force attack after fewer than 10 attempts, even when the guesses are spread across multiple websites.
How to Protect Yourself?
The team investigated the Alexa top-400 online merchants’ payment websites and found that the current payment platform facilitates the distributed guessing attack.
The researchers contacted the 36 biggest websites against which they ran their distributed card number-guessing attack and notified them of their findings. As a result of the disclosure, eight sites have already changed their security systems to thwart the attacks.
However, the other 28 websites made no changes despite the disclosure.
For Visa, the best way to thwart the distributed card number-guessing attack is to adopt an approach similar to MasterCard’s and lock a card when someone tries to guess its details multiple times, even when the attempts are spread across multiple websites.
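To illustrate the network-side check the article recommends, here is an added example (written for this article, not the researchers’ tool or any card network’s actual system): a detector that counts declined authorizations per card across all merchants in a sliding window, so that guesses spread one or two per site still trip a lock. The card tokens, merchant ids, timestamps and thresholds are constructed sample values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization log (not real data): one entry per
# authorization request as the card network sees it, whichever merchant
# submitted it: (timestamp, tokenized card, merchant, result).
SAMPLE_LOG = [
    (f"2016-12-01T10:00:{2 * i:02d}", "tok_A", f"shop{i:02d}", "declined")
    for i in range(12)                       # 12 guesses spread over 12 merchants
] + [
    ("2016-12-01T10:00:05", "tok_B", "shop01", "declined"),
    ("2016-12-01T10:00:07", "tok_B", "shop01", "declined"),
    ("2016-12-01T10:00:09", "tok_B", "shop01", "approved"),   # typo, then success
]

class CrossMerchantGuessDetector:
    """Network-side counter of failed authorizations per card across all
    merchants inside a sliding window. A per-merchant cap (20 tries per
    site) never fires when guesses are spread across sites; this one does."""

    def __init__(self, max_declines=10, window=timedelta(minutes=5)):
        self.max_declines = max_declines     # constructed threshold
        self.window = window
        self.declines = defaultdict(deque)   # card -> deque of (ts, merchant)
        self.locked = set()

    def observe(self, ts_str, card, merchant, result):
        """Return True if the request must be refused: the card is already
        locked, or this decline pushes it over the cross-merchant threshold."""
        if card in self.locked:
            return True
        if result != "declined":
            return False
        ts = datetime.fromisoformat(ts_str)
        q = self.declines[card]
        q.append((ts, merchant))
        while ts - q[0][0] > self.window:    # age out declines outside the window
            q.popleft()
        if len(q) >= self.max_declines:
            self.locked.add(card)
        return card in self.locked

def replay(log, **kw):
    """Feed a log through the detector; return card -> (declines counted,
    distinct merchants used, locked?) so the cross-site spread is visible."""
    det = CrossMerchantGuessDetector(**kw)
    for ts, card, merchant, result in log:
        det.observe(ts, card, merchant, result)
    return {card: (len(q), len({m for _, m in q}), card in det.locked)
            for card, q in det.declines.items()}

if __name__ == "__main__":
    print(replay(SAMPLE_LOG))   # tok_A locks on its 10th decline; tok_B does not
```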