
'Frighteningly Easy' Hack Guesses Full Credit Card Details In 6 Seconds

Attack works only on Visa network, Newcastle University researchers say.

This story was updated on 12/5/2016 at 12.30 pm with a comment from Visa Inc.

Researchers at the UK’s Newcastle University have developed what they say is an almost absurdly easy way to get the card number, security code, and expiration date of any Visa credit or debit card using nothing but guesswork -- six seconds flat.

Their so-called Distributed Guessing Attack, which is detailed in a paper published this week in IEEE Security & Privacy, essentially circumvents all security features for protecting online payments.

The researchers believe it is likely the same tactic that attackers recently used in stealing a total of £2.5m from about 20,000 customers of Tesco Bank.

The attack takes advantage of two factors in the payment card ecosystem. One is the manner in which different online merchants request different types of information for processing a debit or credit card payment.

All merchants at a minimum require the card number or Primary Account Number (PAN) and expiry date. In addition, some merchants also ask for the card verification value (CVV), the three-digit security code on the back of each card. Some also ask for the cardholder’s address in addition to the other three fields.

The attack also exploits the fact that in many cases there is no mechanism currently in place to detect multiple invalid payment requests that are being made on the same card from different online merchant sites. That makes it possible for someone to take an unlimited number of cracks at guessing a card’s CVV or an expiration date by spreading the guesses across multiple sites.

These two factors together create a scenario where an attacker can obtain full card details one field at a time by automatically generating and verifying different combinations. The process takes as little as six seconds to generate complete information for a card, the researchers claim.

"The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time," said Mohammed Ali, a PhD student in Newcastle University’s School of Computing Science, in a statement.

The guessing attack worked only on Visa's network. MasterCard's network, the only other network the researchers tested, quickly detected the guessing even when the attempts were spread across different merchant websites.

To verify the attack, the researchers used their own cards and ran a website bot and an automated script against 400 top merchant sites to see if they could guess their own Visa card details.

For the paper, the researchers began with the PAN for each of their cards and tried to see if they could guess the CVV, expiration date, and address associated with each. The attack works even when the PAN is not available.

With a valid PAN, all that an attacker has to do to guess the expiration date is to look for merchant sites that require only the card number and expiry date field. Because most cards are valid for five years, an attacker needs only 60 attempts spread across multiple merchant websites to guess expiration month and year. With the expiration date on hand, it takes less than 1,000 attempts to get the 3-digit CVV again by spreading the guesses over multiple sites.

As a result, with as few as 1,060 automated guesses, it becomes possible for an attacker to get the CVV and expiry date on any card. By contrast, if all merchants required cardholders to input the same three fields (the PAN, CVV, and expiration date), it would take as many as 60,000 attempts to get each field, the researchers said in their paper.

"The difference between 1,060 and 60,000 is the difference between a quick and practical attack, and a tedious, close-to-impractical attack," they said.
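The gap the article describes is that nobody correlates invalid attempts on one card across different merchants: each merchant sees at most one or two failures, so a per-merchant velocity rule never fires, while the issuer sees all 60 expiry guesses (or the ~1,000 CVV guesses) within seconds. The following Python is an added example, not code from the article or from the Newcastle paper. It runs a per-merchant counter and an issuer-side per-card counter over a constructed authorisation log (the merchant IDs, card tokens and decline codes are made up for the example) and shows that only the per-card, cross-merchant rule catches the distributed pattern while leaving a customer who mistyped their expiry twice alone.

```python
"""Issuer-side detection of distributed card-detail guessing.

Added example, not from the article or the Newcastle paper. The article
explains that no mechanism correlates invalid payment attempts on one card
across different merchant sites. This block contrasts a merchant-local
velocity counter (which the distributed attack evades) with an issuer-side
per-card counter that sees every merchant.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, NamedTuple


class Attempt(NamedTuple):
    ts: datetime
    merchant: str
    pan_token: str   # tokenised card reference; constructed sample values
    outcome: str     # "APPROVED", "DECLINED_EXPIRY", "DECLINED_CVV", ...


# Constructed sample authorisation log (not real traffic). Card C-0001 gets
# one invalid expiry guess from each of twelve different merchants within six
# seconds; card C-0002 is a legitimate customer mistyping an expiry twice at
# one shop before succeeding.
SAMPLE_LOG = "\n".join(
    [f"2016-11-20T10:00:0{i // 2}Z merchant-{i:03d} C-0001 DECLINED_EXPIRY"
     for i in range(12)]
    + [
        "2016-11-20T10:00:01Z merchant-099 C-0002 DECLINED_EXPIRY",
        "2016-11-20T10:00:30Z merchant-099 C-0002 DECLINED_EXPIRY",
        "2016-11-20T10:00:45Z merchant-099 C-0002 APPROVED",
    ]
)


def parse_log(text: str) -> list[Attempt]:
    """Parse 'timestamp merchant card outcome' lines, oldest first."""
    attempts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, merchant, pan_token, outcome = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        attempts.append(Attempt(when, merchant, pan_token, outcome))
    return sorted(attempts, key=lambda a: a.ts)


def _windowed_declines(attempts: list[Attempt], key_fn: Callable[[Attempt], object],
                       window: timedelta, threshold: int) -> dict:
    """For each key, return the first run of >= threshold declines that fits in
    a sliding time window (two-pointer scan over time-ordered events)."""
    declines = defaultdict(list)
    for a in attempts:
        if a.outcome.startswith("DECLINED"):
            declines[key_fn(a)].append(a)
    hits = {}
    for key, events in declines.items():
        start = 0
        for end, ev in enumerate(events):
            while ev.ts - events[start].ts > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = events[start:end + 1]
                break
    return hits


def per_merchant_alerts(attempts: list[Attempt], window: timedelta = timedelta(minutes=5),
                        threshold: int = 3) -> list:
    """What a single merchant can see: declines for one card at that merchant only."""
    hits = _windowed_declines(attempts, lambda a: (a.merchant, a.pan_token), window, threshold)
    return sorted(hits)


def per_card_alerts(attempts: list[Attempt], window: timedelta = timedelta(minutes=5),
                    threshold: int = 3, min_merchants: int = 2) -> list:
    """Issuer-side rule: declines for one card across several distinct merchants.
    The merchant-diversity requirement keeps a customer fumbling at one shop
    from tripping it."""
    hits = _windowed_declines(attempts, lambda a: a.pan_token, window, threshold)
    return sorted(pan for pan, events in hits.items()
                  if len({e.merchant for e in events}) >= min_merchants)


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    print("per-merchant rule flags:", per_merchant_alerts(log))   # nothing
    print("per-card rule flags:    ", per_card_alerts(log))       # ['C-0001']
```

The thresholds are deliberately low to make the contrast visible; a production rule would also weight the decline reason (a wrong expiry followed by a wrong CVV on the same card is the field-by-field progression the article describes) and would block further authorisations on the card rather than only raise an alert.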

Getting the cardholder's address is a little more involved and requires the attackers to first identify the issuing bank. But even here, online databases are available that reveal a card's brand, type, and issuing bank name. This gives the attacker a starting point to begin guessing the correct postal code for the card. Because address verification is usually only done on numerical values, such as the street number and zip code, there is no need for the attacker to have the actual street name.

Similarly, it is also possible to generate valid card numbers from scratch using only the first six digits of a PAN, which are the same based on card type and other factors, and the Luhn algorithm for validating card numbers.
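The Luhn algorithm the article refers to is a public check-digit formula, not a secret: it catches typos and single-digit transpositions, which is exactly why it offers no protection against someone enumerating numbers that satisfy it. The validator below is an added example, not code from the article or the Newcastle paper; it implements the standard Luhn check (double every second digit from the right, subtract 9 from any result above 9, and require the digit sum to be a multiple of 10) and is exercised with the widely published Visa test number 4111 1111 1111 1111, so that a payment form or fraud pipeline can reject malformed input before it ever reaches an authorisation request.

```python
"""Luhn check-digit validation for payment card numbers.

Added example, not from the article or the Newcastle paper. Passing this
check only means the digits are self-consistent; it says nothing about
whether the account exists, which is why Luhn is a data-entry check and
not a security control.
"""
from __future__ import annotations


def normalise_pan(pan: str) -> str:
    """Strip the spaces and dashes people type into card fields."""
    return "".join(c for c in pan if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string satisfies the Luhn formula."""
    digits = [int(c) for c in normalise_pan(pan)]
    if len(digits) < 2:
        return False
    total = 0
    # Walk from the rightmost (check) digit; every second digit is doubled.
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9        # same as summing the two digits of the product
        total += d
    return total % 10 == 0


def issuer_prefix(pan: str) -> str:
    """The first six digits (issuer identification number), which the article
    notes are shared by every card of a given brand and type."""
    return normalise_pan(pan)[:6]


if __name__ == "__main__":
    # Constructed inputs: a published Visa test number and a one-digit typo of it.
    for candidate in ("4111 1111 1111 1111", "4111-1111-1111-1112"):
        print(candidate, "->", "valid" if luhn_valid(candidate) else "invalid")
```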

In a statement, Visa downplayed the severity of the problem. 

"The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world," Visa noted.

Mechanisms like Verified by Visa, based on the 3DSecure standard, have bolstered security for e-commerce transactions, and Visa works closely with card issuers and acquirers to make it difficult for anyone to obtain and use cardholder data illegally.

"Visa welcomes industry and academic efforts to identify and address perceived vulnerabilities in the payment system," the statement said. "Along with our own internal monitoring and testing, this enables Visa and the payments industry to make payments ever more secure."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

12/4/2016 | 11:59:30 PM
Awaiting Response with Bated Breath
At a minimum I would expect Visa and any other credit card vendor with similar configuration to immediately announce they have programmed blocks for multiple incorrect responses as described in this paper. And "frighteningly" should be changed to "ridiculously" because I can't believe for a second that such a ridiculous and lax configuration is in place. It is almost as if it was done intentionally as an invitation to exploit their credit card data. As with all things commercial, once the speed with which customer money hits your bank is of more importance than the security of your customers' money and data, you have already screwed your customers and your own business. Well done, Newcastle.