Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

05:35 PM
Connect Directly

'Frighteningly Easy' Hack Guesses Full Credit Card Details In 6 Seconds

Attack works only on Visa network, Newcastle University researchers say.

This story was updated on 12/5/2016 at 12.30 pm with a comment from Visa Inc.

Researchers at the UK’s Newcastle University have developed what they say is an almost absurdly easy way to get the card number, security code, and expiration date of any Visa credit or debit card using nothing but guesswork -- six seconds flat.

Their so-called Distributed Guess Attack, which is detailed in a paper published this week in the IEE Security & Privacy Journal, essentially circumvents all security features for protecting online payments.

The researchers believe it is likely the same tactic that attackers recently used in stealing a total of £2.5m from about 20,000 customers of Tesco Bank.

The attack takes advantage of two factors in the payment card ecosystem. One is the manner in which different online merchants request different types of information for processing a debit or credit card payment.

All merchants at a minimum require the card number or Primary Account Number (PAN) and expiry date. In addition, some merchants also ask for the card verification value (CVV), the three-digit security code on the back of each card. Some also ask for the cardholder’s address in addition to the other three fields.

The attack also exploits the fact that in many cases there is no mechanism currently in place to detect multiple invalid payment requests that are being made on the same card from different online merchant sites. That makes it possible for someone to take an unlimited number of cracks at guessing a card’s CVV or an expiration date by spreading the guesses across multiple sites.

These two factors together create a scenario where an attacker can obtain full card details one field at a time by automatically generating and verifying different combinations. The process takes as little as six seconds to generate complete information for a card, the researchers claim.

"The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time," said Mohammed Ali, a PhD student in Newcastle University’s School of Computing Science, in a statement.

The guessing attack worked only on Visa’s network. MasterCard’s network - the only other network that the researchers tested - quickly detected the guessing in even across different networks.

To verify the attack, the researchers used their own cards and ran a website bot and an automated script against 400 top merchant sites to see if they could guess their own Visa card details.

For the paper, the researchers began with the PAN for each of their cards and tried to see if they could guess the CVV, expiration date, and address associated with each. The attack works even when the PAN number is not available.

With a valid PAN, all that an attacker has to do to guess the expiration date is to look for merchant sites that require only the card number and expiry date field. Because most cards are valid for five years, an attacker needs only 60 attempts spread across multiple merchant websites to guess expiration month and year. With the expiration date on hand, it takes less than 1,000 attempts to get the 3-digit CVV again by spreading the guesses over multiple sites.

As a result, with as few as 1.060 automated guesses, it becomes possible for an attacker to get the CVV and expiry date on any card. At the same time, if all merchants required cardholders to input the same three fields—the PAN, CVV, and expiration date, it would take as many as 60,000 attempts to get each field, the researchers said in their paper.

"The difference between 1,060 and 60,000 is the difference between a quick and practical attack, and a tedious, close-to-impractical attack," they said.

Getting the cardholder’s address is a little more involved and requires the attackers to first identify the issuing bank. But even here, online databases are available that reveal a card’s brand, type, and issuing bank name. This gives the attacker a starting point to begin guessing the correct postal card for the card. Because address verification is usually only done on numerical values—like the street number and zip code—there is no need for the attacker to have the actual street name.

Similarly, it is also possible to generate valid card numbers from scratch using only the first six digits of a PAN—which are the same based on card type and other factors—and an algorithm called the Luhn’s algorithm for validating card numbers.

In a statement, Visa downplayed the severity of the problem. 

"The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world," Visa noted.

Mechanisms like Verified by Visa, based on the 3DSecure standard have bolstered security for e-commerce transactions and Visa works closely with card issuers and acquirers to make it difficult for anyone to obtain and use cardholder data illegally.

"Visa welcomes industry and academic efforts to identify and address perceived vulnerabilities in the payment system," the statement said. "Along with our own internal monitoring and testing, this enables Visa and the payments industry to make payments ever more secure."

Related stories:


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Christian Bryant
Christian Bryant,
User Rank: Ninja
12/4/2016 | 11:59:30 PM
Awaiting Response with Baited Breath
At a minimum I would expect Visa and any other credit card vendor with similar configuration to immediately announce they have programmed blocks for multiple incorrect responses as described in this paper.  And "frighteningly" should be changed to "rediculously" because I can't believe for a second that such a rediculous and lax configuration is in place.  It is almost as if it was done intentionally as an invitation to exploit their credit card data.  As with all things commercial, once the speed with which customer money hits your bank is of more importance than the security of your customer's money and data, you have already screwed your customers and your own business.  Well done, Newcastle.  
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Cognitive Bias Can Hamper Security Decisions
Kelly Sheridan, Staff Editor, Dark Reading,  6/10/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-06-16
In words.protocols.jabber.xmlstream in Twisted through 19.2.1, XMPP support did not verify certificates when used with TLS, allowing an attacker to MITM connections.
PUBLISHED: 2019-06-15
The "Count per Day" plugin before 3.2.6 for WordPress allows XSS via the wp-admin/?page=cpd_metaboxes daytoshow parameter.
PUBLISHED: 2019-06-15
In OrangeHRM 4.3.1 and before, there is an input validation error within admin/listMailConfiguration (txtSendmailPath parameter) that allows authenticated attackers to achieve arbitrary command execution.
PUBLISHED: 2019-06-15
In Webmin through 1.910, any user authorized to the "Package Updates" module can execute arbitrary commands with root privileges via the data parameter to update.cgi.
PUBLISHED: 2019-06-15
formats/xml.cpp in Leanify 0.4.3 allows for a controlled out-of-bounds write in xml_memory_writer::write via characters that require escaping.