12/2/2016
05:35 PM
'Frighteningly Easy' Hack Guesses Full Credit Card Details In 6 Seconds

Attack works only on Visa network, Newcastle University researchers say.

This story was updated on 12/5/2016 at 12.30 pm with a comment from Visa Inc.

Researchers at the UK’s Newcastle University have developed what they say is an almost absurdly easy way to get the card number, security code, and expiration date of any Visa credit or debit card using nothing but guesswork, in six seconds flat.

Their so-called Distributed Guessing Attack, which is detailed in a paper published this week in the journal IEEE Security & Privacy, essentially circumvents all security features for protecting online payments.

The researchers believe it is likely the same tactic that attackers recently used in stealing a total of £2.5m from about 20,000 customers of Tesco Bank.

The attack takes advantage of two factors in the payment card ecosystem. One is the manner in which different online merchants request different types of information for processing a debit or credit card payment.

All merchants at a minimum require the card number or Primary Account Number (PAN) and expiry date. In addition, some merchants also ask for the card verification value (CVV), the three-digit security code on the back of each card. Some also ask for the cardholder’s address in addition to the other three fields.

The attack also exploits the fact that in many cases there is no mechanism currently in place to detect multiple invalid payment requests that are being made on the same card from different online merchant sites. That makes it possible for someone to take an unlimited number of cracks at guessing a card’s CVV or an expiration date by spreading the guesses across multiple sites.

These two factors together create a scenario where an attacker can obtain full card details one field at a time by automatically generating and verifying different combinations. The process takes as little as six seconds to generate complete information for a card, the researchers claim.

"The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time," said Mohammed Ali, a PhD student in Newcastle University’s School of Computing Science, in a statement.

The guessing attack worked only on Visa’s network. MasterCard’s network, the only other network that the researchers tested, quickly detected the guessing even across different networks.

To verify the attack, the researchers used their own cards and ran a website bot and an automated script against 400 top merchant sites to see if they could guess their own Visa card details.

For the paper, the researchers began with the PAN for each of their cards and tried to see if they could guess the CVV, expiration date, and address associated with each. The attack works even when the PAN is not available.

With a valid PAN, all that an attacker has to do to guess the expiration date is to look for merchant sites that require only the card number and expiry date field. Because most cards are valid for five years, an attacker needs only 60 attempts spread across multiple merchant websites to guess expiration month and year. With the expiration date on hand, it takes less than 1,000 attempts to get the 3-digit CVV again by spreading the guesses over multiple sites.

As a result, with as few as 1,060 automated guesses, it becomes possible for an attacker to get the CVV and expiry date on any card. At the same time, if all merchants required cardholders to input the same three fields (the PAN, CVV, and expiration date), it would take as many as 60,000 attempts to get each field, the researchers said in their paper.

"The difference between 1,060 and 60,000 is the difference between a quick and practical attack, and a tedious, close-to-impractical attack," they said.
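The missing control the researchers describe is a check that counts declined authorization attempts per card across all merchants rather than per merchant. The following is an added example (not code from the paper, Visa, or Dark Reading) that contrasts the two counting strategies; the card number, merchant names, threshold of 10 failures and one-hour window are constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class AuthAttempt:
    pan: str        # card number; only constructed sample values are used here
    merchant: str   # identifier of the merchant that submitted the request
    ts: float       # time of the request, in seconds
    approved: bool  # issuer's decision on the fields the merchant supplied


class VelocityGuard:
    """Block a card after `max_failures` declines inside `window_s` seconds.

    With per_merchant=True declines are counted per (merchant, card), which is
    the blind spot the attack exploits; with per_merchant=False they are
    counted per card across every merchant, as an issuer or network can do.
    """

    def __init__(self, max_failures=10, window_s=3600.0, per_merchant=False):
        self.max_failures = max_failures
        self.window_s = window_s
        self.per_merchant = per_merchant
        self._declines = defaultdict(deque)  # key -> timestamps of declines
        self.blocked = set()

    def _key(self, a):
        # Store only a hash of the PAN; the detector never needs the raw number.
        card = hashlib.sha256(a.pan.encode()).hexdigest()
        return (a.merchant, card) if self.per_merchant else card

    def observe(self, a: AuthAttempt) -> str:
        key = self._key(a)
        if key in self.blocked:
            return "blocked"
        if a.approved:
            return "approved"
        q = self._declines[key]
        q.append(a.ts)
        while a.ts - q[0] > self.window_s:  # drop declines outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.blocked.add(key)
            return "blocked"
        return "declined"


def first_block(guard, n_attempts=60, n_merchants=60):
    """Feed n_attempts declined requests for one constructed card, rotating
    across n_merchants merchants one second apart; return the 1-based attempt
    at which the guard blocks the card, or None if it never does."""
    pan = "4000000000000002"  # constructed test number, not a real card
    for i in range(n_attempts):
        a = AuthAttempt(pan, f"merchant-{i % n_merchants}", float(i), False)
        if guard.observe(a) == "blocked":
            return i + 1
    return None
```

With 60 declines spread over 60 merchants the per-merchant guard never fires, while the cross-merchant guard blocks the card at the tenth decline, well short of the 60 guesses needed for the expiry date.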

Getting the cardholder’s address is a little more involved and requires the attackers to first identify the issuing bank. But even here, online databases are available that reveal a card’s brand, type, and issuing bank name. This gives the attacker a starting point to begin guessing the correct postal code for the card. Because address verification is usually only done on numerical values—like the street number and zip code—there is no need for the attacker to have the actual street name.

Similarly, it is also possible to generate valid card numbers from scratch using only the first six digits of a PAN—which are the same based on card type and other factors—and the Luhn algorithm, a checksum used for validating card numbers.
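The Luhn check mentioned above is a public checksum against transcription errors, not a secret, which is why it can be used to mass-produce self-consistent numbers. The validator below is an added example (not from the paper or the article) showing what the check actually verifies; the sample numbers are well-known test values and a constructed one, not real cards.

```python
def luhn_valid(pan: str) -> bool:
    """Return True if `pan` (digits only, 12 to 19 long) passes the Luhn check.

    Passing only means the digits are self-consistent; it says nothing about
    whether the card exists, so a merchant must treat it purely as an input
    sanity check and never as a substitute for issuer authorization.
    """
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and fold
    # two-digit products back to one digit (e.g. 14 -> 1 + 4 = 5, i.e. 14 - 9).
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0
```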

In a statement, Visa downplayed the severity of the problem. 

"The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world," Visa noted.

Mechanisms like Verified by Visa, based on the 3-D Secure standard, have bolstered security for e-commerce transactions, and Visa works closely with card issuers and acquirers to make it difficult for anyone to obtain and use cardholder data illegally.

"Visa welcomes industry and academic efforts to identify and address perceived vulnerabilities in the payment system," the statement said. "Along with our own internal monitoring and testing, this enables Visa and the payments industry to make payments ever more secure."

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
Comments

RetiredUser, User Rank: Ninja
12/4/2016 | 11:59:30 PM
Awaiting Response with Bated Breath
At a minimum I would expect Visa and any other credit card vendor with similar configuration to immediately announce they have programmed blocks for multiple incorrect responses as described in this paper. And "frighteningly" should be changed to "ridiculously" because I can't believe for a second that such a ridiculous and lax configuration is in place. It is almost as if it was done intentionally as an invitation to exploit their credit card data. As with all things commercial, once the speed with which customer money hits your bank is of more importance than the security of your customer's money and data, you have already screwed your customers and your own business. Well done, Newcastle.