This story was updated on 12/5/2016 at 12.30 pm with a comment from Visa Inc.
Researchers at the UK’s Newcastle University have developed what they say is an almost absurdly easy way to get the card number, security code, and expiration date of any Visa credit or debit card using nothing but guesswork, in six seconds flat.
Their so-called Distributed Guess Attack, which is detailed in a paper published this week in the IEEE Security & Privacy journal, essentially circumvents all security features for protecting online payments.
The researchers believe it is likely the same tactic that attackers recently used in stealing a total of £2.5m from about 20,000 customers of Tesco Bank.
The attack takes advantage of two factors in the payment card ecosystem. One is the manner in which different online merchants request different types of information for processing a debit or credit card payment.
All merchants at a minimum require the card number or Primary Account Number (PAN) and expiry date. In addition, some merchants also ask for the card verification value (CVV), the three-digit security code on the back of each card. Some also ask for the cardholder’s address in addition to the other three fields.
The attack also exploits the fact that in many cases there is no mechanism currently in place to detect multiple invalid payment requests that are being made on the same card from different online merchant sites. That makes it possible for someone to take an unlimited number of cracks at guessing a card’s CVV or an expiration date by spreading the guesses across multiple sites.
These two factors together create a scenario where an attacker can obtain full card details one field at a time by automatically generating and verifying different combinations. The process takes as little as six seconds to generate complete information for a card, the researchers claim.
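The detection mechanism the article says is missing on the Visa side is a velocity check that counts declines per card across all merchants rather than per merchant. The following is an added example of such a check, not code from the researchers or from any card network; the event format, the tokenised PAN values, merchant ids and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample (not real data): card-not-present authorisation attempts as a
# card network or issuer would see them, as (ISO timestamp, tokenised PAN, merchant
# id, outcome). "expiry" and "cvv" are declines on that field, "ok" is an approval.
# tok_A collects twelve declines spread over six merchants in two minutes, the
# distributed guessing pattern; tok_B is a cardholder mistyping the CVV at one shop.
SAMPLE_EVENTS = [
    (f"2016-12-05T10:{i // 6:02d}:{(i % 6) * 10:02d}", "tok_A",
     f"shop{i % 6:02d}", "expiry" if i < 8 else "cvv")
    for i in range(12)
] + [
    ("2016-12-05T10:03:00", "tok_B", "shop01", "cvv"),
    ("2016-12-05T10:03:30", "tok_B", "shop01", "cvv"),
    ("2016-12-05T10:04:00", "tok_B", "shop01", "ok"),
    ("2016-12-05T10:05:00", "tok_C", "shop03", "ok"),
]


def detect_distributed_guessing(events, window=timedelta(minutes=5),
                                max_declines=10, min_merchants=3):
    """Flag PAN tokens whose declines, counted across ALL merchants, exceed
    max_declines inside a sliding time window and originate from at least
    min_merchants distinct merchants. A single merchant's own velocity check
    cannot see this pattern because each merchant only sees a few attempts."""
    declines = defaultdict(list)
    for ts, pan, merchant, outcome in events:
        if outcome != "ok":
            declines[pan].append((datetime.fromisoformat(ts), merchant))
    flagged = {}
    for pan, attempts in declines.items():
        attempts.sort()
        start = 0
        for end, (ts, _) in enumerate(attempts):
            # Slide the window start forward until the span fits in `window`.
            while ts - attempts[start][0] > window:
                start += 1
            span = attempts[start:end + 1]
            merchants = {m for _, m in span}
            if len(span) > max_declines and len(merchants) >= min_merchants:
                best = flagged.get(pan)
                if best is None or len(span) > best["declines"]:
                    flagged[pan] = {"declines": len(span), "merchants": len(merchants)}
    return flagged


if __name__ == "__main__":
    for pan, stats in detect_distributed_guessing(SAMPLE_EVENTS).items():
        print(f"{pan}: {stats['declines']} declines across {stats['merchants']} merchants")
```

With the thresholds above only tok_A is flagged; tok_B's two declines at a single shop stay below both the count and the distinct-merchant requirement.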
"The unlimited guesses, when combined with the variations in the payment data fields, make it frighteningly easy for attackers to generate all the card details one field at a time," said Mohammed Ali, a PhD student in Newcastle University’s School of Computing Science, in a statement.
The guessing attack worked only on Visa’s network. MasterCard’s network, the only other network that the researchers tested, quickly detected the guessing even when the attempts were spread across different merchant sites.
To verify the attack, the researchers used their own cards and ran a website bot and an automated script against 400 top merchant sites to see if they could guess their own Visa card details.
For the paper, the researchers began with the PAN for each of their cards and tried to see if they could guess the CVV, expiration date, and address associated with each. The attack works even when the PAN is not available.
With a valid PAN, all that an attacker has to do to guess the expiration date is to look for merchant sites that require only the card number and expiry date fields. Because most cards are valid for five years, an attacker needs only 60 attempts spread across multiple merchant websites to guess the expiration month and year. With the expiration date in hand, it takes fewer than 1,000 attempts to get the three-digit CVV, again by spreading the guesses over multiple sites.
As a result, with as few as 1,060 automated guesses, it becomes possible for an attacker to get the CVV and expiry date of any card. At the same time, if all merchants required cardholders to input the same three fields (the PAN, CVV, and expiration date), it would take as many as 60,000 attempts to get each field, the researchers said in their paper.
"The difference between 1,060 and 60,000 is the difference between a quick and practical attack, and a tedious, close-to-impractical attack," they said.
Getting the cardholder’s address is a little more involved and requires the attackers to first identify the issuing bank. But even here, online databases are available that reveal a card’s brand, type, and issuing bank name. This gives the attacker a starting point for guessing the correct postal code for the card. Because address verification is usually only done on numerical values, like the street number and zip code, there is no need for the attacker to have the actual street name.
Similarly, it is also possible to generate valid card numbers from scratch using only the first six digits of a PAN, which are the same across cards of a given type and issuer, and the Luhn algorithm for validating card numbers.
In a statement, Visa downplayed the severity of the problem.
"The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world," Visa noted.
Mechanisms like Verified by Visa, based on the 3DSecure standard, have bolstered security for e-commerce transactions, and Visa works closely with card issuers and acquirers to make it difficult for anyone to obtain and use cardholder data illegally.
"Visa welcomes industry and academic efforts to identify and address perceived vulnerabilities in the payment system," the statement said. "Along with our own internal monitoring and testing, this enables Visa and the payments industry to make payments ever more secure."