In Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?, a new paper in IEEE Security & Privacy, researchers from the University of Newcastle demonstrate a technique for guessing secruity details for credit-card numbers in six seconds -- attackers spread their guesses out across many websites at once, so no website gets enough bad guesses to lock the card or trigger a fraud detection system.
The researchers believe this method has already been used in the wild, as part of a spectacular hack against Tesco bank last month. They disclosed their findings to various payment processors in advance of the paper's publication and gave them time to attempt to remediate the problem before going public.
Mastercards are not vulnerable to this attack because "MasterCard’s centralised network detects the guessing attack after fewer than 10 attempts (even when those attempts were distributed across multiple websites)," but Visa cards are, because "Visa’s payment ecosystem does not prevent the attack."
The attack relies on the fact that different websites require different authentication data to process transactions -- some ask for addresses, others don't. So information gleaned from one website can be used to build up enough data to start guessing at a difference website, gradually building up the entire corpus of authentication details for the target card. For example, websites that only require card number and expiry can be used to glean the expiry date in no more than 60 guesses (because cards are only valid for a maximum of 60 months) and then this card number/expiry pair to can be used to guess the three-digit CVV in no more than 999 guesses.
Addresses are harder to guess, but the fact that card numbers are region-coded (the first six digits indicate the issuing bank and can be used to figure out the card's country of origin) allows for quick narrowing down. Many websites only require postal codes, and these can be narrowed down by confining guesses to locations near the card's issuing branch or the place from which the card number was stolen (by a skimmer, for example).
The authors propose mitigating this risk by standardising on requiring more checkout data, slowing down successive guesses, limiting the total number of failed guesses, and using IP address filters (rather than CAPTCHAs), and using secondary security tools like Verified by Visa, and suggest that payment gateways can implement some of these measures rather than leaving it all up to merchants. Ultimately, the fact that Mastercard can detect these attacks and Visa can't suggests that Visa could fix the problem at a much lower level, but as its process is largely opaque to the public, the researchers could not make specific recommendations.
To prevent the attack, either standardisation or centralisation
can be pursued (some card payment networks already provide
this). Standardisation would imply that all merchants need to
offer the same payment interface, that is, the same number of
fields. Then the attack does not scale anymore. Centralisation
can be achieved by payment gateways or card payment networks
possessing a full view over all payment attempts associated with
its network. Neither standardisation nor centralisation naturally
fit the flexibility and freedom of choice one associates with the
Internet or successful commercial activity, but they will provide
the required protection. It is up to the various stakeholders to
determine the case for and timing of such solutions.
Does The Online Card Payment Landscape Unwittingly Facilitate Fraud? [Mohammed Aamir Ali, Budi Arief, Martin Emms, and Aad van Moorsel/IEEE Security & Privacy 2017]
Criminals can guess Visa card number and security code in just six seconds, experts find
[Tom Wilkinson/The Independent]