24 March 2017
visit http://events.sap.com/gb/fsi-forum-2017/en/home

Guesswork alone can crack Visa card security - Newcastle University

05 December 2016  |  9773 views  |  12 Credit card

Working out the card number, expiry date and security code of any Visa credit or debit card can take as little as six seconds and uses nothing more than guesswork, new research has shown.

Research published in the academic journal IEEE Security & Privacy, shows how the so-called Distributed Guessing Attack is able to circumvent all the security features put in place to protect online payments from fraud.

Exposing the flaws in the Visa payment system, the team from Newcastle University, UK, found neither the network nor the banks were able to detect attackers making multiple, invalid attempts to get payment card data.

By automatically and systematically generating different variations of the cards security data and firing it at multiple websites, within seconds hackers are able to get a ‘hit’ and verify all the necessary security data, they say.

Investigators believe this guessing attack method is likely to have been used in the recent Tesco cyberattack which defrauded customers of £2.5m and which the Newcastle team describe as “frighteningly easy if you have a laptop and an internet connection.”

“This sort of attack exploits two weaknesses that on their own are not too severe but when used together, present a serious risk to the whole payment system,” explains Mohammed Ali, a PhD student in Newcastle University’s School of Computing Science and lead author on the paper.

To obtain card details, the attack uses online payment websites to guess the data and the reply to the transaction will confirm whether or not the guess was right.

Because the current online system does not detect multiple invalid payment requests on the same card from different websites, unlimited guesses can be made by distributing the guesses over many websites.

However, the team found it was only the Visa network that was vulnerable.

“MasterCard’s centralised network was able to detect the guessing attack after less than 10 attempts - even when those payments were distributed across multiple networks,” says Mohammed.

At the same time, because different online merchants ask for different information, it allows the guessing attack to obtain the information one field at a time.

Mohammed explains: “Most hackers will have got hold of valid card numbers as a starting point but even without that it’s relatively easy to generate variations of card numbers and automatically send them out across numerous websites to validate them.

It takes at most 60 attempts to guess the expiry date, he says, and up to 100o tries to uncover the three digit CVV code.

Newcastle University’s Dr Martin Emms, co-author on the paper, has this advice for consumers shopping online: "Use just one card for online payments and keep the spending limit on that account as low as possible. If it’s a bank card then keep ready funds to a minimum and transfer over money as you need it.

“However, the only sure way of not being hacked is to keep your money in the mattress and that’s not something I’d recommend”

“The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world.

In response, Visa states: "We provide issuers with the necessary data to make informed decisions on the risk of transactions. There are also steps that merchants and issuers can take to thwart brute force attempts."

The card scheme points to upcoming improvements in security through the 3D Secure 2.0 specification and the liability shift to merchants that fail to implement the standard.

"For consumers, the most important thing to remember is that if their card number is used fraudulently, the cardholder is protected from liability," it states.
KeywordsE-COMMERCE

Comments: (12)

A Finextra member
A Finextra member | 05 December, 2016, 11:28

Seems like a lot of effort to me and the 'reward' may be limited. Surely the key is to identify those cards with a high credit limit first. The next question is how best to exploit the lophole that they believe they've identified? Having successfully identified the card details, expiry date and CVV, repeat spending over a relatively short period of time will no doubt trigger a card issuers risk profile for that customer and stop any fraud fairy early on .....won't it?

Is this just scaremongering or a real and genuine threat that consumers should take note off? Personally for me, I think it's the former rather than the latter.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member
A Finextra member | 05 December, 2016, 13:38

Again the world of academia shows how removed from reality they are.  How many requests would need to be generated in the "seconds" to determine and identify a valid set of PAN, CVV and Expiry Date - the (significant) TPS load this would generate would flag up something suspicous to system administrators - and most modern transaction processing environments would identify a significant velocity of declined transactions due to invalid data (pan, expiry date, cvv).

1 thumb up! 1 thumb up! (Log in to thumb up)
A Finextra member
A Finextra member | 05 December, 2016, 13:38

Time to get out the Tin Foil hat...

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member
A Finextra member | 05 December, 2016, 15:19

Shows naivety and ignorance on part of the academics. The most basic Issuer Fraud Detection systems will spot this kind of attempts very quickly and block the card. 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 05 December, 2016, 18:35

Why is this study silent on the time taken to crack the cardholder name? I don't know too many websites that allow an online card payment to go thru' without that piece of info.

2 thumb ups! 2 thumb ups! (Log in to thumb up)
A Finextra member
A Finextra member | 06 December, 2016, 08:05

It's a bit disappointing to read comments like 'Again the world of academia shows how removed from reality they are.' when the article actually addresses most of the questions.

There are two essential parts to the study:

  • By combining different web sites -- some asking for just PAN and expiry date, some asking for PAN, expiry and CVV2, some asking for PAN, expiry, CVV2 and address, the data can be efficiently cracked. Instead of having to check 60 (months) * 1000 (CVV 2 values) = 60k combinations, first retrieving the expiry date (60 requests) and then retrieving the CVV2 (1000 requests) allows the attack to be much more efficient
  • Fraud detection systems for the tested VISA cards did not pick up on the fraud. The authors actually used Western Union to get funds from the card into their hands.
  • The tested Mastercard cards did get blocked.

 

However, it is likely that the difference between Mastercard and Visa here is rather a difference between two banks -- one with a better fraud detection system than the other.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Ketharaman Swaminathan
Ketharaman Swaminathan - GTM360 Marketing Solutions - Pune | 06 December, 2016, 10:51

If different fraud detection systems at different banks can cause the observed difference in "hackability between the two cards, then, IMHO (a) it's a bit irresponsible to tag the hackability difference by V / MC; and (b) a bit naive to select two such banks in the first place for conducting this test.

If anyone from the testing team needs any tips on finding a single bank that offers both V and MC cards and manages both of them on the same card management and fraud detection systems, they can feel free to contact me.

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Eli Talmor
Eli Talmor - SentryCom Ltd. - Haifa | 06 December, 2016, 11:10

The article shows the mechanism how credit-card data can end-up in the black market. This is not the only way - see all the breaches worldwide. The end of the story - one can buy these data for $5 :

http://www.networkworld.com/article/2995427/malware-cybercrime/how-much-is-your-stolen-personal-data-worth.html

All those in favour of believing that "few numbers in the cloud" are being save - are a little bit naive.

General public is probably less naive than we think ( 62% are afraid of buying online). 

 

 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member
A Finextra member | 06 December, 2016, 11:11 Publish the test data otherwise it is as conclusive as "eight out ten cats prefer Whiskers".
Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member
A Finextra member | 06 December, 2016, 11:42

'However, it is likely that the difference between Mastercard and Visa here is rather a difference between two banks -- one with a better fraud detection system than the other' .... so how do you come to the conclusion that is the headline of your report? How irresponsible!

Also, you forget that most web sites now support 3D-Secure or some other form of 2-Factor authentication. So, getting hold of the card details alone is not going to get you very far.

What you need to do is publish details of the study like sample selection methodology, sample size, test methodology and observations based on which you draw your conclusions. Otherwise, it is just 'statistics, damn-lies and statistics'

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member
A Finextra member | 06 December, 2016, 11:46

 > Also, you forget that most web sites now support 3D-Secure or some other form of 2-Factor authentication.

The artcile addresses this. Most web sites do not enforce it, which means it is essentially useless.

 > What you need to do is publish details of the study like sample selection methodology, sample size, test methodology and observations based on which you draw your conclusions. 
Those are in the article.

For the original article, see http://eprint.ncl.ac.uk/pub_details2.aspx?pub_id=230123 .

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
A Finextra member
A Finextra member | 06 December, 2016, 11:56

Unfortunately, http://eprint.ncl.ac.uk/pub_details2.aspx?pub_id=230123 requires logging into the University system. Are you able to publish this on LinkedIn?

On a separate note, you will find that where the card issuer supports 3D-Secure/2-Factor authentication and the cardholder is enrolled for the service, then any merchant not supporting this is liable for the fraud as per card scheme rules. So, consumers will be protected.

 

Be the first to give this comment the thumbs up 0 thumb ups! (Log in to thumb up)
Comment on this story (membership required)

Finextra news in your inbox

For Finextra's free daily newsletter, breaking news flashes and weekly jobs board: sign up now

Related stories

Cloned card cash-out operation touted as possible Tesco Bank breach explanation

Cloned card cash-out operation touted as possible Tesco Bank breach explanation

17 November 2016  |  7362 views  |  3 comments | 6 tweets | 13 linkedin
Tesco Bank fraudsters drained £2.5 million from customer accounts

Tesco Bank fraudsters drained £2.5 million from customer accounts

09 November 2016  |  6907 views  |  0 comments | 9 tweets | 17 linkedin
Tesco Bank halts transactions after money disappears from customer accounts

Tesco Bank halts transactions after money disappears from customer accounts

07 November 2016  |  13265 views  |  7 comments | 25 tweets | 43 linkedin

Related blogs

Create a blog about this story (membership required)
Visit capgemini.comvisit abe-eba.euParticipate in the survey

Top topics

Most viewed Most shared
French retailer Carrefour launches online bank accountFrench retailer Carrefour launches online...
39259 views comments | 15 tweets | 35 linkedin
hands typing furiouslyMachine Learning: Lessons for Banks From S...
10392 views 0 | 13 tweets | 11 linkedin
Can banks really win in the payments business of the future? – new Finextra reportCan banks really win in the payments busin...
8134 views comments | 23 tweets | 37 linkedin
Westpac wants to take over your messaging keyboardWestpac wants to take over your messaging...
6743 views comments | 4 tweets | 10 linkedin
SecureKey taps IBM to put identity on the blockchainSecureKey taps IBM to put identity on the...
6485 views comments | 22 tweets | 15 linkedin

Featured job

Six Figure Base + Commission + Stock Options
London

Find your next job