Researchers from Newcastle University have identified a trivial cyber attack that exploits flaws in Visa’s card payment system. With the right set of software tools, the flaws can be exploited to “guess” a card number, its expiration date and the three-digit CVV (Card Verification Value) on the back of a card in as little as six seconds.
Mohammed Aamir Ali, a PhD student in Newcastle University’s School of Computing Science and lead author on a paper published in the academic journal IEEE Security & Privacy, notes that the attack uses multiple online payment websites to run a distributed guessing attack.
As you may know, many online merchants limit the number of attempts to enter correct payment information. What the researchers found, however, is that Visa’s network doesn’t detect multiple failed payment attempts from the same card across different websites.
Another key finding is that different websites ask for different combinations of card data fields to validate a payment, depending on their own requirements: card number, expiration date and/or CVV. Because Visa’s network does not detect multiple invalid payment requests for the same card, an attacker can make an unlimited number of guesses by spreading them over many websites.
Most attackers will already have valid card numbers as a starting point, but even without them it is relatively easy to generate variations of card numbers, the team said.
With a valid card number in hand, the next step is to guess the expiration date. Ali notes that banks typically issue cards that are valid for 60 months which means guessing the date takes at most 60 attempts. The three-digit CVV number is the final barrier but that can be guessed in fewer than 1,000 attempts.
Spread all of this out over hundreds or thousands of sites at once using a web bot and automated scripts and you can get all the pertinent details in as few as six seconds. The team used its own cards including seven Visa cards to verify that it is indeed possible and practical to obtain all the information on a card using a distributed guessing attack.
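An added example, not the researchers’ code, of the network-side check the paper says is missing: per-merchant decline counters never trip when guesses are spread thinly across sites, but a single per-card counter across all merchants does. The merchant names, thresholds, card tokens and log entries are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

PER_MERCHANT_LIMIT = 5   # assumption: a site locks a card after 5 declines
NETWORK_LIMIT = 10       # assumption: the network flags a card at 10 declines
WINDOW = timedelta(seconds=60)

def build_sample_log():
    """Constructed log entries: (timestamp, merchant, card_token, approved).
    One tokenised card draws 3 declines at each of 6 merchants, the pattern a
    distributed guess produces; a second card shows a normal typo-and-retry."""
    t0 = datetime(2016, 12, 2, 10, 0, 0)
    log, i = [], 0
    for merchant in ("shop-a", "shop-b", "shop-c", "shop-d", "shop-e", "shop-f"):
        for _ in range(3):
            log.append((t0 + timedelta(seconds=i), merchant, "tok_4111", False))
            i += 1
    log.append((t0 + timedelta(seconds=40), "shop-a", "tok_5500", False))
    log.append((t0 + timedelta(seconds=45), "shop-a", "tok_5500", True))
    return log

def per_merchant_lockouts(log, limit=PER_MERCHANT_LIMIT):
    """Merchant-local view: (merchant, card) pairs that hit the site's own limit."""
    declines = defaultdict(int)
    for _, merchant, card, approved in log:
        if not approved:
            declines[(merchant, card)] += 1
    return {pair for pair, n in declines.items() if n >= limit}

def network_alerts(log, limit=NETWORK_LIMIT, window=WINDOW):
    """Network view: declines per card across all merchants in a sliding window.
    Returns card -> (time the alert fired, distinct merchants seen in the window)."""
    recent = defaultdict(deque)   # card -> (timestamp, merchant) of recent declines
    alerts = {}
    for ts, merchant, card, approved in sorted(log):
        if approved:
            continue
        q = recent[card]
        q.append((ts, merchant))
        while ts - q[0][0] > window:   # drop declines older than the window
            q.popleft()
        if len(q) >= limit and card not in alerts:
            alerts[card] = (ts, len({m for _, m in q}))
    return alerts

if __name__ == "__main__":
    log = build_sample_log()
    print("merchant-level lockouts:", per_merchant_lockouts(log))  # set()
    print("network-level alerts:", network_alerts(log))
```

With the constructed log, no merchant ever sees more than three declines, while the network-wide counter fires on the tenth decline after only four merchants have been touched.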
Visa didn’t seem to think the attack was a big deal. In a statement to The Guardian, Visa said the research did not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be satisfied in order to make a transaction possible in the real world.
Testing the same attack with MasterCard credit and debit cards was unsuccessful, the researchers discovered, as its system was able to detect the attack. What's more, merchants that use 3D Secure technology (like Verified by Visa or MasterCard SecureCode) were also shielded from the attack.