Guessing valid credit card numbers in six seconds? Priceless

Fraudsters can guess credit card numbers in as little as six seconds per attempt thanks to security gaps in Visa's network, academics say. The brute force attacks allow criminals to bombard Visa with card payment requests across multiple sites with each attempt narrowing the possible combinations until a valid card number and …


And you included an active hyperlink to Rescator why, exactly?


It's a cool looking login page, but you don't have to go there. People on this forum either have secure computers or know not to go there, so ... meh.


Well El Reg has often not linked to websites in the past precisely because they were dodgy. I think this would be another one that falls into that category, especially with modern browsers helpfully pre-fetching pages unless you specifically tell them not to.

Good job this is December, in January you might wonder if you wanted that site in your Internet Connection Record.


Malwarebytes

Thankfully I'm running malwarebytes which blocked an outbound connection to rescator.cm, even though I hadn't clicked on it. Firefox being helpful and pre-loading links?


Re: Malwarebytes

It is if network.dns.disablePrefetch is false or network.prefetch-next is true in about:config.


> Good job this is December, in January you might wonder if you wanted that site in your Internet Connection Record.

Of course you want that. Generate as much noise as possible, let the datagreedos sort it out [Insert random raging jihad links or links to putin-friendly websites here]

Also: OMG, prefetch. People who think this was a good idea to incorporate into the overall design were probably the ones who boiled frogs in the microwave when kids.

> malwarebytes

Why!


Re: Malwarebytes

You are not wrong! Thanks


Unfortunately the Datagreedos say, "computer says 'yes'".

Try arguing with that.

Anonymous Coward

VISA

Very

Insecure

Security

Application


"The brute force attacks allow criminals to bombard Visa with card payment requests across multiple sites.... Some 78 per cent (303 sites) of the affected merchants did nothing when the team disclosed the attack. It is unknown why no action was taken." Isn't this somewhat self-explanatory? Individual merchants can't do much... it's up to Visa to detect the distributed requests since their network is the only one able to identify a pattern.


I thought that too. But from the article it seems that the retailers could do more too, re the whole CVV/home address thing. It's like VISA have said to them: "We've set up lots of security features, just ask the user for about half of them and that'll do."

The pattern would be easy to detect, similar to the too-many-failed-attempts = lockout on a LAN domain; the same, in fact. It's not even as technical as "detecting a pattern": if the lockout was for, say, an hour on, er, say, 5 wrong guesses (numbers to be thought out better), surely that would do the trick.

If I got a message saying "account frozen for 1 hour due to 40 wrong guesses coming from 40 different postcodes" I'd be more worried about that than buying the whatever. (I'd just use another card not under attack.)


Only 5 wrong guesses to lock a card for an hour? I could shut down the entire Visa network with only a modest DDOS attack with those rules!


Some people can't get it right the first 2-3 times.


Simple answer?

> Some 78 per cent (303 sites) of the affected merchants did nothing when the team disclosed the attack. It is unknown why no action was taken

Most of them don't do the processing perhaps? How often have you been redirected to Worldpay, for example?


Re: Simple answer?

> Most of them don't do the processing perhaps? How often have you been redirected to Worldpay, for example?

Exactly. In general, only large merchants do their own card processing. There are at least three ways in which a merchant can use a payment processor:

* overt redirection (which you will be aware of, because the payment page carries the processor's brand)

* redirection to a merchant-branded payment page hosted by the payment processor

* merchant-hosted page interacting with payment processor's web service.


SUBS! (or failing that, turn on the spelling checker)

"...partial breach records oof personal information..."

"...Top 400 online merchant sites accroding to findings in the paper..."

"Fraud of this sort us increasingly uncommon..."

"...seeking credit cards to abuse illegaly would..."

Can anyone find any more?


Re: SUBS! (or failing that, turn on the spelling checker)

Well the headline references the Mastercard ads, using "priceless". However, from the article, Mastercard are unaffected by this. "Visa, unlike rival Mastercard, does not detect the flood of requests as unusual"


Convenience V Security

This appears to be another case where security is sacrificed for the sake of making the transaction more convenient to the buyer.

Our bank-issued card machine allows us to use a lower level of security (such as no address details) where the card is not present, but it is made very clear that we, rather than the bank, would be taking on the financial risk if the transaction proves fraudulent.

Presumably some of the major retailers (or their insurers) can absorb this risk - or have better deals with their bank.


Partial article

Other sources stress that Visa is vulnerable to a distributed guessing attack but Master Card is not.

Also that use of Verified by Visa blocks this attack.

It is not clear to me how variation in the fields used aids the attack; possibly confirming the basic number and expiry date allows you to focus on other fields (think Cluedo) but I am not convinced that it makes it easy to brute force name and address.

Assuming that you have a name and (partial?) credit card number it should be relatively straightforward to brute force the full number, expiry date and 3 digit check code (not needed for card not present, I think). The system should be able to detect and block such a distributed brute force attack.

Wondering what implications this has for receipts which only print the last 4 numbers of the card.


Re: Partial article

From the paper it starts from a known card number. 60 guesses gets you the expiry date, a further 1000 to get the CVV.

You don't need to guess the whole address "Different websites perform varying levels of verification on the address field’s numerical digits, ranging from verifying just the numerical digits in the postcode (partial match), to the complete numerical digits in postcode plus the door number".

But 291 of the ~400 sites listed don't validate the address anyway so you would be able to use those sites with just the expiry + cvv.

I'm quite glad I'm accidentally with mastercard.


Re: Partial article

Oh yes, "Verified by Visa" - training users to type credit card numbers into third-party pop-up windows since...

Seriously, I'm not surprised the same company that came up with that is also responsible for this new idiocy.


Re: Partial article

Doesn't 'Verified by Visa' just ask you for random characters from your pass-phrase?

Mind you, just recently it's been telling me that 'This transaction did not need to be verified' - even when I pay for something on a new site!


Re: Partial article

The 'Verified by Visa' site itself looks like a scam site.

The first time it happened to me I was like nope; you can't even go to the homepage, as the domain does not have one, so it does not explain what the site does. It's like Visa thinks the page is a secret. People were very confused about it the first time; even forums did not trust it, as the whois info did not seem right (this was a very long time ago though).

If 'Verified by Visa' thinks it's low risk you get the low-risk redirect URL (normally I see it for like a second) and you end up back at the merchant site with payment completed, unless I do a payment outside the UK or the website was compromised recently (normally my bank won't even let the payment happen until the automated system calls me to allow it a second time).


Card not present?

I thought the whole point of the CVV number was that it **was** required for CNP transactions?


Re: Card not present?

Not entirely: if the merchant doesn't validate CVV, then they're liable for any fraudulent transactions, not the card issuer. For relatively low value sites, they may be prepared to take that risk, particularly as every extra security check loses you a (non-trivial) proportion of potential customers.


Re: Card not present?

CVV? How could anyone not ask for this? I can't think of any site I buy from that doesn't ask for this.


Re: Card not present?

Really? I can think of one that doesn't ask for a CVV in the normal course of a transaction. It begins with A, ends in N and has six characters in its name.


Re: Card not present?

The article says the crack works when CVV numbers are NOT required. I haven't encountered such a website, ever.

Meanwhile by coincidence a few days ago on R4 there was an academic being interviewed who could demo cracking CVV numbers in minutes if card number and expiry were already known, by concurrently testing 000 to 999 across hundreds of random payment pages.

Anonymous Coward

Two Words...

Tesco Bank


Re: Two Words...

The paper does in fact speculate that this is the attack used on Tesco Bank.


Begins with A, ends in N

> I can think of one that doesn't ask for a CVV in the normal course of a transaction. It begins with A, ends in N and has six characters in its name.

They certainly asked for my CVV when I made a transaction with them.


Re: Begins with A, ends in N

If web/phone merchants use it, they shouldn't store it, just make the transaction and forget it. Amazon UK doesn't ask for it when you add a card and doesn't ask for it when you buy something.

Unless they think something's up with your card?


Re: Begins with A, ends in N

From what I recall they ask for the CVV the first time you use the card to an address. If you want to change the delivery address or any of your details they ask for it again but once there is one successful transaction they don't ask for it for future ones.


"University's Mohammed Aamir Ali, Dr Leonardus Arief, Dr Martin Emms, and professor Aad van Moorsel..."

'Dr Cooper, Dr Hofstadter, Dr Koothrappali and Mr Wolowitz!'


How does CVV actually work?

I'm still not sure why/how the CVV mechanism makes transactions more secure. I reckon that in most cases where the card number was intercepted while doing a legit CNP transaction (whether it's on the customer's side or the merchant's), or on phishing sites, the CVV number could easily be captured too. But apparently this isn't the case, or else the whole CVV system would be useless.

I don't know the stats (how many numbers are stolen in POS transactions vs. internet (card not present)), but I always assumed that the latter would be the bulk of them. Does anybody have more information on this?


Re: How does CVV actually work?

The CVV doesn't protect against phishing. It protects against getting your card cloned at a physical reader (CVV not in magnetic stripe) and when a merchant loses a card database (CVV is not supposed to be stored).


Online => shipping...

Many systems will pick up on even the slightest discrepancy in the shipping vice billing address.

In other words, they'll only ship to the card holder.


Re: Online => shipping...

> In other words, they'll only ship to the card holder.

In my experience, this is rare and becoming rarer. Most deliveries are made during working hours, so buyers tend to have deliveries sent to their work address or to the home of a friend or relative who's in all day.


Ne'er-do-wells sure think outside the box.

Anonymous Coward

And now they finally have a good reason to have a sexy display where you see the codeword slowly filling in as time progresses while there is panic in the good guys' team, like in War Games.


google pay or fruity equivalent...

I have been using Google Pay with my Nexus 6P for a few months.

It presents a fake CC number to the merchant, that nevertheless carries payment.

If you have a pyramid of accounts (imagine the leaves at the bottom can't see up), then populate the electronic accounts with the leaves.

Hence, your attack surface is just then what they can social engineer after a few beers...

For the rest of the world without Google Pay (or fruity alternative), perhaps just use some leafy debit cards...

P.


Re: google pay or fruity equivalent...

Android Pay uses a virtual card number; the merchant never sees any of your card details (same as Apple Pay). If it gets compromised you just remove the card and re-add it to get a new virtual card number (there is an internet and an offline side of it, so it's hard to compromise, as offline is limited to 5 per no-phone-unlock; once the phone is unlocked with internet it resets the 5 no-unlock-phone limit).

iPhone has this as well, but as you're using a fingerprint to pay it's normally reset every time (unless there's no internet).

It would be nice if Google would add the option to require an unlock to allow transactions for 60 seconds, as at the moment you can steal someone's Android phone and make 5 £30 transactions (the only requirement is to turn the screen on to allow payment on Android Pay), even if this option is disabled by default so the user can optionally enable it (which is why I only link my credit card, even though I am not liable on my debit card when I tap and pay, as it's less fuss to dispute). It would take Google 60 seconds to add a tick box and whatever time to validate it (probably a lot longer, as this is something Google would not want to screw up).


WHAAAAAAT???!

"A handful of sites quickly updated their sites to use more secure mechanisms, while a few implemented updates that made their checkouts even less secure."

No comment necessary...

In related news, the lead researcher (Martin Emms) was interviewed about this on R4's Moneybox programme and explained it quite well. Starts at 16m 00s in:

http://www.bbc.co.uk/programmes/b0848blr

(No, of course I don't listen to Moneybox... all that stuff about pensions is far, far too depressing, as I'm now less than 15 years from permanent, involuntary unemployment. I was waiting for the 12:30 funny, currently The Now Show.)


Re: WHAAAAAAT???!

"Your pensions have been burnt down to keep the casino stock exchange based economy going a little bit longer

(appalled silence)

BWA-HA-HA-HA!!"

What is so depressing about that?


Bah!

I keep seeing smug comments about how chip-and-pin makes fraud "like this" harder, but exactly how do you implement chip-and-pin when buying from [pick-any-company] dot com?

This attack would seem to emulate the very sort of e-commerce that is fast becoming the preferred way of shopping in the urban eastern seaboard of the US.

And how does it work over the phone? As in when the electric bill is discovered sitting behind the sideboard instead of having made it into last month's post?


Re: Bah!

Chip and PIN has nothing to do with customer-not-present transactions. If they added an OTP to each debit and credit card that would work very well, as that could be a requirement for payment for online transactions if the card has the feature (the current way of having a separate card reader that generates the code is cumbersome).

The PayPal one has a push button on it with a very thin integrated battery that makes an OTP code each time it's pressed (valid for 30-60 seconds I think).

But that would add cost to each card that the banks would not want to pay, and they would most likely prefer to eat the small fraud risk (the USA does not seem even bothered about customer-present, never mind customer-not-present, transactions being fraud, as Visa and Mastercard are trying to push for chip and sign, which does not offer much more protection than just mag swipe).


Re: Bah!

Yeah, I knew that. I was pointing out that the author was singing a song which is largely pointless in the online commerce world.

And it was vendors in the US who put up resistance to C&P, not the banks underwriting the cards.


and then you get

those that require a CVV and don't accept a valid 4 digit CVV like some cards have on them...


Re: and then you get

Well, if it's 4 digits long it's not a CVV (Visa/Mastercard and some others) but an American Express CID (Card Identification Number).

Are you sure those sites accept Amex cards? If they did, they would adhere to the required validation scheme...
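As an added illustration of the point in this reply (not code from the thread or from any card scheme), here is the naive "every security code is 3 digits" check that rejects a valid Amex CID, beside a brand-aware check that accepts it. The BIN prefixes are the public Amex/Visa/Mastercard ranges, the sample PANs are the industry's published test numbers rather than real cards, and the function names are my own.

```python
def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test on a PAN supplied as a digit string."""
    if not pan.isdigit() or len(pan) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(pan: str) -> str:
    """Brand from the leading digits; only the ranges this thread talks about."""
    if not pan.isdigit() or len(pan) < 4:
        return "unknown"
    if pan[:2] in ("34", "37"):
        return "amex"
    if pan[0] == "4":
        return "visa"
    if 51 <= int(pan[:2]) <= 55 or 2221 <= int(pan[:4]) <= 2720:
        return "mastercard"
    return "unknown"


def security_code_ok_naive(code: str) -> bool:
    """The check the commenter ran into: every security code assumed to be 3 digits."""
    return code.isdigit() and len(code) == 3


def security_code_ok(pan: str, code: str) -> bool:
    """Brand-aware check: Amex prints a 4-digit CID, Visa/Mastercard a 3-digit CVV2."""
    expected = {"amex": 4, "visa": 3, "mastercard": 3}.get(card_brand(pan))
    return expected is not None and code.isdigit() and len(code) == expected


# Constructed sample input: the industry's published test PANs, not real cards.
SAMPLE_PANS = {
    "amex": "378282246310005",
    "visa": "4111111111111111",
    "mastercard": "5555555555554444",
}
```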


CVV2 brute forcing is surprising

The issuing institution should dictate whether CVV2 is verified and perform the verification.

It should also have 'velocity' checks on bad CVV2 attempts and/or fraud systems that detect multiple bad CVV2 attempts and ultimately block or restrict the card once a limit is reached, so using a variety of different merchants should not be able to bypass this restriction.

I would expect the CVV2 limit/tries to be in the single digits to minimise the chance of a 'lucky' guess. After all, inputting 3 relatively clear digits from the back of the card is one of the simpler parts of the payment process.

It would be interesting to know which Visa cards were used/derived and which institution(s) issued them.

The researchers are correct in that this should be addressed by the Payment Networks and Card Issuers but the Merchants should always demand the CVV2.
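An added example (not from the thread, the paper or any issuer) of the issuer-side velocity check described in this post and in the earlier "too many failed attempts = lockout" comment: failed CVV2/expiry verifications are counted per card across every merchant, so a guessing run spread over many sites still trips one limit. The class, field names and the 5-failures-per-hour numbers are assumptions taken from the thread's own suggestion.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class AuthAttempt:
    card_token: str   # issuer-side reference for the PAN (hypothetical field name)
    merchant_id: str  # merchant that forwarded the request
    ts: float         # seconds since epoch
    cvv2_ok: bool     # submitted CVV2 matched the issuer's value?
    expiry_ok: bool   # submitted expiry matched?


class IssuerVelocityCheck:
    """Failed CVV2/expiry verifications counted per card across all merchants.
    Keyed on the card, not the merchant or source IP, so a guessing run spread
    over dozens of merchants still lands on one counter at the issuer."""

    def __init__(self, max_failures=5, window_seconds=3600):
        self.max_failures = max_failures
        self.window = window_seconds
        self.failures = defaultdict(deque)  # card_token -> failed-attempt timestamps
        self.blocked_until = {}             # card_token -> ts at which the block lifts

    def authorize(self, a: AuthAttempt):
        """Return (decision, reason) for one authorization request."""
        if a.ts < self.blocked_until.get(a.card_token, 0):
            return ("DECLINE", "card_blocked")
        q = self.failures[a.card_token]
        while q and a.ts - q[0] >= self.window:  # forget failures outside the window
            q.popleft()
        if a.cvv2_ok and a.expiry_ok:
            return ("APPROVE", None)
        q.append(a.ts)
        if len(q) >= self.max_failures:
            # Trade-off raised in the thread: anyone holding the PAN can trip this,
            # so keep the window short and tell the cardholder rather than
            # silently cancelling the card.
            self.blocked_until[a.card_token] = a.ts + self.window
            return ("DECLINE", "velocity_limit")
        return ("DECLINE", "verification_failed")


def simulate_distributed_guessing(guesses=7, correct_at=7):
    """Constructed sample: one card, wrong CVV2 via merchants 1..6, right CVV2 via 7."""
    checker = IssuerVelocityCheck(max_failures=5, window_seconds=3600)
    decisions = []
    for i in range(1, guesses + 1):
        a = AuthAttempt(card_token="tok_constructed", merchant_id=f"merchant_{i}",
                        ts=1000.0 + i, cvv2_ok=(i == correct_at), expiry_ok=True)
        decisions.append(checker.authorize(a))
    return decisions  # the correct guess at merchant_7 is declined: card already blocked
```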


Biting the hand that feeds IT © 1998–2017