back to article Guessing valid credit card numbers in six seconds? Priceless

Fraudsters can guess credit card numbers in as little as six seconds per attempt thanks to security gaps in Visa's network, academics say. The brute force attacks allow criminals to bombard Visa with card payment requests across multiple sites with each attempt narrowing the possible combinations until a valid card number and …

  1. Lord Elpuss Silver badge

    And you Included an active hyperlink to Rescator why, exactly?

    1. Ole Juul Silver badge

      It's a cool looking login page, but you don't have to go there. People on this forum either have secure computers or know not to go there, so ... meh.

      1. Dan 55 Silver badge

        Well El Reg has often not linked to websites in the past precisely because they were dodgy. I think this would be another one that falls into that category, especially with modern browsers helpfully pre-fetching pages unless you specifically tell them not to.

        Good job this is December, in January you might wonder if you wanted that site in your Internet Connection Record.

        1. Destroy All Monsters Silver badge
          Childcatcher

          > Good job this is December, in January you might wonder if you wanted that site in your Internet Connection Record.

          Of course you want that. Generate as much noise as possible, let the datagreedos sort it out [Insert random raging jihad links or links to putin-friendly websites here]

          Also: OMG, prefetch. People who think this was a good idea to incorporate into the overall design were probably the ones who boiled frogs in the microwave when kids.

          > malwarebytes

          Why!

          1. Dan 55 Silver badge

            Unfortunately the Datagreedos say, "computer says 'yes'".

            Try arguing with that.

    2. Pen-y-gors Silver badge

      Malwarebytes

      Thankfully I'm running malwarebytes which blocked an outbound connection to rescator.cm, even though I hadn't clicked on it. Firefox being helpful and pre-loading links?

      1. Dan 55 Silver badge

        Re: Malwarebytes

        It is if network.dns.disablePrefetch is false or network.prefetch-next is true in about:config.

        1. Pen-y-gors Silver badge

          Re: Malwarebytes

          You are not wrong! Thanks

  2. Anonymous Coward
    Anonymous Coward

    VISA

    Very

    Insecure

    Security

    Application

  3. WebspaceMatt

    "The brute force attacks allow criminals to bombard Visa with card payment requests across multiple sites.... Some 78 per cent (303 sites) of the affected merchants did nothing when the team disclosed the attack. It is unknown why no action was taken." Isn't this somewhat self-explanatory? Individual merchants can't do much... it's up to Visa to detect the distributed requests since their network is the only one able to identify a pattern.

    1. Prst. V.Jeltz Silver badge

      I thought that too. But from the article it seems that the retailers could do more too, re the whole cvv/ home address thing. Its like VISA have said to the m - We've set up lots of security features - just ask the user for about half of them and that'll do.

      The pattern would be easy to detect, similar to the too many failed attempts = lockout on a LAN domain, the same in fact. Its not even as technical as "detecting a pattern" if the lockout was for , say , an hour on , er , say 5 wrong guesses (numbers to be thought out better) surely that would do the trick.

      If I got a message saying "account frozen for 1 hour to to 40 wrong guesses coming from 40 different postcodes" i'd be more worried about that than buying the whatever. (I'd just use another card not under attack)

      1. ricegf

        Only 5 wrong guesses to lock a card for an hour? I could shut down the entire Visa network with only a modest DDOS attack with those rules!

        1. leexgx

          some people cant get it right the first 2-3 times

  4. Anonymous Coward
    WTF?

    Simple answer?

    Some 78 per cent (303 sites) of the affected merchants did nothing when the team disclosed the attack. It is unknown why no action was taken

    Most of them don't do the processing perhaps? How often have you been redirect to Worldpay for example?

    1. Kubla Cant Silver badge

      Re: Simple answer?

      Most of them don't do the processing perhaps? How often have you been redirect to Worldpay for example?

      Exactly. In general, only large merchants do their own card processing. There are at least three ways in which a merchant can use a payment processor:

      * overt redirection (which you will be aware of, because the payment page carries the processor's brand)

      * redirection to a merchant-branded payment page hosted by the payment processor

      * merchant-hosted page interacting with payment processor's web service.

  5. S4qFBxkFFg

    SUBS! (or failing that, turn on the spelling checker)

    "...partial breach records oof personal information..."

    "...Top 400 online merchant sites accroding to findings in the paper..."

    "Fraud of this sort us increasingly uncommon..."

    "...seeking credit cards to abuse illegaly would..."

    Can anyone find any more?

    1. This post has been deleted by its author

  6. Blofeld's Cat

    Convenience V Security

    This appears to be another case where security is sacrificed for the sake of making the transaction more convenient to the buyer.

    Our bank-issued card machine allows us to use a lower level of security (such as no address details) where the card is not present, but it is made very clear that we, rather than the bank, would be taking on the financial risk if the transaction proves fraudulent.

    Presumably some of the major retailers (or their insurers) can absorb this risk - or have better deals with their bank.

  7. David Roberts Silver badge

    Partial article

    Other sources stress that Visa is vulnerable to a distributed guessing attack but Master Card is not.

    Also that use of Verified by Visa blocks this attack.

    It is not clear to me how variation in the fields used aids the attack; possibly confirming the basic number and expiry date allows you to focus on other fields (think Cluedo) but I am not convinced that it makes it easy to brute force name and address.

    Assuming that you have a name and (partial?) credit card number it should be relatively straightforward to brute force the full number, expiry date and 3 digit check code (not needed for card not present, I think). The system should be able to detect and block such a distributed brute force attack.

    Wondering what implications this has for receipts which only print the last 4 numbers of the card.

    1. Rimpel

      Re: Partial article

      Frmo the paper it starts from a known card number. 60 guesses gets you the expiry date, a further 1000 to get the cvv.

      You don't need to guess the whole address "Different websites perform varying levels of verification on the address field’s numerical digits, ranging from verifying just the numerical digits in the postcode (partial match), to the complete numerical digits in postcode plus the door number".

      But 291 of the ~400 sites listed don't validate the address anyway so you would be able to use those sites with just the expiry + cvv.

      I'm quite glad I'm accidentally with mastercard.

    2. veti Silver badge

      Re: Partial article

      Oh yes, "Verified by Visa" - training users to type credit card numbers into third-party pop-up windows since...

      Seriously, I'm not surprised the same company that came up with that is also responsible for this new idiocy.

      1. Sir Runcible Spoon Silver badge

        Re: Partial article

        Doesn't 'Verified by Visa' just ask you for random characters from you pass-phrase?

        Mind you, just recently it's been telling me that 'This transaction did not need to be verified' - even when I pay for something on a new site!

        1. leexgx

          Re: Partial article

          the 'Verified by Visa' site it self looks like a scam site

          first time it happened to me i was like nope, you cant even goto the homepage as the domain does not have one so does not explain what the site does, its like visa thinks the page is a secret people was very confused about it when first time even fourms did not trust it as the whois info did not seem right (this was very long time ago thought)

          if 'Verified by Visa' thinks its a low risk you get the low risk redirect url (norm i see it for like a second) and you end back at the merchant site with payment completed, unless i do a payment outside the UK or the website was compromised recently (norm my bank wont even let the payment happen until the automated system calls me to allow it a second time)

  8. Jon Massey
    WTF?

    Card not present?

    I thought the whole point of the CVV number was that is **was** required for CNP transactions?

    1. Chris Miller

      Re: Card not present?

      Not entirely: if the merchant doesn't validate CVV, then they're liable for any fraudulent transactions, not the card issuer. For relatively low value sites, they may be prepared to take that risk, particularly as every extra security check loses you a (non-trivial) proportion of potential customers.

      1. MrXavia

        Re: Card not present?

        CVV? How could anyone not ask for this? I can't think of any site I buy from that doesn't ask for this..

        1. jeremyjh

          Re: Card not present?

          Really? I can think of one that doesn't ask for a CVV in the normal course of a transaction. It begins with A, ends in N and has six characters in its name.

      2. Nifty

        Re: Card not present?

        The article says the crack woks when CVV numbers are NOT required. I haven't encountered such a website, ever.

        Meanwhile by coincidence a few days ago on R4 there was an academic being interviewed who could demo cracking CVV numbers in minutes if card number and expiry were already known, by concurrently testing 000 to 999 across hundreds of random payment pages.

  9. Anonymous Coward
    Anonymous Coward

    Two Words...

    Tesco Bank

    1. Tom Paine Silver badge

      Re: Two Words...

      The paper does in fact speculate that this is the attack used on Tesco Bank.

  10. JJKing Bronze badge

    Begins with A, ends in N

    I can think of one that doesn't ask for a CVV in the normal course of a transaction. It begins with A, ends in N and has six characters in its name.

    They certainly asked for my CVV when I made a transaction with them.

    1. Dan 55 Silver badge

      Re: Begins with A, ends in N

      If web/phone merchants use it, they shouldn't store it, just make the transaction and forget it. Amazon UK doesn't ask for it when you add a card and doesn't ask for it when you buy something.

      Unless they think something's up with your card?

      1. Mainframe Wallah

        Re: Begins with A, ends in N

        From what I recall they ask for the CVV the first time you use the card to an address. If you want to change the delivery address or any of your details they ask for it again but once there is one successful transaction they don't ask for it for future ones.

  11. FuzzyWuzzys Silver badge
    Joke

    "University's Mohammed Aamir Ali, Dr Leonardus Arief, Dr Martin Emms, and professor Aad van Moorsel..."

    'Dr Cooper, Dr Hofsteader, Dr Kuthrapalli and Mr Wollowitz!'

  12. Frank Bitterlich

    How does CVV actually work?

    I'm still not sure why/how the CVV mechanism makes transactions more secure. I reckon that in most cases where the card number was intercepted while doing a legit CNP transaction (whether it's on the customer's side or the merchant's), or on phishing sites, the CVV number could easily be captured too. But apparenty this isn't the case - or else the whole CVV system would be useless.

    I don't know the stats - how many numbers are stolen in POS transactions vs. internet (ard not present) - but I always assumed that the latter would be the bulk of them. Does anybody have more information on this?

    1. Named coward

      Re: How does CVV actually work?

      The CVV doesn't protect against phising. It protects against getting your card cloned at a physical reader (CVV not in magnetic stripe) and when a merchant loses a card database (CVV is not supposed to be stored)

  13. JeffyPoooh Silver badge
    Pint

    Online => shipping...

    Many systems will pick-up on the even the slightest discrepancy in the Shipping vice Billing address.

    In other words, they'll only ship to the card holder.

    1. Kubla Cant Silver badge

      Re: Online => shipping...

      In other words, they'll only ship to the card holder.

      In my experience, this is rare and becoming rarer. Most deliveries are made during working hours, so buyers tend to have deliveries sent to their work address or to the home of a friend or relative who's in all day.

  14. Anonymous South African Coward Silver badge

    Ne'er-do-wells sure think outside the box.

    1. Anonymous Coward
      Anonymous Coward

      And now they finally have a good reason to have a sexy display where you see the codeword slowly filling in as time progresses while the there is panic in the good guys' team, like in War Games.

  15. phil dude
    Coat

    google pay or fruity equivalent...

    i have been using Google Pay with my Nexus 6P for a few months.

    It presents a fake CC number to the merchant, that nevertheless carries payment.

    If you have a pyramid of accounts (imagine the leaves at the bottom can't see up), then populate the electronic accounts with the leaves.

    Hence, your attack surface is just then what they can social engineer after a few beers...

    For the rest of the world without Google Pay (or fruity alternative), perhaps just use some leafy debit cards...

    P.

    1. leexgx

      Re: google pay or fruity equivalent...

      android pay uses virtual card number the merchant never sees any of your card details (same as apple pay) if it gets compromised you just remove the card and re add it to get a new virtual card number (there is a internet and offline side of it so its hard to compromise as offline is limited to 5 per No phone unlock, once phone is unlocked+internet it resets the 5 no unlock phone limit)

      iphone has this as well but as your using fingerprint to pay its norm reset every time (unless no internet)

      be nice if google would add the option to require unlock to allow transaction for 60 seconds as at the moment you can steal some ones android phone and make 5 £30 transactions (as the only requirement is turn the screen on to allow payment on android pay) even if this option is disabled by default so user can optionally enable it (as why i only link my credit card even though i am not liable on the my debit card when tap and pay as its less fuss to dispute) it would take google 60 seconds to add a tick box and what ever time to validate it (probably a way lot long as this is something google would not want to screw up)

  16. Tom Paine Silver badge
    Facepalm

    WHAAAAAAT???!

    "A handful of sites quickly updated their sites to use more secure mechanisms, while a few implemented updates that made their checkouts even less secure."

    No comment necessary...

    In related news, the lead researcher (Martin Emms) was interviewed about this on R4's Moneybox programme and explained it quite well. Starts at 16m 00s in:

    http://www.bbc.co.uk/programmes/b0848blr

    (No, of course I don't listen to Moneybox... all that stuff about pensions is far, far too depressing, as I'm now less than 15 years from permanent, involuntary unemployment. I was waiting for the 12:30 funny, currently The Now Show.)

    1. Destroy All Monsters Silver badge
      Paris Hilton

      Re: WHAAAAAAT???!

      "Your pensions have been burn down to keep the casino stock exchange based economy going a little bit longer

      (appalled silence)

      BWA-HA-HA-HA!!"

      What is so depressing about that?

  17. Stevie Silver badge

    Bah!

    I keep seeing smug comments about how chip-and-pin makes fraud "like this" harder, but exactly how do you implement chip-and-pin when buying from [pick-any-company] dot com?

    This attack would seem to emulate the very sort of e-commerce that is fast becoming the preferred way of shopping in the urban eastern seaboard of the US.

    And how does it work over the phone? As in when the electric bill is discovered sitting behind the sideboard instead of having made it into last month's post?

    1. leexgx

      Re: Bah!

      chip and pin has nothing to do with customer not present transactions if they added a OTP to each debit and credit card that would work very well as that could be a requirement for payment for online transactions if the card has the feature (the current way of having a separate card reader that generates the code is cumbersome)

      the paypal one has a push button on it with a very thin battery integrated that makes a OTP code each time its pressed (valid for 30-60 seconds i think)

      but that would add cost to each card that the banks would not want to pay and would most likely prefer to eat the small fraud risk (USA does not seem even bothered about customer present never mind customer Not present transactions been fraud, as visa and mastercard are trying to Push for chip and sign witch does not offer much more protection than just mag swipe)

      1. Stevie Silver badge

        Re: Bah!

        Yeah, I knew that. I was pointing out that the author was singing a song which is largely pointless in the online commerce world.

        And it was vendors in the US who put up resistance to C&P, not the banks underwriting the cards.

  18. waldo kitty
    Boffin

    and then you get

    those that require a CVV and don't accept a valid 4 digit CVV like some cards have on them...

    1. MiguelC Silver badge

      Re: and then you get

      Well, if it's 4 digits long it's not a CVV (VISA / Mastercard and some others) but an American Express' CID (Card Identification Number)

      Are you sure those sites accept Amex cards? If they did, they would adhere to the required validation scheme...

  19. Ironclad

    CVV2 brute forcing is surprising

    The issuing institution should dictate whether CVV2 is verified and perform the verification.

    It should also have 'velocity' checks on bad CVV2 attempts and/or fraud systems that detect multiple bad CVV2 attempts and ultimately block or restrict the card once a limit is reached so using a variety of different Merchants should not be able to bypass this restriction.

    I would expect the CVV2 limit/tries to be in the single digits to minimise the chance of a 'lucky' guess. After all inputting 3 relatively clear digits from the back of the card is one of the simpler parts of the payment process.

    It would be interesting to know which Visa cards were used/derived and which institution(s) issued them.

    The researchers are correct in that this should be addressed by the Payment Networks and Card Issuers but the Merchants should always demand the CVV2.

  20. Cynic_999 Silver badge

    What we need ...

    ... is an entirely different system of payment for online transactions. Maybe a system where the user can have as many virtual cards as they like which are usually used for only one external transaction each, each having its own public/private key pair with the private key never being passed so cannot be intercepted or cloned. Maybe all transactions could be held in a public distributed blockchain constantly being verified by many independent operators (we could call them "miners").

    It would be kinda cool to be able to watch every transaction in the World in real time https://blockchain.info/

    1. peter_dtm
      Meh

      Re: What we need ...

      ... is an entirely different system of payment for online transactions.

      Isn't that what ApplePay does ? As I undersatnd the system

      Merchant asks Apple if the Apple pseudo random id presented is valid and good for the dosh

      Apple checks card (assume answer is yes)

      Apple says Yes & issues a transaction number to merchant to invoice Apple with in due course

      Apple sends debit request for amount of dosh with Apple transaction code to Card company; from whom Apple then gets the dosh (in due course).

      Merchant does not get to see any detail of purchaser - and especially not any card details; nor email address; nor street address etc etc ; nor amazon browsing history

      Card Company does not get to see any detail of merchant.

      Each transaction from the same purchaser gets a different pseudo random transaction code

      Card holder gets their goodies & only Apple knows the whole transaction chain. Do you trust Apple more or less than ?website?/amazon/ebay etc ?

      I assume AndroidPay will/does work much the same. Do you trust Amazon ?

  21. -tim
    Black Helicopters

    Birthday paradox strikes again?

    If I'm an evil hacker and playing games of trying to guess PINs in a large retail environment, I don't need to guess your PIN, I just need to guess someone's PIN. I could pick a popular PIN every week so the 1st week I pick 8520 and try every card number I can find. The next week I might try 1234. After about 6 months of trying just the 25 most common numbers, I end up with about 25% correct and without tripping the rate limiters. So much for that one in 10,000 on guessing a 4 digit number.

  22. MR J

    Two-Factor Auth Please

    I would like to see Tw-Factor Auth pushed as standard. (and I don't mean the 2nt factor being something like a postal code that you can just google!)...

    I personally have two of the one-time password generators where you put your card in, add pin, plug in a code then get back a verification code. I love how it "seems" fairly secure. Downside is that It is used so little that it often runs out of battery power before the second use!. My bank has decided to make my life easier now too and let me make purchases for up to £250 (per transition) without verification (I am Stunned by this).

    I have to wonder if the reason we don't see these things is because payment processors want to lower processing cost AND charge extra to merchants for this type of protection. Personally I would like to see the top protection be supplied to merchants at no extra cost - then we might see huge uptake.

    I live in the UK, and buy stuff from the US for people in the US sometimes. US Payment processors ask for your postal code, but generally they tend to pull the city from the postal code and then pass that up along with the first line of the address. I have never been able to easily buy things from the US as they all require a postal code, and all postal codes in the whole world are in nnnnn-nnnn format. So if I go to google and find a city with the same name as mine, anywhere in the USA, my card will run. I tell the US site I live in the UK, my address is in Florida, and I am shipping to Texas... Approved every time!

  23. Anonymous Coward
    Anonymous Coward

    Tip (from El Reg) - destroy the CV2 number

    (soldering iron may be needed)

    There was advice many years back from a poster (legend, sir !) that to make a card *truly* secure, the owner should memorise and then obliterate the CV2. The reason being no-one in real life needs it, so why leave it for all and sundry to see ?

    (This technique also ferrets out cheapskate retailers who are playing fast and loose with their merchant account and trying to put cardholder present transactions through as CNP. This has happened twice in shops who have been duly reported).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019