And you included an active hyperlink to Rescator why, exactly?
Fraudsters can guess credit card numbers in as little as six seconds per attempt thanks to security gaps in Visa's network, academics say. The brute force attacks allow criminals to bombard Visa with card payment requests across multiple sites with each attempt narrowing the possible combinations until a valid card number and …
Monday 5th December 2016 09:11 GMT Ole Juul
Monday 5th December 2016 09:53 GMT Dan 55
Well El Reg has often not linked to websites in the past precisely because they were dodgy. I think this would be another one that falls into that category, especially with modern browsers helpfully pre-fetching pages unless you specifically tell them not to.
Good job this is December, in January you might wonder if you wanted that site in your Internet Connection Record.
Monday 5th December 2016 17:35 GMT Destroy All Monsters
> Good job this is December, in January you might wonder if you wanted that site in your Internet Connection Record.
Of course you want that. Generate as much noise as possible, let the datagreedos sort it out [Insert random raging jihad links or links to Putin-friendly websites here]
Also: OMG, prefetch. People who think this was a good idea to incorporate into the overall design were probably the ones who boiled frogs in the microwave when kids.
Monday 5th December 2016 14:59 GMT Pen-y-gors
Monday 5th December 2016 08:26 GMT WebspaceMatt
"The brute force attacks allow criminals to bombard Visa with card payment requests across multiple sites.... Some 78 per cent (303 sites) of the affected merchants did nothing when the team disclosed the attack. It is unknown why no action was taken." Isn't this somewhat self-explanatory? Individual merchants can't do much... it's up to Visa to detect the distributed requests since their network is the only one able to identify a pattern.
Monday 5th December 2016 08:36 GMT Prst. V.Jeltz
I thought that too. But from the article it seems that the retailers could do more too, re the whole CVV/home address thing. It's like VISA have said to them: We've set up lots of security features - just ask the user for about half of them and that'll do.
The pattern would be easy to detect, similar to the too-many-failed-attempts = lockout on a LAN domain, the same in fact. It's not even as technical as "detecting a pattern": if the lockout was for, say, an hour on, er, say 5 wrong guesses (numbers to be thought out better) surely that would do the trick.
If I got a message saying "account frozen for 1 hour due to 40 wrong guesses coming from 40 different postcodes" I'd be more worried about that than buying the whatever. (I'd just use another card not under attack)
Monday 5th December 2016 08:45 GMT Anonymous Coward
Monday 5th December 2016 13:32 GMT Kubla Cant
Re: Simple answer?
Most of them don't do the processing perhaps? How often have you been redirected to Worldpay for example?
Exactly. In general, only large merchants do their own card processing. There are at least three ways in which a merchant can use a payment processor:
* overt redirection (which you will be aware of, because the payment page carries the processor's brand)
* redirection to a merchant-branded payment page hosted by the payment processor
* merchant-hosted page interacting with payment processor's web service.
Monday 5th December 2016 08:59 GMT S4qFBxkFFg
SUBS! (or failing that, turn on the spelling checker)
"...partial breach records oof personal information..."
"...Top 400 online merchant sites accroding to findings in the paper..."
"Fraud of this sort us increasingly uncommon..."
"...seeking credit cards to abuse illegaly would..."
Can anyone find any more?
Monday 5th December 2016 09:22 GMT Blofeld's Cat
Convenience V Security
This appears to be another case where security is sacrificed for the sake of making the transaction more convenient to the buyer.
Our bank-issued card machine allows us to use a lower level of security (such as no address details) where the card is not present, but it is made very clear that we, rather than the bank, would be taking on the financial risk if the transaction proves fraudulent.
Presumably some of the major retailers (or their insurers) can absorb this risk - or have better deals with their bank.
Monday 5th December 2016 09:33 GMT David Roberts
Other sources stress that Visa is vulnerable to a distributed guessing attack but Mastercard is not.
Also that use of Verified by Visa blocks this attack.
It is not clear to me how variation in the fields used aids the attack; possibly confirming the basic number and expiry date allows you to focus on other fields (think Cluedo) but I am not convinced that it makes it easy to brute force name and address.
Assuming that you have a name and (partial?) credit card number it should be relatively straightforward to brute force the full number, expiry date and 3 digit check code (not needed for card not present, I think). The system should be able to detect and block such a distributed brute force attack.
Wondering what implications this has for receipts which only print the last 4 numbers of the card.
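On the receipt question above, here is an added example of my own (not from the article, the paper or the poster) that puts a number on it with a Luhn check (ISO/IEC 7812): given the six-digit issuer prefix and the last four digits a receipt prints, only one of the remaining unknown digits is fixed by the checksum, so the candidate space is ten times smaller than the raw digit count suggests, not a million times smaller. The BIN, suffix and shortened card length used below are constructed for illustration.

```python
"""Luhn (ISO/IEC 7812) candidate enumeration for a partially known card number.

Added example, not the article's or the paper's code. The PAN prefix and the
receipt suffix below are constructed, not real accounts.
"""
from itertools import product


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn check (rightmost digit is the check digit)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def candidates(bin6: str, last4: str, length: int = 16):
    """Yield every PAN of the given length that starts with bin6, ends with last4
    and passes Luhn. Exactly one in ten raw combinations survives: whatever the
    other digits are, one unknown digit can always be chosen to fix the checksum."""
    unknown = length - len(bin6) - len(last4)
    for middle in product("0123456789", repeat=unknown):
        pan = bin6 + "".join(middle) + last4
        if luhn_valid(pan):
            yield pan


def count_candidates(bin6: str, last4: str, length: int = 16) -> int:
    return sum(1 for _ in candidates(bin6, last4, length))


def search_space(length: int, known_digits: int) -> int:
    """Number of Luhn-valid PANs consistent with `known_digits` fixed positions
    (at least one digit must be unknown)."""
    unknown = length - known_digits
    if unknown <= 0:
        raise ValueError("nothing left to guess")
    return 10 ** (unknown - 1)


if __name__ == "__main__":
    # A receipt printing only the last four still hands over 4 of the 10 digits
    # the BIN leaves unknown: 10**9 candidates shrink to 10**5.
    print("BIN only:       ", search_space(16, 6))
    print("BIN + last four:", search_space(16, 10))
    # Exhaustive enumeration on a constructed 12-digit format agrees with the
    # formula: 2 unknown digits, one fixed by Luhn, so 10 candidates.
    print("12-digit check: ", count_candidates("453201", "1234", length=12))
```

The point for the thread: the last-four on a receipt is not the attacker's whole answer, but combined with a BIN (which the paper's attack already assumes is known) it removes four of the six remaining unknowns, and a distributed guess can then be spread across sites.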
Monday 5th December 2016 12:45 GMT Rimpel
Re: Partial article
From the paper, it starts from a known card number. 60 guesses gets you the expiry date, a further 1000 to get the CVV.
You don't need to guess the whole address "Different websites perform varying levels of verification on the address field’s numerical digits, ranging from verifying just the numerical digits in the postcode (partial match), to the complete numerical digits in postcode plus the door number".
But 291 of the ~400 sites listed don't validate the address anyway so you would be able to use those sites with just the expiry + cvv.
I'm quite glad I'm accidentally with Mastercard.
Tuesday 6th December 2016 00:40 GMT veti
Tuesday 6th December 2016 11:58 GMT Sir Runcible Spoon
Thursday 8th December 2016 01:20 GMT leexgx
Re: Partial article
The 'Verified by Visa' site itself looks like a scam site.
The first time it happened to me I was like nope; you can't even go to the homepage, as the domain does not have one, so it does not explain what the site does. It's like Visa thinks the page is a secret. People were very confused about it the first time; even forums did not trust it, as the whois info did not seem right (this was a very long time ago though).
If 'Verified by Visa' thinks it's low risk you get the low-risk redirect URL (normally I see it for about a second) and you end back at the merchant site with payment completed, unless I do a payment outside the UK or the website was compromised recently (normally my bank won't even let the payment happen until the automated system calls me to allow it a second time).
Monday 5th December 2016 10:07 GMT Jon Massey
Monday 5th December 2016 10:25 GMT Chris Miller
Re: Card not present?
Not entirely: if the merchant doesn't validate CVV, then they're liable for any fraudulent transactions, not the card issuer. For relatively low value sites, they may be prepared to take that risk, particularly as every extra security check loses you a (non-trivial) proportion of potential customers.
Monday 5th December 2016 10:48 GMT MrXavia
Monday 5th December 2016 21:42 GMT Nifty
Re: Card not present?
The article says the crack works when CVV numbers are NOT required. I haven't encountered such a website, ever.
Meanwhile by coincidence a few days ago on R4 there was an academic being interviewed who could demo cracking CVV numbers in minutes if card number and expiry were already known, by concurrently testing 000 to 999 across hundreds of random payment pages.
Monday 5th December 2016 11:48 GMT JJKing
Monday 5th December 2016 12:21 GMT Frank Bitterlich
How does CVV actually work?
I'm still not sure why/how the CVV mechanism makes transactions more secure. I reckon that in most cases where the card number was intercepted while doing a legit CNP transaction (whether it's on the customer's side or the merchant's), or on phishing sites, the CVV number could easily be captured too. But apparently this isn't the case - or else the whole CVV system would be useless.
I don't know the stats - how many numbers are stolen in POS transactions vs. internet (card not present) - but I always assumed that the latter would be the bulk of them. Does anybody have more information on this?
Monday 5th December 2016 13:01 GMT JeffyPoooh
Monday 5th December 2016 13:40 GMT Kubla Cant
Re: Online => shipping...
In other words, they'll only ship to the card holder.
In my experience, this is rare and becoming rarer. Most deliveries are made during working hours, so buyers tend to have deliveries sent to their work address or to the home of a friend or relative who's in all day.
Monday 5th December 2016 13:21 GMT Anonymous South African Coward
Monday 5th December 2016 13:30 GMT phil dude
google pay or fruity equivalent...
i have been using Google Pay with my Nexus 6P for a few months.
It presents a fake CC number to the merchant, that nevertheless carries payment.
If you have a pyramid of accounts (imagine the leaves at the bottom can't see up), then populate the electronic accounts with the leaves.
Hence, your attack surface is just then what they can social engineer after a few beers...
For the rest of the world without Google Pay (or fruity alternative), perhaps just use some leafy debit cards...
Thursday 8th December 2016 02:03 GMT leexgx
Re: google pay or fruity equivalent...
Android Pay uses a virtual card number; the merchant never sees any of your card details (same as Apple Pay). If it gets compromised you just remove the card and re-add it to get a new virtual card number (there is an internet and an offline side of it, so it's hard to compromise, as offline is limited to 5 per no-phone-unlock; once the phone is unlocked + internet it resets the 5 no-unlock-phone limit).
iPhone has this as well, but as you're using fingerprint to pay it's normally reset every time (unless no internet).
It would be nice if Google would add the option to require unlock to allow transactions for 60 seconds, as at the moment you can steal someone's Android phone and make 5 £30 transactions (as the only requirement is to turn the screen on to allow payment on Android Pay), even if this option is disabled by default so the user can optionally enable it (which is why I only link my credit card, even though I am not liable on my debit card when tap and pay, as it's less fuss to dispute). It would take Google 60 seconds to add a tick box and whatever time to validate it (probably a lot longer, as this is something Google would not want to screw up).
Monday 5th December 2016 13:33 GMT Tom Paine
"A handful of sites quickly updated their sites to use more secure mechanisms, while a few implemented updates that made their checkouts even less secure."
No comment necessary...
In related news, the lead researcher (Martin Emms) was interviewed about this on R4's Moneybox programme and explained it quite well. Starts at 16m 00s in:
(No, of course I don't listen to Moneybox... all that stuff about pensions is far, far too depressing, as I'm now less than 15 years from permanent, involuntary unemployment. I was waiting for the 12:30 funny, currently The Now Show.)
Monday 5th December 2016 14:31 GMT Stevie
I keep seeing smug comments about how chip-and-pin makes fraud "like this" harder, but exactly how do you implement chip-and-pin when buying from [pick-any-company] dot com?
This attack would seem to emulate the very sort of e-commerce that is fast becoming the preferred way of shopping in the urban eastern seaboard of the US.
And how does it work over the phone? As in when the electric bill is discovered sitting behind the sideboard instead of having made it into last month's post?
Thursday 8th December 2016 02:17 GMT leexgx
Chip and PIN has nothing to do with customer-not-present transactions. If they added an OTP to each debit and credit card that would work very well, as that could be a requirement for payment for online transactions if the card has the feature (the current way of having a separate card reader that generates the code is cumbersome).
The PayPal one has a push button on it with a very thin battery integrated that makes an OTP code each time it's pressed (valid for 30-60 seconds I think).
But that would add cost to each card that the banks would not want to pay, and they would most likely prefer to eat the small fraud risk (the USA does not seem even bothered about customer-present, never mind customer-not-present, transactions being fraud, as Visa and Mastercard are trying to push for chip and sign, which does not offer much more protection than just mag swipe).
Monday 5th December 2016 14:41 GMT waldo kitty
Monday 5th December 2016 15:03 GMT Ironclad
CVV2 brute forcing is surprising
The issuing institution should dictate whether CVV2 is verified and perform the verification.
It should also have 'velocity' checks on bad CVV2 attempts and/or fraud systems that detect multiple bad CVV2 attempts and ultimately block or restrict the card once a limit is reached so using a variety of different Merchants should not be able to bypass this restriction.
I would expect the CVV2 limit/tries to be in the single digits to minimise the chance of a 'lucky' guess. After all inputting 3 relatively clear digits from the back of the card is one of the simpler parts of the payment process.
It would be interesting to know which Visa cards were used/derived and which institution(s) issued them.
The researchers are correct in that this should be addressed by the Payment Networks and Card Issuers but the Merchants should always demand the CVV2.
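The issuer-side velocity check Ironclad asks for, and the "5 wrong guesses and freeze for an hour" lockout Prst. V.Jeltz proposed further up, can be shown against the attack Rimpel summarised from the paper (known PAN; about 60 guesses for the expiry on sites that check only PAN + expiry, up to 1000 more for the CVV2 on sites that check it). Below is an added simulation of my own, not code from the article, the paper or any poster: one issuer, a pool of merchants that forward different field sets and each keep a purely local per-card attempt limit, and an attacker rotating merchants round-robin. The card, merchant names, limits and one-hour window are all constructed.

```python
"""Distributed guessing against an issuer with and without a velocity check.

Added example, not from the article, the Newcastle paper or any poster. Models
what the thread describes: the attacker already has the PAN, learns the expiry
(60 guesses) from sites that check only PAN + expiry, then the CVV2 (up to 1000)
from sites that also check it, rotating merchants so no single site's local
attempt limit ever trips. Card, merchant names, limits and window are constructed.
"""
from collections import defaultdict, deque

EXPIRIES = [f"{m:02d}/{y:02d}" for y in range(17, 22) for m in range(1, 13)]  # 60 guesses
CVVS = [f"{n:03d}" for n in range(1000)]                                       # 1000 guesses


class Issuer:
    """Authorises card-not-present requests, verifying only the fields the merchant sends."""

    def __init__(self, cards, velocity_check, max_bad=5, window=3600):
        self.cards = cards                    # pan -> {"expiry": ..., "cvv": ...}
        self.velocity_check = velocity_check  # count declines per card across ALL merchants
        self.max_bad, self.window = max_bad, window
        self.declines = defaultdict(deque)    # pan -> timestamps of recent declines
        self.blocked_until = {}
        self.clock = 0                        # simulated seconds; one tick per request

    def authorize(self, pan, fields):
        self.clock += 1
        now = self.clock
        if self.blocked_until.get(pan, -1) >= now:
            return "blocked"
        if all(self.cards[pan][k] == v for k, v in fields.items()):
            return "approved"
        if self.velocity_check:
            recent = self.declines[pan]
            recent.append(now)
            while recent and recent[0] <= now - self.window:
                recent.popleft()
            if len(recent) >= self.max_bad:   # too many bad attempts inside the window
                self.blocked_until[pan] = now + self.window
        return "declined"


class Merchant:
    """A checkout that forwards some subset of fields and keeps its own per-card limit."""

    def __init__(self, name, issuer, checks, local_limit=5):
        self.name, self.issuer, self.checks = name, issuer, checks
        self.local_limit = local_limit
        self.bad = defaultdict(int)           # pan -> declines seen at THIS merchant only

    def pay(self, pan, expiry, cvv):
        if self.bad[pan] >= self.local_limit:
            return "merchant_limit"
        fields = {"expiry": expiry}
        if "cvv" in self.checks:
            fields["cvv"] = cvv
        result = self.issuer.authorize(pan, fields)
        if result == "declined":
            self.bad[pan] += 1
        return result


def run_attack(velocity_check, n_expiry_only=50, n_cvv=300):
    pan = "4532015112830366"                  # constructed PAN (passes Luhn), not a real account
    issuer = Issuer({pan: {"expiry": "03/19", "cvv": "427"}}, velocity_check)
    expiry_sites = [Merchant(f"shop{i}", issuer, ("expiry",)) for i in range(n_expiry_only)]
    cvv_sites = [Merchant(f"store{i}", issuer, ("expiry", "cvv")) for i in range(n_cvv)]
    attempts = 0

    def sweep(sites, guesses, args_for):
        """Try each guess at the next merchant round-robin; stop on anything but a decline."""
        nonlocal attempts
        for i, guess in enumerate(guesses):
            attempts += 1
            result = sites[i % len(sites)].pay(pan, *args_for(guess))
            if result != "declined":
                return result, guess
        return "exhausted", None

    def report(outcome, **found):
        worst = max(m.bad[pan] for m in expiry_sites + cvv_sites)
        return {"outcome": outcome, "attempts": attempts,
                "max_declines_at_one_merchant": worst, **found}

    # Phase 1: expiry-only checkouts leak the expiry date.
    result, expiry = sweep(expiry_sites, EXPIRIES, lambda e: (e, "000"))
    if result != "approved":
        return report(result)
    # Phase 2: with the expiry known, CVV-checking checkouts leak the CVV2.
    result, cvv = sweep(cvv_sites, CVVS, lambda c: (expiry, c))
    if result != "approved":
        return report(result, expiry=expiry)
    return report("compromised", expiry=expiry, cvv=cvv)


if __name__ == "__main__":
    print("merchant-local limits only:", run_attack(velocity_check=False))
    print("issuer-side velocity check:", run_attack(velocity_check=True))
```

With only merchant-local limits the attacker recovers expiry and CVV2 in a few hundred requests while no single merchant ever sees more than two declines for the card; with the issuer counting declines per PAN across all merchants, the card is frozen on the sixth request. Where exactly the counter lives is the whole point of the thread: a limit each merchant keeps for itself cannot see a pattern that only exists in the aggregate.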
Monday 5th December 2016 19:02 GMT Cynic_999
What we need ...
... is an entirely different system of payment for online transactions. Maybe a system where the user can have as many virtual cards as they like which are usually used for only one external transaction each, each having its own public/private key pair with the private key never being passed so cannot be intercepted or cloned. Maybe all transactions could be held in a public distributed blockchain constantly being verified by many independent operators (we could call them "miners").
It would be kinda cool to be able to watch every transaction in the World in real time https://blockchain.info/
Monday 5th December 2016 23:08 GMT peter_dtm
Re: What we need ...
... is an entirely different system of payment for online transactions.
Isn't that what ApplePay does? As I understand the system:
Merchant asks Apple if the Apple pseudo random id presented is valid and good for the dosh
Apple checks card (assume answer is yes)
Apple says Yes & issues a transaction number to merchant to invoice Apple with in due course
Apple sends debit request for amount of dosh with Apple transaction code to Card company; from whom Apple then gets the dosh (in due course).
Merchant does not get to see any detail of purchaser - and especially not any card details; nor email address; nor street address etc etc ; nor amazon browsing history
Card Company does not get to see any detail of merchant.
Each transaction from the same purchaser gets a different pseudo random transaction code
Card holder gets their goodies & only Apple knows the whole transaction chain. Do you trust Apple more or less than ?website?/amazon/ebay etc ?
I assume AndroidPay will/does work much the same. Do you trust Amazon ?
Monday 5th December 2016 22:30 GMT -tim
Birthday paradox strikes again?
If I'm an evil hacker and playing games of trying to guess PINs in a large retail environment, I don't need to guess your PIN, I just need to guess someone's PIN. I could pick a popular PIN every week so the 1st week I pick 8520 and try every card number I can find. The next week I might try 1234. After about 6 months of trying just the 25 most common numbers, I end up with about 25% correct and without tripping the rate limiters. So much for that one in 10,000 on guessing a 4 digit number.
Monday 5th December 2016 22:36 GMT MR J
Two-Factor Auth Please
I would like to see Two-Factor Auth pushed as standard. (And I don't mean the 2nd factor being something like a postal code that you can just google!)...
I personally have two of the one-time password generators where you put your card in, add PIN, plug in a code then get back a verification code. I love how it "seems" fairly secure. Downside is that it is used so little that it often runs out of battery power before the second use! My bank has decided to make my life easier now too and let me make purchases for up to £250 (per transaction) without verification (I am stunned by this).
I have to wonder if the reason we don't see these things is because payment processors want to lower processing cost AND charge extra to merchants for this type of protection. Personally I would like to see the top protection be supplied to merchants at no extra cost - then we might see huge uptake.
I live in the UK, and buy stuff from the US for people in the US sometimes. US Payment processors ask for your postal code, but generally they tend to pull the city from the postal code and then pass that up along with the first line of the address. I have never been able to easily buy things from the US as they all require a postal code, and all postal codes in the whole world are in nnnnn-nnnn format. So if I go to google and find a city with the same name as mine, anywhere in the USA, my card will run. I tell the US site I live in the UK, my address is in Florida, and I am shipping to Texas... Approved every time!
Tuesday 6th December 2016 08:27 GMT Anonymous Coward
Tip (from El Reg) - destroy the CV2 number
(soldering iron may be needed)
There was advice many years back from a poster (legend, sir !) that to make a card *truly* secure, the owner should memorise and then obliterate the CV2. The reason being no-one in real life needs it, so why leave it for all and sundry to see ?
(This technique also ferrets out cheapskate retailers who are playing fast and loose with their merchant account and trying to put cardholder present transactions through as CNP. This has happened twice in shops who have been duly reported).