Criminals can use a type of distributed attack to guess the card number, expiration date, and CVV2 number of Visa members.
Security researchers Mohammed Aamir Ali, Budi Arief, Martin Emms, and Aad van Moorsel found that merchants’ websites request different types of information for a customer to complete an online payment using a payment card. Some websites ask only for the card number and expiration code. Others request more detailed information.
Unfortunately, those differences in some cases threaten the entire online payment system. As the researchers explain in their paper Does The Online Card Payment Landscape Unwittingly Facilitate Fraud? (PDF):
“We came to an important observation that the difference in security solutions of various web sites introduces a practically exploitable vulnerability in the overall payment system. An attacker can exploit these differences to build a distributed guessing attack which generates usable card payment details (card number, expiry date, card verification value, and postal address) one field at a time. Each generated field can be used in succession to generate the next field by using a different merchant’s website.”
The researchers tested their attack against MasterCard and Visa. The former detected the attack after fewer than 10 attempts, but the latter failed to prevent the attack. As a result, Aamir Ali and his colleagues demonstrated that someone could use their attack to guess Visa cardholders’ information sometimes in as little as six seconds.
Visa has looked at the research and said the findings don’t consider certain safeguards implemented by the online payment system. As quoted by The Independent:
“The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world.
“Visa is committed to keeping fraud at low levels and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally.
“We provide issuers with the necessary data to make informed decisions on the risk of transactions.
“There are also steps that merchants and issuers can take to thwart brute force attempts.”
That’s true. Merchants can use 3D Secure technologies recommended by the payment card industry. Those solutions enlist card issuing banks in the effort of authenticating cardholders before authorizing a payment. They also implement additional safeguards that help monitor for suspicious card activity.
To prevent the attack altogether, however, the researchers suggest that all the major payment card networks must embrace standardization and centralization. The former requires that all merchants use the same payment interface for their e-commerce websites, while the latter provides companies like Visa with insight into all transactions that are dispersed over its entire payment system.