'Guessing Attack' Bypasses Credit Card Security in 6 Seconds
December is always a very busy time for the banks and credit card companies as we all scramble to purchase presents in time for Christmas. But it's also a boon period for fraudsters who are trying to steal those precious card details. And now, it seems, they can "guess hack" a credit card in mere seconds.
A team of researchers at Newcastle University discovered two weaknesses in the way online transactions are verified using the Visa payment system. Neither weakness is of much use alone, but when used together, an attacker can recover a credit card's security information in as little as six seconds.
The two weaknesses being taken advantage of are as follows:
- Online payment systems do not detect multiple invalid payment requests if they are performed across multiple websites. They also allow up to 20 attempts per card on each site.
- Websites are not consistent in the checks they do, varying the card information requested.
Watch the video: https://www.youtube.com/watch?v=uwvjZGKwKvY&feature=youtu.be
As the video above demonstrates, it's possible to recover the expiry date, CVV numerical code, and the postal code associated with a card knowing only partial details, e.g. the card number and expiry date. The CCS2015 Toolkit automatically accesses a number of website payment systems and systematically removes the unknown elements through brute force failure and success until all the card details are uncovered.
Guessing an expiry date takes no more than 60 attempts, whereas a CVV code takes fewer than 1,000 attempts. Spread over hundreds or thousands of website payment systems, you can see why the card details don't stay hidden for very long.
The most worrying aspect of this attack is the fact the payment system, and therefore banks, do not detect it is happening. The attacker is creating a working stolen card in a matter of seconds, meaning they can steal it, use it, and discard it very quickly and before the owner realizes it has been stolen.
The research team confirmed that only Visa is prone to this form of attack. MasterCard detects the invalid attempts after 10 failures, which limits the attack's usefulness to fraudsters.
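The detection gap described above, as an added example that is not from the article or the research paper: failed authorizations are counted per card across all merchants instead of per site, and the result is compared with per-site counting on the same event stream. The limit of 10 mirrors the MasterCard figure quoted above; the window length, the HMAC key, the record layout and all names are assumptions.

```python
import hashlib
import hmac
from collections import defaultdict, deque

GLOBAL_FAIL_LIMIT = 10   # failures per card across all merchants (MasterCard figure quoted above)
PER_SITE_LIMIT = 20      # attempts per card the article says each site allows
WINDOW_SECONDS = 600     # assumption: sliding window for counting failures
HMAC_KEY = b"constructed-demo-key"  # assumption: a real deployment keeps this in an HSM/KMS

def card_key(pan):
    """Keyed digest so the counter store never holds raw card numbers."""
    return hmac.new(HMAC_KEY, pan.encode(), hashlib.sha256).hexdigest()

class CrossMerchantVelocity:
    """Counts failed authorizations per card regardless of which merchant sent them."""
    def __init__(self, limit=GLOBAL_FAIL_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.failures = defaultdict(deque)   # card key -> timestamps of recent failures
        self.blocked = set()

    def observe(self, ts, pan, approved):
        key = card_key(pan)
        if key in self.blocked:
            return "block"                   # stays blocked even if a later guess is right
        if approved:
            return "allow"                   # successes do not reset the failure count
        q = self.failures[key]
        q.append(ts)
        while q and ts - q[0] > self.window:
            q.popleft()                      # drop failures older than the window
        if len(q) >= self.limit:
            self.blocked.add(key)
            return "block"
        return "decline"

def replay(events):
    """Return (per_site_alert, index of the event that triggers the global block)."""
    per_site, site_alert, blocked_at = defaultdict(int), False, None
    monitor = CrossMerchantVelocity()
    for i, (ts, merchant, pan, approved) in enumerate(events, 1):
        if not approved:
            per_site[(merchant, pan)] += 1
            site_alert = site_alert or per_site[(merchant, pan)] >= PER_SITE_LIMIT
        if monitor.observe(ts, pan, approved) == "block" and blocked_at is None:
            blocked_at = i
    return site_alert, blocked_at

# Constructed sample: 60 failed checks for one test card number, 12 merchants, 6 seconds.
SAMPLE = [(i * 0.1, f"shop-{i % 12}", "4111111111111111", False) for i in range(60)]
```

On the constructed sample no single site ever sees more than five failures, so per-site counting stays silent, while the cross-merchant counter blocks the card at the tenth failure.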
According to Dr. Martin Emms, a co-author on the Newcastle University research paper, "Sadly there's no magic bullet" when it comes to solving this problem. Until websites and Visa solve the problems with their validation systems, it's up to users to keep their cards safe and react quickly to any suspicious behavior.
Source : December 5, 2016 06:32am EST