December 5, 2016
Academics at Newcastle University have proven that an attacker in possession of a minimal amount of existing information can, in an automated way, guess payment card data by exploiting weaknesses in online payment processes.
The issue lies in the fact that the global payment system lacks a centralized mechanism for monitoring invalid payment attempts across multiple websites. Using a purpose-built bot, an attacker can try multiple guesses on different websites until they land on all the necessary information without triggering a warning.
The attack works only against Visa’s payment ecosystem, the researchers said, adding that their experiments against 400 of the top-rated Alexa websites, including PayPal and Amazon, yielded card numbers, expiration dates, CVV numbers and additional data in a matter of seconds.
The attack scales and is practical, the researchers caution. The vulnerabilities and research were disclosed in advance to Visa and a number of the affected top websites, some of which have mitigated the attack. Visa said that the paper “Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?” does not take into account its fraud prevention systems that protect against such attacks. Mohammed Aamir Ali, one of the report’s coauthors, said that the researchers do indeed demonstrate how advanced attackers could exploit Visa’s multiple layers of fraud protection.
“This is about trying to stay one step ahead of the criminals, pushing the system, finding the flaws and learning from that,” Ali said.
Ali and his coauthors Budi Arief, Martin Emms and Aad van Moorsel advocate for a centralized system of security checks across transactions to be implemented to prevent what the paper describes as a distributed guessing attack.
“This attack subverts the payment functionality from its intended purpose of validating card details, into helping the attackers to generate all security data fields required to make online transactions,” the researchers wrote. “We will show that this attack would not be practical if all payment sites performed the same security checks.”
It has also been reported that the attack against Tesco, a U.K. retail bank, in which 20,000 account holders reported missing money, may have been carried out using this distributed guessing attack.
“We don’t have enough evidence to support this claim,” Ali told Threatpost.
The research was carried out against Visa and MasterCard; MasterCard has a centralized network that detects such guessing attacks after 10 tries, even if the 10 guesses are distributed across a number of sites. Visa does not have such checks, the researchers wrote.
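The difference the researchers describe, a per-site counter that an attacker can stay under by spreading guesses across merchants versus a network-wide counter keyed on the card, is easy to see in a small simulation. The following is an added example written for this article, not code from the Newcastle paper or from any card network. It keeps two failure counters per card (hashed, so no raw card numbers are stored): one per merchant site and one across all sites. The limits (5 failures per site, 10 across the network, a one-hour window), the site names and the constructed attempt log are all assumptions; only the figure of 10 distributed tries comes from the article.

```python
import hashlib
from collections import defaultdict, deque

# Thresholds are assumptions for this example. The article credits MasterCard's
# network with stopping a guessing attack after 10 tries across sites, so that
# figure is used for the network-wide limit.
GLOBAL_LIMIT = 10
PER_SITE_LIMIT = 5        # a typical stand-alone merchant rule (assumed)
WINDOW_SECONDS = 3600     # sliding window for counting failures (assumed)


def card_key(pan):
    """Hash the card number so the counters never hold a raw PAN."""
    return hashlib.sha256(pan.encode()).hexdigest()[:16]


class GuessDetector:
    """Counts failed authorisation attempts per card, both per site and network-wide."""

    def __init__(self, global_limit=GLOBAL_LIMIT, per_site_limit=PER_SITE_LIMIT,
                 window=WINDOW_SECONDS):
        self.global_limit = global_limit
        self.per_site_limit = per_site_limit
        self.window = window
        self.global_fail = defaultdict(deque)   # card key -> failure timestamps, all sites
        self.site_fail = defaultdict(deque)     # (card key, site) -> failure timestamps
        self.blocked = set()                    # card keys locked by the network-wide rule

    def _prune(self, timestamps, now):
        """Drop failures that fell out of the sliding window."""
        while timestamps and now - timestamps[0] > self.window:
            timestamps.popleft()

    def observe(self, ts, site, pan, accepted):
        """Feed one authorisation attempt; returns 'ok', 'site-alert' or 'blocked'."""
        key = card_key(pan)
        if key in self.blocked:
            return "blocked"
        if accepted:
            return "ok"
        g = self.global_fail[key]
        self._prune(g, ts)
        g.append(ts)
        s = self.site_fail[(key, site)]
        self._prune(s, ts)
        s.append(ts)
        if len(g) >= self.global_limit:
            self.blocked.add(key)
            return "blocked"
        if len(s) >= self.per_site_limit:
            return "site-alert"
        return "ok"


def constructed_attempts():
    """Constructed sample log: one card, two wrong guesses at each of six sites,
    30 seconds apart. The card number is the usual test PAN, not a real card."""
    sites = ["shop-a", "shop-b", "shop-c", "shop-d", "shop-e", "shop-f"]
    events, ts = [], 0
    for site in sites:
        for _ in range(2):
            events.append((ts, site, "4111111111111111", False))
            ts += 30
    return events


def run(events, detector=None):
    """Replay attempts and report when, if ever, each rule fired."""
    det = detector or GuessDetector()
    outcome = {"site_alerts": 0, "blocked_at": None, "verdicts": []}
    for i, (ts, site, pan, ok) in enumerate(events, start=1):
        verdict = det.observe(ts, site, pan, ok)
        outcome["verdicts"].append(verdict)
        if verdict == "site-alert":
            outcome["site_alerts"] += 1
        if verdict == "blocked" and outcome["blocked_at"] is None:
            outcome["blocked_at"] = i
    return outcome


if __name__ == "__main__":
    with_network = run(constructed_attempts())
    site_only = run(constructed_attempts(), GuessDetector(global_limit=10 ** 9))
    print("network-wide counter:", with_network)
    print("per-site counters only:", site_only)
```

With per-site counters alone the twelve failures never exceed two at any merchant, so nothing fires; the network-wide counter locks the card on the tenth failure regardless of which site received it. Replacing the hash with a proper card token and the in-memory deques with a shared store is what a real deployment of such a check would need.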