Researchers Warn of Visa Payment Fraud Gaps

Researchers have warned that deficiencies in Visa’s e-commerce payment network could allow attackers to brute force credit card details in as little as six seconds.

A paper from Newcastle University’s Mohammed Aamir Ali, Budi Arief, Martin Emms and Aad van Moorsel describes how they were able to launch a “distributed guessing attack” against Alexa top-400 online merchants’ payment sites to work out expiry dates and CV2 values.

As different sites perform different security checks to validate card details, hackers can launch mass attempts across a range of sites to work out the key verification details.

MasterCard is not affected as it enforces centralized checks across transactions from different sites and so detects the guessing attack after fewer than 10 attempts, but Visa’s payment ecosystem does not, and so is wide-open to attack, the report claimed.

The researchers explained the main problem:

“The first weakness is that in many settings, the current online payment system does not detect multiple invalid payment requests on the same card from different websites. Effectively, this implies that practically unlimited guesses can be made by distributing the guesses over many websites, even if individual websites limit the number of attempts.

"Secondly, the attack scales well because different web merchants provide different fields, and therefore allow the guessing attack to obtain the desired card information one field at a time.”

Guessing an expiry date using the methodology detailed in the report would take at most 60 attempts, with the three-digit CV2 taking fewer than 1000.

The researchers also showed that in some cases even addresses could be guessed by the same method.

However, the attackers must already know the long card number.

It should also be noted that websites running the 3D Secure system are immune to attack as this pop up window mandates the user fill in a separate secret password and CV2 to complete an order.

What’s Hot on Infosecurity Magazine?