Researchers from the UK’s Newcastle University have developed a so-called Distributed Guess Attack that essentially circumvents all security features for protecting online payments to steal card number, CVV and expiration date of any Visa card. The attack takes advantage of the manner that different online merchants request different types of information for processing a credit or debt card payment, even though most of them at a minimum require the card number or and expiry date. In addition, there is no mechanism currently in place to detect multiple invalid payment request made on the same card yet from different online merchant sites. Therefore, it is possible that a hacker to make unlimited times of guess on a card’s CVV or expiration date by spreading the guesses across multiple sites. Based on these two manners, an attacker can obtain full card details by automatically generating and verifying different combinations, and the process can be done through 1,060 and 60,000 attempts and takes only six seconds. The guessing attack worked only on Visa’s network. MasterCard’s network would quickly detect the guessing attack.
I was surprised that Visa would have such a great vulnerability in its credit and debt card payment process. As one of the world largest financial service corporation, Visa processed 100 billion transactions with a total volume of US $6.8 trillion. Over 1.5 billion credit cards are Visa cards. With such a large number of users and transaction volume, this vulnerability is an great challenge to Visa that it has to figure out an appropriate solution to improve this security issue and protect its customer information.
This is somewhat concerning, but I do agree with Visa that there are several other fraud prevention and detection techniques that mitigate the risk of guessing credit card details. I think that merchant should have more accountability to detect these types of attacks on their payment processing networks. There is never a reason to allow 60,000 invalid payment attempts when making a purchase!
The case is more alarming as the guesses could work out for both the cases.Case 1 where the card PAN is not available and case 2 where PAN is available with only difference in number of attempts required.
The researchers believes that 2.5 million euro stolen from Tesco Bank by hackers might have used same technique which means the technique has been made practically viable by the hackers