Academics at Newcastle University have proven that an attacker in possession of a minimal amount of existing information can, in an automated way, guess payment card data by exploiting weaknesses in online payment processes.
The issue lies in the fact that the global payment system lacks a centralized mechanism for monitoring invalid payment attempts across multiple websites. Using a purpose-built bot, an attacker can try multiple guesses on different websites until they land on all the necessary information without triggering a warning.
The attack works only against Visa’s payment ecosystem, the researchers said, adding that their experiments against 400 of the top-rated Alexa websites, including PayPal and Amazon, rendered card numbers, expiration dates, CVV numbers and additional data in a matter of seconds.
The attack scales and is practical, the researchers caution. The vulnerabilities and research were disclosed in advance to Visa and a number of the affected top websites, some of which have mitigated the attack. Visa said that the paper “Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?” does not take into account its fraud prevention systems that protect against such attacks. Mohammed Aamir Ali, one of the report’s coauthors, said that the research does indeed demonstrate how advanced attackers could exploit Visa’s multiple layers of fraud protection.
“This is about trying to stay one step ahead of the criminals, pushing the system, finding the flaws and learning from that,” Ali said.
Ali and his coauthors Budi Arief, Martin Emms and Aad van Moorsel advocate for a centralized system of security checks across transactions to be implemented to prevent what the paper describes as a distributed guessing attack.
“This attack subverts the payment functionality from its intended purpose of validating card details, into helping the attackers to generate all security data fields required to make online transactions,” the researchers wrote. “We will show that this attack would not be practical if all payment sites performed the same security checks.”
It has been reported as well that the attack against Tesco, a U.K. retail bank, in which 20,000 account holders reported missing money, may have been carried out using this distributed guessing attack.
“We don’t have enough evidence to support this claim,” Ali told Threatpost.
The research was carried out against Visa and MasterCard; MasterCard has a centralized network that detects such guessing attacks after 10 tries, even if the 10 guesses are distributed across a number of sites. Visa does not have such checks, the researchers wrote.
“Attackers can just start with a laptop connected to the internet,” Ali said. “As a starting point, they will need the first six digits, also called the Bank Identification Number (BIN) of a bank, which is publicly available through the internet.”
The paper points out that there are two weaknesses being exploited here, and standing alone, each is relatively benign. Used together, however, and the researchers believe they are a risk to the entire global payment system.
Payment systems, the researchers wrote, often do not detect invalid payment requests on the same card from different websites.
“Effectively, this implies that practically unlimited guesses can be made by distributing the guesses over many websites, even if individual websites limit the number of attempts,” the researchers wrote.
The second weakness enables the attack to scale. Different websites, for example, provide for different fields where card information can be entered; some merchants require a primary account number, expiration date, CVV number and address, while others require less information.
“Starting with a valid card number (PAN), to guess the expiry date an attacker can utilize several merchants’ websites that check only two fields: the card number and the expiry date,” the researchers wrote. “Once the expiry date is known, the attacker can use it along with the card number to guess the CVV2 information using another set of websites that check 3 fields (the card number, the expiry date, and the CVV2).”
The researchers built a bot and used automated scripts written in the Java Selenium browser automation framework to automate the guessing of card information across numerous sites. The group’s experiments were run on Firefox and the bot did the heavy lifting of inputting and guessing values for each field.
The researchers said that CVV numbers can be obtained in fewer than 1,000 guesses, while the expiration date in 60 tries.
“If all merchants would use three fields and ask for expiry date as well as CVV2, then it may take as many as 60 x 1,000 = 60,000 attempts,” the researchers wrote. “The difference between 1,060 and 60,000 is the difference between a quick and practical attack, and a tedious, close to impractical attack.”
The researchers notified Visa and 36 of the top websites affected by the vulnerabilities. Within four weeks, they’d received 20 responses from people requesting more details, while the rest were automated responses. Eight of the 36 websites patched the weakness by either adding delay or velocity filters, or CAPTCHAs, for example. Twenty-eight of the notified websites have yet to mitigate the issue.
The researchers meanwhile suggest industry-wide changes such as merchants standardizing on the same payment interface, which would reduce the scale of the attack, or centralization, where payment gateways or card payment networks have a full view of payment tries on their networks.
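To make concrete why per-site attempt limits fail against a distributed guess (the first weakness above) and why the centralized counting the researchers recommend stops it, here is an added illustration written for this article; it is not code from the Newcastle paper, from Visa or MasterCard, or from any merchant. It replays a constructed stream of authorization-log lines through two velocity filters: one scoped to a single merchant, as a website acting alone would have, and one scoped to the card across all merchants, as a network with a full view would have. The log format, merchant names, card tokens and thresholds (5 per site, 10 network-wide, the latter matching the article's description of MasterCard) are assumptions for the example.

```python
"""Velocity-check comparison: per-merchant vs. network-wide counting of
declined authorization attempts (added example, not the paper's code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    merchant: str   # merchant site that submitted the authorization request
    pan_token: str  # tokenized card number; the raw PAN is never logged
    declined: bool  # True if the submitted card data did not validate


def parse_auth_log(lines):
    """Parse constructed log lines of the (assumed) form
    'merchant=<id> pan=<token> result=<APPROVED|DECLINED>' into Attempt records."""
    attempts = []
    for line in lines:
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split())
        attempts.append(Attempt(fields["merchant"], fields["pan"],
                                fields["result"] == "DECLINED"))
    return attempts


def blocked_indices(attempts, limit, key):
    """Return the indices of attempts a velocity filter would refuse outright.

    `key` sets the counter's scope: (merchant, card) models a site that sees
    only its own traffic; card alone models a network that sees every
    merchant's attempts on that card. Only declines advance the counter."""
    declines = defaultdict(int)
    blocked = []
    for i, attempt in enumerate(attempts):
        k = key(attempt)
        if declines[k] >= limit:
            blocked.append(i)   # counter exhausted: refuse before validating
            continue
        if attempt.declined:
            declines[k] += 1
    return blocked


def per_merchant_blocked(attempts, limit=5):
    """Each website enforces its own limit and knows nothing of other sites."""
    return blocked_indices(attempts, limit,
                           key=lambda a: (a.merchant, a.pan_token))


def centralized_blocked(attempts, limit=10):
    """The card network counts declines per card across all websites."""
    return blocked_indices(attempts, limit, key=lambda a: a.pan_token)


# Constructed sample: one card token probed round-robin across five merchant
# sites, four declined attempts per site (20 in total), followed by one
# legitimate approved purchase on a different card.
MERCHANTS = ["shopA", "shopB", "shopC", "shopD", "shopE"]
SAMPLE_LOG = [
    f"merchant={MERCHANTS[i % 5]} pan=tok_4111 result=DECLINED" for i in range(20)
] + ["merchant=shopA pan=tok_5500 result=APPROVED"]


if __name__ == "__main__":
    attempts = parse_auth_log(SAMPLE_LOG)
    # Per-site filter: every site saw only 4 declines, so nothing is blocked.
    print("per-merchant (limit 5) blocked:", per_merchant_blocked(attempts))
    # Network-wide filter: the 11th decline on the card and all later ones
    # are refused, while the unrelated approved purchase goes through.
    print("centralized (limit 10) blocked:", centralized_blocked(attempts))
```

The point of the comparison is the attacker's effective budget: with per-site limits alone it is roughly the per-site limit multiplied by the number of cooperating sites, which is what lets the 60-guess and 1,000-guess searches quoted above stay cheap, whereas a single network-wide counter caps it at the central threshold no matter how the attempts are spread. A real deployment would also expire counters over time and reset them on a successful authorization; that bookkeeping is omitted here.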
“Neither standardization nor centralization naturally fit the flexibility and freedom of choice one associates with the Internet or successful commercial activity, but they will provide the required protection,” the researchers wrote. “It is up to the various stakeholders to determine the case for and timing of such solutions.”