Researchers Can Guess Your Credit Card Details in Six Seconds

No, They Won’t Do It, They Just Want to Show Us How Easy It Is

You're security-conscious, bordering on the paranoid. You only use your credit or debit card at trusted ATMs where putting a skimming device is next to impossible. You've never used an e-commerce website, and you sleep well at night, safe in the knowledge that nobody will ever know your card details. We've got some bad news for you.

On December 2, a group of researchers led by Mohammed Ali, a Ph.D. student at Newcastle University in the UK, published an article explaining how threat actors can simply guess all the details of your VISA credit card and use the information for nefarious purposes. Here's how it works.

Online Shoppers Should Be Most Concerned

The experts pointed out two aspects of the current online shopping landscape that allow the distributed guessing attack to work. The first weakness stems from the fact that different merchant websites require different types of information before allowing the payment to go through. While website A, for example, might need the 16-digit card number (also referred to as Primary Account Number or PAN) and the expiration date, website B might also want to know the 3-digit CVV number printed on the back of the card. The second weakness comes from the fact that some card payment networks (VISA, we're looking at you) won't detect multiple failed attempts to process online transactions from a single card. With these two aspects in mind, the researchers were able to literally brute-force all the vital information needed for making a payment.

The starting point is a card number. For ethical reasons, the researchers used their own credit cards in the experiment, but they did mention that threat actors can obtain valid card numbers in a variety of ways. They can, for example, buy them on the dark web (the ones that don't have a CVV or an expiration date attached to them are sold for peanuts). They can get them by exploiting the contactless feature on the recently issued cards. They can also come up with a valid number using the first six digits (denoting the type of card and the bank that issued it) and something called Luhn's algorithm.

Then, the experts went through the 400 most popular e-commerce websites and picked the ones that only require the PAN and the expiration date. Most of the websites allow between six and ten failed attempts at processing a payment from a single card, but by using a number of them, the researchers had plenty of room to guess. Plus, since most cards are valid for up to 60 months, they needed less than 60 attempts to figure out the expiration date.

With that, they moved on to the CVV number. They picked websites that require the PAN number, the expiration date, and the CVV, they input the already obtained information, and they started guessing the three-digit code on the back of the card (by trying "001," "002," etc.). After less than 1,000 attempts, they had the Card Verification Value.

Not All is Doom and Gloom With Card Holders

In theory, using multiple websites with different verification procedures, a threat actor would need less than 1,060 attempts to get to the CVV and the expiration date. By contrast, if all websites were to require the same information (card number, CVV, and expiration date), the bad guys would have needed 60,000 attempts. That's how much of a difference a single field makes.

Of course, some online merchants also ask for a billing address, which is not as straightforward to guess. Because only the numerical part of the address is verified (in most cases, the system only checks the postcode), however, brute-forcing is still possible, especially when you have the first six digits of the card number.

Knowing the vulnerabilities, the experts put together a software tool which automated the process and guessed the details of all the cards used in the experiment. In total, the tool needed around six seconds per card to come up with the sensitive information.

As you might imagine, the repercussions of the distributed guessing attack could be very serious. To prove how serious, the researchers set up a bogus account and transferred some of their own money to India. 27 minutes later, a contact of theirs picked up the cash at a Western Union office nearly 5,000 miles away.

Of the websites used during the experiment, 36 were contacted. Eight never called back, 18 responded with machine-generated emails, and 10 got in touch with the experts to ask for more technical details. Only 8 of the contacted websites made changes to their checkout systems, and none of them decided to lower the maximum number of failed payment attempts.

Not all cards are at risk, it must be said. Despite the use of numerous different websites situated all around the globe, MasterCard's network picked up the failed attempts to make a payment and thwarted the attack. With VISA, however, the guessing worked, no problem at all.
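The difference between the two networks comes down to where failed attempts are counted. As an added illustration (example code written for this article, not the researchers' tool or any card network's real logic), the script below replays a constructed authorization log in which guesses for one card are spread over a dozen merchants: each merchant's own failure counter stays under its cap, while a per-card counter across all merchants, the check a network or issuer is positioned to run, flags the card after a handful of failures. The caps, the time window and the log fields are assumptions.

```python
"""Issuer/network-side velocity check versus per-merchant attempt caps.

Constructed example for the distributed guessing attack: attempts are
assumed to arrive as (timestamp, merchant, card_token, approved) records.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PER_MERCHANT_CAP = 10            # assumed: upper end of the 6-10 attempts merchants allow
NETWORK_CAP = 10                 # assumed: network-wide failures per card per window
WINDOW = timedelta(minutes=10)   # assumed: sliding window for the network counter


def build_sample_log(merchants=12, per_merchant=5):
    """Constructed log: one card (tok_card_A) failing 5 times at each of 12
    merchants within a minute, plus one unrelated approved purchase."""
    t0 = datetime(2016, 12, 2, 10, 0, 0)
    log, i = [], 0
    for m in range(merchants):
        for _ in range(per_merchant):
            log.append((t0 + timedelta(seconds=i), f"shop{m:02d}", "tok_card_A", False))
            i += 1
    log.append((t0 + timedelta(seconds=i), "shop00", "tok_card_B", True))
    return log


def per_merchant_blocked(log, cap=PER_MERCHANT_CAP):
    """What each merchant can see on its own: failures per (merchant, card).
    Returns the set of (merchant, card) pairs that reached the cap."""
    fails = defaultdict(int)
    for _, merchant, card, approved in log:
        if not approved:
            fails[(merchant, card)] += 1
    return {key for key, n in fails.items() if n >= cap}


def network_blocked(log, cap=NETWORK_CAP, window=WINDOW):
    """What the network/issuer can see: failures per card across every
    merchant inside a sliding window. Returns the set of blocked cards."""
    recent = defaultdict(list)
    blocked = set()
    for ts, _, card, approved in sorted(log):
        if approved:
            continue
        q = recent[card]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.pop(0)
        if len(q) >= cap:
            blocked.add(card)
    return blocked
```

With the sample log, `per_merchant_blocked` returns an empty set (no merchant ever sees more than 5 failures) while `network_blocked` returns the guessed card after its 10th failure.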

And that leads us to the question of what can be done to stop threat actors from figuring out your card details and stealing your money. Websites that lead the user to the card issuer's system for further authentication can't be used in the distributed guessing attack. The technology is called 3-D Secure and is readily available, but making all online merchants implement it could be quite costly, and it comes with its own set of challenges. There's no doubt that VISA needs to do something about its card payment network, though how easy that would be is also unknown. Perhaps the most painless way of making the attack impractical is to force online merchants to require the exact same information from every single customer during checkout. Making them lower the maximum number of failed attempts on the same card might not be a bad call either.

This, too, could be a long and cumbersome process, but one thing is certain – if nothing is done, we might see quite a lot of people keeping their savings under the mattress very soon.