A study published by academic journal IEEE Security & Privacy revealed how the Visa online payment system can be compromised in just four seconds.
Conducted by experts from Newcastle University, the research demonstrated how system tools using multiple website bots can easily generate complete credit card information, with the Visa system failing to detect multiple attempts.
‘The Distributed Guessing Attack’
Four hundred of the most popular e-commerce websites (online merchants) were selected in the experiment including Google, PayPal, iTunes, and Amazon, and showed that only Visa cards are vulnerable to the distributed guessing attack as MasterCard’s system were able to detect and prevent it after less than 10 attempts.
The random credit card numbers, expiration dates, and CVV codes are entered one field at a time and tested on multiple merchant websites.
Because there is no minimum security requirement for most online merchants, the hacking is done by a process of elimination to find the credit card information individually and get the correct set in just a few seconds.
According to the study, there are three common levels of data fields used by online merchants:
2 fields: valid card number (PAN) + Expiry date (the absolute minimum)
3 fields: PAN + Expiry date + CVV2
4 fields: PAN + Expiry date + CVV2 + Address
The first weakness was the lack of velocity limits for multiple failed attempts on the same card for different websites.
The distributed guessing attack was done with over 30 websites all at once, and it showed how “practically unlimited guesses” can be made to obtain the correct credit card information.
The second weakness was the different data fields required for every online merchant. “Starting with a valid card number (PAN), to guess the expiry date an attacker can utilize several merchants’ websites that check only two fields: the card number and the expiry date.
“Guessing an expiry date takes at most 60 attempts (banks typically issue cards that are valid for up to 60 months), and subsequently, guessing the three-digit CVV2 takes fewer than 1,000 attempts. Hence, expiry date and CVV2 are guaranteed to be obtained within 60 + 1,000 = 1,060 guesses.
“If all merchants would use three fields and ask for expiry date as well as CVV2, then it may take as many as 60 x 1,000 = 60,000 attempts. The difference between 1,060 and 60,000 is the difference between a quick and practical attack, and a tedious, close to impractical attack.”
“Visa’s payment ecosystem does not prevent the attack. Because Visa is the most popular payment network in the world, the discovered vulnerabilities greatly affect the entire global online payments system.”
How to keep your account safe
Thirty-six of the biggest online merchants were contacted with the result of the experiment. Out of the 20 responses, only eight of the websites updated their online security settings.
These websites added address fields, delay filter on expiration dates, velocity filter for credit card number or Primary Account Number (PAN), velocity filter for IP address, and CAPTCHA, which prevents bots from carrying out automated attempts.
However, the CAPTCHA was found to “adversely affect the usability of those websites.” As a better alternative, the researchers suggested to replace CAPTCHA with velocity filters, limiting the allowed attempts to give per IP address in 24 hours.
Considering all parties involved with online payments, the researchers found that 3D Secure implementation is one of the best ways to prevent the distributed guessing attack.
A 3D Secure PIN is an additional authentication for online payments personally set up by the cardholder. It is a strong security feature that greatly reduces the risk of fraud and charge-backs.
“We reiterate that, from the whole payment system’s perspective, we would need a very high adoption rate of 3D Secure technology to prevent the distributed attack, because the attack would still work as long as there are sufficient vulnerable websites not using 3D Secure.
“If 3D Secure is implemented, the card issuing bank is responsible for authenticating a cardholder before authorizing the payment and it monitors the frequency of transactions and the total value of purchases for each card or bank account.”
In addition, the researchers suggested that standardization of data fields for merchants (i.e. only three data fields set up for all merchants), or centralization for card payment networks will help prevent the attack.
“Neither standardization nor centralization naturally fits the flexibility and freedom of choice one associates with the Internet or successful commercial activity, but they will provide the required protection. It is up to the various stakeholders to determine the case for and timing of such solutions.”
The 3D Secure system is not yet implemented by local banks in the Philippines. For now, it will require extra vigilance in the part of credit cardholders and banks to help prevent these kinds of attacks.