Crooks Need Just Six Seconds To Guess A Credit Card Number (independent.co.uk)

schwit1 quotes The Independent: Criminals can work out the card number, expiration date, and security code for a Visa debit or credit card in as little as six seconds using guesswork, researchers have found... Fraudsters use a so-called Distributed Guessing Attack to get around security features put in place to stop online fraud, and this may have been the method used in the recent Tesco Bank hack...

According to a study published in the academic journal IEEE Security & Privacy, fraudsters could use computers to systematically fire different variations of security data at hundreds of websites simultaneously. Within seconds, by a process of elimination, the criminals could verify the correct card number, expiration date and the three-digit security number on the back of the card.

One of the researchers explained this attack combines two weaknesses into one powerful attack. "Firstly, current online payment systems do not detect multiple invalid payment requests from different websites... Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it's quite easy to build up the information and piece it together like a jigsaw puzzle."

110 comments

  1. Why can't this be detected by Anonymous Coward · · Score: 5, Insightful

    WTF is going on with the verification process? If the card hits verification even 10 times in the same minute from different sites it should be locked up. Crappy back end.

    1. Re:Why can't this be detected by michelcolman · · Score: 2

      Indeed quite hard to believe. They just thought of the situation where someone would keep guessing the number on the same website, but never thought someone might try different websites. Because, you know, it takes a whole lot of effort to open up a different website...

      What I'm wondering, though, is how they can guess all the numbers. Sure, the useless three-digit protection code on the back of the card only takes 1000 guesses in the worst case. And the number of expiration dates is even less, 60 or so. But they said they could guess the number by starting only with the first 6 digits (bank and card type). That leaves 10 digits to guess! Even if there are a few for typo detection (2, probably?) that still leaves 100 million codes to check. Were they using 10 million e-commerce sites?

    2. Re:Why can't this be detected by Anonymous Coward · · Score: 2, Informative

      One digit for typo checking. See Luhn algorithm.

    3. Re:Why can't this be detected by ShanghaiBill · · Score: 2

      If the card hits verification even 10 times in the same minute from different sites it should be locked up.

      That seems like a simple, obvious solution. But it is not. Millions of credit card numbers would be "locked up" every day, causing massive inconvenience for the card holders. The crooks could also just spread out their attempts to keep below the threshold, so instead of making a lot of attempts with one CC number before moving to the next CC number on the list, they would sweep through the list, making a few attempts each.

    4. Re:Why can't this be detected by ShanghaiBill · · Score: 2

      that still leaves 100 million codes to check. Were they using 10 million e-commerce sites?

      What you are missing is that they don't have to guess a specific number, just a valid number. So if there are 9 unknown digits, and Bank of America has 10 million customers, it will, on average, only take 100 guesses to get a hit.
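      The two comments above ("Why can't this be detected", replies 2 and 4) are arguing about how many numbers are actually left to guess once the 6-digit BIN and the Luhn check digit are accounted for, and why guessing *any* valid card is so much cheaper than guessing a particular one. The following is an added example, not code from the thread or from the IEEE paper: it implements the Luhn check the reply mentions and then does the arithmetic both posters are doing by hand. The card numbers in it are standard test values, not real accounts, and the "10 million issued cards" figure is simply the assumption the comment used.

```python
# Added example (not from the Slashdot thread or the paper): Luhn check
# digit plus the search-space arithmetic from the two comments above.
# "4111111111111111" is a standard test PAN, not a live card.

def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 of a digit string; 0 means the string validates."""
    total = 0
    # Walk from the right. Every second digit, starting with the second
    # from the right, is doubled and digit-summed (d*2 - 9 when d*2 > 9).
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    """True if the (optionally space-separated) PAN passes the Luhn check."""
    pan = pan.replace(" ", "")
    return pan.isdigit() and len(pan) >= 2 and luhn_checksum(pan) == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid.

    Appending a 0 and measuring the checksum tells us how far the sum
    is from a multiple of 10; the check digit closes that gap.
    """
    return str((10 - luhn_checksum(partial + "0")) % 10)


def candidate_pans(bin6: str, length: int = 16) -> int:
    """Number of Luhn-valid PANs that share a given 6-digit BIN.

    Of the 16 digits, 6 are fixed by the BIN and 1 is determined by
    Luhn, so only length - 6 - 1 digits are free: 10**9 for 16 digits.
    """
    free = length - len(bin6) - 1
    return 10 ** free


def expected_guesses_for_any_hit(candidates: int, issued: int) -> float:
    """Expected number of random guesses before hitting *some* issued card.

    If `issued` live cards are spread over `candidates` Luhn-valid numbers,
    each guess succeeds with probability issued/candidates, so the expected
    number of guesses to the first hit is candidates/issued. With 10**9
    candidates and 10**7 issued cards that is 100 guesses, which is the
    point reply 4 is making.
    """
    return candidates / issued
```

      The take-away is that the Luhn digit is a typo check, not a secret: it removes one digit from the guess space and nothing more, and the attacker does not need to find your card, only one of the millions that share the same BIN.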

    5. Re: Why can't this be detected by Jason+Levine · · Score: 1

      Many credit card companies simply don't care about fraud. If fraudulent charges happen, they reverse the charges (leaving the merchant out the cost of whatever was bought).

      My identity was stolen and Capital One let the account get opened despite numerous red flags (starting with an incorrect mother's maiden name). When I notified them of the fraud, they gave me the runaround and asked if the account was actually opened by my wife without telling me. Then, they stonewalled both me and the police to protect themselves.

      Fraud is a minor inconvenience to credit card companies. Fixing the process would take them too much effort so they just deal with fraud as each case pops up.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    6. Re:Why can't this be detected by Anonymous Coward · · Score: 0

      If counterfeit attempts would shut down too many cards, then for online purchases require a second level of authentication. Or at least allow people to opt in to second-level verification.

    7. Re:Why can't this be detected by michelcolman · · Score: 1

      But what about the name on the card, then? Doesn't that have to be correct?

    8. Re:Why can't this be detected by ShanghaiBill · · Score: 3, Interesting

      But what about the name on the card, then? Doesn't that have to be correct?

      Many merchants do not verify the name. I recently made an online purchase and wanted it shipped to a friend, and I inadvertently set both the shipping and billing address to my friend's name and address. The transaction went through.

      So some merchants verify the name, but not the CCV.
      Some validate the CCV but not the name.
      Some check the zipcode, others do not.

    9. Re: Why can't this be detected by ShanghaiBill · · Score: 1

      Many credit card companies simply don't care about fraud. If fraudulent charges happen, they reverse the charges (leaving the merchant out the cost of whatever was bought).

      They also ding the merchant with a "charge-back" fee of about $25, although it actually costs the banks almost nothing to process. The banks actually benefit from CC fraud, which is why they are not proactive about preventing it. Consumers are ripped off if they don't notice the charges, but most of the cost is dumped onto the merchants, who are powerless to fix the problem.

    10. Re: Why can't this be detected by omnichad · · Score: 1

      If the merchant is in the US and moved to chip and signature, then in-person fraud is on the bank.

    11. Re:Why can't this be detected by kenh · · Score: 5, Informative

      Read the linked-to article, only Visa is vulnerable, MasterCard and others detect the widespread fraud after a few attempts and shut it down.

      --
      Ken
    12. Re:Why can't this be detected by mark-t · · Score: 2

      That could be easily exploited to DOS a credit card

    13. Re:Why can't this be detected by Anonymous Coward · · Score: 0

      Or just call the entire credit card and banking system old and crappy and use something new like Bitcoin.

    14. Re:Why can't this be detected by Anonymous Coward · · Score: 0

      No

      There is no way to check the name on a card; it's not built into the system.

    15. Re: Why can't this be detected by michelcolman · · Score: 1

      And how do you make a website that reads chips on customer's credit cards? (without requiring a special card reader, with dozens of different incompatible types to choose from)

    16. Re:Why can't this be detected by sjames · · Score: 1

      That shouldn't cause a lot of false lockups since it has to be different sites. How often do you even use your credit card on 2 different sites within one minute?

      The real issue is, as you say, the crooks will just go low and slow to avoid the lockout. It's the same problem with password guessing. Since they don't care which particular card is solved when, they can just do many in parallel, all just below the lockout threshold and still solve cards at a high rate.

    17. Re:Why can't this be detected by Anonymous Coward · · Score: 0

      So hackers can practically DDoS the entire credit card payment system by spamming failed verification from websites that take credit cards, by locking up thousands upon thousands of cards? Great idea!

    18. Re: Why can't this be detected by buchanmilne · · Score: 1

      That is what "3D Secure" does. It allows the bank to implement whatever additional verification they want during the credit card transaction. In early implementations I saw additional passwords, but most banks in my country currently use SMS-based OTPs.

      The banks have been enforcing the use of 3D-Secure or threatening to suspend merchants.

      As usual, the U.S. is behind most of the world ...

    19. Re:Why can't this be detected by Anonymous Coward · · Score: 0

      Just an FYI, Amazon is the worst offender here. I'll have a full write-up soon (and will submit it to Slashdot), but if you want to test stolen card numbers, just use Amazon AWS. They don't verify the billing address or expiration dates and they may or may not verify the CVC codes (had a 50/50 success rate with those). Amazon.com (the parent company) did a slightly better job, but I'd expect the world's largest eCommerce company to be a bit more on the ball than the companies I manage.

    20. Re:Why can't this be detected by Anonymous Coward · · Score: 0

      Huh? That makes no sense to me.

      Fraudster bot 1 goes to site A and guesses XXXX
      Fraudster bot 2 goes to site B and guesses YYYY
      Fraudster bot 3 goes to site C and guesses ZZZZ

      I don't logically see any way this attack can be stopped (by Mastercard but not VISA) unless a secure transaction is needed (like 3D Secure or other similar system).

      The attack could be made extremely hard to pull off by requiring both CVV2 and full name (Spelled as on card) for every transaction at all vendors.

    21. Re:Why can't this be detected by heson · · Score: 1
      It makes business sense for them to be sloppy.

      If the card does not go through (due to some minor mistype or similar) I just buy the stuff somewhere else.

      As long as their share for the fraud cost is lower than revenue on extra sales for being convenient, they will continue being convenient.

    22. Re:Why can't this be detected by endercase · · Score: 1

      +1 interesting

    23. Re: Why can't this be detected by Anonymous Coward · · Score: 0

      They also ding the merchant with a "charge-back" fee of about $25, although it actually costs the banks almost nothing to process.

      That doesn't sound correct, but I am willing to be proved wrong. Where did you hear/see this?
      -pax humana

    24. Re: Why can't this be detected by kenh · · Score: 1

      Because the 16 digit CC stays the same as you brute force guess the 1,000 possible CVC codes and 60 possible expiration month/year combinations...

      Site A gets 1111 2222 3333 4444 12/16 000
      Site B gets 1111 2222 3333 4444 12/16 001
      Site C gets 1111 2222 3333 4444 12/16 002
      Site D gets 1111 2222 3333 4444 12/16 003

      And, assuming 1111 2222 3333 4444 is a valid card number, the central computers at MasterCard notice a pattern and block that card for suspected fraud...

      --
      Ken
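      Several replies in this thread (sjames on "low and slow", the Anonymous Coward with bots at sites A/B/C, and Ken's site A/B/C/D table just above) are all describing the same thing: each merchant sees one failed attempt, so per-merchant throttling never fires, while the issuer or card network, which sees every attempt on the card, could count them. The following is an added example, not code from the thread or from the paper, that replays a constructed batch of authorization attempts through both views. The threshold of 3 failures in a 60-second window is an assumed policy, not anything Visa or MasterCard has published, and the PANs are standard test numbers.

```python
# Added example (not from the Slashdot thread or the paper): per-merchant
# failure counting vs. issuer-side, cross-merchant failure counting on the
# same card. Attempts are constructed; the PANs are test numbers, not
# live cards. Threshold/window values are assumed policy parameters.
from collections import defaultdict, deque

# Constructed authorization attempts: (time_s, merchant, pan, cvv_ok).
# One guess per site, as in Ken's table, until site-f gets the right CVV2.
ATTEMPTS = [
    (0, "site-a", "4111111111111111", False),
    (1, "site-b", "4111111111111111", False),
    (2, "site-c", "4111111111111111", False),
    (3, "site-d", "4111111111111111", False),
    (4, "site-e", "4111111111111111", False),
    (5, "site-f", "4111111111111111", True),   # attacker guessed the CVV2
    (6, "site-a", "5555555555554444", True),   # unrelated legitimate purchase
]


def _count_failures(attempts, key_of, threshold, window_s):
    """Sliding-window failure counter; returns the keys that crossed threshold."""
    fails = defaultdict(deque)
    flagged = set()
    for t, merchant, pan, ok in attempts:
        key = key_of(merchant, pan)
        q = fails[key]
        while q and t - q[0] > window_s:      # drop failures outside the window
            q.popleft()
        if not ok:
            q.append(t)
        if len(q) >= threshold:
            flagged.add(key)
    return flagged


def merchant_side_detector(attempts, threshold=3, window_s=60):
    """What a single website can see: failures per (merchant, pan).

    Each merchant sees exactly one failure here, so nothing is flagged.
    """
    return _count_failures(attempts, lambda m, p: (m, p), threshold, window_s)


def issuer_side_detector(attempts, threshold=3, window_s=60):
    """What only the issuer/network can see: failures per pan, all merchants.

    The same card failing at five different sites in five seconds is the
    signal the thread says Visa was not acting on.
    """
    return _count_failures(attempts, lambda m, p: p, threshold, window_s)


def authorize_with_issuer_policy(attempts, threshold=3, window_s=60):
    """Replay with issuer-side blocking: once a PAN crosses the failure
    threshold, every later attempt on it is declined, including the one
    that finally carried the right CVV2. Returns one decision per attempt."""
    fails = defaultdict(deque)
    blocked = set()
    decisions = []
    for t, merchant, pan, ok in attempts:
        if pan in blocked:
            decisions.append(False)
            continue
        q = fails[pan]
        while q and t - q[0] > window_s:
            q.popleft()
        if not ok:
            q.append(t)
            if len(q) >= threshold:
                blocked.add(pan)
        decisions.append(ok)
    return decisions


if __name__ == "__main__":
    print("merchant view flags:", merchant_side_detector(ATTEMPTS))
    print("issuer view flags:  ", issuer_side_detector(ATTEMPTS))
    print("issuer decisions:   ", authorize_with_issuer_policy(ATTEMPTS))
```

      Run it and the merchant view flags nothing while the issuer view blocks the card at the third failure, so the correct guess at site-f is declined. sjames's objection still stands against this counter: an attacker who rotates through many cards, each kept under the threshold, defeats a per-card count, so a real deployment also needs per-source and per-merchant anomaly signals, which this example does not implement.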
  2. vodlock.co by Anonymous Coward · · Score: 0

    when will you realize that every site that uses this popup window trick is a menace and must be shut down?

  3. No safe-guards? by jgullstr · · Score: 1

    Brute-forcing arbitrary card numbers from hundreds of different sites cannot be mitigated, but doing the same for a single number should be quite easy to spot and block. Even setting a timeout of, say 15 minutes, after 3 incorrect attempts would probably be enough to spot the unusual behavior before correct details are guessed. A more robust way would be to force two-factor authentication for all online purchases, rendering knowing random card details useless.

    1. Re:No safe-guards? by Tukz · · Score: 1

      "verified By VISA" uses a two-factor authentication. I get a code by text I have to enter whenever I use my VISA on a website that have it enabled.

      I really think a system like that should be mandatory for online sales and not just optional.

      Of course, there are circumstances where two-factor might not be feasible, but at the very least have two-factor enabled by default and disable it where necessary and with good reason.

      --
      - Don't do what I do, it's probably not healthy nor safe. -
    2. Re:No safe-guards? by Anonymous Coward · · Score: 0

      Now if only it were possible to tell the difference between the merchant embedding an iframe with a page that claims to be from my bank from a phishing scam asking me to tell some random website some security details....

    3. Re: No safe-guards? by Anonymous Coward · · Score: 0

      Really? Why as a consumer would I want the extra burden of verified by Visa? It requires me to do extra work at checkout for what advantage? I think it's less inconvenient to have to cancel my credit card every few years due to fraudulent transactions.

    4. Re:No safe-guards? by jgullstr · · Score: 2

      I have Verified by Visa as well, but as you say, it only works on websites that have it enabled, which makes it useless for attacks of this sort. One way to prevent them, is to disable web payments for all credit cards, and use virtual prepaid cards instead.

    5. Re:No safe-guards? by swb · · Score: 1

      Why not just build 2 factor authentication into the card itself? They could offer a card with an in-built RSA token or a way to use a smartphone app for cards without token hardware.

      Something tells me this is something we should have, but given the sparring and profiteering over getting chip enabled terminals in the US (I'm STILL swiping at many terminals). I suspect that it's not the two factor part that keeps it from happening but the terminals and merchant software costs combined with a bunch of middlemen who figure that fraud deterrence for merchants and consumers isn't their problem since they make merchants eat it, who then make consumers eat it in higher prices.

      And then there's the spreadsheet guys, who predict transaction fee revenue drops from failed transactions and doom-and-gloom of lost sales pitched to merchants.

    6. Re:No safe-guards? by houghi · · Score: 1

      The part that makes it hard is that it must be activated worldwide. You can not have e.g. somebody from country A not be allowed to buy something in country B from the point of view of MC or Visa.

      At this moment they are working on getting the card distributors to enable 3DS. I believe they must be done by beginning or end of 2017. At least in Europe. When that is done, they can start to require it from the online sellers.

      --
      Don't fight for your country, if your country does not fight for you.
    7. Re:No safe-guards? by ShanghaiBill · · Score: 2

      I really think a system like that should be mandatory for online sales and not just optional.

      It may be overkill for ALL online transactions. For instance, if I have bought from an online merchant before, and the shipping address matches my billing address, then it is very unlikely to be fraud. But if the transaction is for a first time gold bullion purchase shipped to Moldavia, then sure, a text message is a good idea.

    8. Re:No safe-guards? by omnichad · · Score: 1

      It should be possible to mitigate this almost completely. You create a secure phrase in advance that appears on the 3D-Secure verification page. This page will only load if given a copy of a token granted by the initial authorization request, so it would be impossible to MITM without compromising the actual authorization handling code on the server side. Injected scripts would not do it. The 3D-Secure page should also open communication back to the originating server to verify the page load is valid.

    9. Re: No safe-guards? by Anonymous Coward · · Score: 0

      I can geoblock my Visa for both online and physical purchases just fine on my banks web site.

    10. Re:No safe-guards? by RockDoctor · · Score: 1

      Strange, MY "verified by Visa" card, when it asks for details, asks me for a password (distinct from the one for the online banking, which I've disabled every time the bank has set it up for me) not send me a text. Not that they know my phone number (any of them) anyway.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  4. Address by RghtHndSd · · Score: 1

    Doesn't the online verification process use an address? I don't see that mentioned here.

    1. Re:Address by Anonymous Coward · · Score: 0

      Doesn't the online verification process use an address? I don't see that mentioned here.

      Verifying the address is optional. And even then, it can only verify the first number of the address and the zip code.

  5. Billing address? by Paul+Carver · · Score: 2

    The article didn't mention billing address, but I don't think I've ever entered my credit card number into any website that didn't include billing address as a set of required fields. Shipping address is always an additional set of optional fields.

    Now, I suppose if the backend doesn't validate billing address then you could use fake addresses for the brute force part of the job, but when you go to use the card isn't a fake billing address going to be a dead giveaway that the transaction was a fraud and therefore guarantee a successful charge back with zero questions?

    But if Visa has any sense they ought to require billing address verification as part of the preauthorization step for all card not present transactions.

    1. Re:Billing address? by Opportunist · · Score: 1

      In some countries, people are allowed to change their address. This is called "moving" there. What about the people who can and do that?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Billing address? by Anonymous Coward · · Score: 0

      The full billing address is not always used for verification. They often just use the zip code.

    3. Re:Billing address? by Anonymous Coward · · Score: 0

      Some people notify their credit card provider about a change of address.

    4. Re:Billing address? by swb · · Score: 1

      Maybe getting the card numbers (card, code, expiry) is just phase I of the weakness, with limited applicability for in-person transactions. Nobody asks my address at the electronics shop when I have a $800 TV in my cart.

      And perhaps they have other databases that allow them to correlate incomplete card numbers with names and addresses to create useful online transactions where that info can be asked.

      IMHO, the only useful solution to this is two factor RSA-style authentication. Go ahead and know all the card info, but unless you can guess the random digits it would be worthless. Pity that fraud doesn't cost VISA and merchants can build most of their costs into product pricing.

    5. Re:Billing address? by Anonymous Coward · · Score: 0

      The level of address verification to use is set by the merchant. Like anything else to do with databases and computers, address verification is not perfect. After so many customer complaints and lost orders, you just give up and turn it off. We have the same problem with UPS telling us people don't know their own address..

    6. Re:Billing address? by Anonymous Coward · · Score: 0

      Opportunist is a famous troll around here. Don't waste time responding to trolls.

    7. Re: Billing address? by Anonymous Coward · · Score: 0

      What's your address? I need it for verification purposes.

    8. Re:Billing address? by rmdingler · · Score: 1
      The solutions to minimize fraudulent credit card use are many, so why aren't they implemented? As always, who benefits from the present situation? Merchants and banks are hit with the bulk of the fraud cost.

      Usually, however, it is the banks that get hurt the most. This includes small regional banks. Visa and MasterCard’s contracts generally put the burden of fraud reimbursement onto the bank.

      --
      Happiness in intelligent people is the rarest thing I know.

      Ernest Hemingway

    9. Re: Billing address? by Anonymous Coward · · Score: 0

      You're kind of a moron, aren't you?

    10. Re: Billing address? by Zero__Kelvin · · Score: 1

      In this case "verification purposes" means "so we can send you SPAM"

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    11. Re:Billing address? by Anonymous Coward · · Score: 0

      Ah, the Zip code enigma
      There are sites in the USA that only accept US Zip codes. This laziness prevents people from outside the USA from doing business with that company. They don't even accept Canadian Post Codes. I suppose they are getting in ahead of the game and the removal of the NAFA acreement.
      Some of these sites are for services. No goods etc to be shipped overseas.
      This goes along with some bricks and mortar stores less than 50 miles from NYC not accepting out of state Credit Cards.

      Your country is already 'f****d up. I'd hate to see what it is like after 4 years of Dump.
      Show your ID when crossing state lines? Non residents must sit at the back of the Bus?

    12. Re:Billing address? by ShanghaiBill · · Score: 1

      Nobody asks my address at the electronics shop when I have a $800 TV in my cart.

      That is a "card present" transaction. If the card is physically swiped or inserted they don't need your address because they can verify the transaction with the data from the mag-stripe or chip.

      The fraud discussed in TFA is for online "card not present" transactions.

    13. Re:Billing address? by Anonymous Coward · · Score: 0

      I'm sure this varies from country to country and company to company, but years ago when I was working closely with a card processing company I learned that their "billing address validation" was much simpler than you might expect:

      • Extract all of the decimal digits from the address in order
      • Concatenate them together to make one big string of digits
      • Compare the result to a similar string of digits extracted from the customer's billing address on file

      At that point, it becomes just another number like all of the other things the criminal needs to guess, albeit one that varies slightly in length from one card to another.

      They can just put realistic-looking placeholder values in the other non-numeric fields to get past the "does this look like an address?" validation that the site itself might employ. For US cards, the "country", "state" and "city" fields can be easily inferred from whatever number you're guessing as zip code, and most businesses do not have the data source required to validate the street address beyond just checking that you entered something in that field, so just make it something super generic like "NNNNN Market St" and you'd have something that for most cities even a human would have trouble checking without consulting an external geocoding or address validation database.
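      The comment above describes a "billing address validation" that keeps only the digits of the address, and a later reply (number 22 in this thread) says AVS compares only the street number and the zip code. The following is an added example, not code from the thread and not any processor's real implementation: it writes both comparisons out so the collisions the posters are describing are visible. Whether a given processor actually works this way is the commenters' claim; the addresses and zip code are constructed.

```python
# Added example (not from the Slashdot thread): two address-verification
# schemes described by commenters, written out to show what they do and
# do not distinguish. Addresses and the zip code are constructed.
import re


def address_digits(address: str) -> str:
    """Digit-only scheme from the comment above: keep every decimal digit,
    in order, and discard everything else (words, punctuation, case)."""
    return "".join(re.findall(r"\d", address))


def digit_avs_match(submitted: str, on_file: str) -> bool:
    """True if the two addresses reduce to the same digit string."""
    return address_digits(submitted) == address_digits(on_file)


def street_number_and_zip(address: str, zip_code: str) -> str:
    """Narrower scheme from reply 22: first number of the street line plus
    the postal code. Everything after the street number is ignored."""
    m = re.match(r"\s*(\d+)", address)
    return (m.group(1) if m else "") + "|" + zip_code


def number_zip_avs_match(submitted: str, submitted_zip: str,
                         on_file: str, on_file_zip: str) -> bool:
    return street_number_and_zip(submitted, submitted_zip) == \
        street_number_and_zip(on_file, on_file_zip)


# Constructed billing record on file with the "issuer".
ON_FILE = "37 Saint Simeon Lane, Apt 3, Los Angeles, Calif"
ON_FILE_ZIP = "90001"


def examples():
    """Return (submitted, digit_match, number_zip_match) for several inputs.

    The first line is the legitimate cardholder's alternate spelling; the
    next two are unrelated addresses that nevertheless pass one or both
    schemes; the last differs only in the apartment number and fails the
    digit scheme but passes the number+zip scheme.
    """
    cases = [
        "37-3 St Simeon Ln, L.A., CA",
        "37 Main Street, Apt 3",
        "37 Main Street, Apt 52",
        "37 Saint Simeon Lane, Apt 4",
    ]
    return [
        (addr,
         digit_avs_match(addr, ON_FILE),
         number_zip_avs_match(addr, ON_FILE_ZIP, ON_FILE, ON_FILE_ZIP))
        for addr in cases
    ]


if __name__ == "__main__":
    for addr, d, nz in examples():
        print(f"{addr!r:40} digit-only={d!s:5} number+zip={nz}")
```

      The point of the example is the second and third rows: a street address that shares nothing but its house number with the one on file passes. Under either scheme the billing address contributes roughly one small number to the guess space, which is why the thread treats it as just another field to enumerate rather than as a secret.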

    14. Re:Billing address? by Anonymous Coward · · Score: 0

      We have the same problem with UPS telling us people don't know their own address..

      That's a funny one. Once I was ordering something online to be shipped to my office.

      The merchant's website said the shipping address didn't exist and they couldn't complete the order. I called the merchant, and they were using an address verification service from UPS to validate addresses, and UPS said the address didn't exist.

      The funny part was that my office WAS a customer of UPS, and UPS would come by everyday to pick up packages that we had to send out.

    15. Re:Billing address? by vtcodger · · Score: 1

      On top of which, comparing addresses can be non-trivial. Is "37-3 St Simeon Ln, L.A., CA" the same address as "37 Saint Simeon Lane, Los Angeles, Calif, Apt 3?"

      --
      You can't see ANYTHING from a car, You've got to get out of the goddamned contraption and walk...Edward Abbey
    16. Re:Billing address? by kenh · · Score: 2

      Perhaps they aren't interested in entering into international sales agreements? What "services" do you want to buy from an American retailer that do not involve the movement of goods across international borders?

      Are you trying to stream video? (They may only have licenses to provide streaming services in America)
      Are you trying to buy software? (Again, they may only have a license for embedded code elements for domestic use, AKA security/encryption/compression, etc)
      Are you trying to download an eBook? (single-country agreements between publishers and retailers are quite common outside the "major players" in the space (Amazon, Barnes & Noble, etc.))

      I'd be very interested in hearing about your "services" you hope to purchase that do not involve shipping goods overseas.

      Also, it's called "NAFTA agreement" or just "NAFTA" since the last "A" stands for "Agreement".

      I've never heard of a store refusing "out of state" credit cards - do you mean NY state stores refusing cards from Canada or Connecticut? I suspect the out of country card restriction is based on a history of fraudulent charges along that particular corridor between Canada and NYC, but that's pure speculation on my part.

      Oh, and can you believe the NY State Thruway doesn't accept Canadian money! What's up with that! /sarcasm

      --
      Ken
    17. Re:Billing address? by thegarbz · · Score: 1

      Credit cards are tied to people, not to locations. There are many cases where the billing address may want to differ from wherever the card is registered. Buying for a friend, someone else paying an invoice. And god forbid all my cards suddenly stop working at the very critical time of moving house.

      Billing address has never been used to validate a credit card.

    18. Re:Billing address? by magarity · · Score: 1

      On top of which, comparing addresses can be non-trivial. Is "37-3 St Simeon Ln, L.A., CA" the same address as "37 Saint Simeon Lane, Los Angeles, Calif, Apt 3?"

      There are commercially available data validation software packages for which that is indeed quite trivial to match up.

    19. Re:Billing address? by Solandri · · Score: 1

      Speaking as a former merchant, the billing address, security code, expiration date* aren't required to process a credit card transaction. They're tools the credit card companies give merchants to help prevent fraud (while simultaneously passing laws prohibiting merchants from requiring credit card users to show ID to prove it's actually their card**).

      The way it works is that if you're a merchant and you accept a fraudulent/stolen card, the onus is on you to prove that to the best of your knowledge the transaction was legit. The main way this is done is by validating the signature on the receipt matches the signature the card company has on file. When you accept a card, you're supposed to check the signature on the back of the card to ensure it matches the signature on the receipt. If the cardholder requests a chargeback and the signature doesn't match, it's instantly game over - the merchant loses and the card company grants the chargeback.

      If it sorta matches or (for online purchases) there is no signature, then it falls onto these secondary security measures. The more data the merchant collected which correctly matches the info the card company has on file (security code, expiration date, billing address, phone number, cardholder's birthdate, I think that's all) the better the chances the merchant will win against a chargeback. So it's in the best interests of the merchant to collect as much info as possible to protect themselves. But on the flip side if you try to collect too much info you make the transaction more annoying for the cardholder, and risk alienating them so they go make their purchase elsewhere. Or (for brick and mortar purchases) you slow down the checkout line forcing you to hire more cashiers and add more cash registers. So the merchant picks the amount of security they're comfortable with. I've always wondered what happens if someone sets up a fake merchant account, runs a bunch of fraudulent transactions without any security checks, then absconds with the money and closes the bank account once the credit card has wired the payments, before any of the cardholders can notice and request chargebacks.

      There are some other ways to get fake credit card transactions to go through that I fell victim to about 10 years ago when I lost one of my cards. I promptly called to report the card lost/stolen and figured that was that. But reviewing my card statements, I noticed a fraudulent charge on the second statement after I'd gotten a new card with a new number. After some discussion with the card company, I learned that (1) as of 2007 they still allowed carbon copy credit card transactions. Older readers may recall the credit card machines used before phone and Internet credit card machines. They'd take your card, put it in the machine, put a carbon copy form on top of it, then run a roller over the card to imprint it onto the carbon copy paper. One copy became the customer's receipt, the other the merchant's. The merchant would then mail these in for processing and to receive payment. Because of the time delay, the credit card companies would continue to process these even if they were received after the card had been canceled.

      "But the date on the fraudulent transaction is after I reported my card lost/stolen. Why was it still processed?" I asked. (2) The thief had processed it as a subscription service. Apparently when people have a card stolen they frequently forget to update their magazine subscriptions with the new card info. The credit card companies got tired of getting into 3-way arguments about canceled subscriptions because the payment was denied due to the card being canceled. So if the transaction is coded as payment for a subscription, the card company will "helpfully" forward the charge to the new card even if the charge was processed using the account's old (stolen) card number.

      * (I don't think expiration date is required, but this was a decade ago so I don't recall exactly.)

      ** (The card companie

    20. Re:Billing address? by thegarbz · · Score: 1

      I hate to double post but in addition to the above concerns there's also the point that a billing address is a horrible choice for security.

      Security should be based on something you have, something you are, and something you know. A billing address by definition needs to be handed over to vendors who may have your credit card. This instantly compromises both bits of information in one attack.

      For proper security you need a process where one piece of information is not handed over to a party. e.g. Verified by Visa. When this check is triggered I'm redirected to my bank's website to complete the transaction. This is then done either with a keyfob or with a password independent of the credit card. This is the type of system we should be demanding for ALL online transactions and would instantly render any guesswork as well as hacking of online stores moot.

    21. Re:Billing address? by Anonymous Coward · · Score: 0

      That's why credit card companies don't verify addresses at all in most cases. They only verify zip code.

    22. Re:Billing address? by Anonymous Coward · · Score: 1

      On top of which, comparing addresses can be non-trivial. Is "37-3 St Simeon Ln, L.A., CA" the same address as "37 Saint Simeon Lane, Los Angeles, Calif, Apt 3?"

      Yes, they are the same. "37 Main Street, Apt 52" is also the same. "37 10256th Street, Suite 700" is also the same. Are you seeing a pattern? AVS can only validate 2 numbers, the first number of the address and the zip code. Everything else is completely ignored. Your name, additional address lines, your city, your state, even your country, cannot be validated.

    23. Re:Billing address? by Anonymous Coward · · Score: 0

      Was that unit 42, 24 street street, 42/24 street st, U42 24 street street, or were you buying something for your aunt in backwardsville?

    24. Re:Billing address? by Zeroko · · Score: 1

      Which works great until the government splits a zip code. Then it takes years for some merchants to decide the new zip code is valid, & until then, transactions that attempt to verify zip code fail—either enter the right zip & get rejected by the merchant or the wrong one & get rejected by the bank. (That actually happened to me at a gas station once.)

  6. A number or Your number? by slashkitty · · Score: 1

    I find it hard to believe that they are able to guess my number in 6 seconds. Anyone can guess A single number, and verify if it's a credit card number. And then guess the exp and security codes. The summary is very sensational.

    --
    -- these are only opinions and they might not be mine.
    1. Re:A number or Your number? by Anonymous Coward · · Score: 0

      Indeed, this is a variant of the birthday paradox. It's hard for a random stranger to guess my birthday, but if we fill a room with 100 people and have that stranger yell out a date he's much more likely to guess the correct birthday of at least one person in that room.

      The number space of credit cards is of course much higher, but the number of valid numbers is also much higher, so this isn't super surprising once you know that there's no coordination between different merchants to notice that the same IP address is trying to charge to thousands of card numbers at the same time... the anti-fraud analysis that banks do is tailored for repeated suspicious transactions on a single card, not a multitude of transactions from the same person on many different cards.

  7. It's even easier than that by onyxruby · · Score: 5, Insightful

    This is a good opportunity to talk about why security through obscurity is bad:

    Your typical credit card number has a theoretical 16 digits that are available. That's a huge number (9,999,999,999,999,999) that makes it look effectively impossible to guess. Let's pare that number down to size.

    First, you aren't guessing anywhere near 16 digits. It turns out there's a lot you already know (1st digit is 4 for Visa, 5 for Mastercard etc.). That reduces the typical address space from 16 to 15 digits. That first number turns out to actually just be part of the bank identification number which is typically 6 digits long. All of the rest of it except for the last digit is the actual account number. The last number itself is used for a checksum (Luhn) that is used to verify the number is good.

    In other words to get the account number right you've only got an address space of 999,999,999. That's a significant reduction in magnitude to start with. Now let's go back to that Luhn checksum (it isn't a hash). Due to this detail you can easily validate the number to make sure that you haven't mistyped it (Luhn precedes using magnetic tape for credit cards).

    The Luhn check uses a Mod 10 algorithm that excludes 90% of the previous address space. You now have 99,999,999 numbers to guess against. Your malicious actor isn't starting work in a quadrillion space number, they're working in the millions. All of that is just from the industry standards themselves. Now remember that each bank is going to have their own formulas for generating credit card numbers and that card thieves have data sets of the tens of millions - old dumps are good for providing data that can show patterns. This is a good example of how data at the aggregate level carries risk that it doesn't at the micro level.

    Chances are the account number for the card itself isn't at all random. Chances are really good that the formulas used to generate these numbers for a number of large popular banks have been reverse engineered by any number of parties. You also have policies at many banks such as never reusing a number that also reduce this address space. All the malicious actor has to do is look for patterns. Patterns have a way of reducing the order of magnitude once you learn them.

    The expiration dates themselves are typically within 2 years giving a range of only 24 to pick from for the typical transaction. Guess a valid account number, try it at 24 websites and chances are really good one of them will work. That leaves the CVC2 number itself, which of course isn't random either.

    The system is broken, it's just a matter of time before industry must recalibrate how it works.

    More below for those who are curious:
    http://www.creditcards.com/cre...
    http://datagenetics.com/blog/j...
    http://www.darkcoding.net/cred...
    http://blog.opensecurityresear...
    http://www.ibm.com/support/kno...

    1. Re:It's even easier than that by drew_kime · · Score: 1

      Yes, but add a chip and now it's uncrackable! That's why in the US we don't even bother with chip and pin, but rather allow chip and sign. Would the industry allow something so seemingly brain-dead if the system weren't secure?

      --
      Nope, no sig
    2. Re:It's even easier than that by Anonymous Coward · · Score: 0

      Chip and pin is more secure than chip and sign. The pin is 2FA.

    3. Re:It's even easier than that by ShanghaiBill · · Score: 1

      That leaves the CVC2 number itself, which of course isn't random either.

      Do you have a citation for this assertion that CVV2 numbers are not random?

    4. Re:It's even easier than that by Anonymous Coward · · Score: 0

      Woosh!

    5. Re:It's even easier than that by onyxruby · · Score: 1

      Citations were in the sources I provided.

    6. Re:It's even easier than that by onyxruby · · Score: 2

      Chip and pin really does help for card present transactions. Unfortunately it doesn't do much for card not present transactions (online). The article talks about the issues online merchants face.

    7. Re:It's even easier than that by Anonymous Coward · · Score: 0

      Chip and Pin is broken as well: https://www.lightbluetouchpaper.org/2010/02/11/chip-and-pin-is-broken/

    8. Re:It's even easier than that by JustAnotherOldGuy · · Score: 1

      Thank you for this.

      I've tried to explain this to quite a few people over the years (with limited success) but your explanation was clear and succinct. In the future I'll just send them the text of your post; it'll save a lot of time and misunderstanding.

      As you said, the system is broken. Badly, badly broken.

      --
      Just cruising through this digital world at 33 1/3 rpm...
    9. Re:It's even easier than that by bws111 · · Score: 1

      What does any of that have to do with security by obscurity? There is nothing obscure about how credit card transactions work.

    10. Re:It's even easier than that by Anonymous Coward · · Score: 2, Informative

      The card-not-present-equivalent of chip and pin is "3D-secure", better known by its card-company-specific brand names like "Verified By Visa". When this is employed, the merchant's website delegates to the card company's website for part of the transaction, where the card company can then employ various techniques to verify the user's identity.

      Exactly what authentication mechanisms are used depends on the bank and card company. Some are just "enter another secret number", which at least increases the number space to guess but is vulnerable to phishing. Others are sophisticated enough to use techniques like two-factor authentication, which helps combat phishing but can be confusing for the average consumer.

      But the main feature of 3D-secure that is relevant to the problem at hand is that the credit card company's website is involved which means that they can potentially correlate multiple concurrent attacks using the same sorts of heuristics that Google uses to detect when robots are crawling its search results. It can then tailor its response proportionally to the risk: if everything looks okay, maybe just ask a simple question. If things seem a little suspicious, perhaps have the customer complete a CAPTCHA-type test before returning the decision or prompt them for some additional personal information you don't normally ask for. If things seem super sketchy, do a two-factor technique such as sending the customer a verification SMS, or even just block the transaction altogether and ask the customer to try again later.

      Of course, 3D-secure is another credit card innovation that has passed the U.S. by. As someone from Europe living in the U.S. I was amused to see what happened the first time I used my U.S. credit card to buy from a European online merchant: the merchant website delegated to Visa's website as normal, and I briefly saw a page with my bank's logo on it, but then after a second or so it just redirected me back to the merchant with the "looks okay!" message, having not prompted me for any information at all. I will give them some credit that there was probably some invisible analysis going on here so as to still prevent the kind of mass-validation this article is talking about, but it's a far cry from what I'm used to from using European credit cards.

    11. Re: It's even easier than that by mattpalmer1086 · · Score: 1

      They may not be chosen randomly, but they are indistinguishable from random if you don't have the encryption keys.

    12. Re:It's even easier than that by onyxruby · · Score: 1

      Agreed, chip and pin is better, however it is also broken. The whole thing needs to be rebuilt.

      2 factor should /always/ be required

    13. Re: It's even easier than that by onyxruby · · Score: 1

      Every company chooses their own method of generation for this code. Some vendors use weak encryption, some might use strong encryption, some don't use encryption at all, and some issue the codes in batches. It really all comes down to the company, their risk policies and their expertise. That's why large card dumps are risky, they provide material that can be used to look for patterns. It's a bit scary how many companies have told me they secure their product with base64.

    14. Re:It's even easier than that by Anonymous Coward · · Score: 0

      I'm creating some software about this subject and need good places to search...

      Roger
      Blog Programa de Reconstrução Capilar
      http://dhtequedadecabelo.quetudo.com.br

    15. Re:It's even easier than that by onyxruby · · Score: 1

      Credit card transactions are fairly well documented (I'm a big fan of DUKPT myself and that is decently documented). However the process used to generate the account and CVC2 numbers themselves is obscure and proprietary to each bank. Most banks do not have the expertise or will to properly perform this function. They count on malicious actors not looking too hard at how they do things.

      Unfortunately for the banks once you figure out how to generate these numbers you have broken the primary security used to prevent the public at large from using any given key (card no's) against a very public lock (merchant website). 2FA goes a long way to prevent this!!!

      Processors, banks and merchants all have the ability to mitigate this risk by putting in additional controls (geo-location, address, shopping patterns etc.) These all help reduce the risk of a given transaction. However they must balance out approving most (probably legitimate) transactions against an acceptable level of fraud. They must also balance out the overhead involved in reviewing and approving transactions.

      The result is the continued use of a system that is fundamentally broken. You will see this type of fraud increase significantly until the whole system is re-engineered.

    16. Re:It's even easier than that by onyxruby · · Score: 1

      Thanks, glad it's helpful :)

    17. Re:It's even easier than that by david_bonn · · Score: 1

      ... then maybe one way to solve it is to have "credit card numbers" be ridiculously large, like 1024 digits. The mag stripe or pin wouldn't care if the number was large for card-present transactions, and you could scan the card number with a camera for online transactions.

      Of course, the next step would be to generate a unique "credit card number" for each transaction, that was valid exactly once.

    18. Re:It's even easier than that by onyxruby · · Score: 1

      Credit card numbers that long aren't necessary. Changing how they are constructed is. Logically speaking the problem can be fixed (hashing etc.) The problem is that the infrastructure that supports it would also have to be changed and that would be a monumental undertaking. Which is why they are trying to avoid it at all costs. You also have the issue that the typical consumer is not going to tolerate an even longer number than they already have.

      The unique credit card number solution has been offered by some banks already (e.g. Amex). Many payment terminals are configured to use DUKPT which creates a unique key per transaction (this is enough to take a cash register out of scope for PCI if properly configured).

      You may find this interesting:
      http://www.maravis.com/derived...

      Even 2FA is broken if it is done via SMS
      https://pages.nist.gov/800-63-...

    19. Re:It's even easier than that by drew_kime · · Score: 1

      So chip and pin is broken by the requirement to support chip and sign. Awesome.

      --
      Nope, no sig
    20. Re:It's even easier than that by tepples · · Score: 1

      Do most desktop PCs have a suitable webcam? If not, buying one online may end up a Catch-22 once it comes time to pay.

    21. Re:It's even easier than that by rpstrong · · Score: 1

      Interesting post, but how does the Luhn check exclude 90% of the numbers? I can create cards running from '000000001x' to '999999999x' where 'x' is the appropriate check digit, and where the first nine digits guarantee uniqueness.
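As an added illustration (editor's example, not code from any poster) of the Luhn arithmetic that onyxruby's post and rpstrong's question above refer to: the check digit is a function of the other digits, so each account number has exactly one valid check digit, while among all digit strings of the full length exactly one in ten passes. The prefixes used below are constructed values, not real BINs.

```python
# Added example: Luhn (mod 10) check-digit arithmetic, as used on card numbers
# for typo detection. Nothing here is secret; the check digit is derivable.


def luhn_checksum(digits: str) -> int:
    """Return the Luhn weighted sum mod 10 of a digit string (check digit included)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:           # digit sum of the doubled value (e.g. 16 -> 7)
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """A number passes the Luhn check when its weighted sum is 0 mod 10."""
    return number.isdigit() and len(number) > 1 and luhn_checksum(number) == 0


def luhn_check_digit(payload: str) -> str:
    """Compute the single trailing digit that makes payload + digit pass Luhn."""
    # Appending a placeholder 0 shifts every payload digit into its final weight.
    return str((10 - luhn_checksum(payload + "0")) % 10)


def count_luhn_passing(prefix: str, free_digits: int):
    """Enumerate prefix + (free_digits + 1) trailing digits and count Luhn passes.

    Leaving the last digit free covers every string of that length, which is
    the 'full 16-digit space' view: exactly one in ten passes. Viewed per
    payload, each payload has exactly one passing check digit, so Luhn does
    not shrink the space of account numbers at all.
    """
    width = free_digits + 1
    total = 10 ** width
    passing = sum(
        1 for v in range(total) if luhn_valid(prefix + str(v).zfill(width))
    )
    return passing, total


if __name__ == "__main__":
    # Classic worked example: payload 7992739871 takes check digit 3.
    print(luhn_check_digit("7992739871"), luhn_valid("79927398713"))
    # Constructed 13-digit prefix + 3 free digits = 16-digit strings.
    print(count_luhn_passing("4000001234567", 2))
```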

  8. Mastercard by Coditor · · Score: 1

    It sounds from the article like having Mastercard would mitigate the attack since they use a centralized system.

  9. 2FA by Anonymous Coward · · Score: 0

    It's almost 2017 and banks that still don't enforce two-factor authentication are just begging to be hacked.

  10. Cat got my tongue by Anonymous Coward · · Score: 0

    rate control at the root check node

  11. Incorrect headline by BenJeremy · · Score: 0

    Geez.... they can't guess your CC# - only your CVV and Expiration Date in 6 seconds.

    The headline is grossly incorrect clickbait. Shame on you, Slashdot, but I know EditorDavid has no shame, nor any journalistic integrity.

    1. Re:Incorrect headline by Anonymous Coward · · Score: 0

      6 seconds vs 2 minutes, what difference does it make? Headlines are ALWAYS inaccurate, they are information reduction. Get over it, cry into this brown paper bag I guess.

    2. Re:Incorrect headline by Anonymous Coward · · Score: 0

      No it's perfectly accurate. The headline says a credit card number, not your credit card number. They only need to guess numbers that are currently active. They don't care who it belongs to, so long as they can find an active card and rack up charges before it's detected.

  12. Thanks EditorDavid! by bigwheel · · Score: 1

    Kudos to EditorDavid for posting some interesting articles, rather than trolling political fight bait. I was about to give up on /., but maybe there's hope.

  13. Re:Tell me more by AndyKron · · Score: 1

    I've lived happily for decades without that movie entering my mind, and then you come along. THX!

  14. OTP required by Anonymous Coward · · Score: 0

    Here in India I'm required to enter an OTP sent to my mobile; for my other card provider I'm redirected to a website which asks for a password I have preset earlier on the bank website... why is this so hard?

    1. Re:OTP required by tepples · · Score: 1

      Because a lot of U.S. cardmembers still don't have mobile phones with unmetered incoming SMS.

  15. Wow, all you need is... by kenh · · Score: 2

    Mohammed explains: “Most hackers will have got hold of valid card numbers as a starting point but even without that it’s relatively easy to generate variations of card numbers and automatically send them out across numerous websites to validate them.

    Uh, sure - if you have a valid card number as a starting point, the other data points are trivial... But if you don't, "guessing" the remaining 10 digits of a valid credit card number quickly becomes a non-trivial task because the only way to separate a "correct" credit card number (which can be proven algorithmically) from a validly-issued credit card is to supply the proposed "correct" credit card number to multiple sites with all 60 possible expiry dates and each of the nearly one thousand CVV numbers from the back... (See below)

    “The next step is the expiry date. Banks typically issue cards that are valid for 60 months so guessing the date takes at most 60 attempts.

    “The CVV is your last barrier and theoretically only the card holder has that piece of information – it isn’t stored anywhere else.

    “But guessing this three-digit number takes fewer than 1,000 attempts. Spread this out over 1,000 websites and one will come back verified within a couple of seconds. And there you have it – all the data you need to hack the account.”

    So, when the headline says "Credit Card" they only mean Visa, everyone else blocks cards after as few as a dozen failed attempts, and the key ingredient to "cracking" a credit card is to start with a valid credit card number, all 16 digits, then find a list of e-commerce websites that will let you keep pitching hundreds and hundreds of credit card transactions at them so you can go through all 60,000 combinations of expiry date and CVV to find the right one. Oh, then you need to make sure the attempted purchase is under the card's available spending limit.

    But hey, yeah, credit cards are easy to brute-force hack, if you start with a valid, active, complete 16 digit credit card number - as long as it is a Visa card and Visa doesn't update their software.

    --
    Ken
    1. Re:Wow, all you need is... by thegarbz · · Score: 1

      Oh, then you need to make sure the attempted purchase is under the card's available spending limit

      This one is easy. Smash out small transactions until it passes, then spend up to known limits. This happened in my last fraud case. A transaction worth $50ish followed immediately by a transaction worth $4500 on my card with a $5000 limit.

  16. shouldnt fraud detection catch these? by schweini · · Score: 2

    But wouldn't this 'attack' be really trivial to detect on the credit card processor's side? There isn't a legitimate use case that would explain multiple attempts at the same time?

    1. Re:shouldnt fraud detection catch these? by hibiki_r · · Score: 1

      There's a difference between processor and originating bank. There are many processors, but each card has a single originating bank. The processors themselves only know a fraction of the attempts.

      Processors with good systems underneath might make this harder to do though: For instance, a processor might decline because the IP making this request is suspicious. Websites that use really big processors underneath might have more information on the card holder than you'd think, and be able to see something close to the originating bank.

      There's a constant war between fraudsters of different kinds and credit card processors. The attacks that were profitable 3 years ago don't work today at all: This is why a lot of fraud today involves large fraud 'companies', that will use their tools for you in exchange for something: from BTC to merchant accounts to believable credentials.

  17. Sensational article. by orlanz · · Score: 1

    Basically some payment systems allow 10-20 human errors per valid card number before triggering a fraud alert. 10 seems understandable for all those old folks with arthritis and poor eyesight. 20 seems like someone didn't know what they were doing or didn't change it during deployment from QA.

    So what the article is saying is that it is theoretically possible for someone to write a program to submit random numbers to various sites and by the law of big numbers, figure out a valid CC & data in under 6 seconds.

    Not really a big return there. Nor can this be used en masse; eventually the payment systems will see you as spam and if not them, the upstream will block the payment system because it is sending in too many invalid queries.

    Even with a CC number, usage would still need to go through the rest of the fraud detection system. If this ever becomes a problem the obvious immediate answer is to lower the attempts to 5-10 or block repeat attempts for x seconds.

    There are easier ways to get a lot more card numbers...
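Added example (editor's code, not from any poster or from any real issuer) of the issuer-side correlation the thread keeps coming back to: the originating bank sees every authorization for a card whichever merchant it came through, so it can count recent declines per card across distinct merchants and, as orlanz suggests, block repeat attempts for a period instead of permanently locking the card. The log format, thresholds and card tokens are all constructed for illustration.

```python
# Added example: sliding-window detector for distributed guessing, run at the
# card issuer over its own authorization stream. Log lines and limits are
# constructed; a real issuer would tune them against its decline baseline.
from collections import defaultdict, deque
from dataclasses import dataclass, field

WINDOW_SECONDS = 60      # constructed: how far back declines are counted
DECLINE_LIMIT = 10       # constructed: declines per card inside the window
MERCHANT_LIMIT = 3       # constructed: distinct merchants among those declines
COOLDOWN_SECONDS = 300   # constructed: soft-decline period, not a hard lock

# Constructed issuer authorization log. tok_A is hit from six merchants in
# quick succession; tok_B is a customer mistyping twice at one shop.
SAMPLE_LOG = """\
t=1 pan=tok_A merchant=shop01 result=DECLINED
t=2 pan=tok_B merchant=shop04 result=DECLINED
t=3 pan=tok_A merchant=shop02 result=DECLINED
t=4 pan=tok_A merchant=shop03 result=DECLINED
t=5 pan=tok_B merchant=shop04 result=DECLINED
t=6 pan=tok_A merchant=shop04 result=DECLINED
t=7 pan=tok_A merchant=shop05 result=DECLINED
t=8 pan=tok_A merchant=shop01 result=DECLINED
t=9 pan=tok_B merchant=shop04 result=APPROVED
t=10 pan=tok_A merchant=shop02 result=DECLINED
t=11 pan=tok_A merchant=shop03 result=DECLINED
t=12 pan=tok_A merchant=shop04 result=DECLINED
t=13 pan=tok_A merchant=shop05 result=DECLINED
t=14 pan=tok_A merchant=shop06 result=APPROVED
"""


@dataclass
class CardState:
    declines: deque = field(default_factory=deque)   # (ts, merchant) in window
    cooldown_until: int = -1


class GuessingDetector:
    def __init__(self):
        self.cards = defaultdict(CardState)
        self.alerts = []      # (ts, pan, declines_in_window, distinct_merchants)

    def observe(self, ts, pan, merchant, declined):
        st = self.cards[pan]
        if ts < st.cooldown_until:
            # While cooling off, answer nothing useful: even a correct guess
            # is refused, so the attacker cannot tell it apart from a miss.
            return "SOFT_DECLINE"
        if declined:
            st.declines.append((ts, merchant))
        while st.declines and st.declines[0][0] < ts - WINDOW_SECONDS:
            st.declines.popleft()
        merchants = {m for _, m in st.declines}
        # Many declines at ONE merchant are that merchant's problem (sites
        # already lock after N tries); the cross-merchant spread is the signal.
        if len(st.declines) >= DECLINE_LIMIT and len(merchants) >= MERCHANT_LIMIT:
            self.alerts.append((ts, pan, len(st.declines), len(merchants)))
            st.cooldown_until = ts + COOLDOWN_SECONDS
            st.declines.clear()
            return "FLAGGED"
        return "DECLINED" if declined else "APPROVED"


def parse_line(line):
    """Parse one constructed 'k=v k=v' log line into (ts, pan, merchant, declined)."""
    f = dict(kv.split("=", 1) for kv in line.split())
    return int(f["t"]), f["pan"], f["merchant"], f["result"] == "DECLINED"


def run(log_text):
    """Replay a log in timestamp order; return ([(ts, pan, verdict)], alerts)."""
    det = GuessingDetector()
    verdicts = []
    for line in log_text.splitlines():
        ts, pan, merchant, declined = parse_line(line)
        verdicts.append((ts, pan, det.observe(ts, pan, merchant, declined)))
    return verdicts, det.alerts


if __name__ == "__main__":
    for v in run(SAMPLE_LOG)[0]:
        print(v)
```

The tenth cross-merchant decline for tok_A raises the alert and starts the cool-down, so the approval that would have followed at t=14 is soft-declined; tok_B's two mistypes at a single shop never trip the rule.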

  18. You can set up levels of checking. by Anonymous Coward · · Score: 0

    You can ask your card service to set up requirements, like checking signature, ID check, etc. Most people don't because they don't want to be inconvenienced.

  19. With card locking a DDoS attack on cards by Anonymous Coward · · Score: 0

    Think DDoS. If there is a threshold of N false tries for locking a card with a given card number it only takes N*1000000 tries to lock one million cards. It would not be much of a challenge for someone with a botnet to keep millions of cards locked 24/7 just for fun.

    1. Re: With card locking a DDoS attack on cards by Anonymous Coward · · Score: 0

      This exactly.

  20. For how much a month? by tepples · · Score: 1

    How many of the tens of thousands of small businesses on whose websites crooks are trying millions of credential combinations can afford an annual subscription to said "commercially available data validation software packages"?

  21. What good is that? by SirMasterboy · · Score: 1

    Whenever I use my credit card I have to authorize each transaction on my smartphone. Even if a thief stole my wallet, as long as they don't have my unlocked phone they can't use my credit card anyway.

  22. because.... by meglon · · Score: 1
    --
    Fascism: An authoritarian and nationalistic right-wing system of government and social organization. See also: NAZI's