Crooks Need Just Six Seconds To Guess A Credit Card Number (independent.co.uk)
schwit1 quotes The Independent: Criminals can work out the card number, expiration date, and security code for a Visa debit or credit card in as little as six seconds using guesswork, researchers have found...
Fraudsters use a so-called Distributed Guessing Attack to get around security features put in place to stop online fraud, and this may have been the method used in the recent Tesco Bank hack...
According to a study published in the academic journal IEEE Security & Privacy, fraudsters could use computers to systematically fire different variations of security data at hundreds of websites simultaneously. Within seconds, by a process of elimination, the criminals could verify the correct card number, expiration date and the three-digit security number on the back of the card.
One of the researchers explained that the attack combines two weaknesses into one powerful attack. "Firstly, current online payment systems do not detect multiple invalid payment requests from different websites... Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it's quite easy to build up the information and piece it together like a jigsaw puzzle."
One digit for typo checking. See Luhn algorithm.
Read the linked-to article: only Visa is vulnerable; MasterCard and others detect the widespread fraud after a few attempts and shut it down.
Ken
The card-not-present equivalent of chip and PIN is "3D-secure", better known by its card-company-specific brand names like "Verified By Visa". When this is employed, the merchant's website delegates to the card company's website for part of the transaction, where the card company can then employ various techniques to verify the user's identity.
Exactly what authentication mechanisms are used depends on the bank and card company. Some are just "enter another secret number", which at least increases the number space to guess but is vulnerable to phishing. Others are sophisticated enough to use techniques like two-factor authentication, which helps combat phishing but can be confusing for the average consumer.
But the main feature of 3D-secure that is relevant to the problem at hand is that the credit card company's website is involved which means that they can potentially correlate multiple concurrent attacks using the same sorts of heuristics that Google uses to detect when robots are crawling its search results. It can then tailor its response proportionally to the risk: if everything looks okay, maybe just ask a simple question. If things seem a little suspicious, perhaps have the customer complete a CAPTCHA-type test before returning the decision or prompt them for some additional personal information you don't normally ask for. If things seem super sketchy, do a two-factor technique such as sending the customer a verification SMS, or even just block the transaction altogether and ask the customer to try again later.
Of course, 3D-secure is another credit card innovation that has passed the U.S. by. As someone from Europe living in the U.S. I was amused to see what happened the first time I used my U.S. credit card to buy from a European online merchant: the merchant website delegated to Visa's website as normal, and I briefly saw a page with my bank's logo on it, but then after a second or so it just redirected me back to the merchant with the "looks okay!" message, having not prompted me for any information at all. I will give them some credit that there was probably some invisible analysis going on here so as to still prevent the kind of mass-validation this article is talking about, but it's a far cry from what I'm used to from using European credit cards.
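Added example, not from the article, the paper or any commenter: issuer-side detection logic in Python for the first weakness the researcher names in the summary (no correlation of declines arriving from different websites) and for the cross-merchant correlation the comment above says 3D-secure makes possible. It counts declined attempts per card across distinct merchants in a short window, so repeated typos at one shop are left alone while a many-merchant spray locks the card; the log format, card tokens, window and threshold are all assumed.

```python
# Issuer-side velocity check against distributed guessing: count DECLINED
# card-not-present authorizations per card token across *distinct* merchants
# in a sliding window. Typos at one shop stay unlocked; a spray locks the card.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization log (not real data):
# "<ISO timestamp> <card token> <merchant id> <APPROVED|DECLINED>"
SAMPLE_LOG = [
    "2016-12-02T10:00:00 tok_A shop-01 DECLINED",
    "2016-12-02T10:00:01 tok_A shop-02 DECLINED",
    "2016-12-02T10:00:02 tok_A shop-03 DECLINED",  # third merchant: lock
    "2016-12-02T10:00:03 tok_A shop-04 APPROVED",  # right guess, already locked
    "2016-12-02T10:00:00 tok_B shop-09 DECLINED",
    "2016-12-02T10:00:05 tok_B shop-09 DECLINED",
    "2016-12-02T10:00:09 tok_B shop-09 DECLINED",  # one merchant: ordinary typos
    "2016-12-02T10:00:30 tok_B shop-09 APPROVED",
]
WINDOW = timedelta(seconds=10)  # assumed tuning values, not from the paper
DISTINCT_MERCHANTS = 3

def parse(line):
    ts, token, merchant, result = line.split()
    return datetime.fromisoformat(ts), token, merchant, result

class GuessingDetector:
    def __init__(self, window=WINDOW, threshold=DISTINCT_MERCHANTS):
        self.window, self.threshold = window, threshold
        self.declines = defaultdict(deque)  # token -> deque of (ts, merchant)
        self.locked = set()

    def observe(self, ts, token, merchant, result):
        """Return 'allow', 'decline' or 'lock' for one authorization attempt."""
        if token in self.locked:
            return "lock"  # a later correct guess is refused as well
        if result != "DECLINED":
            return "allow"
        q = self.declines[token]
        q.append((ts, merchant))
        while ts - q[0][0] > self.window:  # expire declines outside the window
            q.popleft()
        if len({m for _, m in q}) >= self.threshold:
            self.locked.add(token)
            return "lock"
        return "decline"

def run(lines, detector=None):
    """Replay log lines; return (token, merchant, decision) per attempt."""
    detector = detector or GuessingDetector()
    return [(tok, m, detector.observe(ts, tok, m, res))
            for ts, tok, m, res in map(parse, lines)]
```

Because the state is keyed by card token rather than by merchant, the three declines for tok_A look harmless to each individual shop but trip the lock at the issuer, which is the vantage point the attack relies on nobody having.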