Slashdot Mirror
Crooks Need Just Six Seconds To Guess A Credit Card Number (independent.co.uk)
schwit1 quotes The Independent: Criminals can work out the card number, expiration date, and security code for a Visa debit or credit card in as little as six seconds using guesswork, researchers have found...
Fraudsters use a so-called Distributed Guessing Attack to get around security features put in place to stop online fraud, and this may have been the method used in the recent Tesco Bank hack...
According to a study published in the academic journal IEEE Security & Privacy, fraudsters could use computers to systematically fire different variations of security data at hundreds of websites simultaneously. Within seconds, by a process of elimination, the criminals could verify the correct card number, expiration date and the three-digit security number on the back of the card.
One of the researchers explained this attack combines two weaknesses into one powerful attack. "Firstly, current online payment systems do not detect multiple invalid payment requests from different websites... Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it's quite easy to build up the information and piece it together like a jigsaw puzzle."
According to a study published in the academic journal IEEE Security & Privacy, fraudsters could use computers to systematically fire different variations of security data at hundreds of websites simultaneously. Within seconds, by a process of elimination, the criminals could verify the correct card number, expiration date and the three-digit security number on the back of the card.
One of the researchers explained this attack combines two weaknesses into one powerful attack. "Firstly, current online payment systems do not detect multiple invalid payment requests from different websites... Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it's quite easy to build up the information and piece it together like a jigsaw puzzle."
WTF is going on with the verification process? If the card hits verification even 10 times in the same minute from different sites it should be locked up. Crappy back end.
This is a good opportunity to talk about why security through obscurity is bad:
Your typical credit card number has a theoretical 16 digits that are available. That's a huge number (9,999,999,999,999,999) that makes it look effectively impossible to guess. Let's pare that number down to size.
First, you aren't guessing anywhere near 16 digits. It turns out there's a lot you already know (1st digit is 4 for visa, 5 for mastercard etc.). That reduces the typical address space from 16 to 15 digits. That first number turns out to actually just be part of the bank identification number which is typically 6 digits long. All of the rest of it except for last digit is the actual account number. The last number itself is used for a checksum (Luhn) that is used to verify the number is good.
In other words to get the account number right you've only got an address space of 999,999,999. That's a significant reduction in magnitude to start with. Now let's go back to that Luhn checksum (it isn't a hash). Due to this detail you can easily validate the number to make sure that you haven't mistyped it (Luhn precedes using magnetic tape for credit cards).
The Luhn check uses a Mod 10 algorithm that excludes 90% of the previous address space. You now have 99,999,999 numbers to guess against. Your malicious actor isn't starting work in a quadrillion space number, they're working in the millions. All of that is just from the industry standards themselves. Now remember that each bank is going to have their own formulas for generating credit card numbers and that card thieves have data sets of the tens of millions - old dumps are good for providing data that can show patterns. This is a good example of how data at the aggregate level carries risk that it doesn't at the micro level.
Chances are the account number for the card itself isn't at all random. Chances are really good that the formulas used to generate these numbers for a number of large popular banks have been reverse engineered by any number of parties. You also have policies at many banks such as never reusing a number that also reduce this address space. All the malcious actor has to do is look for patterns. Patterns have a way of reducing the order of magnitude once you learn them.
The expiration dates themselves are typically within 2 years giving a range of only 24 to pick from for the typical transaction. Guess a valid account number, try it at 24 websites and chances are really good one of them will work. That leaves the CVC2 number itself, which of course isn't random either.
The system is broken, it's just a matter of time before industry must recalibrate how it works.
More below for those who are curious:
http://www.creditcards.com/cre...
http://datagenetics.com/blog/j...
http://www.darkcoding.net/cred...
http://blog.opensecurityresear...
http://www.ibm.com/support/kno...