Slashdot Mirror


Crooks Need Just Six Seconds To Guess A Credit Card Number (independent.co.uk)

schwit1 quotes The Independent: Criminals can work out the card number, expiration date, and security code for a Visa debit or credit card in as little as six seconds using guesswork, researchers have found... Fraudsters use a so-called Distributed Guessing Attack to get around security features put in place to stop online fraud, and this may have been the method used in the recent Tesco Bank hack...

According to a study published in the academic journal IEEE Security & Privacy, fraudsters could use computers to systematically fire different variations of security data at hundreds of websites simultaneously. Within seconds, by a process of elimination, the criminals could verify the correct card number, expiration date and the three-digit security number on the back of the card.

One of the researchers explained this attack combines two weaknesses into one powerful attack. "Firstly, current online payment systems do not detect multiple invalid payment requests from different websites... Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it's quite easy to build up the information and piece it together like a jigsaw puzzle."

17 of 110 comments

  1. Why can't this be detected by Anonymous Coward · · Score: 5, Insightful

    WTF is going on with the verification process? If the card hits verification even 10 times in the same minute from different sites it should be locked up. Crappy back end.

    1. Re:Why can't this be detected by michelcolman · · Score: 2

      Indeed quite hard to believe. They just thought of the situation where someone would keep guessing the number on the same website, but never thought someone might try different websites. Because, you know, it takes a whole lot of effort to open up a different website...

      What I'm wondering, though, is how they can guess all the numbers. Sure, the useless three-digit protection code on the back of the card only takes 1000 guesses in the worst case. And the number of expiration dates is even less, 60 or so. But they said they could guess the number by starting only with the first 6 digits (bank and card type). That leaves 10 digits to guess! Even if there are a few for typo detection (2, probably?) that still leaves 100 million codes to check. Were they using 10 million e-commerce sites?

    2. Re:Why can't this be detected by Anonymous Coward · · Score: 2, Informative

      One digit for typo checking. See Luhn algorithm.

    3. Re:Why can't this be detected by ShanghaiBill · · Score: 2

      If the card hits verification even 10 times in the same minute from different sites it should be locked up.

      That seems like a simple, obvious solution. But it is not. Millions of credit card numbers would be "locked up" every day, causing massive inconvenience for the card holders. The crooks could also just spread out their attempts to keep below the threshold, so instead of making a lot of attempts with one CC number before moving to the next CC number on the list, they would sweep through the list, making a few attempts each.

    4. Re:Why can't this be detected by ShanghaiBill · · Score: 2

      that still leaves 100 million codes to check. Were they using 10 million e-commerce sites?

      What you are missing is that they don't have to guess a specific number, just a valid number. So if there are 9 unknown digits, and Bank of America has 10 million customers, it will, on average, only take 100 guesses to get a hit.

    5. Re:Why can't this be detected by ShanghaiBill · · Score: 3, Interesting

      But what about the name on the card, then? Doesn't that have to be correct?

      Many merchants do not verify the name. I recently made an online purchase and wanted it shipped to a friend, and I inadvertently set both the shipping and billing address to my friend's name and address. The transaction went through.

      So some merchants verify the name, but not the CCV.
      Some validate the CCV but not the name.
      Some check the zipcode, others do not.

    6. Re:Why can't this be detected by kenh · · Score: 5, Informative

      Read the linked-to article, only Visa is vulnerable, MasterCard and others detect the widespread fraud after a few attempts and shut it down.

      --
      Ken
    7. Re:Why can't this be detected by mark-t · · Score: 2

      That could be easily exploited to DOS a credit card
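The two objections raised in this thread (a merchant-local rate limit cannot see a one-attempt-per-site attack, and a per-card limit at the issuer can be evaded by sweeping many cards a few tries each) can be made concrete. The following is an added example written for this page, not code from the article or from any card network; the merchant names, PANs and authorization records are constructed, and it assumes the issuer's vantage point, where every authorization request against its own cards is visible regardless of which merchant sent it.

```python
"""Issuer-side detection of a distributed guessing attack.

Added example for this thread, not code from the article or from any card
network. The merchant names, PANs and authorization records below are
constructed. Assumption: the issuer sees every authorization request made
against its own cards, regardless of which merchant sent it, which is the
vantage point no single merchant has.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60
PER_KEY_THRESHOLD = 10    # failed attempts per card (the thread's "10 in a minute")
BIN_THRESHOLD = 100       # illustrative: failed attempts per BIN well above normal

# Authorization record: (timestamp, merchant_id, pan, decline_reason).
# decline_reason is None for an approval.

# Scenario 1: one card, one attempt per merchant, thirty merchants in
# thirty seconds, then the guess that lands. No merchant sees a burst.
ATTACK_LOG = [(1000 + i, f"merchant-{i:03d}", "4111111111111111", "BAD_EXPIRY")
              for i in range(30)]
ATTACK_LOG.append((1031, "merchant-999", "4111111111111111", None))

# Scenario 2 (the evasion described in the thread): sweep fifty cards from
# the same BIN, three tries each, spread over 150 merchants in under a minute.
SWEEP_LOG = [(2000 + (i * 3 + j) * 0.4,
              f"merchant-{(i * 3 + j):03d}",
              f"4111110000{i:06d}",          # constructed PANs, BIN 411111
              "BAD_CVV")
             for i in range(50) for j in range(3)]


def peak_failures(events, key_fn, window=WINDOW_SECONDS):
    """For each key, the largest number of declines seen in any sliding window.

    Only declines are counted: a card used legitimately at many merchants
    produces approvals, so it never approaches the threshold.
    """
    queues = defaultdict(deque)
    peaks = defaultdict(int)
    for ts, merchant, pan, reason in sorted(events, key=lambda e: e[0]):
        if reason is None:
            continue
        key = key_fn(merchant, pan, reason)
        q = queues[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        peaks[key] = max(peaks[key], len(q))
    return dict(peaks)


def over_threshold(peaks, threshold):
    return sorted(key for key, n in peaks.items() if n >= threshold)


def merchant_local_alerts(events):
    """What a rate limiter inside one merchant can see: its own traffic only."""
    return over_threshold(peak_failures(events, lambda m, p, r: (m, p)), PER_KEY_THRESHOLD)


def issuer_per_card_alerts(events):
    """Issuer view: the same per-card counter, but across every merchant."""
    return over_threshold(peak_failures(events, lambda m, p, r: p), PER_KEY_THRESHOLD)


def issuer_per_bin_alerts(events):
    """Issuer view aggregated by BIN and decline reason, to catch sweeps that
    deliberately stay under the per-card limit."""
    return over_threshold(peak_failures(events, lambda m, p, r: (p[:6], r)), BIN_THRESHOLD)


if __name__ == "__main__":
    for name, log in (("single card", ATTACK_LOG), ("sweep", SWEEP_LOG)):
        print(name, "merchant-local:", merchant_local_alerts(log))
        print(name, "issuer per card:", issuer_per_card_alerts(log))
        print(name, "issuer per BIN:", issuer_per_bin_alerts(log))
```

Run stand-alone, the single-card scenario raises nothing at any merchant and one alert at the issuer; the sweep raises nothing per card at either vantage point and is only caught when declines are aggregated by BIN. Counting declines rather than all authorizations is what keeps a legitimately busy card away from the limit; the BIN threshold here is an illustrative constant, and in practice it would be a baseline learned from normal decline volume.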

  2. Billing address? by Paul+Carver · · Score: 2

    The article didn't mention billing address, but I don't think I've ever entered my credit card number into any website that didn't include billing address as a set of required fields. Shipping address is always an additional set of optional fields.

    Now, I suppose if the backend doesn't validate billing address then you could use a fake address for the brute force part of the job, but when you go to use the card isn't a fake billing address going to be a dead giveaway that the transaction was a fraud and therefore guarantee a successful charge back with zero questions?

    But if Visa has any sense they ought to require billing address verification as part of the preauthorization step for all card not present transactions.

    1. Re:Billing address? by kenh · · Score: 2

      Perhaps they aren't interested in entering into international sales agreements? What "services" do you want to buy from an American retailer that do not involve the movement of goods across international borders?

      Are you trying to stream video? (They may only have licenses to provide streaming services in America)
      Are you trying to buy software? (Again, they may only have a license for embedded code elements for domestic use, AKA security/encryption/compression, etc)
      Are you trying to download an eBook? (single-country agreements between publishers and retailers are quite common outside the "major players" in the space (Amazon, Barnes & Noble, etc.))

      I'd be very interested in hearing about your "services" you hope to purchase that do not involve shipping goods overseas.

      Also, it's called "NAFTA agreement" or just "NAFTA" since the last "A" stands for "Agreement".

      I've never heard of a store refusing "out of state" credit cards - do you mean NY state stores refusing cards from Canada or Connecticut? I suspect the out of country car restriction is based on a history of fraudulent charges along that particular corridor between Canada and NYC, but that's pure speculation on my part.

      Oh, and can you believe the NY State Thruway doesn't accept Canadian money! What's up with that! /sarcasm

      --
      Ken
  3. Re:No safe-guards? by jgullstr · · Score: 2

    I have Verified by Visa as well, but as you say, it only works on websites that have it enabled, which makes it useless for attacks of this sort. One way to prevent them, is to disable web payments for all credit cards, and use virtual prepaid cards instead.

  4. It's even easier than that by onyxruby · · Score: 5, Insightful

    This is a good opportunity to talk about why security through obscurity is bad:

    Your typical credit card number has a theoretical 16 digits that are available. That's a huge number (9,999,999,999,999,999) that makes it look effectively impossible to guess. Let's pare that number down to size.

    First, you aren't guessing anywhere near 16 digits. It turns out there's a lot you already know (1st digit is 4 for visa, 5 for mastercard etc.). That reduces the typical address space from 16 to 15 digits. That first number turns out to actually just be part of the bank identification number which is typically 6 digits long. All of the rest of it except for last digit is the actual account number. The last number itself is used for a checksum (Luhn) that is used to verify the number is good.

    In other words, to get the account number right you've only got an address space of 999,999,999. That's a significant reduction in magnitude to start with. Now let's go back to that Luhn checksum (it isn't a hash). Due to this detail you can easily validate the number to make sure that you haven't mistyped it (Luhn precedes using magnetic tape for credit cards).

    The Luhn check uses a Mod 10 algorithm that excludes 90% of the previous address space. You now have 99,999,999 numbers to guess against. Your malicious actor isn't starting work in a quadrillion space number, they're working in the millions. All of that is just from the industry standards themselves. Now remember that each bank is going to have their own formulas for generating credit card numbers and that card thieves have data sets of the tens of millions - old dumps are good for providing data that can show patterns. This is a good example of how data at the aggregate level carries risk that it doesn't at the micro level.

    Chances are the account number for the card itself isn't at all random. Chances are really good that the formulas used to generate these numbers for a number of large popular banks have been reverse engineered by any number of parties. You also have policies at many banks such as never reusing a number that also reduce this address space. All the malicious actor has to do is look for patterns. Patterns have a way of reducing the order of magnitude once you learn them.

    The expiration dates themselves are typically within 2 years giving a range of only 24 to pick from for the typical transaction. Guess a valid account number, try it at 24 websites and chances are really good one of them will work. That leaves the CVC2 number itself, which of course isn't random either.

    The system is broken, it's just a matter of time before industry must recalibrate how it works.

    More below for those who are curious:
    http://www.creditcards.com/cre...
    http://datagenetics.com/blog/j...
    http://www.darkcoding.net/cred...
    http://blog.opensecurityresear...
    http://www.ibm.com/support/kno...
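The Luhn check and the BIN arithmetic discussed above (and in ShanghaiBill's "any valid number will do" point earlier in the thread) can be worked through directly. This is an added example for this page, not code from the article, the thread or the linked pages. It uses the thread's own parameters: a 16-digit Visa PAN, a known 6-digit BIN and one Luhn check digit at the end. The BIN 411111 and the issued-card count are assumptions for illustration. One detail worth seeing in code: the check digit is determined by the other digits, so behind a 6-digit BIN there are 10**10 raw strings but exactly 10**9 Luhn-valid PANs; Luhn is what fixes that tenth digit, it does not remove a further 90% on top of it.

```python
"""Luhn check digit and the size of the space a guesser actually searches.

Added example for this thread, not code from the article or from the
linked pages. It works the thread's own numbers: a 16-digit Visa PAN, a
known 6-digit BIN, one Luhn check digit at the end. The BIN 411111 and
the issued-card count used below are assumptions for illustration.
"""


def luhn_sum(number: str) -> int:
    """Luhn mod-10 sum over a full number (check digit included, rightmost)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    """True when the number passes the Luhn check."""
    return pan.isdigit() and len(pan) >= 2 and luhn_sum(pan) == 0


def luhn_check_digit(body: str) -> str:
    """The single digit that makes body + digit pass the check."""
    return str((10 - luhn_sum(body + "0")) % 10)


def candidate_space(bin_prefix: str, length: int = 16) -> dict:
    """Sizes of the search space behind a known BIN.

    The check digit is a function of the other digits, so exactly one in
    ten raw strings passes Luhn: ten unknown digits give 10**10 strings
    but only 10**9 Luhn-valid PANs.
    """
    free = length - len(bin_prefix) - 1
    return {
        "free_digits": free,
        "all_strings": 10 ** (length - len(bin_prefix)),
        "luhn_valid": 10 ** free,
    }


def expected_guesses_to_issued_card(luhn_valid_space: int, cards_issued: int) -> float:
    """Mean number of Luhn-valid candidates tried before one is an issued
    card, assuming issued numbers are spread uniformly over the space
    (the attacker wants any live card, not a particular one)."""
    return luhn_valid_space / cards_issued


def luhn_valid_pans(bin_prefix: str, start: int, count: int, length: int = 16):
    """Consecutive Luhn-valid PANs under a BIN: each is a 'correct' number
    algorithmically; only a fraction are issued and active."""
    free = length - len(bin_prefix) - 1
    for n in range(start, start + count):
        body = bin_prefix + str(n).zfill(free)
        yield body + luhn_check_digit(body)


if __name__ == "__main__":
    space = candidate_space("411111")
    print(space)
    print("mean guesses for one hit among 10M issued cards:",
          expected_guesses_to_issued_card(space["luhn_valid"], 10_000_000))
    for pan in luhn_valid_pans("411111", 0, 3):
        print(pan, luhn_valid(pan))
```

With the assumed 10 million cards issued under one BIN, the expected number of Luhn-valid candidates before a hit is 100, which matches the figure given earlier in the thread; the generator shows why a Luhn pass on its own proves nothing about whether a card exists, since every number it emits is algorithmically correct.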

    1. Re:It's even easier than that by onyxruby · · Score: 2

      Chip and pin really does help for card present transactions. Unfortunately it doesn't do much for card not present transactions (online). The article talks about the issues online merchants face.

    2. Re:It's even easier than that by Anonymous Coward · · Score: 2, Informative

      The card-not-present-equivalent of chip and pin is "3D-secure", better known by its card-company-specific brand names like "Verified By Visa". When this is employed, the merchant's website delegates to the card company's website for part of the transaction, where the card company can then employ various techniques to verify the user's identity.

      Exactly what authentication mechanisms are used depends on the bank and card company. Some are just "enter another secret number", which at least increases the number space to guess but is vulnerable to phishing. Others are sophisticated enough to use techniques like two-factor authentication, which helps combat phishing but can be confusing for the average consumer.

      But the main feature of 3D-secure that is relevant to the problem at hand is that the credit card company's website is involved which means that they can potentially correlate multiple concurrent attacks using the same sorts of heuristics that Google uses to detect when robots are crawling its search results. It can then tailor its response proportionally to the risk: if everything looks okay, maybe just ask a simple question. If things seem a little suspicious, perhaps have the customer complete a CAPTCHA-type test before returning the decision or prompt them for some additional personal information you don't normally ask for. If things seem super sketchy, do a two-factor technique such as sending the customer a verification SMS, or even just block the transaction altogether and ask the customer to try again later.

      Of course, 3D-secure is another credit card innovation that has passed the U.S. by. As someone from Europe living in the U.S. I was amused to see what happened the first time I used my U.S. credit card to buy from a European online merchant: the merchant website delegated to Visa's website as normal, and I briefly saw a page with my bank's logo on it, but then after a second or so it just redirected me back to the merchant with the "looks okay!" message, having not prompted me for any information at all. I will give them some credit that there was probably some invisible analysis going on here so as to still prevent the kind of mass-validation this article is talking about, but it's a far cry from what I'm used to from using European credit cards.

  5. Re:No safe-guards? by ShanghaiBill · · Score: 2

    I really think a system like that should be mandatory for online sales and not just optional.

    It may be overkill for ALL online transactions. For instance, if I have bought from an online merchant before, and the shipping address matches my billing address, then it is very unlikely to be fraud. But if the transaction is for a first time gold bullion purchase shipped to Moldavia, then sure, a text message is a good idea.

  6. Wow, all you need is... by kenh · · Score: 2

    Mohammed explains: “Most hackers will have got hold of valid card numbers as a starting point but even without that it’s relatively easy to generate variations of card numbers and automatically send them out across numerous websites to validate them.

    Uh, sure - if you have a valid card number as a starting point, the other data points are trivial... But if you don't, "guessing" the remaining 10 digits of a valid credit card number quickly becomes a non-trivial task because the only way to separate a "correct" credit card number (which can be proven algorithmically) from a validly-issued credit card is to supply the proposed "correct" credit card number to multiple sites with all 60 possible expiry dates and each of the nearly one thousand CVV numbers from the back... (See below)

    “The next step is the expiry date. Banks typically issue cards that are valid for 60 months so guessing the date takes at most 60 attempts.

    “The CVV is your last barrier and theoretically only the card holder has that piece of information – it isn’t stored anywhere else.

    “But guessing this three-digit number takes fewer than 1,000 attempts. Spread this out over 1,000 websites and one will come back verified within a couple of seconds. And there you have it – all the data you need to hack the account.”

    So, when the headline says "Credit Card" they only mean Visa, everyone else blocks cards after as few as a dozen failed attempts, and the key ingredient to "cracking" a credit card is to start with a valid credit card number, all 16 digits, then find a list of e-commerce websites that will let you keep pitching hundreds and hundreds of credit card transactions at them so you can go through all 60,000 combinations of expiry date and CVV to find the right one. Oh, then you need to make sure the attempted purchase is under the card's available spending limit.

    But hey, yeah, credit cards are easy to brute-force hack, if you start with a valid, active, complete 16 digit credit card number - as long as it is a Visa card and Visa doesn't update their software.

    --
    Ken
  7. shouldn't fraud detection catch these? by schweini · · Score: 2

    But wouldn't this 'attack' be really trivial to detect on the credit card processor's side? There isn't a legitimate use case that would explain multiple attempts at the same time?