By gathering data compiled from guessing on multiple websites, software is now quickly able to gather information like a card’s expiration date, three digit CVC, the card holder’s address and zip code. This technique was rumored to have been used in an incident that saw 20 thousand Tesco Bank accounts being drained earlier this month.
The only card issuer susceptible to the security flaw is Visa. Other issuers like MasterCard track hacker’s guessing efforts across various websites. Visa’s system isn’t currently setup to take actions from multiple websites into account.
Hackers use bots to submit credit card information to hundreds of retailers simultaneously. This allows them to guess the missing security code information in a matter of seconds. It only takes 1 thousand attempts maximum to crack a three-digit code. Multiple bots can run at the same time on hundreds of payment sites without waving any red flags in the payment system. Online payment requests typically receive authorization within 2 seconds, making the Visa attacks viable and salable in real time.
Before these findings were published, The Independent informed Visa of the flaw. Visa didn’t take the findings very seriously and responded “the research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world.” After receiving Visa’s response, the report was published in IEEE Security & Privacy 2017.
There is a weak spot in online payments. Information is entered and transmitted online, opposed to using chip enabled technology and other features designed to tighten up security for in-store transactions. In an illustration, a website bot was configured to cleverly run on 30 sites. An attacker was able to obtain the correct information within 4 seconds.
Credit cards are a prime example of old technology persistent in the modern world. The future of payment won’t be plastic and will be much more secure. We aren’t moving into the card-free world quickly enough to move away from this type of fraudulent activity. Some systems like Apple Pay and Android Wallet are paving the way to the future, but they aren’t available globally yet. It will take time for the technology to become available to everyone. Until then, we will continue to see security breaches akin to the Tesco Bank disaster.
One current solution to the guessing attacks would be for online retailers to require additional verification details like a zip code, but retailers are reluctant to add friction to the customer’s payment process. Addition information supplied by consumers would also be susceptible in one way or another.
Sources: