Study claims it's 'frighteningly easy' to obtain card details

6 December 2016, 15:20   By Samantha Smith

RESEARCHERS at the University of Newcastle have published research showing that credit card details can be easily stolen by hackers using a "Distributed Guessing Attack".


Writing in the IEEE Security & Privacy journal, they claim that working out "the card number, expiry date and security code of any Visa credit or debit card can take as little as six seconds".

Criminals obtain such details by using software that spreads guesses over a number of different websites, thereby avoiding being blocked by any single site.

And the authors also theorise that this method - which is viable only with the Visa payment system - was most likely used in the November cyberattack against Tesco Bank, something which underlines the serious nature of the threat it poses to personal financial security.

Distributed Guessing Attack


Going into more detail on the nature of the attack, they note that it "exploits two weaknesses that on their own are not too severe but when used together, present a serious risk to the whole payment system".

As explained by lead author Mohammed Ali, the first is that "the current online payment system does not detect multiple invalid payment requests from different websites". This means that criminals have a potentially unlimited number of guesses, since they're able to jump from one website to another.

Added to this, "different websites ask for different variations in the card data fields to validate an online purchase". As such, rather than simply obtaining only one piece of information attached to a particular card (e.g. expiry date), thieves can put together a complete picture.

The other important element in the paper's account is that this Distributed Guessing Attack begins with a card's first six digits, which "tell you the bank and card type and so are the same for every card from a single provider".

It's because the first six numbers are identical for a single bank's cards that the paper's authors believe distributed guessing was used in the attack against Tesco Bank on the weekend of November 5-6th.

This attack resulted in a total of £2.5 million being stolen from around 9,000 of the bank's customers, who were refunded in full shortly after this money had been siphoned from their accounts.

However, even though compensation was provided and normal service restored, neither Tesco Bank nor any of the security agencies working on the incident have reported the precise nature of the attack.

One recurring explanation was that it was simply an inside job, yet the possibility that it was the result of a Distributed Guessing Attack raises serious questions about the strength of the security system used by the bank.


Yet more disturbingly, it also raises serious questions about the robustness of the Visa payment system, since as the authors report, they "found it was only the Visa network that was vulnerable".

When it came to MasterCard, their "centralised network was able to detect the guessing attack after less than 10 attempts - even when those payments were distributed across multiple networks".
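The gap between per-website and network-wide counting of declined payments can be shown with a small detection sketch. This is an added example, not code from the paper or from either card network; the thresholds, time window, merchant names and event records are all constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW = 600         # seconds; assumed look-back window
PER_SITE_LIMIT = 5   # assumed: declines one merchant tolerates per card
NETWORK_LIMIT = 10   # assumed: declines the network tolerates per card

# Constructed events: (timestamp_s, merchant, card_token, approved).
EVENTS = sorted(
    [(i, f"shop-{i % 6}", "card-A", False) for i in range(12)]          # 2 declines at each of 6 sites
    + [(20, "shop-0", "card-B", False), (25, "shop-0", "card-B", True)]  # one typo, then success
    + [(30 + i, "shop-2", "card-D", False) for i in range(5)]           # 5 declines at a single site
)


def flag_cards(events, limit, key):
    """Return cards whose declines inside WINDOW reach `limit`, counted per key(merchant, card)."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, merchant, card, approved in events:
        if approved:
            continue
        q = recent[key(merchant, card)]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop declines older than the window
            q.popleft()
        if len(q) >= limit:
            flagged.add(card)
    return flagged


def per_site_view(events):
    # Each merchant sees, and counts, only the declines on its own site.
    return flag_cards(events, PER_SITE_LIMIT, key=lambda m, c: (m, c))


def network_view(events):
    # The card network counts declines per card across every merchant.
    return flag_cards(events, NETWORK_LIMIT, key=lambda m, c: c)


if __name__ == "__main__":
    print("per-site flags:", per_site_view(EVENTS))
    print("network flags :", network_view(EVENTS))
```

On this sample the per-site counters never see more than two declines for card-A, while the network-wide counter flags it once the tenth decline arrives.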

For consumers, the most important thing to remember is that if their card number is used fraudulently, the cardholder is protected from liability.

This therefore puts enormous pressure on Visa to update their system so it can detect multiple guesses across more than one website, yet the financial services corporation argue that the study did "not take into account the multiple layers of fraud prevention that exist within the payments system".

Outlining some of these layers, their spokesperson informed us that their system "offers enhanced security using Verified by Visa".

This is based on the 3-D Secure standard, which "means entering an extra password when paying online".

However secure this makes e-commerce, it isn't mandatory and therefore isn't used by every online retailer. As a result, there remain considerable holes in the Visa system, which doesn't seem to pick up the slack left by some less careful merchants.

Still, Visa affirm that they're "actively developing Verified by Visa to incorporate the advances in security" being offered by, among other things, the new 3-D Secure 2.0, which will incorporate one-time passwords and biometrics to make payment more secure and more seamless.


As always, aside from simply waiting for new security technologies and payment safeguards to emerge, customers can do a few things in the here and now to lessen the chance of fraud.

As the paper's co-author Dr Martin Emms advises, we can "use just one card for online payments and keep the spending limit on that account as low as possible".

And more generally, we should simply "pay attention", checking our balances and statements regularly just in case some fraudulent payment has been made.

Other than that, we can at least rest assured that, if we fall victim to fraud through no fault of our own, our banks will always reimburse us. Or to put it differently, they'll always pay for their own laxity.
