‘Distributed guessing’ attack lets hackers verify Visa card details
Armed with a card number, researchers tricked websites into helping them guess the expiry date and CVV
By Peter Sayer
Add credit card fraud to the list of things that distributed processing can speed up.
An e-commerce site will typically block a credit card number after 10 or 20 failed attempts to enter the corresponding expiry date and CVV (card verification value), making life difficult for fraudsters who don’t have a full set of credentials.
But there are plenty of e-commerce sites out there, and it’s possible to obtain missing account details by submitting slightly different payment requests to hundreds of them in parallel.
It takes less than six seconds to perform the “distributed guessing attack,” according to the researchers at Newcastle University in the U.K. who figured out how to do it.
Guessing the expiry date of a valid card isn’t all that difficult: Cards are typically issued for five years at most, so sending the 60 possible values to different websites will get a confirmation from one of them. The three-digit CVV is a little harder, involving spreading 1,000 requests across multiple websites.
“Practically unlimited guesses can be made by distributing the guesses over many websites, even if individual websites limit the number of attempts,” wrote the researchers, Mohammed Aamir Ali, Budi Arief, Martin Emms and Aad van Moorsel.
Their answer to whether that works in practice is emphatically yes — at least for Visa cards, for which they were able to submit enough requests to obtain the missing values.
MasterCard’s centralized payment network, on the other hand, detected their attack on a card account after fewer than 10 authorization attempts.
Ali and colleagues studied 389 websites drawn from the 400 most-visited according to Alexa.com. Of those, just 47 used the 3D Secure authorization system, making them immune to the attack.
The weak links in the system were the 26 sites that required only the card number and the expiry date to validate payment. The 20 of them allowing at least six guesses provided ample capacity for guessing such an easy answer.
A further 291 sites would validate a card number with just the expiry date and CVV — but with 238 of them allowing six or more guesses, the CVV could soon be obtained.
Even the cardholder’s address, required by 25 sites along with the expiry date and CVV, could be guessed in some cases, the researchers explained. Some banks encode branch details in the card number, making it possible to guess at post codes around the branch, they said in the paper. Two of the sites examined allowed unlimited attempts at guessing the address — and also the expiry date and CVV, they found.
To see how concerned the sites were about the problem, the researchers divided them into three categories based on the information they required to verify card numbers, and contacted the 12 with the most users in each category.
Of those 36 sites, 28 replied within four weeks, and eight of them patched their sites to reduce the risk of information disclosure. The patches included limiting the rate of requests either by IP address or card number, adding Captchas, and requiring additional data to verify a card number and expiry date.
The researchers questioned the usefulness of those patches, noting that testing addresses without limiting the number of queries merely opened up another avenue of attack. Likewise, using Captchas and throttling the number of submissions merely slowed down the attack but did not stop it. None of the patched sites introduced a hard limit on the number of tests relating to one card number, they found.
Ultimately, the only way to secure payment systems against distributed guessing attacks is to centralize — as Mastercard has done — or to standardize, with all sites requiring the same information to validate card numbers. Either way, the attack cannot be scaled, the researchers wrote.
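The difference between a per-site limit and a network-wide limit is easiest to see as a counting model. The following simulation is an added example, not code from the article or from the Newcastle researchers: it treats every guess as wrong and counts how many guesses against a single card number reach an authorization decision before every path is blocked, first with each merchant site enforcing its own limit and then with one counter shared by all sites, as a centralized network would keep. The class names, the placeholder card-number string and the site fleet are constructed for the example; the site count of 238 and the per-site limit of six are the figures quoted in the article.

```python
"""Capacity model for per-site versus centralized attempt limits.

Added example illustrating the article's point: a failed-attempt limit
enforced independently by each merchant does not bound the total number
of guesses against one card number, whereas a single counter kept by the
card network does. No real card numbers, sites or networks are involved;
all values are constructed.
"""
from collections import defaultdict
from typing import Dict, List, Optional


class Merchant:
    """One e-commerce site enforcing its own per-card failed-attempt limit."""

    def __init__(self, name: str, max_attempts: int) -> None:
        self.name = name
        self.max_attempts = max_attempts
        self.failures: Dict[str, int] = defaultdict(int)

    def will_forward(self, pan: str) -> bool:
        """True while this site still forwards guesses for the card number."""
        return self.failures[pan] < self.max_attempts

    def record_failure(self, pan: str) -> None:
        self.failures[pan] += 1


class NetworkCounter:
    """Counter shared across every merchant, as a centralized network keeps."""

    def __init__(self, max_attempts: int) -> None:
        self.max_attempts = max_attempts
        self.failures: Dict[str, int] = defaultdict(int)

    def allow(self, pan: str) -> bool:
        """Reject once the network-wide failure count for this card is reached."""
        return self.failures[pan] < self.max_attempts

    def record_failure(self, pan: str) -> None:
        self.failures[pan] += 1


def guess_capacity(merchants: List[Merchant],
                   network: Optional[NetworkCounter] = None) -> int:
    """Number of wrong guesses against one card number that reach an
    authorization decision before every path is blocked.

    Treating every guess as wrong makes the result a pure upper bound on
    the guesses available; it is a capacity figure, not a search.
    """
    pan = "example-card-number"  # constructed placeholder, not a real PAN
    forwarded = 0
    for site in merchants:
        while site.will_forward(pan):
            if network is not None and not network.allow(pan):
                return forwarded  # network-wide lock: other sites cannot help
            site.record_failure(pan)
            if network is not None:
                network.record_failure(pan)
            forwarded += 1
    return forwarded


def search_space(expiry_years: int = 5, cvv_digits: int = 3) -> Dict[str, int]:
    """Worst-case number of guesses each field needs on its own
    (60 expiry dates for five-year cards, 1,000 three-digit CVVs)."""
    return {"expiry": 12 * expiry_years, "cvv": 10 ** cvv_digits}


def build_sites(count: int, max_attempts: int) -> List[Merchant]:
    """Constructed fleet of identical merchant sites."""
    return [Merchant(f"site-{i}", max_attempts) for i in range(count)]


if __name__ == "__main__":
    needed = search_space()
    per_site_only = guess_capacity(build_sites(238, 6))
    with_network = guess_capacity(build_sites(238, 6), NetworkCounter(10))
    print(f"guesses needed: {needed}")
    print(f"per-site limits only: {per_site_only} guesses reach authorization")
    print(f"shared network counter of 10: {with_network} guesses reach authorization")
```

With 238 sites each allowing six attempts, the per-site model forwards 1,428 guesses, comfortably more than the 1,000 needed to exhaust a three-digit CVV; adding a shared counter of ten stops the run at ten regardless of how many sites take part, which is the behaviour the article attributes to Mastercard's centralized network. Throttling or Captchas would change only how long the 1,428 guesses take, not the total, so the model also shows why the researchers found those patches insufficient.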