Benjamin Haas - Fotolia

How can a distributed guessing attack obtain payment card data?

Attackers can gather payment card data by carrying out distributed guessing with a minimal amount of existing information. Expert Michael Cobb explains how this attack works.

Researchers at Newcastle University have found that a minimal amount of existing information in an attacker's hands can lead to a distributed guessing attack, where payment card data can be guessed in an automated way. How is this attack carried out, and what are the possibilities of it actually happening?

Attackers who craft spear phishing emails use social networks to glean bits of information about a target to build up a profile of their lives: friends, family, and home and work life. This enables them to create a malicious email that the victim is more likely to believe is true and, therefore, open an attachment or follow embedded links. Researchers at Newcastle University have used a similar tactic to brute force the security data fields required to make online card transactions.

The validity of a card not present online payment is dependent on the customer providing data that only the owner of the card could know -- but it turns out that there's no universal methodology that sites use to perform security checks on the card details submitted in the payment process. This inconsistency enables an attacker to perform a distributed guessing attack by using different sites to guess the necessary data needed to complete a valid transaction.

The attack is successful whenever the payment system doesn't detect multiple invalid payment requests on the same card from different websites. Newcastle University researchers examined the Alexa top 400 online merchants' sites, and found that MasterCard's centralized network will detect a distributed guessing attack after fewer than 10 attempts, while Visa's payment system will not detect or stop the attack.

The minimum information required by some merchants to make an online payment is the 16-digit card number, which links the card to the customer's bank account, and the card expiration date -- the researchers found that no website checks that the cardholder name entered is correct. Many sites also require the user to enter the card verification value (CVV2), but the validation checks performed by sites that require the cardholder to enter their address only include the numerical digits in the postal code and, in some cases, the door number, while alphabetical characters are ignored.

To pull off the attack, a cybercriminal uses a valid card number on websites that only check the card number and expiry date. It takes a maximum of 60 guesses to learn the expiry date. With this information, the attacker can visit websites that also require the CVV2 value and repeat the process. Guessing the 3-digit CVV2 takes fewer than 1,000 attempts. The process can be repeated to obtain the address if this is also required. By distributing the guesses over many websites, the attacker has a practically unlimited number of attempts at brute forcing the data. The Newcastle researchers successfully automated the task of carrying out the attack.

If all merchants were to require the card number, expiry date and CVV2, it would increase the maximum number of guesses needed from 1,600 to as many as 60,000, which would make using a distributed guessing attack far less practical -- a measure that the PCI Security Standards Council should introduce immediately.

In the meantime, website administrators can help slow down this attack by adding IP-based velocity filters and introducing delays to the payment authorization processing times, where the first attempt is processed instantly, but the time taken for payment confirmation for subsequent attempts is increased. Merchants can also use technologies recommended by the payment card industry like American Express SafeKey, Verified by Visa and MasterCard SecureCode. However, these measures are not seen as user-friendly, and many potential customers abandon their purchase when faced with these additional checks.

The researchers shared their findings with Visa and a selection of affected sites, and although some sites have changed the way they validate cards, many have not. This attack will remain practical until all sites require the same card data and payment gateways implement a centralized view of all payment attempts across their networks.

It may be some time before the ability to perform successful distributed guessing attacks can be eradicated completely, due to the many technical and business issues involved across multiple parties.

Next Steps

Find out how your company can reduce risk issues by using PCI DSS

Learn how credit card data is exposed through man-in-the-middle attacks on PIN pads

Discover the weaknesses in chip-and-PIN technology in preventing credit card hacking

This was last published in May 2017

Dig Deeper on Data security and privacy