A group of researchers have designed a tool that helps them find credit card information — including CVV and expiry date — by sending queries to several e-commerce merchant sites.
An extensive study by Mohammad Aamir Ali, Budi Arief, Martin Emms and Aad van Moorsel, outlines online payments using credit and debit cards and the security issues caused by multiple payment gateways on different merchant sites, was published in IEEE Security & Privacy.
The tool’s algorithm guesses and tests scores of permutations of CVVs and expiration dates on hundreds of merchant websites.
The authors of the study, who’re associated with Newcastle University, pointed out that their tool can also be used to guess Zip codes and address data. Hackers can use the tool to correlate location data with the card-issuing financial institution or use a skimming device to figure out which merchant sites swiped the card.
“The difference in security solutions of various websites introduces a practically exploitable vulnerability in the overall payment system. An attacker can exploit these differences to build a distributed guessing attack which generates usable card payment details — card number, expiry date, card verification value, and postal address — one field at a time, Each generated field can be used in succession to generate the next field by using a different merchant’s website,” the study states.
If the concerned merchant site doesn’t ask for the ZIP code, then the tool works like a breeze and acquiring card information is a piece of cake for an attacker.
How Does the Guessing Tool Works?
The study outlines that the guessing work is enabled by to two major weaknesses of e-commerce sites.
“To obtain card details, one can use a web merchant’s payment page to guess the data: the merchant’s reply to a transaction attempt will state whether the guess was correct or not,” the report adds.
First, multiple payment requests from the same card on different merchant sites don’t raise a flag in the current online payment ecosystem. Secondly, different web merchants provide different sets of card detail fields, which enables the guessing attack tool to decipher card information one field at a time.
If an attacker is able to crack your card details, it will not only allow him to shop using the card but an online money transfer can also be made — preferably to an anonymous account in some other country as such attacks can be thwarted by the banks by reversing payments but cross-country reversal is a more tedious and time-consuming process which gives the attacker ample time to withdraw.
The research also points out that Visa cards are more susceptible to the attack than Mastercard. This is because a Mastercard shuts down after 100 invalid attempts are made, but this isn’t the case with Visa.
“To prevent the attack, either standardisation or centralisation can be pursued, which is already being provided by a few card issuing banks. Standardisation would imply that all merchants need to offer the same payment interface, that is, the same number of fields. Then the attack does not scale anymore. Centralisation can be achieved by payment gateways or card payment networks possessing a full view over all payment attempts associated with its network,” the study concluded.
Although neither standardisation or centralisation fit with the essence of the internet — freedom and freedom — this process will surely make things more secure for cardholders and make them less susceptible to online attacks.