Visa security flaws enable credit card numbers and expiry dates to be guessed, claim researchers

Visa credit card security fails to identify brute force attack conducted over different websites

A lack of defences against 'brute force' attacks means that fraudsters can guess the numbers and expiry dates of Visa credit cards without triggering a security response.

That is the conclusion of research published by Newcastle University following an analysis of the 400 most popular e-commerce websites and their web payment interfaces. It found that different websites present different sets of fields to identify the cardholder. "It turns out that this disparity between different websites inadvertently creates conditions for a scalable distributed guessing attack," the researchers concluded.

They continued: "By conducting a guessing attack one field at a time - using a set of appropriate websites at each stage - the attack becomes practical. With the obtained data, the attacker can make purchases or transfer funds...

"Fundamentally, much of the problem with card payment stems from the fact that the identity of the payer needs to be established in the 'card-not-present' mode. This is inherently problematic since it is at odds with the original use of cards (where the card and cardholder are present at the moment of purchase).

"It also implies that, for instance, Chip-and-PIN is not available to establish the identity of the payer. This is exacerbated by the fact that the Internet facilitates distribution of guesses for data fields over many merchant sites."

The researchers recommend that Visa standardise the data required to identify customers and credit cards in online transactions, as well as centralising payment attempts made via its network.

The researchers conjecture that the method was used against Tesco Bank in the recent 'heist' that saw several million pounds spirited out of 20,000 bank accounts. Worse still, under the EU's General Data Protection Regulation (GDPR), the bank would have been on the hook for fines up to £1.9bn.

"This sort of attack exploits two weaknesses that, on their own are not too severe, but, when used together, present a serious risk to the whole payment system. Firstly, the current online payment system does not detect multiple invalid payment requests from different websites," said Newcastle University PhD student Mohammed Ali.

This allows unlimited guesses on each card data field, using up to the allowed number of attempts - typically 10 or 20 guesses - on each website.

"Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it's quite easy to build up the information and piece it together like a jigsaw.

"The unlimited guesses, when combined with the variations in the payment data fields, make it frighteningly easy for attackers to generate all the card details one field at a time."
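The two weaknesses quoted above combine into a detection gap: each merchant only sees its own handful of declines, so a per-site cap is never exceeded, while the card network as a whole sees dozens of declines for one card spread over many merchants and several data fields. The following Python is an added illustration of the centralised monitoring the researchers recommend; it is not code from the Newcastle University paper or from Visa. The authorisation records, merchant names, card tokens, the one-hour window and the network-wide limit of 10 declines per card are all constructed assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Attempt:
    """One authorisation attempt as a central monitor would see it (constructed schema)."""
    ts: datetime
    merchant: str
    card: str        # a token standing in for the card number, never the PAN itself
    field: str       # which optional field the merchant validated: "expiry" or "cvv"
    declined: bool


PER_MERCHANT_LIMIT = 10       # typical per-site cap cited in the article (10 or 20)
NETWORK_LIMIT = 10            # assumed network-wide cap on declines per card per window
WINDOW = timedelta(hours=1)   # assumed sliding window for the network-wide count


def per_merchant_alerts(attempts):
    """The view a single merchant has today: declines per card, counted per merchant."""
    counts = defaultdict(int)
    for a in attempts:
        if a.declined:
            counts[(a.merchant, a.card)] += 1
    return {key: n for key, n in counts.items() if n > PER_MERCHANT_LIMIT}


def network_alerts(attempts, limit=NETWORK_LIMIT, window=WINDOW):
    """Centralised view: sliding-window count of declines per card across all merchants.

    Returns, per flagged card, the peak decline count inside the window together with
    the merchants and data fields involved, which is what an analyst needs to tell a
    distributed one-field-at-a-time guessing pattern from ordinary typos at one shop.
    """
    by_card = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        if a.declined:
            by_card[a.card].append(a)

    alerts = {}
    for card, declines in by_card.items():
        start, best = 0, None
        for end, a in enumerate(declines):
            # slide the window start forward until it fits within `window` of this decline
            while a.ts - declines[start].ts > window:
                start += 1
            n = end - start + 1
            if n > limit and (best is None or n > best["declines"]):
                span = declines[start:end + 1]
                best = {
                    "declines": n,
                    "merchants": sorted({d.merchant for d in span}),
                    "fields": sorted({d.field for d in span}),
                }
        if best:
            alerts[card] = best
    return alerts


def build_sample():
    """Constructed sample traffic: one card probed across four merchants, one normal card."""
    t0 = datetime(2016, 12, 2, 10, 0, 0)
    attempts = []
    # Nine declines per merchant keeps each site under its own cap of ten; two merchants
    # validate expiry and two validate CVV, matching the one-field-at-a-time pattern.
    plan = [("shop-a", "expiry"), ("shop-b", "expiry"), ("shop-c", "cvv"), ("shop-d", "cvv")]
    i = 0
    for merchant, field in plan:
        for _ in range(9):
            attempts.append(Attempt(t0 + timedelta(seconds=30 * i), merchant, "tok_A1", field, True))
            i += 1
    # An ordinary cardholder mistyping the CVV twice at one shop, then succeeding.
    attempts.append(Attempt(t0 + timedelta(minutes=5), "shop-a", "tok_B2", "cvv", True))
    attempts.append(Attempt(t0 + timedelta(minutes=6), "shop-a", "tok_B2", "cvv", True))
    attempts.append(Attempt(t0 + timedelta(minutes=7), "shop-a", "tok_B2", "cvv", False))
    return attempts


if __name__ == "__main__":
    sample = build_sample()
    print("per-merchant alerts:", per_merchant_alerts(sample))   # {}: no site sees > 10
    print("network alerts:", network_alerts(sample))             # tok_A1 flagged, 36 declines
```

Run as a script, the per-merchant check returns nothing, since no single site sees more than nine declines for the probed card, while the network-wide check flags `tok_A1` with 36 declines across four merchants and both the expiry and CVV fields. The second cardholder's two typos stay well under the limit, which is the trade-off a real threshold has to strike.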

Visa, however, has denied claims that it is soft on security.

"The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world," it said, adding that consumers are covered against losses due to PIN theft.

"Visa is committed to keeping fraud at low levels and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally. For consumers, the most important thing to remember is that if their card number is used fraudulently, the cardholder is protected from liability."

The research was conducted by Mohammed Aamir Ali, a Ph.D. research student at the Centre of Cybercrime and Computer Security at Newcastle University; Martin Emms, a cyber security researcher at Newcastle University; Aad van Moorsel, professor and head of the School of Computing Science at Newcastle University; and Budi Arief, a lecturer in the School of Computing at the University of Kent.