Security researchers have confirmed that Visa has no mechanism to prevent attackers from using multiple merchant sites to make unlimited guesses at the values of fields such as CVV2. The potential for real harm from coordinated attacks is huge, but now that the flaw has been identified, such attacks could also be blocked.
Mohammed Ali, a Ph.D. student in Newcastle University’s School of Computing Science and lead author of an IEEE paper on the topic, said the security hole involves two separate problems.
“The current online payment system does not detect multiple invalid payment requests from different websites. This allows unlimited guesses on each card data field, using up to the allowed number of attempts — typically 10 or 20 guesses — on each website. Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it’s quite easy to build up the information and piece it together like a jigsaw,” Ali said. “The unlimited guesses, when combined with the variations in the payment data fields, make it frighteningly easy for attackers to generate all the card details one field at a time.”
The paper also noted that this attack method can be unintentionally strengthened if individual merchants try to defend themselves by adding fields. “Each generated field can be used in succession to generate the next field by using a different merchant’s website. If individual merchants were trying to improve their security by adding more payment fields to be verified on their site, they potentially inadvertently weaken the whole system by creating an opportunity to guess the value of another field,” the paper said, adding that “practically unlimited guesses can be made by distributing the guesses over many websites, even if individual websites limit the number of attempts.”
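The gap the paper describes is that each merchant enforces its own attempt limit while nobody correlates declines for one card across merchants. As an added illustration (not code from the article or the Newcastle paper), the following issuer-side monitor keeps a per-card sliding window of declined authorizations from every merchant and flags the card once the combined count passes a global cap, even though no single merchant ever exceeded its per-site limit. The event fields, window and thresholds are assumptions made for the example.

```python
# Added example (not from the article or the paper): an issuer-side detector for
# the distributed guessing pattern. Per-merchant limits see only their own
# declines; this view aggregates declines for a card across all merchants.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

WINDOW_SECONDS = 3600     # look-back window per card (assumed value)
GLOBAL_DECLINE_CAP = 10   # cross-merchant declines tolerated per card per window (assumed)

# Each authorization event: (timestamp_seconds, card_token, merchant_id, approved)
Event = Tuple[int, str, str, bool]


class CrossMerchantDeclineMonitor:
    """Counts a card's declines across merchants, which no single merchant can see."""

    def __init__(self, window: int = WINDOW_SECONDS, cap: int = GLOBAL_DECLINE_CAP):
        self.window = window
        self.cap = cap
        # card -> deque of (timestamp, merchant_id) for declined attempts, oldest first
        self._declines: Dict[str, Deque[Tuple[int, str]]] = defaultdict(deque)

    def observe(self, event: Event) -> bool:
        """Record one authorization result; return True if the card should be flagged."""
        ts, card, merchant, approved = event
        q = self._declines[card]
        while q and ts - q[0][0] > self.window:   # expire declines outside the window
            q.popleft()
        if not approved:
            q.append((ts, merchant))
        return len(q) > self.cap

    def decline_stats(self, card: str) -> Tuple[int, int]:
        """(declines inside the window, distinct merchants they came from) for a card."""
        q = self._declines[card]
        return len(q), len({m for _, m in q})


def run_monitor(events: List[Event]) -> List[str]:
    """Feed events in order and return the cards the cross-merchant rule flagged."""
    monitor = CrossMerchantDeclineMonitor()
    flagged: List[str] = []
    for ev in events:
        if monitor.observe(ev) and ev[1] not in flagged:
            flagged.append(ev[1])
    return flagged


# Constructed sample: card-A is declined 5 times at each of 3 merchants, 30 s apart,
# staying under a typical per-site limit of 10 everywhere; card-B is declined 3 times.
SAMPLE_EVENTS: List[Event] = [(i * 30, "card-A", f"merchant-{i // 5}", False) for i in range(15)]
SAMPLE_EVENTS += [(i * 30 + 15, "card-B", f"merchant-{i}", False) for i in range(3)]
```

Run as `run_monitor(SAMPLE_EVENTS)`; only card-A is flagged, although no merchant on its own saw more than five failures.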
In an emailed statement, Visa took the standard defense, saying that this was a hypothetical attack method that wouldn’t actually succeed. “The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world,” Visa said. “Visa is committed to keeping fraud at low levels and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally. We provide issuers with the necessary data to make informed decisions on the risk of transactions. There are also steps that merchants and issuers can take to thwart brute force attempts.”
The problem with Visa’s defense is that, according to the IEEE paper, this wasn’t a theoretical attack. The researchers said they tried it and it worked.