“Rather than buying online goods from an e-commerce website, we created an attack scenario that uses the card details to open a money transfer account, sends the money to an anonymous recipient abroad, where the money is picked up within minutes of issuing the transfer. The attacker needs to be able to clear the funds before the issuing bank reverses the payment and thwarts the attack. It is therefore desirable from the attacker’s point of view that the funds are transferred to an account outside the country (because it is more time consuming and costly to reverse payment across countries) or be conducted through a wire transfer to an anonymous cash recipient by using services such as the Western Union,” the report said. “In our experiment, the card information extracted using our bot was used to create a bogus account from which we transferred money to a recipient in India. Within minutes, we received a confirmation email for the order made, and our contact confirmed the pick-up of the money. The time it took from the process of creating an account to collecting the money at the destination was only 27 minutes, which is short enough to avoid the bank reversing the payment.”
The paper also addressed how it obtained the CVV2. “To find the correct CVV2, the bot will simply need to cycle through the possible values starting from 001 until the payment website blocks further attempts. A handful of payment sites allowed unlimited attempts while most of the other payment sites allowed 5, 10 or even 50 attempts to enter a correct CVV2. In our scenario, we ‘farm out’ the brute force guessing attack to tens or even hundreds of payment systems, which practically means we can carry out unlimited guesses. The final step generates the cardholder’s address. An attacker can exploit the different variants of address verification system to find the full address of the cardholder.”
PCI also came up, with the researchers pointing out that PCI rules seemingly didn’t anticipate this multi-merchant attack method. “There is no [PCI] requirement for the merchant to request all of the data fields during an online payment authorization, nor is there a mandatory requirement for the merchant to implement any of the optional security filters.”
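The multi-merchant guessing described in the quotes above, and the gap the PCI discussion points at, can be seen in a small simulation: each payment site counts failed CVV2 checks only for itself, while the issuer is the one party that sees every authorization for a card. The block below is an added example, not code from the paper or from Computerworld; the merchant names, lockout thresholds, issuer velocity limit, test PAN and sample CVV2 are all constructed.

```python
"""Simulation of a distributed CVV2 guessing attack and of an issuer-side
velocity check. Added example, not code from the paper; every merchant,
threshold and card value below is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PAN = "4111111111111111"   # constructed test PAN, not a real card
TRUE_CVV2 = "417"          # constructed; the value the attacker is hunting for


@dataclass
class Merchant:
    """A payment site that locks a card after max_attempts failed CVV2 checks.
    max_attempts=None models the sites the paper found with no limit at all."""
    name: str
    max_attempts: Optional[int]
    failures: Dict[str, int] = field(default_factory=dict)

    def blocked(self, pan: str) -> bool:
        return self.max_attempts is not None and self.failures.get(pan, 0) >= self.max_attempts


@dataclass
class Issuer:
    """The issuer sees every authorization regardless of merchant, so it is
    the one party that can count failures per card across merchants.
    velocity_limit=None models an issuer that does not do so."""
    velocity_limit: Optional[int]
    failures: Dict[str, int] = field(default_factory=dict)

    def authorize(self, pan: str, cvv2: str) -> str:
        if self.velocity_limit is not None and self.failures.get(pan, 0) >= self.velocity_limit:
            return "declined_velocity"
        if cvv2 == TRUE_CVV2:
            return "approved"
        self.failures[pan] = self.failures.get(pan, 0) + 1
        return "declined_cvv"


def make_merchants(count: int, max_attempts: Optional[int]) -> List[Merchant]:
    """Constructed payment sites, all with the same per-card lockout threshold."""
    return [Merchant(f"shop{i}", max_attempts) for i in range(count)]


def distributed_guess(merchants: List[Merchant], issuer: Issuer, pan: str) -> Tuple[Optional[str], int]:
    """Cycle CVV2 from 000 to 999, spreading guesses round-robin over the
    merchants and skipping any merchant that has already locked the card.
    Returns the CVV2 found (or None) and how many authorizations were tried."""
    attempts = 0
    cursor = 0
    for guess in range(1000):
        cvv2 = f"{guess:03d}"
        skipped = 0
        while skipped < len(merchants) and merchants[cursor % len(merchants)].blocked(pan):
            cursor += 1
            skipped += 1
        if skipped == len(merchants):
            return None, attempts          # every site has locked this card
        merchant = merchants[cursor % len(merchants)]
        cursor += 1
        attempts += 1
        result = issuer.authorize(pan, cvv2)
        if result == "approved":
            return cvv2, attempts
        if result == "declined_velocity":
            return None, attempts          # the issuer-side check ended the run
        merchant.failures[pan] = merchant.failures.get(pan, 0) + 1
    return None, attempts


if __name__ == "__main__":
    # One site with a 5-try limit stops the attack; 200 such sites do not.
    print(distributed_guess(make_merchants(1, 5), Issuer(None), PAN))    # (None, 5)
    print(distributed_guess(make_merchants(200, 5), Issuer(None), PAN))  # ('417', 418)
    # Same 200 sites, but the issuer declines after 10 failures per card.
    print(distributed_guess(make_merchants(200, 5), Issuer(10), PAN))    # (None, 11)
```

The point of the third run is where the counter lives: a per-merchant lockout of 5 is worth nothing once the attacker has 200 merchants, whereas a per-card limit held where all attempts are visible ends the run after 11 authorizations no matter how many sites the guesses are spread over.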
Other than money transfers, which the researchers showed to be a long-standing hole that is begging to be exploited, the big exposure here is e-commerce.
But let’s not forget that most physical merchants have not yet activated EMV. That means this data could be used to create cloned magnetic-stripe cards for use in any of the physical stores that have yet to activate EMV (with one caveat: a stripe clone built from card-not-present data lacks the stripe’s own CVV1, which an issuer can check). EMV is far from perfect overall, but it does all but halt cloned-card attempts. That should put EMV deployment on any merchant’s New Year’s resolution list.