In Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?, a new paper in IEEE Security & Privacy, researchers from the University of Newcastle demonstrate a technique for guessing security details for credit-card numbers in six seconds — attackers spread their guesses out across many websites at once, so no website gets enough bad guesses to lock the card or trigger a fraud detection system.
The researchers believe this method has already been used in the wild, as part of a spectacular hack against Tesco bank last month. They disclosed their findings to various payment processors in advance of the paper’s publication and gave them time to attempt to remediate the problem before going public.
Mastercards are not vulnerable to this attack because "MasterCard’s centralised network detects the guessing attack after fewer than 10 attempts (even when those attempts were distributed across multiple websites)," but Visa cards are, because "Visa’s payment ecosystem does not prevent the attack."
The attack relies on the fact that different websites require different authentication data to process transactions — some ask for addresses, others don’t. So information gleaned from one website can be used to build up enough data to start guessing at a different website, gradually building up the entire corpus of authentication details for the target card. For example, websites that only require card number and expiry can be used to glean the expiry date in no more than 60 guesses (because cards are only valid for a maximum of 60 months), and then this card number/expiry pair can be used to guess the three-digit CVV in no more than 999 guesses.