
A new tool cracks credit card numbers in as little as six seconds

Security researchers create a tool — which they believe may already exist — that correctly guesses credit card numbers


E-commerce sites just got a rude awakening: researchers have shown that recovering the remaining details of a payment card is as easy as running the right software and working through the possible expiry dates and security codes until the right ones are accepted.

The technique, described in a paper in IEEE Security & Privacy, spreads the guesses across many e-commerce sites at once, testing hundreds of combinations of expiry date and CVV in parallel. Because each site sees only a handful of attempts, the attacker can work through every combination of a card's expiry date and security code without tripping any single site's limit, and so assemble all of the information needed to use the card online. In a sample attack the correct details were recovered in as little as six seconds.

According to the Newcastle University researchers who created the querying system — Ph.D. student Mohammed Aamir Ali, Budi Arief, Martin Emms, and Aad van Moorsel — most of the popular retailers on the Internet are vulnerable.

Because different sites ask for different subsets of the details needed to verify a transaction, an attacker can use one set of sites to confirm the expiry date and another to confirm the security code, assembling the card's full set of security details piece by piece. “This attack subverts the payment functionality from its intended purpose of validating card details into helping the attackers to generate all security data fields required to make online transactions,” they wrote in the paper.

MasterCard isn't as susceptible to this attack, because its network sees the attempts across all merchants and shut the card down after 100 attempts. Visa cardholders aren’t as fortunate.

Checkouts that also ask for a ZIP or postal code take slightly more effort than a six-second run, but the researchers believe their tool can guess ZIP codes and address data in much the same way that it guesses the other card details. Alternatively, an attacker can correlate a target’s location data with nearby bank branches to narrow down the likely ZIP codes.

Few e-commerce sites even noticed the queries running in unison, the team reported: “It is possible to run multiple bots at the same time on hundreds of payment sites without triggering any alarms in the payment systems.” The findings were shared with the 36 sites against which the number-guessing system was run. Of those 36 sites, only 28 made changes in response to the disclosure.

There’s no evidence that criminals are using such attacks in the wild, but the researchers describe the technique as “practical” and therefore “credible.”

While distressing, the fix is conceptually simple, requiring either standardisation or centralisation. The researchers write:

“Standardization would imply that all merchants need to offer the same payment interface, that is, the same number of fields. Then the attack does not scale anymore. Centralisation can be achieved by payment gateways or card payment networks possessing a full view over all payment attempts associated with its network. Neither standardization nor centralisation naturally fits the flexibility and freedom of choice one associates with the Internet or successful commercial activity, but they will provide the required protection. It is up to the various stakeholders to determine the case for and timing of such solutions.”
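The model below makes the two points above concrete: why per-merchant attempt limits do not stop a guessing attack that is spread across many merchants, and why a network-wide view of attempts does. It is an added example, not the Newcastle team's tool or any real payment API; the merchants, the attempt limits, the test PAN and the card data are all constructed for illustration, and the issuer's "centralised limit" is a hypothetical stand-in for the centralisation the paper recommends.

```python
"""Model of the distributed guessing attack described in the article.

Added example, not the Newcastle team's tool: the merchants, the attempt
limits, the PAN and the card data below are all constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Issuer:
    """Card network/issuer that answers authorisation requests.

    centralised_limit=None models a network that sees each merchant's
    attempts in isolation (the attack succeeds). A number models a
    hypothetical network-wide counter that locks the card after that many
    attempts on the same PAN, regardless of which merchant sent them.
    """
    cards: dict                      # pan -> (expiry, cvv)
    centralised_limit: Optional[int] = None
    attempts: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def verify(self, pan: str, fields: dict) -> bool:
        true_expiry, true_cvv = self.cards[pan]
        if self.centralised_limit is not None:
            self.attempts[pan] = self.attempts.get(pan, 0) + 1
            if self.attempts[pan] > self.centralised_limit:
                self.locked.add(pan)
        if pan in self.locked:
            return False
        expected = {"expiry": true_expiry, "cvv": true_cvv}
        # Only the fields this merchant collected are checked, which is what
        # lets an attacker confirm the expiry date on its own.
        return all(fields[f] == expected[f] for f in fields)


@dataclass
class Merchant:
    """A checkout page that asks for the PAN plus some subset of fields."""
    name: str
    fields: frozenset
    per_card_limit: int = 10          # attempts this merchant tolerates per PAN
    attempts: dict = field(default_factory=dict)

    def attempt(self, issuer: Issuer, pan: str, guess: dict) -> Optional[bool]:
        n = self.attempts.get(pan, 0)
        if n >= self.per_card_limit:
            return None               # merchant-side lockout: no answer at all
        self.attempts[pan] = n + 1
        return issuer.verify(pan, {f: guess[f] for f in self.fields})


def distributed_guess(merchants, issuer, pan, years=range(2017, 2022)):
    """Spread guesses over many merchants so no single one exceeds its limit.

    Phase 1 learns the expiry date on merchants that ask only for PAN+expiry
    (60 candidates for a five-year window); phase 2 learns the CVV on
    merchants that ask for PAN+expiry+CVV (1,000 candidates).
    """
    queries = 0

    def run(pool, candidates, make_guess):
        nonlocal queries
        idx = 0
        for cand in candidates:
            for _ in range(len(pool)):            # find a merchant with budget left
                m = pool[idx % len(pool)]
                idx += 1
                result = m.attempt(issuer, pan, make_guess(cand))
                if result is not None:
                    break
            else:
                return None                        # every merchant has locked the PAN
            queries += 1
            if result:
                return cand
        return None

    expiry_pool = [m for m in merchants if m.fields == {"expiry"}]
    full_pool = [m for m in merchants if m.fields == {"expiry", "cvv"}]

    expiry = run(expiry_pool,
                 [(mo, yr) for yr in years for mo in range(1, 13)],
                 lambda e: {"expiry": e})
    if expiry is None:
        return None, None, queries
    cvv = run(full_pool,
              [f"{i:03d}" for i in range(1000)],
              lambda c: {"expiry": expiry, "cvv": c})
    return expiry, cvv, queries


def demo(centralised_limit=None):
    """Constructed scenario: one test PAN, 10 expiry-only shops, 120 full-form shops."""
    pan = "4111111111111111"                       # standard test PAN, not a real card
    issuer = Issuer({pan: ((9, 2019), "417")}, centralised_limit)
    merchants = ([Merchant(f"shop{i}", frozenset({"expiry"})) for i in range(10)] +
                 [Merchant(f"store{i}", frozenset({"expiry", "cvv"})) for i in range(120)])
    expiry, cvv, queries = distributed_guess(merchants, issuer, pan)
    max_per_merchant = max(m.attempts.get(pan, 0) for m in merchants)
    return expiry, cvv, queries, max_per_merchant, pan in issuer.locked


if __name__ == "__main__":
    print("per-merchant limits only:", demo())
    print("network-wide limit of 10:", demo(centralised_limit=10))
```

With only per-merchant limits, `demo()` recovers the expiry and CVV in 451 queries while no merchant ever sees more than four attempts on the card, so none of them has any reason to raise an alarm. With a network-wide counter of ten attempts, the card is locked before the expiry phase completes and the attack recovers nothing, which is the centralisation the researchers describe; standardisation would instead remove the expiry-only merchants from the first pool, forcing every guess to cover both unknowns at once.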

Source: BBC and TechCrunch
