Topic: Distributed Card Hacking

BoL

Distributed Card Hacking
« on: December 05, 2016, 08:56:25 PM »
http://www.bbc.co.uk/news/technology-38207974

Quote
Starting with just the first six digits of a card, the system guessed the remaining details and tried the combinations on many sites at the same time.

Sounds pretty clever; basically they are exploiting validation in much the same way that "wrong username" or "wrong password" messages, instead of a single "wrong username or password" message, divulge TMI for login data.

From the paper linked to in the article:

Quote
Moreover, if individual merchants were trying to improve their security by adding more payment fields to be verified on their site, they potentially inadvertently weaken the whole system by creating an opportunity to guess the value of another field, as explained later in the article.

Quote
vulnerabilities described in this article apply to cards that do not enforce centralised checks across transactions from different sites. Our experiments were conducted using Visa and MasterCard only. Whereas MasterCard’s centralised network detects the guessing attack after fewer than 10 attempts (even when those attempts were distributed across multiple websites), Visa’s payment ecosystem does not prevent the attack (see Section VI.D). Because Visa is the most popular payment network in the world, the discovered vulnerabilities greatly affect the entire global online payments system.

Quote
Guessing an expiry date takes at most 60 attempts (banks typically issue cards that are valid for up to 60 months), and subsequently, guessing the 3-digit CVV2 takes fewer than 1,000 attempts. Hence, expiry date and CVV2 are guaranteed to be obtained within 60 + 1,000 = 1,060 guesses.

Paper: http://eprint.ncl.ac.uk/file_store/production/230123/19180242-D02E-47AC-BDB3-73C22D6E1FDB.pdf
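As an added illustration (not code from the paper or from anyone in this thread) of the point the quoted passages make: a per-site limit on declined attempts never trips when the guesses are spread one per merchant, whereas a centralised count across merchants catches the same card within the network's threshold. Card tokens, merchant names and the traffic itself are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthAttempt:
    card: str        # constructed token standing in for the full card number
    merchant: str
    approved: bool


def flagged_per_merchant(attempts, limit):
    """Per-site rate limiting: each merchant counts only the declines it saw.
    Returns the set of cards that some single merchant would have blocked."""
    declines = defaultdict(int)          # (card, merchant) -> declines seen there
    flagged = set()
    for a in attempts:
        if a.approved:
            continue
        key = (a.card, a.merchant)
        declines[key] += 1
        if declines[key] >= limit:
            flagged.add(a.card)
    return flagged


def flagged_centralised(attempts, limit):
    """Network-level check: declines for one card are summed across every
    merchant, so spreading guesses over many sites no longer hides them."""
    declines = defaultdict(int)          # card -> declines, all merchants
    flagged = set()
    for a in attempts:
        if a.approved:
            continue
        declines[a.card] += 1
        if declines[a.card] >= limit:
            flagged.add(a.card)
    return flagged


def constructed_sample():
    """Constructed traffic: card-A is declined once at each of 12 different
    merchants; card-B is an ordinary customer with two typos at one shop."""
    attempts = [AuthAttempt("card-A", f"shop-{i:02d}", False) for i in range(12)]
    attempts += [AuthAttempt("card-B", "shop-00", False)] * 2
    attempts.append(AuthAttempt("card-B", "shop-00", True))
    return attempts


if __name__ == "__main__":
    sample = constructed_sample()
    print("per-merchant limit of 10 flags:", flagged_per_merchant(sample, 10))
    print("centralised limit of 10 flags: ", flagged_centralised(sample, 10))
```

Tightening the per-merchant limit does not help: at a limit of 2 it blocks the legitimate card-B for its typos while card-A, with one decline per site, still passes everywhere.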

Rupert

Re: Distributed Card Hacking
« Reply #1 on: December 05, 2016, 09:03:12 PM »
I heard this on the radio. The bank representative pooh-poohed it.

That made me suspicious. Is it real then?

My payment gateway shows me 12 of the 16 digits on the card. Makes it easy too.

That's also why I use Amex, and also why I sell using Amex. Although the findings in the report are far deeper and far scarier than I realised.

Amex IMHO are brilliant at managing stolen cards and disputed transactions. Visa is crap. Mastercard just keeps on issuing new cards, so that helps.
... Make sure you live before you die.

BoL

Re: Distributed Card Hacking
« Reply #2 on: December 05, 2016, 11:20:49 PM »
I didn't read the entire research paper, but it does seem feasible in the way they describe it. It's simply a process of elimination, circumventing any rate limiting a specific site would have with respect to failed transactions and taking advantage of their validation techniques. Plain old deduction.

I'd suspect Visa have plugged it already, as it'd seem relatively trivial for the average sophisticated hacker to poke around and get it working.

Rupert

Re: Distributed Card Hacking
« Reply #3 on: December 07, 2016, 09:32:01 AM »
If it's for real, that's sad.

Back in 2000 I remember people testing stolen CCs on my site. I was unable to stop them for a while, and was charged 8% each time. Then the bank tried to shut me down for fraud. They thought it was me.

Hopefully they have learned something. But I don't know; this suggests "not a lot".