http://www.bbc.co.uk/news/technology-38207974
> Starting with just the first six digits of a card, the system guessed the remaining details and tried the combinations on many sites at the same time.
Sounds pretty clever, basically they are exploiting validation much in the same way messages about "wrong username" or "wrong password" instead of "wrong username or password" messages divulge TMI for login data.
From the paper linked to in the article:

> Moreover, if individual merchants were trying to improve their security by adding more payment fields to be verified on their site, they potentially inadvertently weaken the whole system by creating an opportunity to guess the value of another field, as explained later in the article.

> Vulnerabilities described in this article apply to cards that do not enforce centralised checks across transactions from different sites. Our experiments were conducted using Visa and MasterCard only. Whereas MasterCard's centralised network detects the guessing attack after fewer than 10 attempts (even when those attempts were distributed across multiple websites), Visa's payment ecosystem does not prevent the attack (see Section VI.D). Because Visa is the most popular payment network in the world, the discovered vulnerabilities greatly affect the entire global online payments system.

> Guessing an expiry date takes at most 60 attempts (banks typically issue cards that are valid for up to 60 months), and subsequently, guessing the 3-digit CVV2 takes fewer than 1,000 attempts. Hence, expiry date and CVV2 are guaranteed to be obtained within 60 + 1,000 = 1,060 guesses.
Paper: http://eprint.ncl.ac.uk/file_store/production/230123/19180242-D02E-47AC-BDB3-73C22D6E1FDB.pdf
I heard this on the radio. The bank representative pooh-poohed it.
That made me suspicious. Is it real then?
My payment gateway shows me 12 of the 16 digits on the card. Makes it easy too.
That's also why I use Amex, and also why I sell using Amex. Although the findings in the report are far deeper and far scarier than I realised.
Amex imho are brilliant at managing stolen cards, and disputed transactions. Visa is crap. Mastercard, just keeps on issuing new cards so that helps.
I didn't read the entire research paper but it does seem feasible in the way they describe it. It's simply a process of elimination and circumventing any rate limiting a specific site would have wrt failed transactions and taking advantage of their validation techniques. Plain old deduction.
I'd suspect VISA have plugged it already as it'd seem relatively trivial for the average sophisticated hacker to poke around and get it working.
If it's for real, that's sad.
Back in 2000 I remember people testing stolen CCs on my site. I was unable to stop them for a while, and was charged 8% each time. Then the bank tried to shut me down for fraud. They thought it was me.
Hopefully they have learned something. But I don't know, this suggests "not a lot".