Criminals can guess Visa number and security code in six seconds, experts find
http://www.independent.co.uk/news/uk/crime/criminals-guess-visa-card-details-fraud-six-seconds-a7450776.html
======
cs702
There are well-specified rules for coming up with valid credit card account
numbers, and at most, say, 60 valid expiration dates (12 months × 5 years into
the future).

Once an attacker has a valid credit card number and expiration date, there are
only 10⁴ = 10,000 four-digit security codes possible, which the attacker tries
with parallel requests to hundreds of websites. Each website gives the
attacker at least a few tries to enter valid credit card information.

Worst case, it takes only 10,000 parallel requests to guess the correct
security code. Worst case.

I don't know whether to cringe or laugh at this.

~~~
ryanlol
The data you'd gain from this is practically useless to anyone looking to
commit fraud... so laugh at the article I guess?

Maybe you could abuse this to create a lot of netflix accounts, but you aren't
really going to be able to buy anything with just the PAN/cvv/expiry.

~~~
TheDong
[https://purse.io/](https://purse.io/) is a website for committing fraud with
stolen credit cards.

It's a website that specializes in letting criminals convert credit card
details (PAN/cvv/expiry) into bitcoin while exposing them to minimal risk.

There are very real ways to commit such fraud.

~~~
pablovidal85
Not really, purse.io does not facilitate fraud more than Amazon itself does.
Purse.io just connects people who are willing to buy bitcoin using Amazon gift
cards for a premium, and those that would like to purchase products on Amazon
using bitcoin.

~~~
phpnode
It's an out and out money laundering service. It exists for no other reason,
there are no legitimate circumstances where someone would want or need to sell
amazon gift cards at less than their face value. It is straight up money
laundering and it's frankly incredible that it's lasted as long as it has.

~~~
ctrl-j
> no legitimate circumstances where someone would want or need to sell amazon
> gift cards at less than their face value.

Absolute statements like this are _so_ hard to back up.

For instance, if you live in Cuba, Iran, Syria, North Korea, or Syria,
Amazon.com gift cards are worthless.

I know I received some AmericanEagle gift cards as a promotion recently, and
unloaded them for less than face value just because I had absolutely no
need/want to use them.

------
preinheimer
So criminals can guess a valid CC/CVC/Zip in 6 seconds, and merchants that get
nothing but green lights across the board from their credit card processor
will be left holding the bag when the card holder disputes the charge.

Merchants doing everything they can need better protection from this crap.

~~~
adrr
I designed the fraud prevention for a major ecommerce site (PCI Level 1). We
used to get hit with lots of card testing including bot nets. They are easily
mitigated. First thing is detune your error messages. Combine all the errors
into one generic message. This includes AVS, CVN, and Expiration. I've seen so
many sites return the raw message back from the processor.

We also actively black holed large blocks of IP addresses including TOR exit
nodes and open proxies. Before all the privacy people make comments. We're a
store. If you show up wearing a ski mask we aren't going to sell to you.

Sometimes we go on the offense and detect the patterns/attributes for the
botnets that allowed us to distinguish them from real traffic. We didn't block
them, we fed them bad data. That made them go away fast.

Most important take away: Mitigating fraud will lead to higher auth success
rates as you build up the reputation on your MID (Merchant ID). It's not only
important in preventing chargebacks but increasing revenue.
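The "detune your error messages" advice above, shown as an added example that is not code from the thread or from any real gateway: a leaky handler echoes the processor's reason per field, so three declines produce three different messages and a card-testing script learns which field it got wrong; the hardened handler returns one generic message and keeps the AVS/CVN/expiry detail in the server log for review. The `ProcessorResponse` fields and the sample declines are constructed assumptions.

```python
import logging
from dataclasses import dataclass

log = logging.getLogger("payments")


@dataclass
class ProcessorResponse:
    """Constructed stand-in for a gateway authorization response.
    Field names are illustrative assumptions, not any real processor's API."""
    approved: bool
    avs_result: str      # e.g. "Y" = address/zip matched, "N" = no match
    cvn_result: str      # e.g. "M" = security code matched, "N" = no match
    expiry_ok: bool
    raw_message: str     # free-text reason from the processor


GENERIC_DECLINE = ("We could not process this payment. "
                   "Please check your card details or use another card.")


def leaky_customer_message(resp: ProcessorResponse) -> str:
    """What many sites do: echo the processor's reason to the browser.
    Each distinct message confirms which field was wrong."""
    return "Approved" if resp.approved else resp.raw_message


def hardened_customer_message(resp: ProcessorResponse, order_id: str) -> str:
    """Collapse every decline (AVS, CVN, expiry, anything else) into one
    generic message; keep the detail server-side for fraud review."""
    if resp.approved:
        return "Approved"
    log.info("order=%s declined avs=%s cvn=%s expiry_ok=%s raw=%r",
             order_id, resp.avs_result, resp.cvn_result,
             resp.expiry_ok, resp.raw_message)
    return GENERIC_DECLINE


# Constructed declines, one per field a guessing script would probe.
SAMPLE_DECLINES = [
    ProcessorResponse(False, "Y", "M", False, "Card expired"),
    ProcessorResponse(False, "Y", "N", True, "Security code mismatch"),
    ProcessorResponse(False, "N", "M", True, "Address verification failed"),
]


def distinct_decline_messages(handler, responses) -> int:
    """Number of different messages a client could observe across declines.
    More than one means the site acts as an oracle for which field was wrong."""
    return len({handler(r) for r in responses})


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print("leaky handler, distinct messages:",
          distinct_decline_messages(leaky_customer_message, SAMPLE_DECLINES))
    print("hardened handler, distinct messages:",
          distinct_decline_messages(
              lambda r: hardened_customer_message(r, "order-0001"), SAMPLE_DECLINES))
```

The generic message still has to be the same string for every decline path, including processor timeouts and internal errors; a separate "try again later" message for a timeout is itself a distinguishable response.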

~~~
politician
Regarding error messages: At a previous gig, we had to aggressively and
repeatedly fight the business side who thought that vague credit card error
messages were a large source of user confusion. Eventually, we won but it was
certainly an eye-opening moment for the developers involved to even have to
fight that battle.

~~~
curun1r
I've had the same argument many times over error messages for login and forgot
password flows. Being security conscious is a way of thinking that many people
aren't really capable of and an even greater number have problem maintaining
consistently. It's so ingrained in product managers to make their software as
friendly as possible that they forget that sometimes their users don't have
similarly noble intentions. This is also why social engineering is so
successful. When it's your job to be helpful, it's very difficult to be
strategically unhelpful when necessary.

~~~
pavlik_enemy
If you have a sign-up page, the usual "invalid email or password" message on
sign-in form doesn't increase security.

------
rcthompson
Shouldn't this be easy to detect, though? Every attempt to use a credit card
number online involves a request to the bank providing that card to determine
if it's valid, right? So the bank would see thousands of attempts across
hundreds of websites for the same card number in a matter of seconds, which is
clearly impossible for a human, and flag the card as "stolen".

Or maybe I'm just way too optimistic about how this all works.

~~~
erikpukinskis
They don't have to use the same number. 100 attempts at 100 numbers is just as
likely to turn up a hit as 10000 attempts on one number.

~~~
StephanTLavavej
Actually, it's not even close. 10,000 attempts to guess a 4-digit number are
certain to succeed. 100 attempts to guess 100 4-digit numbers have a good
chance of resulting in no hits. For each 4-digit number, you produce 100
different guesses (with no repeated guesses for that number, because that
would be silly). There's a 100/10,000 chance of a hit, and 9,900/10,000 chance
of a miss. The chance of missing on all 100 4-digit numbers is
(9,900/10,000)^100 = 0.366 = 36.6%. That's substantial!

Guessing 100 numbers, there's a chance to produce 2 or more hits, of course.

~~~
caf
_Guessing 100 numbers, there's a chance to produce 2 or more hits, of
course._

..to the point that the expected value should converge to the same amount,
right?

~~~
kctess5
The expected value of both strategies is to have 1 success, but they have
different variance. The first strategy has variance of 0.99, and the second
strategy has variance 0. The chance of n out of 100 hits with the first
strategy is: binomial(100,n) x 0.01^n x 0.99^(100-n)

edit: asterisks as multiplication signs => italics
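The arithmetic in StephanTLavavej's and kctess5's comments, carried through as an added example that is not part of the thread: the same 10,000-guess budget spent on one card versus spread over 100 cards, with the miss probability (0.99^100), expected hits, binomial variance, and the full hit-count distribution. The 10,000-code space is the thread's own assumption; the model assumes distinct guesses per card and independent cards.

```python
import math

CVV_SPACE = 10_000  # four-digit security codes, the space the thread assumes


def miss_probability(guesses_per_card: int, cards: int, space: int = CVV_SPACE) -> float:
    """P(zero hits) when each of `cards` independent cards gets
    `guesses_per_card` distinct guesses from a space of `space` codes."""
    p_hit = guesses_per_card / space          # distinct guesses: no wasted repeats
    return (1.0 - p_hit) ** cards


def expected_hits(guesses_per_card: int, cards: int, space: int = CVV_SPACE) -> float:
    """Mean number of hits: cards * P(hit on one card)."""
    return cards * guesses_per_card / space


def hits_variance(guesses_per_card: int, cards: int, space: int = CVV_SPACE) -> float:
    """Binomial variance n * p * (1 - p) of the hit count."""
    p_hit = guesses_per_card / space
    return cards * p_hit * (1.0 - p_hit)


def hit_count_pmf(n: int, guesses_per_card: int, cards: int, space: int = CVV_SPACE) -> float:
    """P(exactly n hits): binomial(cards, n) * p^n * (1 - p)^(cards - n)."""
    p_hit = guesses_per_card / space
    return math.comb(cards, n) * p_hit ** n * (1.0 - p_hit) ** (cards - n)


def compare_strategies(total_guesses: int = 10_000, cards: int = 100,
                       space: int = CVV_SPACE) -> dict:
    """Same guess budget spent two ways: all on one card, or spread evenly."""
    per_card = total_guesses // cards
    return {
        "exhaustive": {
            "expected_hits": expected_hits(total_guesses, 1, space),
            "variance": hits_variance(total_guesses, 1, space),
            "p_no_hit": miss_probability(total_guesses, 1, space),
        },
        "spread": {
            "expected_hits": expected_hits(per_card, cards, space),
            "variance": hits_variance(per_card, cards, space),
            "p_no_hit": miss_probability(per_card, cards, space),
        },
    }


if __name__ == "__main__":
    for name, stats in compare_strategies().items():
        print(name, {k: round(v, 4) for k, v in stats.items()})
    print("P(n hits) for the spread strategy:")
    for n in range(5):
        print(f"  n={n}: {hit_count_pmf(n, 100, 100):.4f}")
```

Both strategies have expected value 1, as caf and kctess5 say; the exhaustive one has variance 0 and the spread one 0.99, and the 36.6% figure is exactly the n=0 term of the binomial distribution.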

~~~
erikpukinskis
Right, but variance doesn't matter if you just repeat the scam tomorrow.

------
coldcode
The power of distributed attacks. Of course they can only guess a random
correct credit card + exp + code not yours. Given the relative limited number
of codes for each bank, I wonder what the odds are for them to wind up with
yours.

~~~
xtiansimon
...for every valid/correct credit card? The answer is a ratio of 1:x_1, where
x_1 is every correct cc. And each correct cc is a ratio to the total number of
cc vulnerable to the system of attack, 1:x_2; and this is in turn a ratio of
1:x_3, for all the currently valid cc, etc.etc. Right? But what's more
concerning is all of the successful fraudulent activity is adding to the loss
those banks are adding to their books, which in turn will be passed on to
customers as bank fees and other costs.

~~~
tyingq
>the loss those banks are adding to their books

There is no loss to the banks, assuming the fraudulent purchases are "card not
present". The loss goes to the selling merchant. Your point of it being
collectively passed on to the consumer is still true, of course.

------
lisper
Securing the current protocol for credit card transactions is completely
hopeless. It is _inherently_ insecure because the "secret" information used to
authorize a transaction is not bound to that transaction, and so it's
reusable. Even if you were able to secure the system against brute-force
attacks like this one, you can never secure against phishing. The only way to
fix it is to change the protocol to one that relies on public-key cryptography
and secure digital signatures.

[http://blog.rongarret.info/2013/02/a-simple-solution-to-credit-card-fraud.html](http://blog.rongarret.info/2013/02/a-simple-solution-to-credit-card-fraud.html)

~~~
ian0
EMV tokens and virtual card numbers attempt to mitigate against the re-use
factor. 3D secure adds a layer of auth to the regular method (at some
expense).

There is a large infrastructure (acceptance, processing, acquiring, clearing,
issuing) running on card numbers so the solutions mentioned above all attempt
to build on top of them as opposed to replace them with something better. As
the logistics of doing so tend to be prohibitive.

------
acomjean
I'm by no means an expert on this, but I have dealt a little with online
transactions from testing responses from a payment processor.

The things that needed to match also involved the customers street address,
zip and name. If I recall these were scored and if the match wasn't good (zip
was entered wrong) the transaction was rejected. Maybe different payment
processors have different thresholds for rejecting a transaction?

[https://help.chargify.com/payment-gateways/Error-FAQ.html](https://help.chargify.com/payment-gateways/Error-FAQ.html)

~~~
tyingq
For US based transactions, AVS failures (address, zip) don't typically fail
the transactions.

Most often, the api has 3 possible return values "Success", "Success With
Warnings" and "Failure".

The "Success with Warnings" will have some error codes for AVS failures
(street address, zip). Usually the same for invalid CVV2. I've also noticed
that cardholder name matching isn't universally supported...AMEX does it well,
but VISA/MC is hit or miss.

Most merchants choose to allow for "Success with Warnings" and then manually
check them.

It's hard to automate, because it's very typical for real customers to mistype
billing addresses, CVV2, etc. One good example is small business owners. They,
very often, use their business address as billing, even when the billing
address is actually their home address.

In short, you can configure for hard failure on address mismatch or CVV2
mismatch, but you're throwing away a lot of legit transactions if you do so.

~~~
BillinghamJ
Only Amex has the ability to check the cardholder name. Visa & Mastercard
don't pass this data to the issuer.

------
maemre
A solution that some banks provide is to enable a credit card for only
transactions using 3-D Secure [1], in which you are expected to enter a 2FA
code sent to your phone by the bank during transaction to a webpage of the
bank that gets opened.

Unfortunately, some (most) websites don't support 3-D Secure. I remember that
almost all Turkish e-commerce sites I shopped supported it but almost none of
the American sites supported it.

[1]: [https://en.wikipedia.org/wiki/3-D_Secure](https://en.wikipedia.org/wiki/3-D_Secure)

~~~
pvdebbe
As a customer I hate these 2FA codes and online bank confirmations, common in
the EU. I don't want to bring my bank passwords and whatnot with me if I want
to make an online purchase with my CC!

~~~
Kliment
As a customer they are also entirely to your disadvantage as in any 3dsecure
transaction the customer is liable for unauthorized transactions as the
assumption is they are the only ones with the ability to authorize. This makes
disputing charges extremely difficult for the customer, and shifts liability
from the bank and merchant to the customer end.

------
hanoz
I find it impossible to believe distributed enumeration of card numbers via
ecommerce sites was used to defraud 9000 Tesco customers over a weekend.

~~~
BillinghamJ
The article stated that Tesco weren't protecting against distributed card
testing because they didn't track failures on the same card across different
merchants. Thus I think it would be very plausible.

The people running the scam would choose a specific IIN/BIN known to suffer
from this problem.

------
seanwilson
Wouldn't asking for the name on the card as well stop this? You're not going
to be able to randomly generate the correct name.

~~~
tyingq
Unfortunately, at least in the US, cardholder name matching doesn't work for
most transactions. Only AMEX supports it.

Edit: Offtopic rant, but as an online merchant this is the sort of thing that
pisses me off about the CC situation. They don't support other obvious things
either, like passing in the shipping address and ip address so they can be
used for fraud detection. Yes, there are outboard services (MaxMind,etc) you
can use, but they are working with a small subset of transactions, so their
algorithms and blacklists are incomplete.

~~~
ScottBurson
Name matching _doesn't work_??! I guess you must be right, or this attack
wouldn't be possible, but holy shit that is fucked up.

~~~
tyingq
100% true. Does not work, outside of AMEX cards. You can put anything you want
in the cardholder name fields.

------
avh02
hindsight is 20/20 - but I'm awfully surprised that this would not be
detected by the backend/backoffice systems processing cards.

~~~
coldcode
Mastercard supposedly has a single back end but VISA does not, according to the
article. Given the distributed nature of the attack I imagine only the card
processors could detect it; if you pick a sufficiently broad set of web sites to
test with, the chances of them sharing a server that could detect something is
probably low.

~~~
Freestyler_3
I remember seeing the VISA security centre, where they monitor threats etc. It
was a huge high tech facility.

I would think that they flag if a card is attempted a lot of times in short
time span.

~~~
tyingq
Apparently, VISA does not do this.

The actual research paper is online:
[http://eprint.ncl.ac.uk/file_store/production/230123/19180242-D02E-47AC-BDB3-73C22D6E1FDB.pdf](http://eprint.ncl.ac.uk/file_store/production/230123/19180242-D02E-47AC-BDB3-73C22D6E1FDB.pdf)

It says this: _"Whereas MasterCard’s centralised network detects the guessing
attack after fewer than 10 attempts (even when those attempts were distributed
across multiple websites), Visa’s payment ecosystem does not prevent the
attack"_

------
fjarlq
The paper:

Ali, Mohammed Aamir and Arief, Budi and Emms, Martin and van Moorsel, Aad
(2016)

Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?

IEEE Security & Privacy

[http://eprint.ncl.ac.uk/file_store/production/230123/19180242-D02E-47AC-BDB3-73C22D6E1FDB.pdf](http://eprint.ncl.ac.uk/file_store/production/230123/19180242-D02E-47AC-BDB3-73C22D6E1FDB.pdf)

------
mamon
That's why you should enable two factor authentication on your credit card:
online transactions would require confirmation with single-use password you
receive by SMS.

~~~
seanp2k2
What cards allow this? I would do it in a second if that was a thing I could
actually have. Not 100% foolproof but I'd bet it would stop almost all fraud.

~~~
CmdrSprinkles
Not aware of any cards specifically (outside of European chip-and-pin, but I
don't think those usually work online), but this is the big argument for
things like android/apple/firebomb pay.

Make a purchase, then sign off on your phone (or fingerprint reader on your
laptop).

It obviously won't resolve the issue posed in the article, but it is
definitely a step in the right direction and many of the major CC companies
are integrating more and more. In five or six years I can easily see Chase and
the like giving an option to only let the physical card be used in chip-and-
pin mode and to require the use of an approved service for any
contactless/online orders.

Obviously the approved services thing is a concern, but not a huge one.

------
hughw
These attackers are probably brilliant enough to make their mark in the honest
tech business world. I suppose they are driven by the challenge of the crime.

~~~
linkmotif
I suspect they live in countries without the rule of law so they have little
incentive to make an "honest" living.

~~~
Cyph0n
More importantly, an "honest" living as a developer probably makes them
pennies compared to online fraud.

~~~
hippich
you will be surprised :)

~~~
vxNsr
He means in those countries. For example, in Vietnam the avg dev makes
$1000/year or he could hack and make that in seconds.

------
ForFreedom
If you total the credit card numbers for any particular card the answer would
be the same. For example: totaling the visa credit card number might be 32.
The hackers would have to guess the 3 set of numbers if they get the fourth
set.

So my guess is they would try out different combination with the available
expiry date/cvv number

------
mataug
Another one of those technologies which hasn't kept up with the evolving tech
landscape.

~~~
swiley
It's pretty unfortunate that there is absolutely no federated, popular, and
secure payment system in the US due to consumers and merchants simply sticking
with older systems simply because "it's what we've always done."

~~~
ian0
There are many parties that would gain from a better payments system.

However the logistics of improving it are significant due to the number of
highly regulated and kinda-fat and kinda-happy entities running the
infrastructure.

Interestingly what has happened in India and China (success of non-bank
payment wallets VS cards) is injecting a lot of the traditional players with a
sense of urgency. Before this it would have taken a state's intervention (Eg
MEPS in Sing/MY) to improve acceptance through the launch of a new payments
system.

------
fiatjaf
This is a good argument to be used against the creditcardization (war on
cash[1]) of the world some governments are promoting.

[1]: [https://www.google.com.br/search?q=war+on+cash](https://www.google.com.br/search?q=war+on+cash)

------
debt
Laughed out loud after reading this headline

