You Guessed It. (Er, Your Credit Card Number)
Researchers from the University of Newcastle have developed a credit card querying system that has exposed loopholes in online payment systems. The system could allow cyber thieves using a similar method to successfully ‘guess’ your credit card number.
What Kind of System?
One of the main goals of cyber thieves is of course to obtain credit card details, but what if there was a way to go in through the ‘front’ of online payment systems to get them rather than hacking?
The Newcastle University team led by PhD student Mohammed Aamir Ali have developed a system that simultaneously submits payment requests to multiple websites at the same time.
In tests, this system was able to start with the first 6 digits of the long card number, ‘guess’ the other numbers, and then try out different combinations of those numbers, expiry dates and security codes on other websites. The researchers were able to piece together this information because different sites ask for different credentials to verify a purchase, and it was therefore possible to piece the fragmented details from each of the many sites to get the full, correct credit card details.
The ‘distributed guessing attack’ software based system worked so quickly and so effectively that in tests (using only Visa an MasterCard) the researchers were able to obtain correct card details in less than 10 seconds.
The test showed in essence that the very purpose of payment validation in online payment systems can actually be subverted to help attackers to generate the security data fields require to make successful online transactions.
Alarms Not Triggered.
The researchers found that they were able to run multiple software bots with multiple queries on many hundreds of website payment systems without triggering any alarms or arousing any suspicion. The cards used in the experiment do not enforce centralised checks across transactions from different sites.
As part of a responsible disclosure exercise, the researchers shared their findings with the top 36 (out of 342) vulnerable websites. Although 8 sites changed their security systems as a result the disclosure, the other 28 are reported to not have made any changes yet.
What Does This Mean For Your Business?
As the researchers pointed out in their paper about the experiment, online fraud is now the largest category of card fraud in the UK, representing 45% of the total value of the fraud committed against UK credit and debit cards.
Although there is no evidence that this ‘distributed guessing attack’ method is currently being used, the experiment has serious implications for all businesses that have an online payment system on their website, or indeed for anyone with a credit card. Visa for example is the most popular payment network in the world and the discovered vulnerabilities greatly affect the entire global online payments system.
If cyber thieves were to adopt this system, the broad outlines of which are now in the public domain, it could also be the case that parts of credit card numbers that have been stolen in previous cyber attacks around the world could be used to successfully obtain the rest of the numbers.