CIO

Merchant sites open door to Visa fraud

Visa dismisses the issue as a hypothetical attack method — but security researchers tried it and it worked

Security researchers have confirmed that Visa has no mechanism to prevent attackers from using multiple merchant sites to make unlimited guesses on the values for fields such as CVV2. The potential for real harm from coordinated attacks is huge, but such attacks could also be blockable, now that the flaw has been identified.

Mohammed Ali, a Ph.D. student in Newcastle University’s School of Computing Science and lead author of an IEEE paper on the topic, said the security hole involves two separate problems. 

“The current online payment system does not detect multiple invalid payment requests from different websites. This allows unlimited guesses on each card data field, using up to the allowed number of attempts — typically 10 or 20 guesses — on each website. Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it’s quite easy to build up the information and piece it together like a jigsaw,” Ali said. “The unlimited guesses, when combined with the variations in the payment data fields, make it frighteningly easy for attackers to generate all the card details one field at a time.”

The paper also noted that this attack method can be unintentionally strengthened if individual merchants try to defend themselves by adding fields. “Each generated field can be used in succession to generate the next field by using a different merchant’s website. If individual merchants were trying to improve their security by adding more payment fields to be verified on their site, they potentially inadvertently weaken the whole system by creating an opportunity to guess the value of another field,” the paper said, adding that “practically unlimited guesses can be made by distributing the guesses over many websites, even if individual websites limit the number of attempts.”

In an emailed statement, Visa took the standard defense, saying that this was a hypothetical attack method that wouldn’t actually succeed. “The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world,” Visa said. “Visa is committed to keeping fraud at low levels and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally. We provide issuers with the necessary data to make informed decisions on the risk of transactions. There are also steps that merchants and issuers can take to thwart brute force attempts.”

The problem with Visa’s defense is that, according to the IEEE paper, this wasn’t a theoretical attack. The researchers said they tried it and it worked.

“Rather than buying online goods from an e-commerce website, we created an attack scenario that uses the card details to open a money transfer account, sends the money to an anonymous recipient abroad, where the money is picked up within minutes of issuing the transfer. The attacker needs to be able to clear the funds before the issuing bank reverses the payment and thwarts the attack. It is therefore desirable from the attacker’s point of view that the funds are transferred to an account outside the country (because it is more time consuming and costly to reverse payment across countries) or be conducted through a wire transfer to an anonymous cash recipient by using services such as the Western Union,” the report said. “In our experiment, the card information extracted using our bot was used to create a bogus account from which we transferred money to a recipient in India. Within minutes, we received a confirmation email for the order made, and our contact confirmed the pick-up of the money. The time it took from the process of creating an account to collecting the money at the destination was only 27 minutes, which is short enough to avoid the bank reversing the payment.”

The paper also addressed how it obtained the CVV2. “To find the correct CVV2, the bot will simply need to cycle through the possible values starting from 001 until the payment website blocks further attempts. A handful of payment sites allowed unlimited attempts while most of the other payment sites allowed 5, 10 or even 50 attempts to enter a correct CVV2. In our scenario, we ‘farm out’ the brute force guessing attack to tens or even hundreds of payment systems, which practically means we can carry out unlimited guesses. The final step generates the cardholder’s address. An attacker can exploit the different variants of address verification system to find the full address of the cardholder.”

PCI also came up, with the researchers pointing out that PCI rules seemingly didn’t anticipate this multi-merchant attack method. “There is no [PCI] requirement for the merchant to request all of the data fields during an online payment authorization, nor is there a mandatory requirement for the merchant to implement any of the optional security filters.”

Other than money transfers — which, as the researchers demonstrated, are a long-term hole that is begging to be exploited — the big vulnerability here is e-commerce.

But let’s not forget that most physical merchants have still not activated EMV. That means that this data can be used successfully to create cloned cards, which can then be used in any of those physical stores that have yet to activate EMV. EMV delivers far from perfect overall security, but it does all but halt cloned-card attempts. That should add EMV deployment to any merchant’s New Year’s resolution list.

How big is that e-commerce vulnerability? At this time of year, it’s larger than usual. That’s because e-tailers, including the online operations of physical chains, are scared to death to make their anti-fraud tactics more strict during the holidays. Although the rate of fraud doesn’t change during the hectic holiday shopping season, the shopper tolerance for jumping through anti-fraud hoops is far lower. That’s primarily because there are a lot of people who will only show up at an e-tailer’s virtual door during the holidays, often when they have a new gift recipient to deal with, such as a new brother-in-law who loves to fish.

Some of these holiday-only shoppers can be converted to regular visitors, but only if they are treated right. And when they get the slightest pushback on authentication, they have no problem abandoning the site, since they have no loyalty. As far as they are concerned, one fishing site is as good as another.

In short, adding fields or reducing the number of failures that a site will endure is the last thing retailers want to do during the holidays. 

This attack is quite effective because, by definition, it can’t be thwarted by the actions of any one or two — or even 2,000 — sites. As long as there are a decent number of lenient sites, this works. The true way to combat it is to have a centralized system — at the processor level, presumably, although the card brands could also attempt it — that limits wrong guesses for a card across all sites. That way, a multi-merchant attack would get no more guessing attempts in total than it would get at any one site.
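To make the centralized limit concrete, the following added example (not from the article or the IEEE paper) runs a per-merchant decline counter and a cross-merchant decline counter over the same constructed authorization log. The limits, window, key, merchant names and card numbers are all assumptions chosen for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

KEY = b"constructed-demo-key"   # assumption: secret held by the central service
PER_MERCHANT_LIMIT = 10         # the article's "typically 10 or 20 guesses" per site
GLOBAL_LIMIT = 10               # assumption: same budget, enforced across all sites
WINDOW_SECONDS = 3600           # assumption: one-hour sliding window

def card_token(pan: str) -> str:
    """Keyed hash so the counter store never holds raw card numbers."""
    return hmac.new(KEY, pan.encode(), hashlib.sha256).hexdigest()

def evaluate(events):
    """events: time-ordered (epoch_seconds, merchant_id, pan, approved) tuples.
    Returns (per_merchant_blocks, central_blocks), each a list of (ts, merchant)."""
    per_merchant = defaultdict(deque)   # (token, merchant) -> decline timestamps
    per_card = defaultdict(deque)       # token -> declines across all merchants
    local_blocks, central_blocks = [], []
    for ts, merchant, pan, approved in events:
        if approved:
            continue
        token = card_token(pan)
        for store, key, limit, out in (
            (per_merchant, (token, merchant), PER_MERCHANT_LIMIT, local_blocks),
            (per_card, token, GLOBAL_LIMIT, central_blocks),
        ):
            window = store[key]
            window.append(ts)
            # Drop declines that have aged out of the sliding window.
            while window and window[0] <= ts - WINDOW_SECONDS:
                window.popleft()
            if len(window) > limit:
                out.append((ts, merchant))
    return local_blocks, central_blocks

def constructed_events():
    """Constructed sample: one card declined 5 times at each of 6 merchants,
    plus an unrelated card with a single decline."""
    pan = "4000000000000002"   # constructed sample number, not a real card
    events = [(1000 + m * 60 + i, f"merchant-{m}", pan, False)
              for m in range(6) for i in range(5)]
    events.append((1500, "merchant-0", "4000000000000010", False))
    return sorted(events)

if __name__ == "__main__":
    local, central = evaluate(constructed_events())
    print("per-merchant blocks:", len(local))
    print("central blocks:", len(central), "first:", central[0])
```

On the sample, no single merchant sees more than five declines, so the per-merchant counters never trip, while the cross-merchant counter flags the card from its eleventh decline onward.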

But that’s not how the system works today. Merchants have wide latitude in deciding their own security methods, which aligns with how much risk they are willing to fund. That makes centralized verification tricky.

Still, the report found, without explanation, that while these attacks worked on every Visa card attempted, regardless of issuing bank, “when the attack is applied to a Mastercard, the distributed attack is detected. This suggests that the payment networks have the capability to detect and prevent a distributed attack where the network is globally integrated.”

The paper noted that a simple CAPTCHA on a checkout page disrupted their bot. Again, though, on a multi-merchant attack, the defenses of any one site are irrelevant. 

“Payment gateways can provide advanced features to their merchants, and these features should at least make it more difficult to exploit a website for the attack. Most importantly, gateways may use IP address velocity filters, which are implemented to detect repeated invalid attempts made within a certain time span from the same IP address,” the paper said, before pointing out this tactic’s futility. “But with no coordination between different gateways, these velocity filters can easily be circumvented just by switching to a website that uses a different payment gateway.”

Visa also hinted at another way to block this attack, but it again requires extensive merchant effort. “Visa also offers enhanced security using Verified by Visa based on the 3DSecure standard, which offers improved security for e-commerce transactions. The 3DSecure 2.0 specification was recently announced and Visa is actively developing Verified by Visa to incorporate the advances in security it offers,” Visa said. “Where a merchant chooses not to use Verified by Visa for a card not present transaction, they will assume the risk for fraud.”