Researchers in the UK have uncovered a novel and unexpected way in which attackers can compromise credit cards by using legitimate online merchants. The attack relies on gathering different pieces of authentication data, until the hackers guess the credit card’s security details.
Older Visa credit cards seem to be particularly at risk from this type of “distributed guessing attack”, mainly because Visa’s network doesn’t flag numerous card payment requests spread across multiple sites as suspicious. Attackers can exploit this flaw by trying to brute-force their way to easy money. The technique is particularly useful when they already have access to partial user data from leaked accounts or phishing attacks.
Researchers found that by targeting hundreds of legitimate online retailers, each using slightly different pieces of information to authenticate credit cards, attackers could slowly but surely build up a complete credit card profile.
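The gap the researchers describe is on the network side: each retailer sees only its own handful of declined attempts, so the cross-merchant pattern is invisible unless someone aggregates authorizations per card. The following is an added illustration, not code from the researchers or from any card network, of the velocity check that would close that gap. It assumes a hypothetical, constructed authorization log (timestamp, merchant id, card token, result) and flags a card when too many declines arrive from too many distinct merchants inside a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of card-network authorization log lines (hypothetical
# format, not a real Visa feed): timestamp  merchant_id  card_token  result
SAMPLE_LOG = """\
2016-12-02T10:00:01 merchant-017 tok_4a1f DECLINED
2016-12-02T10:00:09 merchant-052 tok_4a1f DECLINED
2016-12-02T10:00:15 merchant-003 tok_9b2c DECLINED
2016-12-02T10:00:31 merchant-117 tok_4a1f DECLINED
2016-12-02T10:00:44 merchant-003 tok_9b2c APPROVED
2016-12-02T10:01:02 merchant-088 tok_4a1f DECLINED
2016-12-02T10:01:20 merchant-040 tok_7e3d DECLINED
2016-12-02T10:01:25 merchant-040 tok_7e3d DECLINED
2016-12-02T10:01:30 merchant-040 tok_7e3d DECLINED
2016-12-02T10:01:35 merchant-040 tok_7e3d DECLINED
2016-12-02T10:01:40 merchant-040 tok_7e3d DECLINED
2016-12-02T10:02:10 merchant-201 tok_4a1f DECLINED
2016-12-02T10:02:55 merchant-017 tok_4a1f DECLINED
2016-12-02T10:03:30 merchant-201 tok_4a1f APPROVED
"""


def parse_line(line):
    """Split one log line into a dict; timestamps are ISO 8601."""
    ts, merchant, card, result = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "merchant": merchant,
        "card": card,
        "result": result,
    }


def flag_distributed_guessing(log_text, window=timedelta(minutes=10),
                              min_declines=5, min_merchants=3):
    """Return {card_token: summary} for cards whose declines within `window`
    come from at least `min_merchants` distinct merchants and number at least
    `min_declines`. A single retailer cannot compute this; only the network
    (or issuer) sees every merchant's attempts against the same card."""
    by_card = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            by_card[event["card"]].append(event)

    flagged = {}
    for card, events in by_card.items():
        events.sort(key=lambda e: e["ts"])
        declines = [e for e in events if e["result"] == "DECLINED"]
        start = 0
        # Sliding window over the declines only: advance `start` until the
        # oldest decline still falls inside `window` of the newest one.
        for end in range(len(declines)):
            while declines[end]["ts"] - declines[start]["ts"] > window:
                start += 1
            in_window = declines[start:end + 1]
            merchants = {e["merchant"] for e in in_window}
            if len(in_window) >= min_declines and len(merchants) >= min_merchants:
                flagged[card] = {
                    "declines": len(in_window),
                    "merchants": len(merchants),
                    "first": in_window[0]["ts"],
                    "last": in_window[-1]["ts"],
                }
    return flagged


if __name__ == "__main__":
    for card, summary in flag_distributed_guessing(SAMPLE_LOG).items():
        print(card, summary)
```

In the constructed sample, `tok_4a1f` collects six declines from five different merchants in about three minutes and is flagged, while `tok_7e3d` (five declines, all from `merchant-040`) is not: that pattern is what a single retailer's own rate limit already sees, and lowering `min_merchants` to 1 would catch it here too. The thresholds are illustrative; real values would be tuned against the issuer's legitimate decline rates.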
It’s important to note, however, that this type of attack relies on so-called “card-not-present fraud”, where the merchants don’t force the attacker to provide the 3-digit CVV code usually printed on the back of the card. Advanced payment systems make for much tougher targets.
And directly buying credit card information that was fully leaked is an even simpler and more efficient practice, so the current flaw, though worrying, isn’t likely to be exploited on a large scale.
The investigators who uncovered this flaw are calling for a more unified model for authenticating credit cards online, and for retailers and payment processing companies to bulk up their security.