Crooks can guess Visa card details in six seconds by querying lots of websites at once


#1

Originally published at: http://boingboing.net/2016/12/04/crooks-can-guess-visa-card-det.html


#2

…Just in time for Christmas.

2016 - Just swell from start to finish.


#3

Did something bad happen in 2016? I wasn’t paying much attention.


#4

Just hack the card of some board members and order porn to their address on their card, and I’m sure the word will go round that they have to fix the security.


#5

The attack itself seems fairly obvious, once you know that Visa card validation isn’t done centrally. While that is news to me, it must always have been known by card issuers, payment gateways, and basically everyone who cared to find out (including fraudsters). It’s certainly not news that an expiry date, CVV and address provide only trivial security if they can be brute-forced.

I am slightly confused, because I thought Visa was basically just a protocol. I read somewhere that “Visa” itself has like 6 employees, so I would have assumed every attempt to validate my Visa card goes through my bank (who ought to spot 700 failed validation attempts in a row).


#6

The only way to truly solve this is going to be to replace credit card numbers with some sort of network based crypto embedded in a physical card. Put card readers in cell phones and laptops, next to the fingerprint sensor, and now you don’t need card numbers anymore.


#7

Powered by a Difference Engine? Those sites are so slow!


#8

I can’t say much, but Visa is one of my employer’s major clients. Rest assured they have well more than six employees. It’s very much not “just a protocol.”


#10

Huh. Anyone’d think that common mode failure had never been invented.


#11

NFC is standard on most phones at this point, so that would be a logical option. Adding it to more traditional computers seems like a trivial task as well.


#12

Wouldn’t a much simpler way be for Mastercard, Visa and American Express to provide Paypal-esque online accounts that let you conduct transactions using them as an intermediate? That way you could use password authentication, which has issues as well but at least those can be managed by users if they have the will to do so, and it avoids the inevitable security issues when they start selling NFC readers able to access chip cards to authorize transactions, not to mention saving consumers from buying an NFC reader for every device with which they plan to make credit card transactions.


#13

As a former PP employee: PP accounts are NOT more secure. They are only as secure as the person’s chosen password, which means not at all.


#14

Yeah, this isn’t new. It’s been the case since, well, forever. As you mentioned, the way to prevent this is not at the card number itself but at all the parties involved in getting that txn processed (gateways, processors, merchant account banks, card issuers). For the most part, all the big players have velocity checks, rate limiting, geolocation and proactive measures based on transaction history. You run into problems, though, with smaller banks, smaller card issuers, smaller gateways and smaller retailers who don’t take the time/money to invest in proactive fraud prevention.

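The point made in this post and in #5 (per-merchant rate limiting cannot see guesses that are spread across many merchants, only the issuer can) can be shown with a small simulation. This is an added example, not code from the article, this thread, or any payment network; the card number (the conventional Visa test PAN), expiry, CVV, merchant counts, per-merchant limit, velocity threshold, window and guess rate are all constructed assumptions.

```python
"""Simulate distributed guessing of a card's expiry and CVV across many
merchant sites, with two controls: a per-merchant decline limit and an
issuer-side velocity check that counts failures per PAN across all merchants.
Constructed data throughout; nothing here talks to a real payment system."""

from collections import defaultdict, deque
from itertools import product

# Constructed target. 4111 1111 1111 1111 is the conventional Visa test PAN;
# the expiry and CVV are arbitrary values chosen for the simulation.
PAN = "4111111111111111"
TRUE_EXPIRY = (3, 2018)   # (month, year)
TRUE_CVV = "417"

# Search space the attacker walks: five years of expiries x 1000 CVVs.
YEARS = range(2017, 2022)
MONTHS = range(1, 13)
CVVS = [f"{n:03d}" for n in range(1000)]


class Issuer:
    """Sees every authorization from every merchant, so it is the one party
    that can count failures per PAN across merchants. velocity_limit=None
    disables that check (the 'small issuer' case in the post)."""

    def __init__(self, velocity_limit=None, window_seconds=60.0):
        self.velocity_limit = velocity_limit
        self.window = window_seconds
        self.failures = defaultdict(deque)   # pan -> timestamps of declines
        self.frozen = set()                  # PANs blocked by the velocity rule
        self.alert_at = None                 # attempt number of first alert

    def authorize(self, pan, expiry, cvv, now, attempt_no):
        if pan in self.frozen:
            return False
        if expiry == TRUE_EXPIRY and cvv == TRUE_CVV:
            return True
        recent = self.failures[pan]
        recent.append(now)
        while recent and now - recent[0] > self.window:   # slide the window
            recent.popleft()
        if self.velocity_limit is not None and len(recent) >= self.velocity_limit:
            self.frozen.add(pan)
            if self.alert_at is None:
                self.alert_at = attempt_no
        return False


class Merchant:
    """Per-merchant control: stop trying a card after `limit` declines.
    Each merchant only sees its own attempts."""

    def __init__(self, limit):
        self.limit = limit
        self.declines = defaultdict(int)

    def blocked(self, pan):
        return self.declines[pan] >= self.limit

    def attempt(self, issuer, pan, expiry, cvv, now, attempt_no):
        ok = issuer.authorize(pan, expiry, cvv, now, attempt_no)
        if not ok:
            self.declines[pan] += 1
        return ok


def run_attack(n_merchants, merchant_limit=10, issuer_velocity_limit=None,
               guesses_per_second=2500.0):
    """Round-robin the (expiry, cvv) guesses over n_merchants in parallel,
    dropping a merchant once it blocks the card. Returns what the attacker
    saw (found / attempts) and what the issuer saw (alert attempt number)."""
    issuer = Issuer(issuer_velocity_limit)
    live = deque(Merchant(merchant_limit) for _ in range(n_merchants))
    blocked = 0
    attempts = 0
    for year, month, cvv in product(YEARS, MONTHS, CVVS):
        if not live:                         # every merchant has cut us off
            break
        merchant = live.popleft()
        attempts += 1
        now = attempts / guesses_per_second  # assumed aggregate guess rate
        if merchant.attempt(issuer, PAN, (month, year), cvv, now, attempts):
            return {"found": ((month, year), cvv), "attempts": attempts,
                    "blocked_merchants": blocked, "issuer_alert_at": issuer.alert_at,
                    "elapsed_seconds": round(now, 1)}
        if merchant.blocked(PAN):
            blocked += 1
        else:
            live.append(merchant)
    return {"found": None, "attempts": attempts, "blocked_merchants": blocked,
            "issuer_alert_at": issuer.alert_at,
            "elapsed_seconds": round(attempts / guesses_per_second, 1)}


if __name__ == "__main__":
    print("100 merchants, no issuer check:  ", run_attack(100))
    print("2000 merchants, no issuer check: ", run_attack(2000))
    print("2000 merchants, issuer velocity: ", run_attack(2000, issuer_velocity_limit=20))
```

With 100 merchants the per-merchant limit wins: the card is blocked everywhere after 1,000 guesses. With 2,000 merchants each site sees at most 8 declines, no merchant ever blocks, and the guess lands on attempt 14,418. Only the issuer-side velocity rule, which aggregates declines across merchants, stops that run, and it does so at the 20th failed authorization, long before the correct guess arrives.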

#15

My point wasn’t that making Visa and Mastercard transactions authenticate like Paypal transactions will make them secure, since as you say many Paypal accounts are poorly secured. Instead, my point was that, for the small but informed minority of people who will choose a good password, it will significantly increase security, since it will no longer be capped by a measly 3 digit code and a not as private as it should be card number, particularly since both of those bits of information get shared with every site that you make a transaction with, whereas with an intermediate authentication system like Paypal you don’t give your password to every merchant you transact with. Note that in addition to leaving aside the issue of poor passwords (since we’re talking about what Mastercard and Visa can do, you’re never going to make people secure if they’re willfully careless), we’re ignoring the human factors of operating these services, which can introduce their own issues.


#16

“Crooks” Aren’t crooks extinct? If a headline was needed that didn’t duplicate “Criminals”, why not use the more colorful “Miscreants”?

