Distributed guessing attack could reveal Visa card details

A "frighteningly easy" distributed guessing attack can figure out Visa credit card details in seconds, researchers from Newcastle University in the UK have discovered.

The researchers studied credit card payment protection mechanisms [pdf], and discovered that Visa, the largest credit card network in the world, is vulnerable to allowing unlimited guesses if they're distributed across multiple sites.

Competitor Mastercard is able to detect a guessing attack after fewer than ten tries through centralised checks on transactions from multiple sites.

By exploiting web sites asking for different pieces of information, the researchers were able to piece together full credit card details quickly. The flaw could make it easy for attackers who have obtained partial credit card information from data breaches to get around payments verification protection measures, the researchers said.

Combined, the two weaknesses in Visa's payments verification system could enable an automated guessing attack across multiple websites that quickly returns complete card information and allows for fraudulent transactions, experiments showed.

"... it is possible to run multiple bots at the same time on hundreds of payments sites without triggering any alarms," the researchers wrote.

A bot configured to run on 30 sites could collect the necessary information within four seconds, the researchers found.

The researchers mapped out 342 payments sites that are vulnerable to the distributed guessing attack, and disclosed the vulnerability to the top 36 of these, as well as Visa.

Several of the sites have changed their approach to payments processing since the researchers' disclosure. However, the vast majority (78 percent) of the sites did nothing, and some added credit card verification fields that made the attack easier. 

Sites should standardise their payments interfaces, and ask for the same number of credit card fields to be completed for transactions, the reseachers said, to stop the attack from scaling any further.

It is not known however if Visa could modify its system with globally distributed payments gateways, to include centralised detection of multiple guesses spread out over several sites.