Researchers from the University of Newcastle have developed a credit card querying system that has exposed loopholes in online payment systems: cyber thieves using a similar method could essentially ‘guess’ your credit card number.
What is this system?
One of the main goals of cyber thieves is of course to obtain credit card details, but what if there was a way to go in through the ‘front’ of online payment systems to get them rather than hacking?
The Newcastle University team, led by PhD student Mohammed Aamir Ali, has developed a system that submits payment requests to multiple websites simultaneously. It is essentially a brute-forcing program designed to ‘guess’ card numbers across a number of different websites.
In tests, the system was able to start with the first 6 digits of the long card number, ‘guess’ the remaining digits, and then try out different combinations of those numbers, expiry dates and security codes on other websites. The researchers were able to piece the information together because different sites ask for different credentials to verify a purchase, so the fragments obtained from each of the many sites could be combined into the full, correct credit card details.
The software-based ‘distributed guessing attack’ worked so quickly and so effectively that in tests (using only Visa and MasterCard) the researchers were able to obtain correct card details in less than 10 seconds, which is astonishing. Imagine the devastation if cyber criminals ever use technology like this!
The test showed, in essence, that the very purpose of payment validation in online payment systems can be subverted to help attackers generate the security data fields required to make successful online transactions.
No Alarms Were Raised.
The researchers found that they were able to run multiple software bots with multiple queries against many hundreds of website payment systems without triggering any alarms or arousing any suspicion. The cards used in the experiment are not subject to centralised checks across transactions from different sites.
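The gap described here, as an added illustration that is not part of the article or of the researchers' work: a centralised velocity check run by the card network across all merchants would see the pattern that no single website can, namely one card number declined at many different sites with a different expiry date each time. The attempt records, merchant names, masked card numbers and thresholds are all constructed for this example.

```python
from collections import defaultdict, namedtuple

# One authorisation request as the card network sees it (constructed fields).
Attempt = namedtuple("Attempt", "ts merchant pan expiry approved")

WINDOW_SECONDS, MIN_MERCHANTS, MIN_EXPIRIES = 60, 3, 3   # illustrative thresholds

# Constructed sample: one card probed from five sites with a different expiry
# each time (the pattern the article describes), plus a genuine cardholder who
# mistyped twice at a single shop. Assumed data, not from the research.
ATTEMPTS = [
    Attempt(0,  "shop-b", "4000********0001", "01/19", False),
    Attempt(4,  "shop-c", "4000********0001", "02/19", False),
    Attempt(9,  "shop-d", "4000********0001", "03/19", False),
    Attempt(13, "shop-e", "4000********0001", "04/19", False),
    Attempt(18, "shop-f", "4000********0001", "05/19", True),
    Attempt(30, "shop-a", "5100********0002", "07/20", False),
    Attempt(45, "shop-a", "5100********0002", "07/20", False),
    Attempt(60, "shop-a", "5100********0002", "08/20", True),
]

def declines_per_merchant(attempts):
    """Each website's own view: declines per site. Every site sees at most two
    failures, which is why none of them raised an alarm."""
    counts = defaultdict(int)
    for a in attempts:
        if not a.approved:
            counts[a.merchant] += 1
    return dict(counts)

def flag_distributed_guessing(attempts):
    """Centralised view: slide a window over each card's declines and flag the
    card when many merchants submit many different expiry dates in a short time."""
    declines = defaultdict(list)
    for a in sorted(attempts, key=lambda a: a.ts):
        if not a.approved:
            declines[a.pan].append(a)
    flagged = set()
    for pan, seq in declines.items():
        start = 0
        for end in range(len(seq)):
            while seq[end].ts - seq[start].ts > WINDOW_SECONDS:
                start += 1
            window = seq[start:end + 1]
            if (len({a.merchant for a in window}) >= MIN_MERCHANTS
                    and len({a.expiry for a in window}) >= MIN_EXPIRIES):
                flagged.add(pan)
                break
    return flagged
```

Run against the sample, the per-merchant view never exceeds two declines for any site, while the centralised view flags the probed card after its third decline.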
Good Guys Shared The Information.
As part of a responsible disclosure exercise, the researchers shared their findings with the top 36 (out of 342) vulnerable websites. Although 8 sites changed their security systems as a result of the disclosure, the other 28 are reported not to have made any changes yet.
Could This Spell Trouble For Your Business?
As the researchers pointed out in their paper about the experiment, online fraud is now the largest category of card fraud in the UK, representing 45% of the total value of the fraud committed against UK credit and debit cards.
Although there is no evidence that this ‘distributed guessing attack’ method is currently being used, the experiment has serious implications for all businesses that have an online payment system on their website, and indeed for anyone with a credit card. Visa, for example, is the most popular payment network in the world, and the discovered vulnerabilities greatly affect the entire global online payments system.
If cyber thieves were to adopt this method, the broad outlines of which are now in the public domain, partial credit card numbers stolen in previous cyber-attacks around the world could also be used to obtain the remaining digits.