Did Tesco Bank attackers guess victims’ payment card details?

A group of researchers from Newcastle University have discovered a practical and easy way for attackers to quickly guess individuals’ Visa payment card info needed to perform fraudulent card-not-present transactions (e.g. when online shopping).

payment card details

Actions and parties in online payment

They dubbed the method Distributed Guessing Attack, and believe it likely that it has been used in the recent attacks against Tesco Bank customers, to steal around £2.5 million from some 9,000 customers through fraudulent transactions.

Tesco Bank has reimbursed the affected customers and resumed full service, but has yet to share insight on how the attackers managed to pull off this heist, as the criminal investigation is still ongoing.

The Distributed Guessing Attack

The attack setup is as follows:

  • A computer with an Internet connection and an Internet browser (they used Firefox)
  • Software to carry out the attack (a website bot and automated scripts), and
  • Several Visa cards (they also tried Mastercard, but the attack doesn’t work on it).

The attack relies on several things.

“The first weakness is that in many settings, the current online payment system does not detect multiple invalid payment requests on the same card from different websites. Effectively, this implies that practically unlimited guesses can be made by distributing the guesses over many websites, even if individual websites limit the number of attempts,” the researchers pointed out.

“Secondly, the attack scales well because different web merchants provide different fields, and therefore allow the guessing attack to obtain the desired card information one field at a time.”

“Starting with a valid card number (PAN), to guess the expiry date an attacker can utilise several merchants’ websites that check only two fields: the card number and the expiry date. Once the expiry date is known, the attacker can use it along with the card number to guess the CVV2 information using another set of websites that check 3 fields (the card number, the expiry date, and the CVV2),” they explained.

Valid PANs can be easily obtained by buying bulk lists of card details online, and after the expiry date and CVV2 number is guessed in this way, the attacker has all the information they need to make purchases at many online shops.

Some require an address field to be also filled, but they just verify numerical values of the street/house and postcode fields, and those are again easy to ferret out.

“This can be done by querying the first six digits of a PAN through well-known online databases such as BinDb and ExactBins, which will reveal the card’s brand, issuing bank name, and card type. Once the issuing bank is known, the attacker can increase the probability of guessing the right postcode by assuming that the victim is likely to be registered with one of the branches nearby,” they note.

Finally, websites might require the name of the card holder to be entered, but according to the researchers, no website checks that the name entered is the correct one.

All in all, they found that with the bot bombarding some 30 websites with guesses at the same time, an attacker can discover all the information needed in mere seconds. That IS quick and easy.

So what now?

While testing the attack against their own Visa and Mastercard cards, the researchers have discovered that it doesn’t work for the latter. That’s because Mastercard’s centralised network detects the guessing attack after fewer than 10 attempts – even when those attempts were distributed across multiple websites.

A Visa spokesman has commented the research by saying that it “does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world.” Also, that the company provides issuers with the necessary data to make informed decisions on the risk of transactions, and that they have their own “Verified by Visa” (3D Secure) system which uses an added authentication step for online payments, improving security for online transactions.

“Our experiments confirmed that 3D Secure payments are protected from the distributed guessing attack described in this article since the issuing bank has visibility of all transaction requests directed at a single card, even if those requests are distributed across many websites,” the researchers noted, but from the perspective of the merchant, 3D Secure has several drawbacks and that results in just a minority of merchants implementing it.

The easiest solution for this problem is to either for the card payment network (in this case Visa) to implement the capability to detect and prevent such a distributed attack, or for all merchants to offer the same payment interface so that the guessing of each of the fields separately is made impossible.

While the latter is unlikely to be achieved, the former could be (as Mastercard has proved).