
Distributed guessing attacks allow fraudsters to perform mass theft using botnets

  • 14-03-2017 9:51am
    #1
    Registered Users Posts: 1,667 ✭✭✭


    According to an article in today’s Financial Times on payment card fraud, British banks were victims of ‘distributed guessing attacks’ which involved creating Visa card numbers and trying them out against bank payment systems at high speed, often guessing a valid payment card number, expiry date and CVV in as little as six seconds.

    Basically all the fraudster has to do is take a valid IIN (the first 4 to 6 characters issued to a bank). They then pre-compute 16-digit card numbers from a valid IIN group, using Modulus 10 check digit verification to remove about 90% of the fabricated numbers that couldn’t be valid from the guessing attack.

    They can then do a bell-shaped curve to compute the most popular card expiry month and year for each IIN group and use the most popular expiry dates first in the attack.

    As the use of payment cards (debit and credit) becomes more prevalent this type of attack will be easier to reproduce.

    The remaining variable is the CVV, which is not always used by banks in practice. But if it is, it just adds 1000 guesses at most – which is a second or two using a high-speed botnet.

    Where they find ranges of card account numbers working in their hack attack, they can concentrate future hacking around this number range.

    Visa does not check multiple attacks on a global central database, allowing fraudsters to keep trying until their hacking program is successful. MasterCard does this central check which allows them to detect guessing attempts in under 10 attempts, even if multiple IP numbers and locations are involved.

    As the number of debit and credit card payments increases, this type of attack will become easier and more successful.
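
The central check the post credits to MasterCard can be sketched as follows. This is an added example, not part of the original post and not any card network's actual logic: it counts distinct declined expiry/CVV combinations per card across all merchants and IPs, where each merchant alone sees too few declines to react. The event fields, window, threshold and sample data are assumptions.

```python
import hashlib
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 600      # assumed sliding window
MAX_DISTINCT_GUESSES = 5  # assumed limit, inside the "under 10 attempts" the post cites

def h(value: str) -> str:
    """Stand-in for tokenisation: the central store never holds card data in clear."""
    return hashlib.sha256(value.encode()).hexdigest()

class CentralGuessDetector:
    """Tracks declines per card across ALL merchants and IPs, not per site."""
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_DISTINCT_GUESSES):
        self.window, self.limit = window, limit
        self.declines = defaultdict(deque)  # card hash -> (ts, guess hash)
        self.blocked = set()

    def observe(self, ev: dict) -> str:
        card = h(ev["pan"])
        if card in self.blocked:
            return "block"               # even a finally-correct guess is refused
        if ev["approved"]:
            return "allow"
        q = self.declines[card]
        q.append((ev["ts"], h(ev["expiry"] + "|" + ev["cvv"])))
        while ev["ts"] - q[0][0] > self.window:
            q.popleft()                  # expire declines outside the window
        if len({guess for _, guess in q}) >= self.limit:
            self.blocked.add(card)
            return "block"
        return "decline"

def run(events):
    det = CentralGuessDetector()
    return [det.observe(ev) for ev in events]

def per_merchant_max(events):
    """Most declines any single merchant sees for one card (the local view)."""
    seen = Counter((e["merchant"], e["pan"]) for e in events if not e["approved"])
    return max(seen.values())

# Constructed sample (test card numbers, documentation IPs), in time order:
# one card tried via six merchants, then an unrelated cardholder's single typo.
SAMPLE = [{"ts": t, "merchant": f"shop-{t}", "ip": f"192.0.2.{t}", "pan": "4111111111111111",
           "expiry": f"{t:02d}/19", "cvv": "000", "approved": False} for t in range(1, 7)] + [
    {"ts": 7, "merchant": "shop-7", "ip": "198.51.100.7", "pan": "4111111111111111",
     "expiry": "07/19", "cvv": "000", "approved": True},
    {"ts": 8, "merchant": "shop-1", "ip": "203.0.113.9", "pan": "5555555555554444",
     "expiry": "01/20", "cvv": "123", "approved": False},
    {"ts": 9, "merchant": "shop-1", "ip": "203.0.113.9", "pan": "5555555555554444",
     "expiry": "01/21", "cvv": "123", "approved": True}]
```

On the sample, no merchant sees more than one decline for a card, yet the central view blocks the probed card at the fifth distinct guess while the cardholder who mistyped once is still approved.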

