Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

Distributed guessing attacks allow fraudsters to perform mass theft using botnets

  • 14-03-2017 8:51am
    #1
    Registered Users, Registered Users 2 Posts: 1,667 ✭✭✭


    According to an article in today’s Financial Times on payment card fraud British banks were victims of ‘distributed guessing attacks’ which involved creating Visa card numbers and trying them out against bank payment systems at high speed, often guessing a valid payment card number, expiry date and CVV in as little as six seconds.

    Basically all the fraudster has to take a valid IIN (the first 4 to 6 characters issued to a bank), they then pre-compute 16 digit card numbers from a valid IIN group, using Modulus 10 check digit verification to remove about 90% of the fabricated numbers from the guessing attack, that couldn’t be valid.

    They then can do a bell shaped curve to compute the most popular card expiry month and year for each IIN group and use the most popular expiry dates first in the attack.

    As the use of payment cards (debit and credit) becomes more prevalent this type of attack will be easier to reproduce.

    The remaining variable is the CVV which is not always used by banks in practice. But if it is just adds 1000 guesses at most – which is a second or two using a high speed bot net.

    Where they find ranges of card account numbers working in their hack attack, they can concentrate future hacking around this number range.

    Visa does not check multiple attacks on a global central database, allowing fraudsters to keep trying until their hacking program is successful. MasterCard does this central check which allows them to detect guessing attempts in under 10 attempts, even if multiple IP numbers and locations are involved.

    As the number of debit and credit card payments increases, this type of attack will become easier and more successful.


Comments

Advertisement