
Visa's credit card network has some serious security gaps


December 5, 2016

Academics say that criminals can easily guess credit card numbers in as little as 6 seconds per attempt thanks to various security gaps in Visa's network.

Brute-force attacks let criminals rapidly bombard Visa with credit card payment requests across multiple sites, with each attempt narrowing down the possible combinations until a valid card number and expiration date are determined.

Visa, unlike its competitor Mastercard, doesn't detect the flood of requests as unusual, the researchers say, and that's the root cause of the security issue.
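The detection gap described above, sketched as an added example (not code from the whitepaper or any card network): a velocity check that counts declines per card across all merchants rather than per site. The event fields, thresholds and sample events are constructed assumptions.

```python
from collections import Counter, defaultdict, deque

# Assumed thresholds for illustration; not taken from the whitepaper.
WINDOW_SECONDS = 60   # sliding window length
MAX_DECLINES = 5      # declines per card, summed across all merchants
MIN_MERCHANTS = 3     # distinct merchants involved in those declines

def build_sample_events():
    """Constructed events: (unix_time, card_token, merchant_id, approved)."""
    # tok_A: 12 declines in 24 seconds, spread thinly over six merchants.
    events = [(1000 + 2 * i, "tok_A", f"m{i % 6}", False) for i in range(12)]
    # tok_B: cardholder mistypes twice at one merchant, then succeeds.
    events += [(1000, "tok_B", "m1", False), (1020, "tok_B", "m1", False),
               (1040, "tok_B", "m1", True)]
    # tok_C: occasional declines at different merchants, an hour apart.
    events += [(1000 + 3600 * i, "tok_C", f"m{i % 3}", False) for i in range(5)]
    return events

def max_declines_per_merchant(events, card):
    """Largest number of declines for `card` that any single merchant sees."""
    seen = Counter(m for _, c, m, ok in events if c == card and not ok)
    return max(seen.values(), default=0)

def detect_distributed_guessing(events, window=WINDOW_SECONDS,
                                max_declines=MAX_DECLINES,
                                min_merchants=MIN_MERCHANTS):
    """Return {card_token: time of first alert} using the cross-merchant view."""
    recent = defaultdict(deque)   # card -> (time, merchant) of recent declines
    alerts = {}
    for ts, card, merchant, approved in sorted(events):
        if approved or card in alerts:
            continue
        q = recent[card]
        q.append((ts, merchant))
        while ts - q[0][0] > window:   # drop declines older than the window
            q.popleft()
        if len(q) >= max_declines and len({m for _, m in q}) >= min_merchants:
            alerts[card] = ts
    return alerts

if __name__ == "__main__":
    events = build_sample_events()
    print(max_declines_per_merchant(events, "tok_A"))  # per-merchant view
    print(detect_distributed_guessing(events))         # network-wide view
```

In the sample data no single merchant sees enough declines on tok_A to look unusual, while the aggregated view flags it and leaves the mistyping cardholder and the slow, unrelated declines alone.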

Useful for criminals with only partial breach records of personal information, the attempts work against the Alexa Top 400 online merchant sites, according to findings in the whitepaper 'Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?' written by Newcastle University's Mohammed Aamir Ali, Dr Leonardus Arief, Dr Martin Emms and Professor Aad van Moorsel.

"We investigated the Alexa top-400 online merchants’ payment sites, and realized that the current landscape facilitates a distributed guessing attack," the authors say.

This attack subverts the payment functionality from its intended purpose of validating card details, into helping the attackers to generate all security data fields required to make online transactions.

"Different websites present alternating sets of fields to identify the cardholder. This disparity inadvertently creates the perfect conditions for a scalable distributed guessing attack," the authors assert.

The attacks exploit the differences in authorization proofs under which some sites accept expiration dates while others require criteria like street addresses.

About seventy-eight percent (or 303 websites) of the affected merchants did absolutely nothing when the security team disclosed the attack. It is still unknown why no action was taken.

A handful of sites quickly updated their checkouts to use more secure mechanisms, while a few implemented updates that made their checkouts even less secure.

The attacks rely on card-not-present fraud, in which merchants do not require the three-digit CVV number found on the back of cards to authorize a credit card transaction.

Fraud of that type is increasingly uncommon in countries with advanced anti-fraud technology, with North America's established chip-and-PIN and advanced payment systems making it one of the tougher targets.

The researchers assert that all merchants should use standard payment authorization fields to knock out the ability for the attacks to scale. We'll keep you updated.

Source: Newcastle University.

Copyright © Internet Security.ca