[0:13] I’m currently a PhD research student at Newcastle University; my research centres around exploiting the potential vulnerabilities in payment ecosystems. I have ongoing research which involves landscaping the development and security challenges in the online payment system. An online payment site requires the customer’s existing credit or debit card to transfer funds from the customer’s bank account to the merchant’s bank account. This process involves a number of parties, each with a different set of responsibilities. A customer enters their payment card details on the merchant website. The merchant controls which data fields are used to authorise the payment.
[0:50] The merchant then passes the card details to their chosen payment gateway or acquiring bank, which provides the service of authorising and processing the merchant’s payment request. The payment gateway, on behalf of the merchant, can also implement additional security filters at this point. The payment gateway then connects the merchant to the card payment network to request payment from the customer’s bank account held at the card-issuing bank. The payment networks provide the link between payment gateways and the thousands of card-issuing banks. The card issuer holds the customer’s bank account and approves the payment.
[1:29] The card issuer maintains a customer card record file, which contains information such as account balance, customer name, full address, and other card details not visible to the rest of the payment network. In the final step, called settlement, the card-issuing bank deposits the customer’s money into the merchant’s bank account. An online payment is a card-not-present credit or debit card transaction. This implies that the merchant cannot physically verify that the customer actually has the card. Therefore, the security of online payment is dependent upon the customer providing card data which only a valid cardholder could know. So by card information I mean the cardholder name, the account holder’s name as printed on the card.
[2:15] We found that no website checks that the name entered is correct. The 16-digit card number: a unique identifier printed on the front of the card by the card-issuing bank. Also referred to as the primary account number, it links the card to the customer’s bank account. The card expiry date, printed or embossed on the front of the card. The card verification value: a three-digit number printed on the reverse side of the card. It is meant to be known only to the person possessing the card. It should not be stored electronically anywhere in the payment ecosystem.
[2:50] The cardholder address: not visible on the card, but sometimes used for payment authorisation purposes. Address verification is performed only on the numerical values of the street and postcode fields; any alphabetical characters are ignored. We investigated the Alexa top 400 merchant websites and came to an important observation: the difference in the security solutions provided by different websites introduces a practically exploitable vulnerability in the overall payment ecosystem. This vulnerability allows an attacker to generate all of the card information required to make an online payment. To obtain card details, we can use a web merchant’s payment page to guess the data. The merchant’s reply to a transaction attempt will state whether the guess was correct or not.
[3:40] The reason this attack works in practice is due to two weaknesses, each not too severe on its own, but which, when used together, present a serious risk to the global payment system. The first weakness: there are variations in the card data fields validated by online merchants. These online merchants can be divided into three groups. The first group of online merchants only validates card number and expiry date. The second group validates card number, expiry date, and CVV. And the third group validates card number, expiry date, CVV, as well as address information.
[4:21] The second weakness: the online payment system does not detect multiple invalid payment requests on the same card from different websites. These variations, when combined with unlimited guesses, make it possible to generate all the card details one field at a time.
[4:45] We take ethics very seriously. Soon after we found this vulnerability, we informed the most affected online merchant websites. Some of the online merchant websites have changed their checkout systems and limited the number of attempts they used to offer before. Now we are talking to banks and card payment networks to help them mitigate this distributed guessing attack.
Exploring vulnerabilities in online payments
In this video Mohammed Aamir Ali explains recent work at Newcastle University which has exposed flaws in the VISA payment system. Mohammed describes the vulnerabilities involved and finishes by describing steps that have been taken to improve the payments system.
We’ve seen in previous steps how the world of online payments involves a number of parties: the online merchant, the payment gateway, the credit card company’s payment network, and the customer’s card issuing bank, all of whom have responsibilities as well as a financial stake in the transaction. We then looked at how the online retailer makes choices in designing their payment systems, to strike a balance between security against fraud, and ease of use for customers.
Mohammed describes how the customer needs to provide data to the retailer to confirm they are the cardholder: this data includes cardholder name, 16-digit card number, expiry date, CVV (card verification value, the three digits printed on the reverse of the card), and cardholder address. Because different websites verify different subsets of this data, the system as a whole can be exploited to generate all the necessary cardholder data by a “distributed guessing” attack. Mohammed shows how two weaknesses combine to allow this: first, that different groups of merchants use only a subset of the cardholder data to verify details; and second, that the payment network does not detect repeated failed attempts on the same card when those attempts are spread across different websites. Together these allow the data to be “guessed” one field at a time, by distributing thousands of guesses across a network of online retailers.
After finding this vulnerability, the researchers at Newcastle University informed the most affected online merchant websites, some of whom have since changed their checkout systems and limited the number of attempts permitted. Researchers are now working with banks and payment networks to help them mitigate this type of attack.
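To make the mechanics concrete, here is a small simulation of the attack described above. It is an added example written for this page, not code from the Newcastle researchers: it models three merchant groups that forward different subsets of the card fields to a toy issuer, an attacker that guesses one field at a time and moves to the next merchant whenever one locks the card, and an issuer that either ignores or counts failed authorisations across all merchants. The card record, the 3-digit numeric postcode field, the candidate ranges, the per-merchant attempt limit of 20 and the pool sizes are all constructed assumptions for the simulation.

```python
"""Toy model of the distributed guessing attack: three merchant groups that
validate different card fields, and an issuer that either does or does not
count failed authorisations across merchants. Added example, not the
researchers' code; all values below are constructed."""

# Constructed card record held by the toy issuer (not a real card). The
# address check is modelled as the numeric part of the postcode only, since
# only numerics are verified; the 3-digit size is an assumption.
PAN = "4000123412341234"
CARD_RECORD = {"expiry": "06/19", "cvv": "417", "postcode_digits": "224"}

# Candidate spaces the attacker enumerates, one field at a time.
FIELD_SPACES = {
    "expiry": [f"{m:02d}/{y:02d}" for y in range(17, 22) for m in range(1, 13)],  # 60
    "cvv": [f"{n:03d}" for n in range(1000)],
    "postcode_digits": [f"{n:03d}" for n in range(1000)],
}
ORDER = ["expiry", "cvv", "postcode_digits"]


class Issuer:
    """Approves a request when every field the merchant chose to send matches."""

    def __init__(self, records, cross_merchant_limit=None):
        self.records = records
        # None reproduces weakness 2: failures arriving from different merchants
        # are never correlated. An integer blocks the card after that many
        # failures in total, whichever merchants they came through.
        self.cross_merchant_limit = cross_merchant_limit
        self.failures = {}
        self.requests = 0

    def authorise(self, pan, fields):
        self.requests += 1
        record = self.records.get(pan)
        if record is None:
            return False
        limit = self.cross_merchant_limit
        if limit is not None and self.failures.get(pan, 0) >= limit:
            return False  # blocked: indistinguishable from a wrong guess
        ok = all(record[k] == v for k, v in fields.items())
        if not ok:
            self.failures[pan] = self.failures.get(pan, 0) + 1
        return ok


class Merchant:
    """Forwards only the fields it validates; locks a card after per_card_limit tries."""

    def __init__(self, name, checked_fields, issuer, per_card_limit):
        self.name, self.checked, self.issuer = name, checked_fields, issuer
        self.per_card_limit = per_card_limit
        self.attempts = {}

    def checkout(self, pan, guess):
        n = self.attempts.get(pan, 0)
        if n >= self.per_card_limit:
            return "locked"
        self.attempts[pan] = n + 1
        sent = {k: guess[k] for k in self.checked}  # weakness 1: merchant picks the fields
        return "ok" if self.issuer.authorise(pan, sent) else "declined"


def submit(pool, pan, guess):
    """Send one guess to the first merchant in the pool that still accepts this card."""
    while pool:
        result = pool[0].checkout(pan, guess)
        if result != "locked":
            return result
        pool.pop(0)  # this merchant locked the card; spread the rest elsewhere
    return "exhausted"


def distributed_guess(pan, merchants_by_field):
    """Recover each field using the merchant group that validates exactly one more field."""
    known = {}
    for fld in ORDER:
        pool = list(merchants_by_field[fld])
        hit = None
        for cand in FIELD_SPACES[fld]:
            result = submit(pool, pan, dict(known, **{fld: cand}))
            if result == "exhausted":
                return known, f"stopped: every merchant in the pool locked the card during {fld}"
            if result == "ok":
                hit = cand
                break
        if hit is None:
            return known, f"stopped: no candidate for {fld} was accepted"
        known[fld] = hit
    return known, "complete"


def build_scenario(cross_merchant_limit=None, per_card_limit=20):
    """Five group-1, sixty group-2 and sixty group-3 merchants sharing one issuer (assumed sizes)."""
    issuer = Issuer({PAN: CARD_RECORD}, cross_merchant_limit)
    groups = {
        "expiry": [Merchant(f"g1-{i}", ("expiry",), issuer, per_card_limit) for i in range(5)],
        "cvv": [Merchant(f"g2-{i}", ("expiry", "cvv"), issuer, per_card_limit) for i in range(60)],
        "postcode_digits": [Merchant(f"g3-{i}", ("expiry", "cvv", "postcode_digits"),
                                     issuer, per_card_limit) for i in range(60)],
    }
    return issuer, groups


def run(cross_merchant_limit=None):
    """Returns (recovered fields, status, total authorisation requests seen by the issuer)."""
    issuer, groups = build_scenario(cross_merchant_limit)
    known, status = distributed_guess(PAN, groups)
    return known, status, issuer.requests


if __name__ == "__main__":
    for limit in (None, 10):
        known, status, n = run(limit)
        print(f"issuer cross-merchant limit={limit}: {status}, {n} requests, recovered {known}")
```

Two things stand out when this runs. With the issuer not correlating failures, every merchant's per-card lock of 20 attempts is irrelevant: the attacker simply rotates to the next merchant in the group and recovers expiry, CVV and the numeric address field in a few hundred requests in total. With the issuer counting failed authorisations across all merchants and blocking the card after ten, the oracle disappears: a blocked card declines every candidate, including the correct one, so the attacker cannot even finish the expiry field. That is why the merchant-side attempt limits mentioned above narrow the attack but do not close it, and why the remaining work is with the banks and payment networks.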
As we’ve seen, this vulnerability comes to light because online retailers prioritise convenience (not requiring all the card data, and allowing unlimited verification attempts) over security. This revisits a running theme for us: the trade-off between security and usability.
Would you be deterred from making a purchase if the retailer used extra payment gateway checks such as 3D-Secure?
© Newcastle University