Mohammed Aamir explains how easy it can be for fraudsters to find out your CVV.
In this video Mohammed Aamir Ali explains recent work at Newcastle University which has exposed flaws in the VISA payment system. Mohammed describes the vulnerabilities involved and finishes by describing steps that have been taken to improve the payments system.
We’ve seen in previous steps how the world of online payments involves a number of parties: the online merchant, the payment gateway, the credit card company’s payment network, and the customer’s card issuing bank, all of whom have responsibilities as well as a financial stake in the transaction. We then looked at how the online retailer makes choices in designing their payment systems, to strike a balance between security against fraud, and ease of use for customers.
Mohammed describes how the customer needs to provide data to the retailer to confirm they are the cardholder: this data includes the cardholder name, the 16-digit card number, the expiry date, the CVV (card verification value, the three-digit code printed on the reverse of the card) and the cardholder address. Because different websites verify different subsets of this data, an attacker can reconstruct all of the cardholder data needed for a purchase by a “distributed guessing” attack. Mohammed shows how two weaknesses combine to make this possible: first, different groups of merchants verify only a subset of the cardholder data; and second, the payment network permits multiple guesses, because it does not correlate failed attempts on the same card across different merchants. Together these allow the data to be “guessed” one field at a time, by distributing thousands of guesses across a network of online retailers, so that the cost of the attack is the sum of the field sizes rather than their product.
After finding this vulnerability, the researchers at Newcastle University informed the most affected online merchant websites, some of whom have since changed their checkout systems and limited the number of attempts permitted. Researchers are now working with banks and payment networks to help them mitigate this type of attack.
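The attack and the two countermeasures just described can be simulated in a few dozen lines. The following is an added example written for this page, not code from Newcastle University or from the video. It assumes a constructed population of merchants, each verifying either the expiry date alone or the expiry date plus the CVV, each allowing a fixed number of attempts per card; a constructed sample card; a five-year range of candidate expiry dates; and a hypothetical network-side "velocity" check that counts declines per card across all merchants. Those parameters are illustrative, not figures from the research. The example goes slightly beyond the text by also computing the product-versus-sum cost of guessing the fields jointly versus one at a time.

```python
"""Simulation of the distributed guessing attack described on this page.

Added example, not code from Newcastle University or the video. Merchant
behaviours, attempt limits and the sample card are constructed assumptions.
"""
import math
from dataclasses import dataclass, field


@dataclass
class Card:
    pan: str      # 16-digit card number (a well-known test PAN, not a real card)
    expiry: str   # "MM/YY"
    cvv: str      # three digits


@dataclass
class Merchant:
    name: str
    fields: tuple            # subset of ("expiry", "cvv") this checkout verifies
    max_attempts: int        # attempts per card before this site locks out
    attempts: dict = field(default_factory=dict)

    def try_payment(self, network, pan, guess):
        """Return None if this site refuses more attempts, else the network's answer."""
        used = self.attempts.get(pan, 0)
        if used >= self.max_attempts:
            return None
        self.attempts[pan] = used + 1
        return network.authorize(pan, {f: guess[f] for f in self.fields})


class Network:
    """Payment network / issuer. velocity_limit=None reproduces the weakness:
    declines arriving from different merchants are never correlated per card."""

    def __init__(self, cards, velocity_limit=None):
        self.cards = {c.pan: c for c in cards}
        self.velocity_limit = velocity_limit   # hypothetical cross-merchant check
        self.declines = {}
        self.requests = 0

    def authorize(self, pan, fields):
        self.requests += 1
        card = self.cards.get(pan)
        if card is None:
            return False
        if self.velocity_limit is not None and self.declines.get(pan, 0) >= self.velocity_limit:
            return False  # card blocked: too many declines across all merchants
        ok = all(getattr(card, name) == value for name, value in fields.items())
        if not ok:
            self.declines[pan] = self.declines.get(pan, 0) + 1
        return ok


def expiry_candidates(years=("24", "25", "26", "27", "28")):
    """12 months x a handful of plausible years: 60 values (assumed range)."""
    return [f"{m:02d}/{y}" for y in years for m in range(1, 13)]


def cvv_candidates():
    return [f"{n:03d}" for n in range(1000)]


def worst_case_attempts(sizes):
    """Guessing all fields jointly costs the product; one field at a time, the sum."""
    return (math.prod(sizes), sum(sizes))


def guess_field(merchants, network, pan, known, name, candidates):
    """Guess one field using only merchants that verify exactly the fields
    already known plus `name`, moving to the next site when one locks us out."""
    usable = [m for m in merchants if set(m.fields) == set(known) | {name}]
    for value in candidates:
        guess = dict(known, **{name: value})
        for m in usable:
            result = m.try_payment(network, pan, guess)
            if result is None:
                continue          # this site has locked the card; try the next site
            if result:
                return value
            break                 # one decline for this candidate is enough
        else:
            return None           # every usable site has locked the card
    return None


def distributed_guess(merchants, network, pan):
    """Expiry first (sites checking PAN+expiry), then CVV (sites checking
    PAN+expiry+CVV). Returns the recovered fields, or None if the attack fails."""
    known = {}
    plan = (("expiry", expiry_candidates()), ("cvv", cvv_candidates()))
    for name, candidates in plan:
        value = guess_field(merchants, network, pan, known, name, candidates)
        if value is None:
            return None
        known[name] = value
    return known


def build_merchants():
    """Constructed population: 10 sites verifying expiry only and 120 verifying
    expiry plus CVV, each allowing 10 attempts per card before locking out."""
    expiry_only = [Merchant(f"shop{i}", ("expiry",), 10) for i in range(10)]
    expiry_cvv = [Merchant(f"store{i}", ("expiry", "cvv"), 10) for i in range(120)]
    return expiry_only + expiry_cvv


def run(velocity_limit=None):
    """Run the attack against a constructed card; returns (recovered, requests)."""
    card = Card("4111111111111111", "09/25", "123")   # constructed test values
    network = Network([card], velocity_limit=velocity_limit)
    recovered = distributed_guess(build_merchants(), network, card.pan)
    return recovered, network.requests


if __name__ == "__main__":
    print(worst_case_attempts([60, 1000]))   # (60000, 1060)
    print(run())                              # attack succeeds despite per-site lockouts
    print(run(velocity_limit=10))             # cross-merchant velocity check stops it
```

The per-merchant lockout in `Merchant.try_payment` is the countermeasure the affected websites adopted; on its own it only forces the attacker to move on to the next site, which is exactly what `guess_field` does. The attack fails only when the network correlates declines on one card across every merchant, which is what the hypothetical `velocity_limit` models.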
As we’ve seen, this vulnerability comes to light because online retailers prioritise convenience over security: not requiring all of the cardholder data, and allowing repeated attempts without any check that correlates failed attempts on the same card across merchants. This revisits a running theme for us: the trade-off between security and usability.
Would you be deterred from making a purchase if the retailer used extra payment gateway checks such as 3D-Secure?