
Academics link payment card vulnerability to Tesco Bank cyber heist

UK academics uncover a vulnerability in online payment systems, which they say could have been used in the Tesco Bank cyber heist

Researchers at Newcastle University have uncovered a payment card vulnerability that can be exploited to carry out fraudulent transactions online.

An investigation of the top 400 online merchants’ payment sites revealed that a “distributed guessing attack” can be used to work out the card number, expiry date and security code of any Visa card.

This attack subverts the card validation mechanisms of websites to help attackers generate all the security data fields required to make an online transaction, the researchers said in an academic paper.

The researchers believe this attack method was probably used to defraud Tesco Bank customers of £2.5m in November 2016, according to The Guardian.

The researchers said this guessing attack method was “frighteningly easy” for anyone with a laptop and internet connection.

The researchers found that attackers can exploit the fact that payment sites use different security checks to build software tools to carry out a distributed guessing attack that uncovers payment card details one field at a time.

Each field can be used in succession to generate the next field by using a different merchant’s website, the researchers said. Experiments revealed this could be done in as little as six seconds.

The software tools generate different variations of a card’s security data and then test the combinations across thousands of websites worldwide until a working combination is found.

The researchers believe the impact of their discovery is substantial because the card details can be used to transfer money from a victim’s bank account to an anonymous recipient overseas using a financial services firm.

Vulnerable commercial websites

The study, conducted using payment cards from Visa and MasterCard, found that Visa cards were vulnerable because they do not enforce centralised checks across transactions from different sites.

However, MasterCard’s centralised network detects the guessing attack after fewer than 10 attempts, even when these are across multiple websites, the researchers found.

The few online retailers that used the Verified by Visa service for an additional layer of protection were safe from this kind of attack, the researchers said.

Several websites, including some of the largest and most popular in the world, have changed their approach to online payment processing after the academics presented their findings to them before going public.

Out of the 400 commercial websites chosen for the investigation, only 389 provided enough information to be usable. Of these, 47 made use of additional security, making them safe from the attack, but 342 were found to be vulnerable.

Banks must work together to protect customers, says Tesco Bank

This type of attack could be prevented by standardisation or centralisation, the academics said. Standardisation would mean that all merchants need to offer the same payment interface that requires the same payment card information.

Centralisation can be achieved by payment gateways or card payment networks maintaining a full view over all payment attempts associated with their network.

“Neither standardisation nor centralisation naturally fit the flexibility and freedom of choice one associates with the internet or successful commercial activity, but they will provide the required protection,” the research paper said.
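To make the centralisation argument concrete, the following is an added illustration (not code from the Newcastle researchers, Visa, MasterCard or any other party named in the article). It simulates a stream of failed card-data checks for one card, spread round-robin across many merchant sites, and runs it through two monitors: one where each merchant counts failures on its own, and one where a network-level counter sees every attempt. The merchant names, the flag threshold of 10 and the attempt stream are all constructed values; no card values are generated or tested.

```python
"""
Per-merchant versus network-wide failure counting for card-not-present
checks. Constructed example: merchant names, threshold and the attempt
stream are assumed values, not data from the article or any card network.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed threshold at which a card is flagged. The article reports the
# centralised network detecting the pattern after fewer than 10 attempts.
FLAG_THRESHOLD = 10


@dataclass
class Attempt:
    merchant: str     # merchant site that submitted the check (constructed)
    pan_last4: str    # card identifier for the simulation (constructed)
    field_name: str   # which data field the attempt was probing
    ok: bool          # whether the submitted value was accepted


@dataclass
class PerMerchantMonitor:
    """Each merchant counts failures for a card on its own. A campaign that
    spreads attempts across many merchants never pushes any single counter
    to the threshold, so nothing is flagged."""
    threshold: int = FLAG_THRESHOLD
    failures: dict = field(default_factory=lambda: defaultdict(int))

    def observe(self, a: Attempt) -> bool:
        """Return True if this attempt causes the card to be flagged."""
        if a.ok:
            return False
        key = (a.merchant, a.pan_last4)
        self.failures[key] += 1
        return self.failures[key] >= self.threshold


@dataclass
class NetworkMonitor:
    """One failure counter per card across every merchant on the network,
    so distributing the attempts does not dilute the count."""
    threshold: int = FLAG_THRESHOLD
    failures: dict = field(default_factory=lambda: defaultdict(int))

    def observe(self, a: Attempt) -> bool:
        """Return True if this attempt causes the card to be flagged."""
        if a.ok:
            return False
        self.failures[a.pan_last4] += 1
        return self.failures[a.pan_last4] >= self.threshold


def build_distributed_stream(n_attempts: int, n_merchants: int, card: str) -> list:
    """Constructed stream: n_attempts failed checks on one card, rotated
    round-robin across n_merchants distinct merchant sites. Only the arrival
    pattern is modelled; the values tried are not represented at all."""
    merchants = [f"merchant-{i:03d}.example" for i in range(n_merchants)]
    return [
        Attempt(merchant=merchants[i % n_merchants], pan_last4=card,
                field_name="expiry", ok=False)
        for i in range(n_attempts)
    ]


def first_flag_index(monitor, stream: list):
    """Index of the attempt at which the monitor first flags the card,
    or None if it never does."""
    for i, a in enumerate(stream):
        if monitor.observe(a):
            return i
    return None


def compare(n_attempts: int = 300, n_merchants: int = 100) -> dict:
    """Run the same stream through both monitors and report when each flags."""
    stream = build_distributed_stream(n_attempts, n_merchants, card="0000")
    return {
        "per_merchant": first_flag_index(PerMerchantMonitor(), stream),
        "network_wide": first_flag_index(NetworkMonitor(), stream),
    }


if __name__ == "__main__":
    # With 300 failures spread over 100 merchants, each merchant sees only 3,
    # so the per-merchant monitor never flags; the network monitor flags at
    # the 10th failure (index 9).
    print(compare())
```

The point of the comparison is the one the article makes: a velocity check that lives inside a single merchant's checkout is blind to attempts it never sees, whereas a counter held at the gateway or network level is reached by every attempt regardless of where it originated. Collapse the stream onto a single merchant (`compare(n_merchants=1)`) and both monitors flag at the same point, which is why the attack only pays off when it is distributed.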

Visa said it welcomes industry and academic efforts to identify and address perceived vulnerabilities in the payment system, but that the research did not take into account the multiple layers of fraud prevention that exist in the payments system.

Visa said in a statement that it was “committed to keeping fraud at low levels, and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally”.

“We provide issuers with the necessary data to make informed decisions on the risk of transactions. There are also steps that merchants and issuers can take to thwart brute force attempts,” Visa said.

In cases where card details are used fraudulently, Visa said the cardholder is protected from liability, and where a merchant chooses not to use the Verified by Visa system for a card-not-present transaction, the merchant assumes the risk for fraud.

Tesco Bank, which refunded all those affected by fraudulent transactions, said the incident has highlighted that banks need to work together in the interests of customers and the financial system.

