There are well-specified rules for coming up with valid credit card account numbers, and at most, say, 60 valid expiration dates (12 months × 5 years into the future).<p>Once an attacker has a valid credit card number and expiration date, there are only 10⁴ = 10,000 four-digit security codes possible, which the attacker tries with parallel requests to hundreds of websites. Each website gives the attacker at least a few tries to enter valid credit card information.<p>Worst case, it takes only 10,000 parallel requests to guess the correct security code. Worst case.<p>I don't know whether to cringe or laugh at this.
So criminals can guess a valid CC/CVC/Zip in 6 seconds, and merchants that get nothing but green lights across the board from their credit card processor will be left holding the bag when the card holder disputes the charge.<p>Merchants doing everything they can need better protection from this crap.
Shouldn't this be easy to detect, though? Every attempt to use a credit card number online involves a request to the bank providing that card to determine if it's valid, right? So the bank would see thousands of attempts across hundreds of websites for the same card number in a matter of seconds, which is clearly impossible for a human, and flag the card as "stolen".<p>Or maybe I'm just way too optimistic about how this all works.
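One way an issuer could implement the detection this comment asks about, as an added example that is not from the paper or any commenter (the attempt log and thresholds are constructed): a per-card sliding window over failed CVV checks that flags a card once failures arrive from too many distinct merchants, or too often, within a few seconds.

```python
from collections import defaultdict, deque

# Constructed sample of issuer-side authorization attempts (not real data).
# Fields: seconds since start, card token, merchant id, CVV check result.
SAMPLE_ATTEMPTS = [
    (0.0, "card-A", "shop-01", "fail"),
    (0.4, "card-A", "shop-02", "fail"),
    (0.9, "card-A", "shop-03", "fail"),   # third distinct merchant -> flagged
    (1.3, "card-A", "shop-04", "fail"),
    (2.0, "card-B", "shop-01", "fail"),   # one typo at one shop...
    (9.0, "card-B", "shop-01", "pass"),   # ...then the right code: legitimate
    (0.0, "card-C", "shop-05", "fail"),   # failures 60 s apart never add up
    (60.0, "card-C", "shop-06", "fail"),  # inside a single 10 s window
    (120.0, "card-C", "shop-07", "fail"),
]

class DistributedGuessDetector:
    """Sliding-window counter keyed by card token: flags a card when its
    recent failed CVV checks span too many merchants or are too frequent."""
    def __init__(self, window=10.0, max_failures=5, max_merchants=3):
        self.window = window
        self.max_failures = max_failures
        self.max_merchants = max_merchants
        self.recent = defaultdict(deque)   # card -> deque of (ts, merchant)
        self.flagged = {}                  # card -> ts at which it was flagged

    def observe(self, ts, card, merchant, result):
        """Feed one attempt (per card, in time order); True if card is flagged."""
        if result != "fail":
            return card in self.flagged
        q = self.recent[card]
        q.append((ts, merchant))
        while q and ts - q[0][0] > self.window:   # drop entries outside window
            q.popleft()
        merchants = {m for _, m in q}
        if card not in self.flagged and (
            len(q) >= self.max_failures or len(merchants) >= self.max_merchants
        ):
            self.flagged[card] = ts
        return card in self.flagged

def run(attempts, **thresholds):
    """Replay a batch of attempts; return {card: time flagged}."""
    det = DistributedGuessDetector(**thresholds)
    for ts, card, merchant, result in sorted(attempts):
        det.observe(ts, card, merchant, result)
    return det.flagged
```

Only card-A is flagged: it trips the distinct-merchant rule at 0.9 s, while the single typo on card-B and the slow, widely spaced failures on card-C stay under both thresholds.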
The power of distributed attacks. Of course they can only guess a random correct credit card + exp + code, not yours. Given the relatively limited number of codes for each bank, I wonder what the odds are for them to wind up with yours.
Securing the current protocol for credit card transactions is completely hopeless. It is <i>inherently</i> insecure because the "secret" information used to authorize a transaction is not bound to that transaction, and so it's reusable. Even if you were able to secure the system against brute-force attacks like this one, you can never secure against phishing. The only way to fix it is to change the protocol to one that relies on public-key cryptography and secure digital signatures.<p><a href="http://blog.rongarret.info/2013/02/a-simple-solution-to-credit-card-fraud.html" rel="nofollow">http://blog.rongarret.info/2013/02/a-simple-solution-to-cred...</a>
I'm by no means an expert on this, but I have dealt a little with online transactions from testing responses from a payment processor.<p>The things that needed to match also involved the customer's street address, zip and name. If I recall, these were scored, and if the match wasn't good (zip was entered wrong) the transaction was rejected. Maybe different payment processors have different thresholds for rejecting a transaction?<p><a href="https://help.chargify.com/payment-gateways/Error-FAQ.html" rel="nofollow">https://help.chargify.com/payment-gateways/Error-FAQ.html</a>
A solution that some banks provide is to enable a credit card only for transactions using 3-D Secure [1], in which you are expected to enter a 2FA code sent to your phone by the bank during the transaction into a webpage of the bank that gets opened.<p>Unfortunately, some (most) websites don't support 3-D Secure. I remember that almost all Turkish e-commerce sites I shopped at supported it, but almost none of the American sites supported it.<p>[1]: <a href="https://en.wikipedia.org/wiki/3-D_Secure" rel="nofollow">https://en.wikipedia.org/wiki/3-D_Secure</a>
The paper:<p>Ali, Mohammed Aamir and Arief, Budi and Emms, Martin and van Moorsel, Aad (2016)<p>Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?<p>IEEE Security & Privacy<p><a href="http://eprint.ncl.ac.uk/file_store/production/230123/19180242-D02E-47AC-BDB3-73C22D6E1FDB.pdf" rel="nofollow">http://eprint.ncl.ac.uk/file_store/production/230123/1918024...</a>
That's why you should enable two-factor authentication on your credit card: online transactions would require confirmation with a single-use password you receive by SMS.
These attackers are probably brilliant enough to make their mark in the honest tech business world. I suppose they are driven by the challenge of the crime.
If you total the credit card numbers for any particular card, the answer would be the same. For example, totaling the Visa credit card number might be 32. The hackers would have to guess the 3 sets of numbers if they get the fourth set.<p>So my guess is they would try out different combinations with the available expiry date/CVV number.
This is a good argument to be used against the creditcardization (war on cash[1]) of the world some governments are promoting.<p>[1]: <a href="https://www.google.com.br/search?q=war+on+cash" rel="nofollow">https://www.google.com.br/search?q=war+on+cash</a>