Why distributed guessing attacks worry Visa users

December 9, 2016

Investigating how the Tesco Bank attackers might have operated, researchers at Newcastle University demonstrated a surprisingly fast and efficient method of obtaining the details of a Visa card. Completed in as little as six seconds, the technique, dubbed a distributed guessing attack, lets an attacker who holds only the card number recover the remaining data needed to pay online (the expiry date and the card verification value, CVV) and pose as the cardholder.

Let’s break down this hacking method for better understanding.

The main security feature invalidated by the distributed guessing attack

Much as a login form does, an e-commerce checkout allows only a limited number of failed payment attempts. Every wrong entry of the card expiry date or card verification value (CVV) counts as a failed attempt, and after a handful of them the site stops accepting the card. Thanks to this protection, attackers who did not already hold the correct data, or at least strong clues to it, found it hard to use a card online. The catch is that each site enforces its limit on its own.

With a distributed guessing attack, fraudsters obtain the missing card details by using the multitude of e-commerce websites that accept the card, whether or not the cardholder has ever shopped there. They submit hundreds of payment requests in parallel, each to a different site and each carrying a different guess for the missing field, so that no single site ever sees more than a few failures. By the end of a six-second session of trial and error they hold the correct expiry date and CVV. Access granted.

An attack facilitated by Visa cards

The method described above is simply a matter of arithmetic. Each site blocks a card number after some 10 or 20 failed attempts. Keep the number of attempts on each site under that maximum and no block is ever triggered, so nothing alerts the cardholder. Spread the thousands of guesses needed across hundreds of sites and the correct data ends up in the fraudsters' hands without any card being blocked. The guessing is cheaper still because different sites ask for different fields: a site that asks only for the card number and expiry date lets the attacker settle the expiry date (at most 60 month-year combinations) before moving on to sites that also ask for the CVV (1,000 possibilities), rather than guessing both at once.

Some card networks allow an even smaller number of incorrect attempts and, more importantly, count them across all merchants rather than per site. This caps the overall number of guesses an attacker can make anywhere on the Internet, so far fewer combinations can be tried and far less useful information is harvested in the process. As PC World reports, MasterCard detects the failed authorization attempts across merchants and blocks the card after only 10 of them.

Therefore, the absence of a hard, network-wide limit on the number of failed attempts allowed per card number made Visa cards an easier target than others; the Newcastle University researchers found that only the Visa network presented this particular vulnerability. Nevertheless, it was the simplicity of the method, and the way it turns the sheer size of the Internet to the attackers' advantage, that drew so much attention to the study.
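To make the arithmetic above concrete, here is an added Python simulation. It is not code from the Newcastle University study or from this page; the target card, the 100 merchant sites, the fields each one collects and their per-card limits are all constructed, and nothing contacts a real payment network. It models both behaviours the article contrasts: sites that each count failures only for themselves, which an attacker defeats by spreading guesses so no site reaches its limit, and a network that counts failures across all merchants and blocks the card after 10, which stops the attack before the expiry date is even found.

```python
import itertools
from dataclasses import dataclass, field
from typing import Optional

# Constructed target card. The attacker is assumed to know only the PAN.
CARD_PAN = "4111111111111111"   # standard Visa test number, not a real account
CARD_EXPIRY = (9, 2019)         # (month, year): at most 5 years x 12 months = 60 guesses
CARD_CVV = "123"                # three digits: at most 1000 guesses


class CardBlocked(Exception):
    """The network refuses any further authorization for this card number."""


@dataclass
class Network:
    """Card network. central_limit=None means failures are not counted across
    merchants (Visa as described in the study); central_limit=10 models the
    MasterCard behaviour the article cites."""
    central_limit: Optional[int]
    failures: dict = field(default_factory=dict)

    def authorize(self, pan, expiry=None, cvv=None):
        if self.central_limit is not None and self.failures.get(pan, 0) >= self.central_limit:
            raise CardBlocked(pan)
        # A field the merchant did not collect is simply not checked.
        ok = (expiry is None or expiry == CARD_EXPIRY) and (cvv is None or cvv == CARD_CVV)
        if not ok:
            self.failures[pan] = self.failures.get(pan, 0) + 1
        return ok


@dataclass
class Merchant:
    """An e-commerce site that rate limits failed payments per card on its own."""
    name: str
    fields: tuple           # card fields the checkout form collects
    per_card_limit: int     # failed attempts per card before the site refuses
    network: Network
    failures: dict = field(default_factory=dict)

    def try_payment(self, pan, expiry=None, cvv=None):
        if self.failures.get(pan, 0) >= self.per_card_limit:
            return None     # site refuses; nothing reaches the network
        ok = self.network.authorize(pan,
                                    expiry if "expiry" in self.fields else None,
                                    cvv if "cvv" in self.fields else None)
        if not ok:
            self.failures[pan] = self.failures.get(pan, 0) + 1
        return ok


def guess_field(merchants, pan, candidates, args_for):
    """Spread guesses round-robin over merchants so no single site sees more
    than its per-card limit. Returns the guess that authorized, or None when
    the candidates or the usable merchants run out."""
    live = list(merchants)
    cand = iter(candidates)
    while live:
        for m in list(live):
            try:
                value = next(cand)
            except StopIteration:
                return None
            result = m.try_payment(pan, **args_for(value))
            if result is None:              # site exhausted: retry the guess elsewhere
                live.remove(m)
                cand = itertools.chain([value], cand)
            elif result:
                return value
    return None


def run_attack(central_limit):
    """Recover expiry then CVV for CARD_PAN across 100 constructed merchants.
    Returns ((expiry, cvv), total failed authorizations), or None if the
    network blocks the card before the attacker finishes."""
    net = Network(central_limit)
    merchants = [Merchant(f"shop{i}", ("expiry",) if i % 2 else ("expiry", "cvv"),
                          (5, 10, 20)[i % 3], net) for i in range(100)]
    expiry_sites = [m for m in merchants if "cvv" not in m.fields]
    cvv_sites = [m for m in merchants if "cvv" in m.fields]
    try:
        # Phase 1: sites that ask only for number and expiry leak the expiry date.
        expiries = [(mo, yr) for yr in range(2016, 2021) for mo in range(1, 13)]
        expiry = guess_field(expiry_sites, CARD_PAN, expiries, lambda e: {"expiry": e})
        if expiry is None:
            return None
        # Phase 2: with the expiry known, sites that also ask for the CVV leak it.
        cvv = guess_field(cvv_sites, CARD_PAN, (f"{n:03d}" for n in range(1000)),
                          lambda c: {"expiry": expiry, "cvv": c})
        if cvv is None:
            return None
        return (expiry, cvv), sum(net.failures.values())
    except CardBlocked:
        return None


if __name__ == "__main__":
    print("per-site limits only  :", run_attack(None))   # card details recovered
    print("network-wide limit 10 :", run_attack(10))     # None: card blocked
```

With per-site limits only, the attacker recovers the expiry date after 44 wrong guesses and the CVV after a further 123, for 167 failed authorizations in total, yet no single one of the 100 sites sees more than three failures, so none of them ever blocks the card. With a network-wide counter the eleventh failed authorization is refused and the attacker never gets past the expiry phase. The detection side is the same arithmetic seen from the network: a per-card failure count kept across merchants, not per merchant, is what makes the difference.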

The Tesco Bank connection

The Newcastle University team suggests that this method may have played a crucial role in the Tesco Bank hack. In their reading, the attack that “affected 9,000 customers and resulted in the theft of £2.5m” was more likely the result of clever guesswork than of a technically sophisticated break-in.

The study itself covered 400 of the most popular online retail websites. The 47 that protected payments with 3-D Secure (Verified by Visa) proved immune. The rest of the sites examined, 342 of them, allowed the details of a Visa card to be recovered.

Putting the two events together, the hack and the study, gives us a clearer picture of the attack, but it also raises further questions. Given that the Tesco Bank hack was one of the most severe of its kind to hit the UK banking sector, reported at the time as affecting 20,000 accounts, we wonder whether all of those accounts were Visa-based.

Most likely, the investigation into the Tesco case will eventually detail how it all happened, unless it is decided to keep the details private so that they do not serve as inspiration for further attacks.

How can consumers protect themselves from this type of attack?

One of the study's co-authors, Dr. Martin Emms, advises consumers on how to reduce the risks of managing online shopping accounts. As with any modern convenience, electronic and online payments bring extra responsibilities. Staying informed and vigilant is important.

Funds held on the card account should, whenever possible, be kept to a minimum, and so should the spending limit. Regular checks of the balance and bank statements are useful: for the ordinary consumer it should be easy to keep track of the last month's payments just by reviewing the list of transactions, and no odd entry should be ignored.

Studies such as the one from the Newcastle University team point out vulnerabilities that card companies may or may not choose to remedy. In the meantime, those of us who are more security-conscious can restrict the use of the more vulnerable accounts or devices.

Cyber-vulnerabilities in an interconnected world

It may be that some companies are not trying hard enough to protect their customers. As other studies have revealed, there are websites that do not employ the safest security measures for their user accounts.

Depending on the issues uncovered, and on how quickly the flaws are remedied, consumers may decide to switch providers over security concerns.

The fact is that in today's interconnected world, one particular vulnerability can branch out into many points of risk. Even when a hacking incident is almost forgotten, new consequences may still appear.

Ensuring that each and every potential entry point is protected is therefore extremely important. We are all responsible for our devices and our banking operations; leaving them weakly protected can have dire consequences for the owners as well as for others.