1

Topic: Fundamental vulnerability of the VISA system

How it takes just six seconds to hack a credit card

Mohammed explains: "Most hackers will have got hold of valid card numbers as a starting point but even without that it's relatively easy to generate variations of card numbers and automatically send them out across numerous websites to validate them." The next step is the expiry date. Banks typically issue cards that are valid for 60 months so guessing the date takes at most 60 attempts. "The CVV is your last barrier and theoretically only the card holder has that piece of information - it isn't stored anywhere else." But guessing this three-digit number takes fewer than 1,000 attempts. Spread this out over 1,000 websites and one will come back verified within a couple of seconds. And there you have it - all the data you need to hack the account.

I would never have thought that credit cards could be cracked by a search method, and in just a few seconds.

2

Re: Fundamental vulnerability of the VISA system

Hello, Lazytech, you wrote:
L> I would never have thought that credit cards could be cracked by a search method, and in just a few seconds.
In theory, the system should provide the classic time delay between repeated authorization attempts, at least 15-30 seconds. In that case it makes no difference whether it is one site or a thousand. If that is not there, it really is a hole.

3

Re: Fundamental vulnerability of the VISA system

Hello, Evgenie Muzychenko, you wrote:
EM> In theory, the system should provide the classic time delay between repeated authorization attempts, at least 15-30 seconds. In that case it makes no difference whether it is one site or a thousand. If that is not there, it really is a hole.
Well, since it gets cracked successfully, that means the classic time delay is not there. By the way, the article says that a MasterCard card cannot be cracked by a similar method. "MasterCard's centralized network was able to detect the guessing attack after less than 10 attempts - even when those payments were distributed across multiple networks," says Mohammed.

4

Re: Fundamental vulnerability of the VISA system

Hello, Lazytech, you wrote:
L> How it takes just six seconds to hack a credit card
L> Mohammed explains: "Most hackers will have got hold of valid card numbers as a starting point but even without that it's relatively easy to generate variations of card numbers and automatically send them out across numerous websites to validate them." The next step is the expiry date. Banks typically issue cards that are valid for 60 months so guessing the date takes at most 60 attempts.
L> "The CVV is your last barrier and theoretically only the card holder has that piece of information - it isn't stored anywhere else." But guessing this three-digit number takes fewer than 1,000 attempts. Spread this out over 1,000 websites and one will come back verified within a couple of seconds. And there you have it - all the data you need to hack the account.
L> I would never have thought that credit cards could be cracked by a search method, and in just a few seconds.
What does "crack" mean? You have obtained this information, and what will you do with it next?

5

Re: Fundamental vulnerability of the VISA system

Hello, Lazytech, you wrote:
L> I would never have thought that credit cards could be cracked by a search method, and in just a few seconds.
So SMS authorization is already everywhere, though .

6

Re: Fundamental vulnerability of the VISA system

Hello, vsb, you wrote:
vsb> What does "crack" mean? You have obtained this information, and what will you do with it next?
define:

7

Re: Fundamental vulnerability of the VISA system

Hello, Sharov, you wrote:
S> So SMS authorization is already everywhere, though .
If anything, it's not my scooter.
P.S. Found a five-year-old article:  card number, CVV2 and validity period via the Master Bank site / Habrahabr

8

Re: Fundamental vulnerability of the VISA system

Hello, Lazytech, you wrote:
vsb>> What does "crack" mean? You have obtained this information, and what will you do with it next?
L> define:
Without the 3DS password or a PIN code you will not be able to withdraw this money anywhere reliably. The person sees an SMS about a transfer they did not make, calls the bank, blocks the card and cancels the payment (and the bank you transferred to will in any case hold this money in the unit and not let you withdraw it until all the  payment periods have passed). The most you can do is create a small headache for the card owner.

9

Re: Fundamental vulnerability of the VISA system

Hello, vsb, you wrote:
vsb> Without the 3DS password or a PIN code you will not be able to withdraw this money anywhere reliably. The person sees an SMS about a transfer they did not make, calls the bank, blocks the card and cancels the payment (and the bank you transferred to will in any case hold this money in the unit and not let you withdraw it until all the  payment periods have passed). The most you can do is create a small headache for the card owner.
Understood. If anything, on this question I am not only not an expert but altogether a theorist. It just struck me as curious that, as it turns out, there are still automated methods for mass cracking of payment cards.
P.S. A two-year-old article: How and why e-commerce shops get "broken" / Pentestit company blog / Habrahabr
One of the comments:
Klaster on November 18th 2014 at 02:18
Western shops do not ask for additional authorization; I pay with the same card in our shop, and it is necessary  from , for confirmation, ,  at , , whereas WoW does not ask for such things, they simply debit the money and that's it, noted yes. In this case, as I understood it, ours are being over-cautious.

10

Re: Fundamental vulnerability of the VISA system

Hello, Lazytech, you wrote:
L> One of the comments:
L> Klaster on November 18th 2014 at 02:18
L> Western shops do not ask for additional authorization; I pay with the same card in our shop, and it is necessary  from , for confirmation, ,  at , , whereas WoW does not ask for such things, they simply debit the money and that's it, noted yes. In this case, as I understood it, ours are being over-cautious.
Well, if you pay in WoW or DigitalOcean and the payment is reversed tomorrow, obviously they will likewise freeze your account until the circumstances are cleared up, so you will get nothing out of it. It is possible to find some little shop on , order some nonsense, and if they manage to ship it before the payment is reversed, yes, you will receive this nonsense and the little shop takes a small loss. To cash out serious sums you already need schemes. Surely some exist, but they don't write about them on . Well, one could rent a heap of virtual machines on some cloud, launch  on them and, until they get blocked, squeeze out however many  you can. Or sell these cards for kopecks to spammers; for example, they create an account in WoW, pay for it and go spam advertising in the game until it gets blocked. But it is definitely not the case that you just take all the money and put it in your pocket.

11

Re: Fundamental vulnerability of the VISA system

Hello, Evgenie Muzychenko, you wrote:
EM> In that case it makes no difference whether it is one site or a thousand. If that is not there, it really is a hole.
? While one site is conducting a transaction, the rest should wait? If we are talking about  brute-forcing the data for a specific card number, that is no panacea either. It is possible to scale in breadth: suppose a check on a site takes 1-2 seconds. Take 60/2 (expiry) * 1000/2 (CVV) numbers that pass the CRC check and are potential credit card numbers. Total 15,000. In exactly those 15-30 seconds it is possible to do one more check for each number. That means in 4-8 hours 15,000 numbers will be processed with the CVV and expiry date brute-forced. That is not so little, considering that, according to Wikipedia, the first 6 digits are the bank ID and the last is the CRC. Also the type of payment system (Visa/Mastercard/etc.) is probably stored somewhere (too lazy to search). I.e. the pool of card numbers at each bank is only 1. pieces in total. I will not be surprised, by the way, if this pool is additionally divided into segments, and cards in each time frame are issued only with numbers from one (or only a few) segment(s) (). The  credit card generator

12

Re: Fundamental vulnerability of the VISA system

Hello, IID, you wrote:
IID> While one site is conducting a transaction, the rest should wait?
For a card with the same number, unconditionally yes.
IID> If we are talking about  brute-forcing the data for a specific card number, that is no panacea either.
There are no panaceas. There are adequate countermeasures.
IID> It is possible to scale in breadth:
Payment systems should have statistics on requests and on the distribution of successes/refusals; it should be close to normal. Attacks of this kind produce a sharp change in the distribution, and the system should react to it. Attacks that fit within the normal distribution will, by definition, not be effective.
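A defender-side illustration of the centralized detection this reply describes (an added example, not code from the thread or from any payment network): it processes a constructed authorization log the way a network, rather than a single merchant, sees it, flags any card number that collects ten or more declines across merchants inside a window (the "fewer than 10 attempts" figure quoted for MasterCard), and checks the network-wide decline rate against a baseline. The log format, thresholds and baseline are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed authorization log as a centralized payment network would see it:
# (timestamp, masked PAN, merchant id, decline reason or None when approved).
# Card 4111... gets one CVV-mismatch decline from each of 12 different merchants
# within 12 seconds (guesses spread across sites); card 5555... is ordinary traffic.
SAMPLE_LOG = [("2016-12-02T10:00:%02d" % i, "4111******1111",
               "shop-%02d" % i, "cvv_mismatch") for i in range(12)]
SAMPLE_LOG += [
    ("2016-12-02T10:00:03", "5555******4444", "shop-00", None),
    ("2016-12-02T10:05:00", "5555******4444", "shop-01", "cvv_mismatch"),
    ("2016-12-02T10:05:30", "5555******4444", "shop-01", None),
]

MAX_FAILURES_PER_PAN = 10   # assumed threshold: react long before ~1000 CVV guesses
WINDOW = timedelta(hours=1)  # assumed sliding window

def flag_guessing(log, max_failures=MAX_FAILURES_PER_PAN, window=WINDOW):
    """Per-PAN velocity check counted across ALL merchants.
    Returns {pan: set of merchants involved} for every PAN that accumulated
    max_failures or more declines inside the sliding window. Counting at the
    network rather than at each merchant is what defeats spreading the
    guesses over a thousand sites."""
    recent = defaultdict(list)
    flagged = {}
    for ts, pan, merchant, reason in sorted(log, key=lambda e: e[0]):
        if reason is None:
            continue
        now = datetime.fromisoformat(ts)
        q = recent[pan]
        q.append((now, merchant))
        while now - q[0][0] > window:   # drop declines that fell out of the window
            q.pop(0)
        if len(q) >= max_failures:
            flagged[pan] = {m for _, m in q}
    return flagged

def decline_rate(log):
    """Share of declined authorizations in the log (0.0 for an empty log)."""
    return sum(1 for e in log if e[3] is not None) / len(log) if log else 0.0

def distribution_shifted(log, baseline, tolerance):
    """Network-wide check: True when the observed decline rate departs from the
    historical baseline by more than tolerance, i.e. the sharp change in the
    success/refusal distribution that a guessing campaign produces."""
    return abs(decline_rate(log) - baseline) > tolerance

if __name__ == "__main__":
    print(flag_guessing(SAMPLE_LOG), distribution_shifted(SAMPLE_LOG, 0.05, 0.10))
```

A merchant-side delay alone cannot produce the first signal, because each merchant sees only one failure per card; only the issuer or the network holds the cross-merchant view.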

13

Re: Fundamental vulnerability of the VISA system

Hello, Lazytech, you wrote:
L> It just struck me as curious that, as it turns out, there are still automated methods for mass cracking of payment cards.
And there are still magnetic stripes (an old hole in security) and contactless payment (a new hole in security). Plus, not everyone has a mobile banking service, and even if they do, it is not a given that the person sees the . And, of course, quick payment via , and after all on a smartphone with the necessary permissions applications fully control them and may not show the owner of the device the transfer to the attacker at all. Or the good old social engineering: you call and ask the person for the code for an operation that they themselves initiated. In fact, the security arrangement of plastic cards is full of holes through and through. And whoever says otherwise will advise you to call the bank, and so on. And as a result we see a heap of comments on the Internet from clients about how the bank sent them away with their claims. In mobile banking at least two-factor authentication is used, that is, if you log in from one device and receive the  on another, it is still all right. But plastic is plastic: the risks can be lowered, but they cannot be eliminated completely. You can disable quick payments via , use mobile banking for notifications about operations, not give your card details to dubious shops, not use a card for storing money, and use separate accounts and deposits for that purpose. And then, you know, the saleswoman's hand slips and types an extra zero or two at the end. Though all of this is not so important, since after all the biggest thief in the country sits at the top. People try to save their pitiful savings, which are only dust under his feet.

14

Re: Fundamental vulnerability of the VISA system

Hello, velkin, you wrote:
V> In mobile banking at least two-factor authentication is used, that is, if you log in from one device and receive the  on another, it is still all right.
No, none of that is any good any more, both in the case of one device for login and for obtaining the one-time password (OTP), and in the case of several. This year so many approaches to breaking SMS-based 2FA, even in the second case, have been shown that NIST issued an article urging to abandon the use of SMS as a channel for OTP passwords, and also made corresponding changes to the Digital Authentication Guideline standard....

15

Re: Fundamental vulnerability of the VISA system

S> So SMS authorization is already everywhere, though .
Well, in Russia or Europe, maybe. In the States it is a rare rarity.

16

Re: Fundamental vulnerability of the VISA system

Hello, watchyourinfo, you wrote:
W> In the States it is a rare rarity.
So everything is bad?

17

Re: Fundamental vulnerability of the VISA system

Hello, Sharov, you wrote:
S> So SMS authorization is already everywhere, though .
W>> Well, in Russia or Europe, maybe.
W>> In the States it is a rare rarity.
S> So everything is bad?
Judging by the articles, in the USA they still swipe cards on the magnetic stripe. And on the whole, some recommend destroying it, since in countries such as Russia the chip is enough.

18

Re: Fundamental vulnerability of the VISA system

Hello, kochetkov.vladimir, you wrote:
KV> No, none of that is any good any more, both in the case of one device for login and for obtaining the one-time password (OTP), and in the case of several.
First you have to hack the computer on which the login and password are entered, then the device receiving the  that gives the temporary code for authorizing the user on the bank's site. Then the client performs the desired operations and again receives an  for each of them. Basically not such a bad scheme, since the  here is not the principal but an additional condition, in case the computer is hacked. And in practice we see a heap of all sorts of "conveniences". Payments purely via , that is, one channel, and moreover . Or everything is done from one device, for example from a smartphone. All right, there's the magnetic stripe, which attackers copy, but there at least they have to bother with a skimmer. But take at least contactless payment: they simply take and pull the money out of the card. And what solution did  come up with: a foil sleeve.

19

Re: Fundamental vulnerability of the VISA system

Hello, kochetkov.vladimir, you wrote:
KV> No, none of that is any good any more, both in the case of one device for login and for obtaining the one-time password (OTP), and in the case of several. This year so many approaches to breaking SMS-based 2FA, even in the second case, have been shown that NIST issued an article urging to abandon the use of SMS as a channel for OTP passwords, and also made corresponding changes to the Digital Authentication Guideline standard.
Generally, the idea of performing the operation on a device and receiving the confirmation with the help of that same device, even to my  eye, seems fundamentally flawed; the one-time password here adds not protection but only hassle.

20

Re: Fundamental vulnerability of the VISA system

Hello, velkin, you wrote:
V> Judging by the articles, in the USA they still swipe cards on the magnetic stripe. And on the whole, some recommend destroying it, since in countries such as Russia the chip is enough.
And in "Lerua" is it already possible to pay with the chip? The last time I bought something there, as always, they swiped the magnetic stripe and asked for a signature.

21

Re: Fundamental vulnerability of the VISA system

Hello, velkin, you wrote:
V> Judging by the articles, in the USA they still swipe cards on the magnetic stripe. And on the whole, some recommend destroying it, since in countries such as Russia the chip is enough.
If you destroy the magnetic stripe, the card will not be accepted by a cash machine. Because it first reads the magnetic stripe and only then reads the chip. On the magnetic stripe there is a flag indicating whether the card has a chip. But payment at terminals goes through normally: at terminals the card is inserted by the chip right away.