Security Flaw Found in Visa (But Not MasterCard)

A security vulnerability has been found in Visa cards that does not exist in MasterCard. Basically, it involves the number of times you can try to process a transaction with an incorrect expiration date (or CVV). Visa allows multiple attempts to process a transaction, while Mastercard allows only 10 attempts before the transaction is blocked.

Why does this matter? Because if a computer can make an unlimited number of attempts, then it can try different numbers until it guesses the correct number. In this case, a criminal who illegally purchased a 16-digit credit card number can (literally) guess different month/year combinations until they find the correct information. On average, there are roughly 60 likely month/year combinations that are available for a valid Visa card at any given time.

This process can also be used for the Card Verification Value (CVV), which is a 3-digit code on Visa cards. Mathematically, three digits have exactly 1,000 possible combinations. So, in total, a criminal with a 16-digit credit card number can figure out the corresponding expiration date and CVV in a little over 1,000 attempts, which will take only a few seconds, depending on the processing speed of their computer.

Again, this does not affect Mastercard accounts because Mastercard has a 10-attempt limit before blocking the transaction. If this exploit becomes widespread for Visa, they will probably implement a limit on incorrect attempts to process a transaction. If we get confirmation of that, it will be posted here.

For more details, see Steve Gibson’s Security Now episode 589 (Listener Feedback #244). Here is an excerpt from the transcript:

This is one of these where it’s sort of always been there, and it never occurred to us.  And that is a group of security researchers have figured out how to crack the unknown information on any credit card.  (…) The bad news is not all sites that process credit cards check (all available verification information, like  CVV, address, zip code, etc.).  There are some that only do the absolute minimum, which is the credit card number, known as the PAN, the P-A-N, the Primary Account Number, and the expiration date.  Those two things are the absolute minimum, and it’s all that some sites do.  Some do three fields.  They’ll do the PAN; the expiration date; and that CVV, that verification number, the three digits, sometimes it’s four, printed on the back.  But that is explicitly not in the mag stripe, the idea being that it’s not possible for anyone who electronically reads the card to determine what was printed on the outside.  And then you may have the ‘full monty,’ which is what GRC does, which is the credit card number, expiration date, CVV, and both numeric portions of the physical address, the street number and the postal code.

So what these guys very cleverly realized was, by identifying what things a huge number of ecommerce-enabled sites on the Internet check, they are able to step through and determine all of the fields.  So, for example, there are only 60, six zero, possible expiration dates because cards are only issued with expirations a limited time in the future.  And expiration dates are only granular to the month – 12/2016, for example.  So they’ve identified a large number of sites which only check two fields.

So they just guess.  They put in the credit card number they want to crack, and they try expiration dates from – I don’t know if they did it from now to further out, or start in the middle and go both directions.  There’s probably one strategy that would tend to work more than another.  But the point is there’s only 60 possible expiration dates.  So they’re going to get a success, eventually, on one of those sites.  But they may not want to buy any squirrels today.  So the (less diligent) ecommerce site is not where they want to perpetrate their fraud……….so now they have the expiration date that matches the credit card as approved by the backend verifier.  They cancel the purchase instead of following through with it.  Or maybe they buy something for a dollar.  But basically that allows them to take that first step.  Now they go to a site that checks the credit card number, the expiration date, which they have both of now, and the CVV.  Well, that’s three digits.  So there’s only a thousand of those.  Lots of ecommerce sites.  So they again guess until they get it right.

Now they’re down to the address.  And it’s a little trickier there.  First of all, it should be noted that most sites don’t incorporate address.  That is, just the three fields – the credit card number, the expiration date, and the CVV – they’re regarded as, well, how could a bad guy know that?  That’s got to be secure enough.  So it’s very likely that that’s all they need, then, in order to essentially reverse-engineer the information.  So the weakness comes from the fact that the backend verifier is not smarter, is not as smart as it could be.

It turns out MasterCard processing is.  It will notice 10 global attempts and failures on the same card and lock it down.  Visa, the largest processor/credit card network in the world, has no similar protections.  So MasterCard will tend to thwart this because, if you’ve got to guess…..30 – and maybe 500 CVVs.  Still, now you’re at 530.  And on average guessing a MasterCard locks you out after 10.  So you cannot attack MasterCard that way.  But you can attack Visa that way.  I just thought this was very clever.  I mean, it’s just been, again, one of these things that’s been sitting here in the open that nobody really thought about.

And, for example, GRC also, as I’ve mentioned before, puts a strict limit on the number of anything that happens on our ecommerce system.  That is, I have a counter, and I count up.  And as soon as that thing hits a maximum, I say, I’m sorry, I mean, for any reason at all because you can’t have any exceptions.  I just say, you know, whatever you’re doing is not in compliance with the policies of this site.  We’d love to sell you a copy of SpinRite, but apparently that’s not going to happen.  Many sites do perform a lockout like this, but there are others that don’t.  And even those that do, that are not testing everything, can still be abused.

So this proof-of-concept software that these guys developed uses a site until it locks them out, and then they go somewhere else.  And again, there’s tens of thousands of them on the Internet, no coordination among them except for the central clearinghouse.  MasterCard got it right.  For whatever reason, Visa decided not to do that.  And these guys noted that, once you get enough information, you can then transfer money through Western Union to Russia or wherever, and that money is gone.  Now, of course, Visa indemnifies its cardholders for that kind of fraud, so you just say, “Hey, I didn’t buy this,” and they remove the charge from your statement.  At some point, if this continues to escalate, this gets expensive for Visa.  And I imagine they’ll think about creating a better lockout system.
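The excerpt above contrasts per-site lockouts with a network-wide count of failures on one card. The following sketch is an added example, not code from the article, the transcript or any card network: it replays a constructed decline log through both checks. The limit of 10 is the figure quoted above; the per-site threshold of 3, the one-hour window and all names (`DeclineMonitor`, `replay`, `build_sample`) are assumptions.

```python
import hashlib
from collections import defaultdict, deque

PER_SITE_LIMIT = 3      # assumed per-merchant lockout threshold
WINDOW_SECONDS = 3600   # assumed window; the page gives no timeframe

def card_token(pan):
    # Key counters by a digest rather than the raw PAN (production systems
    # would use a keyed HMAC or a tokenization service).
    return hashlib.sha256(pan.encode()).hexdigest()[:16]

class DeclineMonitor:
    def __init__(self, global_limit=None):
        self.global_limit = global_limit         # None = no network-wide check
        self.global_fails = defaultdict(deque)   # token -> decline timestamps
        self.site_fails = defaultdict(int)       # (token, merchant) -> declines
        self.locked = set()

    def record(self, ts, merchant, pan, approved):
        """Return the decision for one authorization attempt."""
        tok = card_token(pan)
        if tok in self.locked:
            return "blocked_global"
        if self.site_fails[(tok, merchant)] >= PER_SITE_LIMIT:
            return "blocked_site"
        if approved:
            return "approved"
        self.site_fails[(tok, merchant)] += 1
        fails = self.global_fails[tok]
        fails.append(ts)
        while ts - fails[0] > WINDOW_SECONDS:    # drop declines outside window
            fails.popleft()
        if self.global_limit and len(fails) >= self.global_limit:
            self.locked.add(tok)
        return "declined"

def build_sample():
    """Constructed log: one card, two declines at each of 15 merchants."""
    pan = "4111111111111111"  # public test number, not a real account
    return [(i * 5, f"merchant-{i // 2:02d}", pan, False) for i in range(30)]

def replay(events, global_limit=None):
    mon = DeclineMonitor(global_limit)
    return [mon.record(*e) for e in events]

if __name__ == "__main__":
    for limit in (None, 10):
        out = replay(build_sample(), limit)
        print(limit, {d: out.count(d) for d in sorted(set(out))})
```

With only per-site counters, none of the 30 declines in the sample triggers a lockout, because no single merchant sees more than two. With the network-wide count, the card is locked after the tenth decline regardless of which merchants reported them.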

 

Published by

David W. Schropfer

David W. Schropfer is the CEO of SAFE (Smartphone Authentication For Everyone), a cybersecurity company in New York (www.theSafe.io).  Every day, he and his team of professionals keep the people who use The SAFE Button protected from some of the most common traps, hacks and attacks that target computer systems of all sizes. David is the author of the bestselling cybersecurity book, Digital Habits: 5 Simple Tips to Help Keep You and Your Information Safe Online. His previous books, including The Smartphone Wallet and industry whitepapers, predicted some of the biggest trends in the payments, mobile, and security industries.  Since graduating Boston College, David earned an Executive MBA from the University of Miami.

2 thoughts on “Security Flaw Found in Visa (But Not MasterCard)”

  1. Hello
    I don’t find this information to be correct. Risk control is set by an issuer and not the brand. The issuer has the ability to block the card upon the second or third incorrect CVV, and they normally do.
    Where is this information obtained? What is the timeframe that the brand collects incorrect attempts over?

    1. The point of the article is reinforced by your question: MC imposes limits on attempts (not just incorrect CVV attempts). Visa does not. So, if the issuer has not set a reasonable limit on attempts, MC Issuers have the added protection of MC brand’s limit; Visa Issuers do not. My data source is the well-respected cyber security expert Steve Gibson. In his report (which I quoted in my article) he did not include any data. Hope that helps.
