How To Fight Off A Brute Force Credit Card Attack
Researchers at Newcastle University found that hackers can use guesswork to uncover Visa credit or debit card numbers in under six seconds, this is known as a brute force attack.
All it takes is a laptop and Internet connection.
In less than six seconds they could have your customers’ card numbers, expiry date and three-digit (CVV) security code. For websites that already use 3D Secure automatic verification that is all a hacker needs to use your customers card details to make a purchase.
Every available method is used to steal valuable data, including login details and passwords. Another method, similar in many ways, known as a Distributed Guessing Attack isn’t deterred by the usual fraud prevention methods. The aim is entry, by any means necessary, which is why fraudsters don’t care when cards are declined or blocked in the process.
Brute force attacks work, responsible for 25% of all online attacks, according to a 2015 McAfee Security Report. It is also suspected that an attack on Tesco Bank in 2016 costing £2.5 million and affecting 9,000 customers, was caused by brute force or a distributed guessing process.
How Brute Force Attacks Work
Similar to the military concept of overwhelming force, brute and distributed guessing attacks involve a cybercriminal throwing hundreds of versions of the same data at multiple weak points. In some cases, various card entry fields (card numbers, expiry dates, CVV numbers) are tried up to 20 or 30 times across hundreds of websites simultaneously.
At present, payment and card security systems can’t automatically detect multiple payment attempts on the same card at the same time. Part of the problem is that each attempt will come from a slightly different card number, reducing the chances of a hacker landing on the correct details at the same time on two different websites to almost zero.
According to Mohammed Ali, a computer scientist researcher at Newcastle University*, another part of the problem is that “different websites ask for different variations in the card data fields to validate an online purchase. This means it’s quite easy to build up the information and piece it together like a jigsaw.”
“Each generated card field can be used in succession to generate the next field and so on. The unlimited guesses, when combined with the variations in the payment data fields, make it frighteningly easy for attackers to generate all the card details one field at a time,” said Mr Ali.
All of this can operate automatically. Hacking on this scale uses software and systems, available on the dark web, to ensure hundreds of attacks take place simultaneously.
How to prevent Brute Force attacks
No one wants to become a victim of these attacks. Merchants and payment providers need to make every reasonable attempt to protect customer data. Tokenisation is one method. Another option is to automatically locking an account password after more than three failed login attempts, effective because brute force normally takes considerably more attempts to uncover a customer’s password.
Another prevention method is to watch out for unexpected spikes in web traffic. Brute force attacks will involve multiple automated attempts to access a website and/or put payments through the checkout at the same time. Discuss with your payment provider whether blocks can be put in place to prevent multiple attempts to complete a purchase when they all appear to come from the same IP address, country or device.
Also watch out for any corresponding spikes in abandoned carts. They’re likely to include multiple versions of the same card number; then set your systems up to prevent further attempts from the same IP address. Even when botnets are used, hiding IP addresses, your website would still experience an unexpected spike in traffic, which is a good time to implement automatic blocking procedures to prevent fraud.
With the right payment provider and security partner, you can keep your customers and your brand safe from cyber threats and brute force attacks.
To discuss any of the points raised in this article with a security expert, please get in touch. Call 0333 240 6000 or email [email protected]