New Visa Attack Hole Demands New Fraud Defenses

By Evan Schuman

12 Dec 2016

Evan Schuman is a guest contributor to the Sift Science blog. 


When security researchers recently published that multi-merchant attacks gave them unlimited attempts at guessing Visa card fields (but not Mastercard fields), it was a reminder of the inherent fragility of payment card security today.

One way to successfully defend against such an attack is by using a service that tracks transactions across a wide range of merchants. This kind of centralized protection is supposed to come from the card brands, but – at least in Visa’s case – that is simply not happening.

The protection could, in theory, come from processors, but they have visibility into a far smaller number of transactions. It is also relatively easy for cyberthieves to determine a merchant site’s processor and then attack only one merchant per processor, so no single processor sees the full pattern. Cyberthieves tend to think through their attacks, forcing everyone else to think just as carefully through their defenses.


How the attack works

The Visa attack used bots to take advantage of the lack of information-sharing between websites. A single site may limit the number of times a shopper can enter a field incorrectly before being blocked and told to contact customer service, but nothing stops the attacker from moving on to other sites to work out each remaining field (expiry date, CVV, and so on), staying under every individual site’s limit. Done methodically enough, it is an effective tactic.

And yes, these attacks also tend to hit the smallest of sites, on the assumption that they will then encounter the weakest security.

For those merchant executives who may be thinking, “Why should I worry about this? I’m merely a tiny cog in the machine that helps them identify payment card fields. How does that hurt me?” you may want to remember that these thieves now know about your site and may have concluded that your security isn’t great. When they complete their investigations and have enough verified data to start making bogus transactions, which sites do you think will be at the top of their hit list?

“Once they know that they have the keys to your kingdom, it’s really just a matter of time before they work through their list and take advantage of your store,” said Kevin Lee, Trust & Safety Architect at Sift Science, who has also managed risk or spam operations for Facebook, Square, and Google.

The aggregated defense

Lee argues that attacks such as this multi-site Visa effort make it clear that retailers need a much more aggregated approach to defending themselves. In short, they need near-realtime visibility—whether direct or indirect—into what is happening on thousands of other sites.

“For example, there may be 10 individual merchants. If Sift Science is integrated with them, we can see that an attack is coming from a particular device or IP address. We’ll often see sequential Gmail accounts [Jdoe1234@gmail.com, Jdoe12345@gmail.com, etc.] used for this,” Lee said. “Sift Science is able to see across our entire portfolio and we instantly adjust the fraud score for the next transaction.”

The multi-merchant Visa attack, for instance, used bots, which makes it easy to identify. It pasted the data into individual fields as part of its guessing effort, as opposed to typing the data in one character at a time. “That’s definitely outside of the norm,” Lee said.
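To make the contrast concrete, here is an added example (not code from the article or from Sift) that runs simple detection logic over a constructed set of failed card-field attempts. Each merchant alone stays under its own attempt limit, so per-site blocking catches nothing, while the aggregated view flags the card token and IP seen across many merchants and groups the sequential-looking email addresses Lee describes; the merchant names, token values, IPs and emails are all made up.

```python
from collections import defaultdict
import re

# Constructed sample of failed card-field attempts: (merchant, card_token, ip, email).
# card_token stands in for a hashed PAN; every value here is invented for the example.
ATTEMPTS = [
    ("shopA", "tok-4111", "203.0.113.7", "jdoe1234@gmail.com"),
    ("shopB", "tok-4111", "203.0.113.7", "jdoe12345@gmail.com"),
    ("shopC", "tok-4111", "203.0.113.7", "jdoe123456@gmail.com"),
    ("shopD", "tok-4111", "203.0.113.7", "jdoe1234567@gmail.com"),
    ("shopA", "tok-5500", "198.51.100.2", "alice@example.com"),
    ("shopA", "tok-5500", "198.51.100.2", "alice@example.com"),
]
PER_SITE_LIMIT = 3    # failures one merchant tolerates before blocking
CROSS_SITE_LIMIT = 3  # distinct merchants the aggregated view tolerates per card / IP

def per_site_blocked(attempts, limit=PER_SITE_LIMIT):
    """(merchant, card) pairs that a merchant acting on its own data would block."""
    counts = defaultdict(int)
    for merchant, card, _ip, _email in attempts:
        counts[(merchant, card)] += 1
    return {key for key, n in counts.items() if n >= limit}

def cross_site_flags(attempts, limit=CROSS_SITE_LIMIT):
    """Cards and IPs whose failures, counted across all merchants, hit the limit."""
    merchants_by_card = defaultdict(set)
    merchants_by_ip = defaultdict(set)
    for merchant, card, ip, _email in attempts:
        merchants_by_card[card].add(merchant)
        merchants_by_ip[ip].add(merchant)
    cards = {c for c, m in merchants_by_card.items() if len(m) >= limit}
    ips = {i for i, m in merchants_by_ip.items() if len(m) >= limit}
    return cards, ips

# local part = alphabetic stem + numeric suffix, e.g. jdoe1234@gmail.com
_EMAIL_RE = re.compile(r"^([a-z.]+?)(\d+)@(.+)$")

def sequential_emails(attempts, min_variants=3):
    """Group addresses that share a stem and domain and differ only by a number."""
    suffixes = defaultdict(set)
    for _merchant, _card, _ip, email in attempts:
        m = _EMAIL_RE.match(email.lower())
        if m:
            suffixes[(m.group(1), m.group(3))].add(m.group(2))
    return {f"{stem}*@{domain}": sorted(nums)
            for (stem, domain), nums in suffixes.items() if len(nums) >= min_variants}
```

With this data `per_site_blocked` returns an empty set, while `cross_site_flags` flags `tok-4111` and `203.0.113.7` and `sequential_emails` groups the four `jdoe` variants; the thresholds are illustrative, not Sift’s.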

This attack method overall, though, didn’t especially impress Lee. “The sophistication that these folks used was pretty basic,” he said. For example, in an IEEE paper the researchers wrote, the attack was thwarted by an ordinary CAPTCHA. “Many bots wouldn’t be thwarted that easily,” Lee said.

How did the attack get by Visa?

Of greater intrigue, Lee said, was why this attack consistently got past Visa’s systems but did not fool the equivalent defenses at Mastercard. The report said the researchers made sure that multiple processors were hit on both sides, to rule out the possibility that it was the processors—and not Mastercard—that blocked the attacks.

“I would assume that Visa is watching this data. They should have visibility across their portfolio,” Lee said. “I think they should be able to detect this stuff. This is a fail on their side.”

In a statement issued after the research was published, Visa suggested that merchants should use Verified by Visa. “Visa also offers enhanced security using Verified by Visa based on the 3DSecure standard, which offers improved security for e-commerce transactions. The 3DSecure 2.0 specification was recently announced and Visa is actively developing Verified by Visa to incorporate the advances in security it offers,” Visa said. “Where a merchant chooses not to use Verified by Visa for a card not present transaction, they will assume the risk for fraud.”

Lee said this Visa pitch for its Verified by Visa program is unlikely to go anywhere. Visa “has been talking about that for more than five years. The friction is so high, along with the implementation costs by the merchants. Merchants hate it because you lose good customers and pay high implementation costs,” he said. “I’m inhibiting my business more because I’m turning away good customers.”

A centralized approach makes sense, but it needs to be one that has visibility across all payment types and doesn’t accomplish its anti-fraud efforts by making shoppers jump through hoops.


Evan Schuman

Evan Schuman has covered IT issues for a lot longer than he'll ever admit. The founding editor of retail technology site StorefrontBacktalk, he's been a columnist for CBSNews.com, RetailWeek, Computerworld, and eWeek.
