Online Payment Distributed Guessing Attack Research

Martin Emms

Research Associate at Newcastle University

13.01.2017 09:00 am

Our latest research, led by Mohammed Aamir Ali, shows that a distributed guessing attack can exploit the online payments system to generate all of the information required to make fraudulent payments from any Visa card.

The full research paper will appear in IEEE Security & Privacy magazine in early 2017. However, the research has already grabbed the attention of the media, generating a flurry of news articles in December (listed below).


When Mohammed first started to investigate the possibility of using the response codes from the online payment system to determine the correct CVV2, we all thought that the payment network would pick up the invalid attempts. Unfortunately we were wrong; we found that the Visa network did not detect the 1000s of guesses distributed across the attack, whereas the MasterCard network did detect the attack after just 4 guesses spread across 4 different online merchants.

The problem is twofold:

  1. Distributing the attack across multiple websites gives the attacker unlimited guesses to find the card number, expiry date and CVV2 (everything required to make an online payment).
  2. Different online merchants require different fields in their online payment pages, so from one set of payment websites the attack can extract the expiry date, and from a different set of merchants the attack can extract the CVV2 security code (see video above).

We made sure that we made full disclosure of our research over a year before the paper was published and the research hit the news headlines. However, this is still very much unresolved. Some of the online retailers reduced the number of attempts to put in the correct CVV2 on their websites following our disclosures, which does help but does not resolve the problem. This would require the Visa network to link together the multiple incorrect guesses coming from multiple different websites.
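As an added illustration of that last point (example code written for this post, not code from the paper or its authors; the decline-reason names, thresholds and the log of attempts are all constructed), here are the two views of the same stream of authorisation attempts: a single merchant counting only its own declines never reaches its limit, while a network-side count of distinct merchants probing one card does, and the approval that follows can then be held for review.

```python
from collections import defaultdict, deque
# Decline reasons that signal a wrong guess at card data (assumed names, not real response codes).
CARD_DATA_DECLINES = {"invalid_cvv2", "invalid_expiry"}

# Constructed sample of authorisation attempts: (seconds, masked PAN, merchant, decline reason or None).
SAMPLE_ATTEMPTS = [
    (0, "4111...1111", "merchant-A", "invalid_cvv2"),
    (5, "4111...1111", "merchant-A", "invalid_cvv2"),
    (9, "4111...1111", "merchant-B", "invalid_expiry"),
    (12, "4111...1111", "merchant-C", "invalid_cvv2"),
    (15, "4111...1111", "merchant-D", "invalid_cvv2"),
    (20, "4111...1111", "merchant-E", None),  # the attacker's payment goes through here
    (3, "5555...4444", "merchant-A", "invalid_cvv2"),  # a genuine customer typo
    (40, "5555...4444", "merchant-A", None),
]

def per_merchant_view(attempts, threshold=3):
    """Merchant-side view: flag a card only if this one merchant sees >= threshold declines for it."""
    counts = defaultdict(int)
    for _, pan, merchant, reason in attempts:
        if reason in CARD_DATA_DECLINES:
            counts[(pan, merchant)] += 1
    return {pan for (pan, _), n in counts.items() if n >= threshold}

def network_view(attempts, threshold=4, window_s=600):
    """Network-side view: count distinct merchants reporting card-data declines for one PAN
    inside a sliding window; return {pan: (time flagged, merchants)} once it reaches threshold."""
    by_pan = defaultdict(list)
    for ts, pan, merchant, reason in attempts:
        if reason in CARD_DATA_DECLINES:
            by_pan[pan].append((ts, merchant))
    flagged = {}
    for pan, events in by_pan.items():
        window = deque()
        for ts, merchant in sorted(events):
            window.append((ts, merchant))
            while window[0][0] < ts - window_s:  # evict declines older than the window
                window.popleft()
            merchants = {m for _, m in window}
            if len(merchants) >= threshold:
                flagged[pan] = (ts, sorted(merchants))
                break
    return flagged

def approvals_to_review(attempts):
    """Approvals that arrive after the network view flagged the PAN (the payments to hold)."""
    flagged = network_view(attempts)
    return [(ts, pan, merchant) for ts, pan, merchant, reason in attempts
            if reason is None and pan in flagged and ts >= flagged[pan][0]]
```

With the sample above, `per_merchant_view` flags nothing (merchant-A sees only two declines), while `network_view` flags the first card at the fourth merchant and `approvals_to_review` returns the later approval at merchant-E.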
