Online Payment Distributed Guessing Attack Research
Martin Emms, Research Associate at Newcastle University
13.01.2017 09:00 am
Our latest research, led by Mohammed Aamir Ali, shows that a distributed guessing attack can exploit the online payment system to generate all of the information required to make fraudulent payments from any Visa card.
The full research paper will appear in IEEE Security & Privacy magazine in early 2017. However, the research has already attracted media attention, generating a flurry of news articles in December (listed below).
When Mohammed first started to investigate the possibility of using the response codes from the online payment system to determine the correct CVV2, we all thought that the payment network would pick up the invalid attempts. Unfortunately we were wrong: we found that the Visa network did not detect the thousands of guesses distributed across the attack, whereas the MasterCard network detected the attack after just 4 guesses spread across 4 different online merchants.
The problem is twofold:
distributing the attack across multiple websites gives the attacker unlimited guesses to find the card number, expiry date and CVV2 (everything required to make an online payment);
different online merchants require different fields in their online payment pages, so from one set of payment websites the attack can extract the expiry date, and from a different set of merchants it can extract the CVV2 security code (see video above).
We made a full disclosure of our research over a year before the paper was published and the research hit the news headlines. However, this is still very much unresolved. Some of the online retailers reduced the number of attempts allowed to enter the correct CVV2 on their websites following our disclosure, which helps but does not resolve the problem: an attacker simply spreads the guesses across more sites. Resolving it would require the Visa network to link together the multiple incorrect guesses coming from multiple different websites.
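To make the mechanics concrete, here is a small simulation of the two-stage guessing attack described above (expiry from one set of sites, CVV2 from another) and of the network-side linking of failures that the post argues is the only real fix. This is an added example, not the research team's code: the card, the merchant sites, the assumed 10 attempts per site, the 4-failure network threshold and the candidate ranges are all constructed for illustration, and the simulated network simply compares against the constructed card rather than talking to an issuer.

```python
"""Simulation of the distributed guessing attack.

Added illustration, not the Newcastle team's code. The card, the merchant
sites, the per-site attempt limits and the network's 4-failure threshold are
all constructed for this example.
"""
from dataclasses import dataclass, field

# Constructed test card: the attacker starts knowing only the PAN.
CARD = {"pan": "4111111111111111", "expiry": (11, 2019), "cvv2": "731"}


@dataclass
class Network:
    """Card network (issuer side). Every merchant's authorisation request
    lands here, so this is the only place guesses from different sites can
    be linked. With linking off (what the researchers observed on Visa) it
    counts failures but never acts; with linking on (the MasterCard-style
    behaviour) it blocks the PAN after max_failures wrong attempts, no
    matter which merchants sent them."""
    link_across_merchants: bool
    max_failures: int = 4                       # assumed threshold
    failures: dict = field(default_factory=dict)
    blocked: set = field(default_factory=set)

    def authorise(self, pan, fields):
        if pan in self.blocked:
            return "blocked"
        if all(CARD[k] == v for k, v in fields.items()):
            return "approved"
        self.failures[pan] = self.failures.get(pan, 0) + 1
        if self.link_across_merchants and self.failures[pan] >= self.max_failures:
            self.blocked.add(pan)
        return "declined"


@dataclass
class Merchant:
    """One checkout page. It asks for `required` fields only and stops a
    card after max_attempts payments, which is all a single site can see."""
    required: tuple
    network: Network
    max_attempts: int = 10                      # assumed per-site limit
    attempts: dict = field(default_factory=dict)

    def pay(self, pan, **fields):
        self.attempts[pan] = self.attempts.get(pan, 0) + 1
        if self.attempts[pan] > self.max_attempts:
            return "merchant_limit"
        return self.network.authorise(pan, {k: fields[k] for k in self.required})


def guess_field(pan, merchants, name, candidates, known=None):
    """Guess one field round-robin, one attempt per merchant per pass, so no
    single site ever sees more than a handful of tries for this card.
    Returns (value or None, number of guesses the network received)."""
    remaining = list(candidates)
    active = list(merchants)
    sent = 0
    while remaining and active:
        for m in list(active):
            if not remaining:
                break
            result = m.pay(pan, **(known or {}), **{name: remaining[0]})
            if result == "merchant_limit":      # this site is used up, drop it
                active.remove(m)
                continue
            sent += 1
            value = remaining.pop(0)
            if result == "approved":
                return value, sent
            if result == "blocked":
                return None, sent
    return None, sent


def run_attack(link_across_merchants, per_site_limit=10, n_sites=110):
    """Expiry first (from sites that ask only for expiry), then CVV2 (from
    sites that ask for expiry + CVV2): the two-set split described in the post."""
    net = Network(link_across_merchants=link_across_merchants)
    expiry_sites = [Merchant(("expiry",), net, per_site_limit) for _ in range(n_sites)]
    cvv_sites = [Merchant(("expiry", "cvv2"), net, per_site_limit) for _ in range(n_sites)]
    pan = CARD["pan"]

    # 12 months x 5 years = 60 expiry candidates (constructed window)
    expiries = [(m, y) for y in range(2017, 2022) for m in range(1, 13)]
    expiry, n_exp = guess_field(pan, expiry_sites, "expiry", expiries)
    cvv2, n_cvv = None, 0
    if expiry is not None:
        cvvs = [f"{i:03d}" for i in range(1000)]     # 000..999
        cvv2, n_cvv = guess_field(pan, cvv_sites, "cvv2", cvvs, known={"expiry": expiry})
    return {"expiry": expiry, "cvv2": cvv2, "guesses": n_exp + n_cvv,
            "network_failures": net.failures.get(pan, 0), "blocked": pan in net.blocked}


if __name__ == "__main__":
    print("no cross-merchant linking:", run_attack(False))
    print("linking, block after 4:   ", run_attack(True))
```

Without linking, the simulated network receives 765 wrong attempts for the one card and does nothing, because no single site sees more than seven of them; with linking, the card is blocked after the fourth wrong guess, each from a different site. Lowering the per-site limit (try `per_site_limit=1`) only changes how many sites the attacker needs, which is the point made above about the retailers' mitigation.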