Online Payment Distributed Guessing Attack Research


Martin Emms

Research Associate at Newcastle University


13.01.2017 09:00 am

Our latest research, led by Mohammed Aamir Ali, shows that a distributed guessing attack can exploit the online payments system to generate all of the information required to make fraudulent payments from any Visa card.

The full research paper will appear in IEEE Security & Privacy magazine in early 2017. However, the research has already grabbed the attention of the media, generating a flurry of news articles in December (listed below).


When Mohammed first started to investigate the possibility of using the response codes from the online payment system to determine the correct CVV2, we all thought that the payment network would pick up the invalid attempts. Unfortunately we were wrong: we found that the Visa network did not detect the distributed attack even across 1000s of guesses, whereas the MasterCard network did detect the attack after just 4 guesses spread across 4 different online merchants.

The problem is twofold:

  1. distributing the attack across multiple websites gives the attacker unlimited guesses to find the card number, expiry date and CVV2 (everything required to make an online payment)
  2. different online merchants require different fields in their online payment pages, so from one set of payment websites the attack can extract the expiry date, and from a different set of merchants the attack can extract the CVV2 security code (see video above).

We made sure that we made full disclosure of our research over a year before the paper was published and the research hit the news headlines. However, this is still very much unresolved. Some of the online retailers reduced the number of attempts to put in the correct CVV2 on their websites following our disclosures, which does help but does not resolve the problem. Resolving it would require the Visa network to link together the multiple incorrect guesses coming from multiple different websites.
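To make the difference between the two mitigations concrete, here is an added Python model (written for this post, not code from the research team or from any card network) that replays a constructed sequence of authorisation attempts through two views: a per-merchant failure limit of the kind some retailers adopted, and a single network-wide limit keyed on the card that sees every merchant's traffic. Merchant names, card tokens, timestamps and the threshold of 4 are all constructed for illustration; the threshold is chosen to mirror the 4-guess detection described above.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class AuthAttempt:
    ts: float        # seconds on a constructed timeline
    merchant: str    # merchant that submitted the authorisation
    card_token: str  # pseudonymous stand-in for the card number (constructed)
    ok: bool         # whether the submitted expiry/CVV2 value verified


class FailureLimiter:
    """Sliding-window count of failed verifications per key.

    A merchant's instance only ever sees that merchant's own traffic, so
    guesses spread across sites never accumulate in it. The network's
    instance is fed every merchant's traffic for the same card token and
    can therefore link the distributed guesses together.
    """

    def __init__(self, threshold: int, window_s: float):
        self.threshold = threshold
        self.window_s = window_s
        self._failures = defaultdict(deque)  # key -> timestamps of failures

    def _recent(self, key: str, now: float) -> deque:
        q = self._failures[key]
        while q and now - q[0] > self.window_s:  # drop failures outside the window
            q.popleft()
        return q

    def record_failure(self, key: str, now: float) -> None:
        self._recent(key, now).append(now)

    def locked(self, key: str, now: float) -> bool:
        return len(self._recent(key, now)) >= self.threshold


def verdict(limiter: FailureLimiter, key: str, a: AuthAttempt) -> str:
    """Outcome of one attempt as judged by `limiter`.

    Once the key is locked the answer is "blocked" even for a correct value,
    which is what stops the final (correct) guess from being rewarded.
    """
    if limiter.locked(key, a.ts):
        return "blocked"
    if a.ok:
        return "approved"
    limiter.record_failure(key, a.ts)
    return "declined"


def replay(attempts: List[AuthAttempt], threshold: int = 4,
           window_s: float = 3600.0) -> Tuple[List[str], List[str]]:
    """Return (merchant_view, network_view) outcomes for each attempt in order."""
    per_merchant = defaultdict(lambda: FailureLimiter(threshold, window_s))
    network = FailureLimiter(threshold, window_s)
    merchant_view, network_view = [], []
    for a in attempts:
        merchant_view.append(verdict(per_merchant[a.merchant], a.card_token, a))
        network_view.append(verdict(network, a.card_token, a))
    return merchant_view, network_view


# Constructed sample: four wrong guesses for one card, each at a different
# merchant, then a correct value at a fifth merchant, then an unrelated card.
SAMPLE_ATTEMPTS = [
    AuthAttempt(0.0, "merchant-A", "card-1", ok=False),
    AuthAttempt(2.0, "merchant-B", "card-1", ok=False),
    AuthAttempt(4.0, "merchant-C", "card-1", ok=False),
    AuthAttempt(6.0, "merchant-D", "card-1", ok=False),
    AuthAttempt(8.0, "merchant-E", "card-1", ok=True),   # the guess that is right
    AuthAttempt(9.0, "merchant-A", "card-2", ok=True),   # unrelated cardholder
]

if __name__ == "__main__":
    merchant_view, network_view = replay(SAMPLE_ATTEMPTS)
    for a, m, n in zip(SAMPLE_ATTEMPTS, merchant_view, network_view):
        print(f"{a.ts:5.1f}s {a.merchant:<11} {a.card_token}: merchant={m:<9} network={n}")
```

In the merchant view every merchant sees at most one failure for the card, so nobody locks it and the fifth attempt is approved; in the network view the four failures accumulate under one key and the fifth attempt is blocked, while the unrelated card is unaffected. The sliding window means a cardholder who genuinely mistypes their CVV2 is not locked out indefinitely.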
