Security researchers have confirmed that Visa has no mechanism to stop an attacker from spreading guesses across many merchant sites, which makes the number of guesses at card-data fields such as CVV2 effectively unlimited. Coordinated attacks of this kind could do real harm, but now that the flaw has been identified they should also be blockable.
Mohammed Ali, a Ph.D. student in Newcastle University’s School of Computing Science and lead author of an IEEE paper on the topic, said the security hole involves two separate problems.
“The current online payment system does not detect multiple invalid payment requests from different websites. This allows unlimited guesses on each card data field, using up to the allowed number of attempts — typically 10 or 20 guesses — on each website. Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it’s quite easy to build up the information and piece it together like a jigsaw,” Ali said. “The unlimited guesses, when combined with the variations in the payment data fields, make it frighteningly easy for attackers to generate all the card details one field at a time.”
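The two problems Ali describes, a per-site attempt cap with nothing correlating failures across sites, and sites that validate different subsets of the card fields, can be modelled in a few dozen lines. The following is an added example, not code from the paper or from any payment network: a toy issuer that either counts failures per (card, merchant) pair, as the article says the current system does, or per card across all merchants, and an attacker that guesses expiry date and then CVV2 one field at a time, moving to the next site whenever the current one blocks the card. The card values, the merchant names (shop00 to shop59), the 10-attempt cap and the candidate ranges are all constructed for the demo; the model also assumes every site reports approved, declined or blocked, and that a site that does not ask for a field does not check it.

```python
"""Toy model of the distributed guessing attack (added example, not the
paper's code). Card values, merchant names and the per-site cap are
constructed for the demo."""
from collections import defaultdict

# Constructed demo card data. The attacker is assumed to know only the PAN.
PAN = "4111111111111111"          # well-known test PAN, not a live card
TRUE_EXPIRY = (9, 2019)           # (month, year)
TRUE_CVV2 = "472"
PER_SITE_LIMIT = 10               # attempts one site tolerates (article: 10 to 20)

# Candidate spaces, guessed one field at a time as the article describes.
EXPIRY_CANDIDATES = [(m, y) for y in range(2016, 2021) for m in range(1, 13)]  # 60
CVV2_CANDIDATES = [f"{n:03d}" for n in range(1000)]                            # 1000


class Issuer:
    """Authorises a payment request. Sites ask for different field subsets,
    so a request may carry only an expiry or only a CVV2 (None = not asked).
    aggregate=False: failures counted per (card, merchant), i.e. each site
    enforces its own cap and nothing correlates across sites (the flaw).
    aggregate=True: failures counted per card across every merchant."""

    def __init__(self, aggregate, limit=PER_SITE_LIMIT):
        self.aggregate, self.limit = aggregate, limit
        self.failures = defaultdict(int)
        self.declines = 0                      # wrong guesses actually evaluated

    def authorise(self, pan, merchant, expiry=None, cvv2=None):
        key = pan if self.aggregate else (pan, merchant)
        if self.failures[key] >= self.limit:
            return "blocked"                   # refused without checking the data
        ok = (expiry is None or expiry == TRUE_EXPIRY) and \
             (cvv2 is None or cvv2 == TRUE_CVV2)
        if not ok:
            self.failures[key] += 1
            self.declines += 1
        return "approved" if ok else "declined"


class Attacker:
    """Walks a pool of merchant sites, moving to the next site whenever the
    current one blocks the card, and retries the untested guess there."""

    def __init__(self, issuer, pan, merchants):
        self.issuer, self.pan, self.merchants = issuer, pan, list(merchants)
        self.pos = 0                           # index of the site in use

    def guess_field(self, field, candidates):
        i = 0
        while i < len(candidates) and self.pos < len(self.merchants):
            site = self.merchants[self.pos]
            r = self.issuer.authorise(self.pan, site, **{field: candidates[i]})
            if r == "approved":
                return candidates[i]
            if r == "blocked":
                self.pos += 1                  # site exhausted; same guess elsewhere
            else:
                i += 1                         # declined: guess ruled out, try next
        return None                            # ran out of sites or candidates

    @property
    def sites_used(self):
        return min(self.pos + 1, len(self.merchants))


def run_attack(aggregate, site_count=60):
    """Recover expiry, then CVV2, using hypothetical sites shop00..shopNN."""
    issuer = Issuer(aggregate=aggregate)
    attacker = Attacker(issuer, PAN, [f"shop{n:02d}" for n in range(site_count)])
    expiry = attacker.guess_field("expiry", EXPIRY_CANDIDATES)
    cvv2 = attacker.guess_field("cvv2", CVV2_CANDIDATES)
    return {"expiry": expiry, "cvv2": cvv2,
            "sites_used": attacker.sites_used, "declines": issuer.declines}


if __name__ == "__main__":
    print("per-site counting:", run_attack(aggregate=False))
    print("per-card counting:", run_attack(aggregate=True))
```

With per-site counting the attacker recovers both fields after 516 declined guesses spread over 52 sites, none of which ever saw more than 10 failures; with per-card counting the same attacker is stopped after 10 declines in total, because every later site inherits the card's failure count. The difference between the two runs is exactly the cross-merchant correlation the article says is missing.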