If you didn't know by now, credit card numbers are not random: the primary account number (PAN) ends in a check digit computed with the Luhn (mod 10) algorithm, and many websites use that check to reject mistyped numbers before they ever reach the payment network. Note that Luhn only catches typos; a number that passes it says nothing about whether the card exists, is active, or belongs to anyone.
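As an added example (not code from the original article or from the research it describes), here is the Luhn check in Python, together with the check-digit computation and a helper that enumerates the completions of a partial number. The helper makes the practical point concrete: for any 15-digit prefix exactly one of the ten possible check digits passes, so Luhn discards 90% of random guesses but confirms nothing about the remaining 10%. The sample numbers are the standard 4111 1111 1111 1111 test PAN and a textbook example, not real cards.

```python
def luhn_sum(digits: str) -> int:
    """Luhn (mod 10) sum over a string of ASCII digits.

    The rightmost digit is the check position and is not doubled; every
    second digit to its left is doubled, and products above 9 have 9
    subtracted (equivalent to adding the product's two digits).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    """True if the number (spaces allowed) has a correct Luhn check digit."""
    pan = pan.replace(" ", "")
    if not pan.isdigit() or len(pan) < 2:
        return False
    return luhn_sum(pan) % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes partial + digit Luhn-valid."""
    # A placeholder 0 in the check position keeps the doubling pattern
    # aligned with the finished number.
    s = luhn_sum(partial + "0")
    return str((10 - s % 10) % 10)


def luhn_completions(partial: str) -> list:
    """All full numbers partial + d (d in 0..9) that pass the Luhn check.

    Always exactly one entry: the checksum filters guesses, it does not
    authenticate them.
    """
    return [partial + str(d) for d in range(10) if luhn_valid(partial + str(d))]


if __name__ == "__main__":
    for pan in ("4111 1111 1111 1111", "4111 1111 1111 1112", "79927398713"):
        print(pan, "valid" if luhn_valid(pan) else "invalid")
    print("check digit for 411111111111111:", luhn_check_digit("411111111111111"))
    print("Luhn-valid completions of 411111111111111:",
          luhn_completions("411111111111111"))
```

The take-away for a merchant is that a client-side Luhn check is a usability feature, not a security control; rejecting non-Luhn input saves a round trip to the gateway but does nothing to slow an attacker who generates Luhn-valid candidates in the first place.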
Researchers have built a tool that uses this check to generate hundreds of Luhn-valid candidate numbers, pairs them with guessed bank location details, expiry dates and CVV numbers, and then submits the combinations to many different e-commerce websites to learn which ones the payment network accepts.
Because different merchants ask for different fields, the same tool can guess CVV numbers, expiry dates, ZIP codes and even street addresses one field at a time, which leaves the attacker with everything needed to make fraudulent purchases.
Fundamentally, much of the problem with card payment stems from the fact that the identity of the payer needs to be established in the ‘card-not-present’ mode. This is inherently problematic since it is at odds with the original use of cards (where the card and cardholder are present at the moment of purchase). It also implies that, for instance, Chip-and-PIN is not available to establish the identity of the payer. This is exacerbated by the fact that the Internet facilitates distribution of guesses for data fields over many merchant sites.
Mastercard holders are better placed: because Mastercard's network sees every authorisation attempt for a card regardless of which merchant submits it, the researchers found that the card was blocked after a small number of failed guesses (fewer than 10 in their tests), so the brute force approach does not get far. Visa's network did not apply such a cross-merchant limit at the time, so Visa cardholders are considerably more exposed to this attack.
The problem is not easily corrected: the researchers' recommendation is that online payment handling be standardised or centralised so that guesses can no longer be spread across merchants without anyone noticing.
To prevent the attack, either standardisation or centralisation can be pursued (some card payment networks already provide this). Standardisation would imply that all merchants need to offer the same payment interface, that is, the same number of fields. Then the attack does not scale anymore. Centralisation can be achieved by payment gateways or card payment networks possessing a full view over all payment attempts associated with its network. Neither standardisation nor centralisation naturally fit the flexibility and freedom of choice one associates with the Internet or successful commercial activity, but they will provide the required protection. It is up to the various stakeholders to determine the case for and timing of such solutions.
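The following simulation is an added example, not the researchers' tool or any network's real logic, and it illustrates the two preceding passages: the distributed guessing attack itself, and why centralisation stops it. The card values, the per-merchant lockout of 5 failures, the network-wide limit of 10, and the 400 merchant sites are all constructed assumptions. An attacker who knows the PAN guesses the expiry date on merchants whose forms ask only for expiry, then the CVV on merchants that ask for both, hopping to a fresh merchant whenever one locks the card out. With issuers that see each request in isolation the attack succeeds while no merchant's limit is ever exceeded; with an issuer that counts failures across all merchants the card is blocked long before the right expiry is reached.

```python
from dataclasses import dataclass
from itertools import product
from typing import Optional

# Constructed example card (NOT a real card). The attacker already knows the
# PAN, e.g. from a breach, and has to guess the remaining fields.
SECRET_EXPIRY = (9, 2027)   # (month, year)
SECRET_CVV = 417

PER_MERCHANT_LIMIT = 5      # failures one merchant tolerates per PAN (assumed)
NETWORK_LIMIT = 10          # network-wide failures tolerated when it has a full view (assumed)


@dataclass
class Issuer:
    """Authorises the guessed fields for the card.

    centralised=True models a network that counts failures across every
    merchant (the full view described in the text); centralised=False
    models a network that judges each request on its own.
    """
    centralised: bool
    failures: int = 0
    blocked: bool = False

    def authorise(self, expiry, cvv=None) -> bool:
        if self.blocked:
            return False
        ok = expiry == SECRET_EXPIRY and (cvv is None or cvv == SECRET_CVV)
        if not ok and self.centralised:
            self.failures += 1
            if self.failures >= NETWORK_LIMIT:
                self.blocked = True
        return ok


@dataclass
class Merchant:
    """A checkout form asking for a particular set of fields. It locks a PAN
    out after PER_MERCHANT_LIMIT failures but shares nothing with others."""
    fields: tuple
    issuer: Issuer
    failures: int = 0

    def try_payment(self, expiry, cvv=None) -> Optional[bool]:
        """Returns None once this merchant has locked the PAN out."""
        if self.failures >= PER_MERCHANT_LIMIT:
            return None
        ok = self.issuer.authorise(expiry, cvv if "cvv" in self.fields else None)
        if not ok:
            self.failures += 1
        return ok


def distributed_guess(issuer: Issuer, n_merchants: int = 400) -> dict:
    """Guess expiry on expiry-only forms, then CVV on expiry+CVV forms,
    moving to a fresh merchant whenever the current one locks the PAN out."""
    half = n_merchants // 2
    expiry_sites = [Merchant(("expiry",), issuer) for _ in range(half)]
    cvv_sites = [Merchant(("expiry", "cvv"), issuer) for _ in range(half)]
    stats = {"attempts": 0, "expiry": None, "cvv": None}

    def spread(sites, guesses, make_args):
        idx = 0
        for g in guesses:
            while idx < len(sites):
                res = sites[idx].try_payment(*make_args(g))
                if res is None:          # locked out here: spill to the next site
                    idx += 1
                    continue
                stats["attempts"] += 1   # request actually reached the network
                if res:
                    return g
                break                    # wrong guess, try the next value
            else:
                return None              # every merchant exhausted
        return None

    years = range(2025, 2030)            # five-year expiry window (assumed)
    stats["expiry"] = spread(expiry_sites,
                             [(m, y) for y, m in product(years, range(1, 13))],
                             lambda e: (e, None))
    if stats["expiry"] is not None:
        stats["cvv"] = spread(cvv_sites, range(1000),
                              lambda c: (stats["expiry"], c))
    stats["blocked"] = issuer.blocked
    stats["merchants_used"] = sum(m.failures > 0 for m in expiry_sites + cvv_sites)
    return stats


if __name__ == "__main__":
    print("per-merchant limits only:", distributed_guess(Issuer(centralised=False)))
    print("network-wide view:       ", distributed_guess(Issuer(centralised=True)))
```

In the isolated case the attacker needs 451 network requests spread over 91 merchants and never trips any single merchant's limit, which is exactly the scaling the paper describes. In the centralised case the card is blocked after 10 failures and the expiry is never found. Standardisation attacks the same weakness from the other side: if every form asked for the same fields, the attacker could not split the search space by field and would face the full product of expiry and CVV guesses at every site.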
Here is the program in action.