
Tag: Mastercard

Visa, MasterCard, and Symantec among dozens affected by "suspicious" BGP mishap.
The fingerprint reader aims to target in-store fraud by reducing the need of PIN codes and signatures.
Sweet MFA... but there's no documentation available for users
Mastercard has unveiled its new biometric card which adds a fingerprint sensor to the chip as a replacement security measure to the four-digit PIN.…
Mastercard said it is acquiring NuData so it can integrate its technology into its fraud management and security products.
Avoid the risk that your gift voucher becomes worthless if a retailer goes into insolvency
A radical new way to gift money, free from the risk of retailer insolvency, has been launched in the UK. LoveFromMe is a personalised gift card scheme which can be redeemed anywhere in the World that accepts MasterCard.
Thish De Zoysa, Co-founder and Director, LoveFromMe, stated: “We all buy gift cards – for Christmas or at other times during the year as... Source: RealWire
Personalised gift cards you can spend anywhere in the world that accepts MasterCard
A £350,000 equity crowdfunding round has been launched on Seedrs by LoveFromMe, a personalised gift card scheme which can be redeemed anywhere.
Available to spend online and in-store at over 30 million locations around the world that accept MasterCard, LoveFromMe is changing the face of the gift card market, currently estimated to be worth over £5 billion, according to The UK Gift Card and... Source: RealWire
Bamberg and Hong Kong – December 15, 2016 – Computop, a leading payment service provider, and AsiaPay, one of Asia-Pacific’s most distinguished payment service providers, today announced their new strategic partnership.

The relationship enables retailers to securely process payments in Asia-Pacific through Computop’s Paygate payment gateway using the payment methods that consumers in the region prefer and trust, helping to positively impact sales and the overall customer experience.

A recent e-Marketer report noted that Asia-Pacific will remain the world’s largest retail e-commerce market, with sales expected to top $1 trillion in 2016 and more than double to $2.725 trillion by 2020.

Findings also noted that the region will see the fastest rise in retail e-commerce sales, increasing 31.5% this year.
In addition, according to a study by Kantar TNS, Asia-Pacific is leading the world in mobile payment with over half (53%) of connected consumers using their mobile phones to pay for goods or services at the point-of-sale via apps.

As such, the Computop and AsiaPay partnership enables retailers to capitalize on the growth opportunity that Asia-Pacific presents. “Expanding business into foreign markets may seem daunting, but working with companies that have a strong foothold in those regions and that understand the payment behaviors and preferences of consumers in those countries is key to retailer success,” said Ralf Gladis, CEO of Computop. “Through our partnership with AsiaPay, Computop is able to provide merchant customers with the opportunity to take advantage of Asia-Pacific consumers’ appetite for e-commerce. With Computop Paygate integrated with AsiaPay, retailers benefit from the secure payment options that southeast Asian consumers expect and trust.” “We are very honoured to be a strategic partner of Computop,” said Joseph Chan, CEO of AsiaPay. “Our company has more than 16 years of experience in credit card processing and international business service, giving us a solid position as a premier e-Payment player in the region.

Furthermore, we have a keen understanding of merchants’ payment requirements in the fast-paced e-commerce business environment. We believe that a strategic cooperation with Computop can help merchants improve their processing efficiency, thereby contributing to their business growth as well as support their global endeavor,” he added. Founded in 2000, AsiaPay offers secure and cost-effective electronic payment processing solutions and services to banks and e-businesses globally.

The company offers a variety of card payments, online bank transfers, e-wallets and cash payments across over 16 countries, including Hong Kong, China, India, Indonesia, Malaysia, Singapore, Philippines, Taiwan, Thailand and Vietnam.
It is a certified international 3-D secure vendor for VISA, MasterCard, American Express and JCB. Computop Paygate is a PCI-certified omnichannel payment platform that provides retailers with secure payment solutions and efficient fraud prevention for international markets.

Computop integrated AsiaPay into Paygate to offer merchants a wide range of payment methods in the Asia-Pacific region to support their cross-border and global commerce efforts. Payment methods available on Paygate include Alipay, American Express, JCB, Tenpay and WeChat, along with many other widely-accepted payment options that consumers in these countries use.

About Computop
Computop is a leading global payment service provider (PSP) that provides compliant and secure solutions in the fields of e-commerce, POS, m-commerce and Mail Order and Telephone Order (MOTO).

The company, founded in 1997, is headquartered in Bamberg, Germany, with additional independent offices in China, the UK and the U.S.

Computop processes transactions totalling $24 billion per year for its client network of over 14,000 mid-size and large international merchants and global marketplace partners in industries such as retail, travel and gaming.

Global customers include C&A, Fossil, Metro Cash & Carry, Rakuten, Samsung and Swarovski.

Following the recent asset deal with the Otto Group, Computop is now processing payments for merchants that previously used EOS Payment, including all 100 Otto retail brands.
In cooperation with its network of financial and technology partners, which it has expanded over many years, Computop offers a comprehensive multichannel solution that is geared to the needs of today's market and provides merchants with seamlessly integrated payment processes. For further information, please visit www.computop.com.

About AsiaPay
Founded in 2000, AsiaPay, a premier electronic payment solution and technology vendor and payment service provider, strives to bring advanced, secure, integrated and cost-effective electronic payment processing solutions and services to banks, corporate and e-Businesses in the worldwide market, covering international credit card, China UnionPay (CUP) card, debit card and other prepaid card payments. AsiaPay is an accredited payment processor and payment gateway solution vendor for banks, certified IPSP for merchants, certified international 3-D Secure vendor for Visa, MasterCard, American Express and JCB.

AsiaPay offers its variety of award-winning payment solutions that are multi-currency, multi-lingual, multi-card and multi-channel, together with its advanced fraud detection and management solutions. Headquartered in Hong Kong, AsiaPay offers its professional e-Payment solution consultancy and quality local service support across its other 12 offices in Asia including: Thailand, Philippines, Singapore, Malaysia, Mainland China, Taiwan, Vietnam, Indonesia and India.

For more information, please visit www.asiapay.com and www.paydollar.com.

###

For further information, please contact:
Jessica Mularczyk, Ascendant Communications, for Computop in the U.S. Tel: 508-498-9300 E-mail: jmularczyk@ascendcomms.net
Charlotte Hanson, Ascendant Communications, for Computop in the UK Tel: +44 (0) 208 334 8041 E-mail: chanson@ascendcomms.net
Valerie Sanchez, Senior Channel Manager, AsiaPay Tel: (632) 887-2288 E-mail: valerie.sanchez@asiapay.com
Alvin Chan, Associate Director, Sales & Marketing, AsiaPay Tel: +852-2538 8278 E-mail: alvin.chan@asiapay.com

When you can get a seriously full-featured, security-conscious password manager for free, what would entice you to pay? How about even more features, and no limits on existing features? LogMeOnce Password Management Suite Ultimate 5.2 pulls out all the stops, removing limits on the number of shares and beneficiaries, and adding advanced features that include anti-theft and an unusual selfie-based two-factor authentication system. A few quirks in its mobile editions are still being ironed out, but overall, it's a feature-packed password powerhouse.

At $39 per year, LogMeOnce Ultimate costs the same as Dashlane 4.0. Sticky Password goes for $29.99 per year, and LastPass for just $12. But this big, sprawling utility has a ton of features, including some I haven't seen in any competing product.

The free edition doesn't impose any limits on the number of saved passwords, or of synced devices. If you're interested in the product but not sure if you want to pay for it, go ahead and install the free edition, and familiarize yourself with its impressive capabilities. You can upgrade to Ultimate any time the free edition's limits begin to chafe.

Shared Features

The free LogMeOnce Password Management Suite Premium 5.2 is loaded with features, enough that it outperforms many competing products that aren't free. I'll summarize its capabilities here, or you can read my full review of the free edition for more details.

LogMeOnce runs strictly as a browser extension, so it's not limited to a specific platform. If your browser supports extensions, you can use it on Windows, macOS, or even Linux. There are also apps for Android and iOS.

Just about every password manager starts off by asking you to define a strong master password, something that you can remember but that nobody could guess. LogMeOnce now offers password-less authentication as its default. To set this up, you pair your smartphone or mobile device with your LogMeOnce account. Now when you log in on your desktop, you verify when prompted on the mobile device, using a PIN, a fingerprint, or what the company calls PhotoLogin.

Those who've upgraded to Ultimate get more information along with the request for PIN, fingerprint, or PhotoLogin. Swipe left to see the requester's email address, GPS location, IP address, and more, or swipe right to view the location on a map. If you get an unexpected login request, this data may help you figure out who's trolling you.

For PhotoLogin, LogMeOnce snaps a photo with the webcam and sends it to the device. You simply verify that the photo is what you expected. If the computer has no webcam, you can compare a visual one-time password that's sent along with the photo. It's also possible to use PhotoLogin on the mobile device itself, but this isn't quite as secure. It involves you verifying that you are seeing the photo you just snapped; it's a bit self-referential. When I mentioned this to the developers, they quickly modified on-device PhotoLogin to also require entering a PIN.

The free edition captures logins (which it calls applications) as you enter them, and offers to play back your saved credentials when you revisit the site. It also includes a catalog of almost 4,500 known websites. Choose one of these and you can be sure that LogMeOnce will handle it, even if it uses a non-standard login page. However, if you somehow manage to find an oddball login that's not in the catalog, you can't just capture all form fields the way you do with LastPass or Sticky Password Premium. Clicking the browser toolbar button displays all your saved websites. Clicking one of them navigates to the site and logs in.

The password generator defaults to creating 15-character passwords, using all character sets, which yields a very tough password. It also rates any password you type, estimating how long it would take to crack. By default, you must change your master password every three months, without re-using previous passwords. Those using Ultimate can change the password expiry time, in a range from one month to one year.

You can use Google Authenticator, or a workalike such as Duo Mobile or Twilio Authy, for two-factor authentication. Other options in the free edition include receiving a one-time passcode via email, SMS, or voice call. In an unusual move, LogMeOnce charges two credits for each SMS authentication and four credits for each voice call. Those using Ultimate get an allowance of 50 credits per month, with the option to purchase more, $10 for 1,000 credits. I'll cover the Ultimate edition's additional two-factor options below.

An interesting feature called Mugshot gives you a look at anyone who tries to log in on a lost or stolen phone. On any failed login attempt, it snaps photos with the front and rear cameras and sends them to your online dashboard, along with the device's GPS location and IP address. Using this information, you may be able to locate and recover the device. Upgrading to Ultimate gets you a more complete anti-theft system.

LogMeOnce stores personal, address, phone, and company data, for use in filling Web forms. You can save multiple instances of each data type. New since my last review, it also saves and fills credit card data. Like Dashlane, it helpfully displays the saved cards as images, using the color and bank name you specified. It doesn't have the flexibility of form-filling whiz RoboForm Everywhere 7, but it does the job.

Like LastPass and Dashlane, LogMeOnce can display a list of all your passwords, with a strength rating for each, and a flag for any duplicates. In addition, its report page offers several other views on your security, some of which aren't functional in the free edition. If you find you've got weak or duplicate passwords, just click the link next to each one to go change it. For many popular websites, LogMeOnce can even automate the password change process, something few competing products manage.

LogMeOnce includes the ability to securely share passwords with other users. You can choose whether the recipient gets to see the shared password, or just to use it for logging in. There's also an option to define a beneficiary who will receive either your whole account or a specific password in the event of your death. The free edition allows one whole-account beneficiary, five password beneficiaries, and five shared passwords. In the Ultimate edition, there are no such limits.

A productivity dock along the bottom of the screen displays a baker's dozen of live icons that expand when you mouse over them. You can use these icons to quickly reach important features like mugshot or security scorecard. That is, you can if you've paid for the product. Those using the free edition just get a reminder that the productivity dock is only for paid users.

Selfie Two-Factor Authentication

Upgrading to Ultimate unlocks several additional options for two-factor authentication, the most unusual of which is Selfie-2FA. It works like this. You log in to the browser extension, either with the default password-less authentication or a master password. LogMeOnce snaps a webcam photo and sends it to the mobile device you've specified for Selfie-2FA. If the received photo matches what you expected, you simply tap to authorize. MasterCard is exploring a similar type of selfie-based authentication.

What if you're using a desktop device with no webcam? In this case, LogMeOnce sends a generic image with a visual one-time password at the bottom. If the OTP on your mobile device matches the one on your browser, you simply tap to authorize. It's less tech-sexy than using a selfie, but it totally works.

My LogMeOnce contact pointed out that you can make it even harder for an attacker to beat this system by being unpredictable. Just keep changing which of your devices is the one authorized to respond to Selfie-2FA.

Those who've paid for the program can prepare a USB flash drive for use as a physical second authentication factor. There's also an option to add an X.509 Certificate as an authentication factor, but this is more logical in a business setting.

You can enable as many of the two-factor options as you wish, and log in using whichever is logical at the time. For example, if you're logging in on a mobile device with no socket for your USB authentication key, you could opt to receive a code via SMS or email, or get a code from Google Authenticator. True Key by Intel Security also offers multiple authentication options, but goes further by letting you require more than just two of them for authentication.

Device Management and Anti-Theft

The free edition receives the GPS location of any failed login attempt, but the paid edition lets you check device location whenever you like. The Device Map page in the Security section displays the location of all your registered devices. Clicking on a device gets you more information, along with a button that remotely logs out of any active LogMeOnce session on the device.

The separate Device Management page lists all the devices you've configured for use with LogMeOnce. If you've lost or replaced a device, you can remove it from the list, thereby disconnecting it from your account. You can flip a switch to define whether each mobile device can accept password-less login requests.

When you select a device from the list, other actions become available. You can send a request to locate a mobile device. A Details tab displays a huge amount of information for iOS devices, quite a bit less for Android devices. However, for Android devices only, you can view a list of installed apps.

The Commands tab appears for both Android and iOS devices, but the available commands differ. You can remotely cause an Android smartphone to ring at top volume, handy in case you've simply misplaced it, and you can lock it remotely using the system lockscreen. You can even change the lockscreen password remotely before locking it down.

On both Android and iOS, you can send a message, perhaps something like, "I've seen your mugshot, phone thief, and I'm coming for you!" But don't get too excited about this feature. Unless you've enabled viewing notifications on the device's lockscreen, the only way a phone thief could read the message would be by logging in to LogMeOnce, which shouldn't be possible.

That brings me to the final command, available on iOS and Android, the Kill-Pill. This dramatically named feature simply wipes all personal LogMeOnce data. I sent the Kill-Pill command to my Apple iPad Air and watched as LogMeOnce reverted to the initial setup screen, with no sign of my email address or any other configuration data. Oddly, sending the same command to my Nexus 9 never worked; it timed out repeatedly in my testing. My company contact confirmed that while the feature works on most Android devices, it doesn't yet work on a Nexus 9. Gotta love Android fragmentation!

Using a trusted mobile device as part of the authentication process is becoming more and more common. Like LogMeOnce in password-less mode, oneID skips the master password in favor of device-based authentication. You can configure True Key to use other forms of authentication, including a trusted device, in place of a master password. But LogMeOnce is the only product I've seen that adds anti-theft features to protect the security of that trusted device. It's a smart move.

Enhanced Reporting

Even the free edition of LogMeOnce lists all your passwords ordered by strength, rates your total security status, and displays what it calls a hybrid identity score. If you've paid, you also get an overall password strength rating, with a breakdown of statistics such as the number of passwords of at least 15 characters, and the number that contain at least one of each character type.

The Live PasswordTracker chart is another paid-only feature. It takes two weeks to get a baseline for reporting, so I didn't see its full capabilities. For starters, it charts a solid line that's your overall password strength each day. If you're using the product correctly, that line should only go up. It also charts what the company calls a heartbeat line. Solid line segments represent days that you used LogMeOnce, dotted segments days that you did not. The line's height above the axis is based on the strength of the passwords you used on that day. The purpose of the chart is to encourage you in proper password hygiene, replacing weak passwords with strong ones and always relying on the password manager to keep track.

A Few Oddities

In testing the free edition, I glossed over the few little quirks I ran into, given the fantastic features that you get for free. Running into those same quirks—and a few new ones—in the paid edition, I'm slightly less forgiving.

LogMeOnce is a work in progress, in a good way. While working on this review, I confused the PhotoLogin feature with what was then called Photo-2FA. Overnight, the developers renamed it to Selfie-2FA, to avoid confusion. Because I mused about the possibility of an unauthorized person picking up a phone that was left unlocked, they changed the local-only PhotoLogin to also require PIN entry. This is an agile team, indeed.

On the other hand, I also ran into some oddities that aren't yet fixed. I couldn't make the Kill-Pill personal data erasure work on my Android device. To use Selfie-2FA from my all-in-one desktop PC, I had to crank the webcam brightness to the max, so high that Skype images appeared washed out. On an iPad, the iOS edition runs in the dated 2x mode, just a blown-up version of the iPhone edition. And even though a paid account should be ad-free, the "Go ad-free" link still appears, and I saw ads on some mobile screens. Pending updates for the Android and iOS apps should fix at least some of these oddities. Overall, though, this utility's breadth of features and its inclusion of innovative, security-focused features overshadows these few quirks.

Passwords Plus

LogMeOnce Password Management Suite Ultimate takes the vast feature set of the free LogMeOnce password manager and kicks it up to the next level. I haven't seen another product offering selfie-based two-factor authentication, or a built-in anti-theft system. It lacks the ability to manage passwords for applications, but it checks just about every other box. On the flip side, you get almost all of these features in the free edition, and for some the vast array of features may prove off-putting.

LastPass Premium comes the closest to matching LogMeOnce's breadth of functionality, though with the latest edition LogMeOnce has taken a significant lead. For those who are more into simplicity and ease than a prodigious number of features, Dashlane 4 does everything you could want, with flair. LogMeOnce joins these two as an Editors' Choice for commercial password managers.


[Figure: A website bot as it distributes CVV guesses over multiple sites. Credit: Ali, et al.]

Thieves can guess your secret Visa payment card data in as little as six seconds, according to researchers in the UK.

Bad actors can use browser bots to distribute guesses across hundreds of legitimate online merchants. The attack starts out with a card's 16-digit number, which can be obtained in a variety of ways.

Attackers can buy numbers on black-market websites, often for less than $1 apiece, or use a smartphone equipped with a near-field communication reader to skim them.

The numbers can also be inferred by combining your first six digits—which are based on the card brand, issuing bank, and card type—with a verification formula known as the Luhn Algorithm. Once an attacker has a valid 16-digit number, four seconds is all they need to learn the expiration date and the three-digit card-verification value that most sites use to verify the validity of a credit card.

Even when sites go a step further by adding the card holder's billing address to the process, the technique can correctly guess the information in about six seconds. The technique relies on Web bots that spread random guesses across almost 400 e-commerce sites that accept credit card payments. Of those, 26 sites use only two fields to verify cards, while an additional 291 sites use three fields.

Because different sites rely on different fields, the bots are able to enter intelligent guesses into the user field of multiple sites until the bots hit on the right ones. Once the correct expiration date is obtained for a given card—typically banks issue cards that are valid for up to 60 months—the bots use a similar process to obtain the CVV number.
In other cases, when sites allow the bots to obtain the CVV first—a process that can never require more than 1,000 guesses—the bots then work to obtain the expiration date and, if required, the billing address.

"We came to an important observation that the difference in security solutions of various websites introduces a practically exploitable vulnerability in the overall payment system," researchers from Newcastle University in the UK wrote in a research paper titled Does the Online Card Payment Landscape Unwittingly Facilitate Fraud? "An attacker can exploit these differences to build a distributed guessing attack which generates usable card payment details (card number, expiry date, card verification value, and postal address) one field at a time."

The researchers continued: "Each generated field can be used in succession to generate the next field by using a different merchant's website. Moreover, if individual merchants were trying to improve their security by adding more payment fields to be verified on their site, they potentially inadvertently weaken the whole system by creating an opportunity to guess the value of another field, as explained later in the article."

In an effort to make online purchases as easy as possible, many websites allow prospective customers to make as many as 50, and in some cases an unlimited number, of incorrect guesses.

Even in cases where the number is lower, the bots can still succeed by spreading the guesses over a large number of sites.
Surprisingly, Visa—the world's biggest payment card service—didn't employ any system-wide mechanism for detecting the mass guessing attack.

The Newcastle University researchers said that Visa competitor MasterCard, on the other hand, did detect the distributed mass guesses and shut down the attacks before they could succeed. One of the tasks the bots carried out was to create a fake account that could charge a credit card belonging to the researchers and transfer the balance to a contact in India. The researchers wrote: Within minutes, we received a confirmation e-mail for the order made, and our contact confirmed the pick-up of the money.

The time it took from the process of creating an account to collecting the money at the destination was only 27 minutes, which is short enough to avoid the bank reversing the payment. The researchers said they contacted the 40 biggest websites used in the guessing attack to notify them of the findings.

As a result, some sites have already changed some of their verification procedures. While that's a good start, a better solution would be for Visa to implement the type of Internet-wide alert system used by MasterCard and for online merchants to standardize the verification process. The findings provide another good reason for people to closely scrutinize credit card bills each month for fraudulent purchases.
It's also a good idea to use a single non-Visa credit card for all online purchases and to keep the spending limit on that card as low as possible.
Academics at Newcastle University have proven that an attacker in possession of a minimal amount of existing information can, in an automated way, guess payment card data by exploiting weaknesses in online payment processes. The issue lies in the fact that the global payment system lacks a centralized mechanism for monitoring invalid payment attempts across multiple websites. Using a purpose-built bot, an attacker can try multiple guesses on different websites until they land on all the necessary information without triggering a warning. The attack works only against Visa’s payment ecosystem, the researchers said, adding that their experiments against 400 of the top-rated Alexa websites, including PayPal and Amazon, rendered card numbers, expiration dates, CVV numbers and additional data in a matter of seconds. The attack scales and is practical, the researchers caution.

The vulnerabilities and research were disclosed in advance to Visa and a number of the affected top websites, some of which have mitigated the attack.
Visa said that the paper “Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?” does not take into account its fraud prevention systems that protect against such attacks. Mohammed Aamir Ali, one of the report’s coauthors, said that the research does indeed demonstrate how advanced attackers could exploit Visa’s multiple layers of fraud protection. “This is about trying to stay one step ahead of the criminals, pushing the system, finding the flaws and learning from that,” Ali said.

Ali and his coauthors Budi Arief, Martin Emms and Aad van Moorsel advocate for a centralized system of security checks across transactions to be implemented to prevent what the paper describes as a distributed guessing attack. “This attack subverts the payment functionality from its intended purpose of validating card details, into helping the attackers to generate all security data fields required to make online transactions,” the researchers wrote. “We will show that this attack would not be practical if all payment sites performed the same security checks.”

It has been reported as well that the attack against Tesco, a U.K. retail bank, in which 20,000 account holders reported missing money, may have been carried out using this distributed guessing attack. “We don’t have enough evidence to support this claim,” Ali told Threatpost.

The research was carried out against Visa and MasterCard; MasterCard has a centralized network that detects such guessing attacks after 10 tries, even if the 10 guesses are distributed across a number of sites. Visa does not have such checks, the researchers wrote. “Attackers can just start with a laptop connected to the internet,” Ali said. “As a starting point, they will need the first six digits, also called the Bank Identification Number (BIN) of a bank, which is publicly available through the internet.”

The paper points out that there are two weaknesses being exploited here, and standing alone, each is relatively benign. Used together, however, the researchers believe they are a risk to the entire global payment system. Payment systems, the researchers wrote, often do not detect invalid payment requests on the same card from different websites. “Effectively, this implies that practically unlimited guesses can be made by distributing the guesses over many websites, even if individual websites limit the number of attempts,” the researchers wrote. The second weakness enables the attack to scale.

Different websites, for example, provide for different fields where card information can be entered; some merchants require a primary account number, expiration date, CVV number and address, while others require less information. “Starting with a valid card number (PAN), to guess the expiry date an attacker can utilize several merchants’ websites that check only two fields: the card number and the expiry date,” the researchers wrote. “Once the expiry date is known, the attacker can use it along with the card number to guess the CVV2 information using another set of websites that check 3 fields (the card number, the expiry date, and the CVV2).” The researchers built a bot and used automated scripts written in the Java Selenium browser automation framework to automate the guessing of card information across numerous sites.

The group’s experiments were run on Firefox and the bot did the heavy lifting of inputting and guessing values for each field.
The researchers said that a CVV number can be obtained in fewer than 1,000 guesses, and the expiration date in 60 tries. “If all merchants would use three fields and ask for expiry date as well as CVV2, then it may take as many as 60 x 1,000 = 60,000 attempts,” the researchers wrote. “The difference between 1,060 and 60,000 is the difference between a quick and practical attack, and a tedious, close to impractical attack.” The researchers notified Visa and 36 of the top websites affected by the weaknesses. Within four weeks, they had received 20 responses from people requesting more details, while the rest were automated responses.

Eight of the 36 websites patched the weakness by either adding delay or velocity filters, or CAPTCHAs, for example.

Twenty-eight of the notified websites have yet to mitigate the issue. The researchers meanwhile suggest industry-wide changes such as merchants standardizing on the same payment interface, which would reduce the scale of the attack, or centralization, in which payment gateways or card payment networks have a full view of payment attempts on their networks. “Neither standardization nor centralization naturally fit the flexibility and freedom of choice one associates with the Internet or successful commercial activity, but they will provide the required protection,” the researchers wrote. “It is up to the various stakeholders to determine the case for and timing of such solutions.”
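The centralization argument above comes down to who can count. As an added example (not code from the paper or from either network), the sketch below runs a constructed authorization log through two velocity checks: the per-merchant view each website has on its own, and a network-wide view that counts declines per card across all merchants, using the 10-try threshold the article attributes to MasterCard.

```python
from collections import defaultdict, deque

# Constructed sample of card-not-present authorization attempts as a payment
# network would see them: (time_s, merchant, pan_token, outcome).
# pan_token stands in for a tokenised card number; every value is made up.
SAMPLE_LOG = [
    # A legitimate cardholder mistypes twice at one shop, then succeeds.
    (10, "shop-01", "tok-LEGIT", "declined"),
    (25, "shop-01", "tok-LEGIT", "declined"),
    (40, "shop-01", "tok-LEGIT", "approved"),
] + [
    # Distributed guessing: one card, one or two declines at each of 12 shops,
    # never tripping a per-merchant limit but 14 declines network-wide.
    (100 + 30 * i, f"shop-{i:02d}", "tok-GUESS", "declined") for i in range(1, 13)
] + [
    (500, "shop-03", "tok-GUESS", "declined"),
    (520, "shop-07", "tok-GUESS", "declined"),
]


def per_merchant_alerts(log, limit=5):
    """What each website can see on its own: declines per (merchant, card).
    Returns the (merchant, card) pairs that reached the per-site limit."""
    counts = defaultdict(int)
    for _, merchant, pan, outcome in log:
        if outcome == "declined":
            counts[(merchant, pan)] += 1
    return {key for key, n in counts.items() if n >= limit}


def centralized_alerts(log, limit=10, window_s=3600):
    """What a network with a full view can see: declines per card across all
    merchants inside a sliding time window. A card is flagged once its
    decline count in the window reaches `limit`."""
    recent = defaultdict(deque)  # pan -> timestamps of declines in the window
    flagged = set()
    for t, _, pan, outcome in sorted(log):
        if outcome != "declined":
            continue
        window = recent[pan]
        window.append(t)
        while window and t - window[0] > window_s:
            window.popleft()  # drop declines that fell out of the window
        if len(window) >= limit:
            flagged.add(pan)
    return flagged
```

With the sample log, the per-merchant check raises nothing because no single site sees more than two declines, while the centralized check flags the guessed card on its tenth decline.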
Brit researchers find a way to figure out VISA card numbers just by going shopping

Fraudsters can guess credit card numbers in as little as six seconds per attempt thanks to security gaps in Visa's network, academics say. The brute force attacks allow criminals to bombard Visa with card payment requests across multiple sites, with each attempt narrowing the possible combinations until a valid card number and expiry date are determined. Visa, unlike rival Mastercard, does not detect the flood of requests as unusual, the researchers say.

The attacks, handy for criminals with only partial breach records of personal information, work against the Alexa Top 400 online merchant sites, according to findings in the paper Does The Online Card Payment Landscape Unwittingly Facilitate Fraud? [PDF] written by Newcastle University's Mohammed Aamir Ali, Dr Leonardus Arief, Dr Martin Emms, and professor Aad van Moorsel.

"We investigated the Alexa top-400 online merchants’ payment sites, and realised that the current landscape facilitates a distributed guessing attack," the authors say. "This attack subverts the payment functionality from its intended purpose of validating card details, into helping the attackers to generate all security data fields required to make online transactions. "... different websites present different sets of fields to identify the cardholder … [this disparity] inadvertently creates conditions for a scalable distributed guessing attack."

Attacks exploit the differences in authorisation proofs under which some sites accept expiry dates while others require criteria like street addresses. Some 78 per cent (303 sites) of the affected merchants did nothing when the team disclosed the attack. It is unknown why no action was taken.

[Figure: Attack flow]

A handful of sites quickly updated their sites to use more secure mechanisms, while a few implemented updates that made their checkouts even less secure. Critically, the attacks rely on card-not-present fraud, in which merchants do not require the three-digit CVV number found on cards' rear faces to authorise a transaction. Fraud of this sort is increasingly uncommon in countries with advanced anti-fraud technology, with Australia's established chip-and-PIN and advanced payment systems making it one of the tougher targets. Those seeking credit cards to abuse illegally would probably be better off buying batches of cheap plastic from established fraud sites like Rescator.cm, which serve as the monetisation mechanism for large scale breaches. The researchers say all merchants should use standard payment authorisation fields to knock out the ability for the attacks to scale.