信用卡容易受到暴力破解攻击。

信用卡容易受到暴力破解攻击。
Credit cards are vulnerable to brute force kind attacks

原始链接: https://metin.nextc.org/posts/Credit_Cards_Are_Vulnerable_To_Brute_Force_Kind_Attacks.html

## PCI DSS 与信用卡安全：个人经历行业标准如 PCI DSS 旨在通过在用户界面和收据上屏蔽敏感信息来保护信用卡数据（仅显示卡号前六位和后四位，以及有效期）。然而，最近的个人经历表明，这些措施提供了一种虚假的安全性。尽管使用了带有双因素身份验证的虚拟卡，作者的账户仍然被攻破，攻击者利用了部分可见的卡数据——屏蔽的卡号（PAN）和有效期——尝试进行未经授权的购买。他们利用了支付系统中的漏洞，包括来自支付网关的有用错误信息，这些信息有助于暴力破解缺失的 CVV。攻击者通过电子钱包成功提取了资金，展示了一条复杂且难以追踪的流程。虽然作者获得了退款，但该事件凸显了即使是屏蔽的数据也可能被轻易利用，尤其是在免除 3D Secure 验证的商家那里。作者发现，支付行业内的许多人对这种漏洞并不感到惊讶，他们承认尽管符合 PCI DSS 标准，但仍然存在系统性弱点。该事件强调了超越最低标准、提高对即使是部分暴露的卡信息相关风险的认识的必要性。

## 信用卡漏洞与安全问题一篇近期文章强调了信用卡容易受到暴力破解攻击，引发了 Hacker News 的讨论。核心问题似乎是密码泄露导致欺诈性收费，而商家未使用 3D Secure 身份验证则加剧了这一问题。用户建议通过使用专门用于在线购物的单独信用卡并限制其可用资金来降低风险。虽然信用卡提供欺诈保护和退款选项，但一些用户报告称，借记卡欺诈解决的体验不一致。对话还深入探讨了系统性问题，有人猜测整个信用卡系统可能已被攻破。一些人认为，美国国家安全局本可以在在线商务的早期阶段使用公钥密码学实施更安全的系统，但故意没有这样做。最后，Amex 在其应用程序中引入动态变化的 CVV2 代码，被认为是对此类漏洞的回应。

原文

These days, storing and showing what's visible on UI's and receipts are highly standardized and regulated by the industry standards such as PCI DSS. And even when you save your card on an ecommerce website, which strictly follows the PCI DSS, your card can still be stolen - or derived. As it happened to me.

PCI DSS is the widely known and implemented industry standard for defining bare-minimum security measures that should be taken when handling sensitive banking data such as credit cards. It's the layer of security to available data when an account is breached, or somehow the credit card data is taken by a third party, it ensures the data is not fully available to the attacker, by restricting storage of some data by the entities, limiting the digits visible on the UI's, receipts, logs and anywhere else by masking.


+------------------------------------+
|                                    |
|  1234 56** **** 7890               |
|                                    |
|  VALID THRU                        |
|  08/29                             |
|                                    |
|  METIN OZYILDIRIM                  |
+------------------------------------+

My credit card, as what's visible on a saved card on an ecommerce website.

What you can actually show with PCI-DSS 4

Primary Account Number (PAN) - PAN is masked when displayed. The BIN and Last 4 digits can be displayed
Cardholder Name - As is
Service Code - As is
Expiration Date - As is

What you can't show

Full Track Data
Card verification code
PIN/PIN Block

As said, it's the minimums that the industry should've taken into consideration when designing their flows. But in practice, because of the nature of certification and the required amount of tests to get certified makes companies to implement only bare minimums as described in the standards. And when they are informed about the vulnerabilities their behaviors cause, they don't want to change as they already deemed enough for the certification process.

As a consumer, I thought I was safe; when saving my credit card to a billion dollar valued european merchant, or when i purchase something from supermarket and ignore the receipt, but the reality is slightly different from that.

Story Time

I have a virtual credit card with limits, 2FA (3d Secure) enabled, and only saved and used in very well known merchants. But i got an SMS, with a purchase attempt from a website i saved my card to. You know, it happens a lot when you use the same password for everywhere, which is not the case for me anymore but that was an account that i set up long ago, that is my fault. But upon getting the SMS, I immediately logged in, changed passwords, checked if something bought, significantly reduced limits of my virtual card. Not completely disabled my card, because, it's not compromised?

Or, i thought so. Later that day, around 6 hours later than the initial breach, I suddenly got 3-4 3D Secure SMS attempts from different merchants, that i didn't use. All unsuccessful attempts, but the data from here is valuable for understanding how it happened.

After couple of minutes, while i'm on a call with my bank to disable that card completely, they used another merchant, without 3D Secure; this time withdrawing all available limit (which i reduced) with multiple payments. This time the money is withdrawn to a e-wallet of a market, which allows you to withdraw the amount in cash from that market.

Honestly I'm impressed, this is a well designed pipeline, with more untraceability than i expected. At the end, after my chargeback request, i got the money back from my bank. But what exactly happened?

How did they do it?

The attackers breached my account, I know that part. But what did they got in the couple minutes before i react. They tried a purchase, seeing the banks 3D Secure page, cancelled the order and left. How it's enough to do a purchase from another merchant.

The data they took with the attempt of purchase is the card is still usable (not cancelled), the bank name (from the 3D secure page), my masked credit card number and the full expiration date. Normally for a purchase to complete from my card seamlessly, they should have the full PAN number (16 digit one), the expiration date, the CVC2 number, my phone used for 3D Secure etc. They don't have all of these details, or i thought so.

The PAN Number

A payment card number, primary account number (PAN), is the card identifier found on payment cards, such as credit cards and debit cards, as well as stored-value cards, gift cards and other similar cards. In some situations the card number is referred to as a bank card number. [wikipedia]

PANs have a certain level of internal structure and share a common numbering scheme set by ISO/IEC 7812. The parts of the number are as follows:

a six or eight-digit Issuer Identification Number (IIN)
a variable length (up to 12 digits) individual account identifier
a single check digit calculated using the Luhn algorithm

And the PCI DSS says the first 6 digits and last 4 digits can be safely shown along with the expiration date, as the first six digits are not sensitive, and last four to discriminate. But then what's remaining? My card has 16 digits, first six are known, last four are known and 1 out of 10 numbers can be a valid credit card because of the checksum. Thats 99.999 possible credit card numbers.

But my card and bank doesn't allow merchants to proceed with payments using only the credit card number, they should at least use PAN, Expiration date and the CVV altogether. Some banks and payment gateways can process payments only using a credit card number, that's another unbelievable point for me. My bank rejects the payments without these required values, but you know what, it also tells you which part of the data was faulty. The response codes from payment gateways, are something like that

That's not a valid credit card
That card is expired
You got all the details right but CVV is not correct

The fuck? It literally helps you to brute force it. And you only need to brute force 99k numbers first, then another 999 times for the CVV with some slow rate for the second phase and you got the card from masked PAN number. The attackers in my case did it in 6 hours, using multiple endpoints stolen from multiple merchants that provide credit card validation. Similar to the validation that tries to charge 1 USD from your card to validate your account and payment details. They got these API's ripped from register flows of some unrelated e-commerce applications.

So in practice, the attackers tested at rate of 6 request per second (around 2 request per second per API). That rate is very hard to spot from the merchants perspective, as the source ip's are changing via proxies, the credit card numbers are not same as the nature of the brute forcing and the very small rate of requests.

And it turns out there's also a list of merchants who are exempt from 3D Secure stuff. So they are deemed friendly by the bank, and can take payments and subscriptions without 3D Secure, which in turn they get the liability in case of chargebacks.

It was my fault to use unsafe passwords, but the PCI DSS is not only for e-commerce, it also standardizes the information to disclose on physical receipts. It happened to me because of a breached account and it can happen to you because you throw a receipt to a bin without destroying it.

image showing a receipt that shows first 6 and last 4 digits of the credit card. — A receipt, that i used to ignore. Depicting quite generous amount of data.

What happened next?

I got the money back via chargeback in short time.

I talked to the merchant about how their credit card to cash system is used withdraw money from my credit card without my authorization, they didn't care. Instead asked me to contact my bank.

I contacted the e commerce website in question about how exposing 10 letters of credit card along with the expiration date makes it easier. They didn't accept it as an vulnerability, instead they said they designed it intentionally to match the standard (PCI DSS 3 and 4).

Then i got curious and explained the situation to people that write payment API's and work in the payments industry, they didn't even got surprised; instead they told me there are merchants that can do transactions even without expiration date. It seems like to me, everybody knows it. The people creating gateways, the engineers, the hackers.

This happened last year, and since then the party that converts payments from credit cards to cast, is no longer doing that without 3d secure. My bank still has a generous rate limit for brute forcing CVC2 that temporarily blocks use of that card for like couple of minutes.

References

Wikipedia - PAN
PCI DSS v4.0.1
Pavel, my payments engineer friend