The ways in which scammers and hackers work to obtain personal credit card information are numerous, and they are constantly developing and refining techniques for obtaining payment card data. One of these is a technique called “Distributed Guessing,” in which an attacker who already holds part of the data from a payment card can obtain the remaining fields. Generally, three data fields from a card are the minimum required for a payment to be verified and processed: the card number, the expiration date, and the CVV code. An attacker possessing one of these, usually the card number, can obtain the other fields using distributed guessing.
What is “Distributed Guessing”?
Distributed guessing is essentially when the attacker, starting from one piece of the card information, sends out a barrage of variations of the card details in payment attempts until the full card information is found. They do not even necessarily need the entire card number. For example, they could have only the first six digits, which identify the issuing bank and card type and are identical for all cards from a single issuer. Using this method, they have an almost unlimited number of guesses at the rest of the card information.
The way in which partial card information is obtained can vary: skimmers, card number lists sold online, or simply knowing the bank and card type digits. Beginning with one partial piece of information, a bot program can throw a barrage of payment attempts at different websites to find the rest of the card data by process of elimination. It is suspected that this may have been the method used in the Tesco Bank hack.
How Distributed Guessing Exploits Security
Distributed guessing is unfortunately a type of exploit that can bypass several different points of security, simply because it is not a hack, malicious virus or piece of software infiltrating a single system. It slips under the radar in the guise of day-to-day operations. It combines two different weaknesses which, standing alone, are not issues. The first is that online payment systems often do not detect multiple invalid payment requests for the same card when those requests arrive from different websites; by spreading attempts across several websites, the attacker therefore gets essentially unlimited guesses. The second is that different websites require different combinations of card data fields for validation. Together, these two allow the attacker to build up the data field by field and piece it together into the full card data. A multitude of websites all being used simultaneously for attempts can return the full card information within a matter of seconds.
The varying fraud protection between card networks also plays a role. Visa tends to be the most affected by this issue, whereas the same exploitation, when attempted against MasterCard cards, did not work as it did with Visa: the fraudulent invalid attempts were detected in fewer than ten attempts and stopped. A solution to this exploitation would be the centralization and standardization of the card data requirements of websites. A centralized system would allow an assault of invalid attempts on a single card to be recognized quickly: whenever a purchase is attempted on any website, a centralized check is performed, which can curb multiple attempts spread across several websites. MasterCard has this type of centralized system in place, whereas Visa does not, which is why Visa cards are much more vulnerable to this type of attack even with other layers of security in place.
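As an added illustration (not code from the original article), the following Python contrasts the siloed check that lets distributed guessing through with the centralized check the text describes: both count declined authorizations within a sliding window, but the siloed check keys on (merchant, card) while the centralized one keys on the card alone. The authorization log, merchant names, card references and the threshold of ten are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed sliding window for counting declines
THRESHOLD = 10                  # assumed: alert once ten declines land in the window


def build_sample():
    """Constructed authorization log as a central network would see it.
    One card reference is probed 3 times at each of 4 merchants within 40 s
    (the distributed pattern), plus a legitimate shopper who mistypes twice
    at one shop and then succeeds. Card references are tokens, not real PANs."""
    base = datetime(2016, 11, 5, 10, 0, 0)
    attempts = [(base + timedelta(seconds=3 * i), f"shop-{i % 4}", "card-123", "DECLINED")
                for i in range(12)]
    attempts += [
        (base + timedelta(seconds=5), "shop-9", "card-456", "DECLINED"),
        (base + timedelta(seconds=20), "shop-9", "card-456", "DECLINED"),
        (base + timedelta(seconds=40), "shop-9", "card-456", "APPROVED"),
    ]
    return attempts


def _velocity_alerts(attempts, key, threshold, window):
    """Generic sliding-window counter: returns the set of card references whose
    declines, grouped by `key`, reached `threshold` inside `window`."""
    recent = defaultdict(deque)  # key -> timestamps of recent declines
    alerted = set()
    for ts, merchant, card, result in sorted(attempts):
        if result != "DECLINED":
            continue
        q = recent[key(merchant, card)]
        q.append(ts)
        while q and ts - q[0] > window:   # drop declines older than the window
            q.popleft()
        if len(q) >= threshold:
            alerted.add(card)
    return alerted


def per_merchant_alerts(attempts, threshold=THRESHOLD, window=WINDOW):
    """Siloed check: each merchant counts only the declines it saw itself."""
    return _velocity_alerts(attempts, lambda m, c: (m, c), threshold, window)


def centralized_alerts(attempts, threshold=THRESHOLD, window=WINDOW):
    """Centralized check: declines for a card are pooled across all merchants."""
    return _velocity_alerts(attempts, lambda m, c: c, threshold, window)


if __name__ == "__main__":
    log = build_sample()
    print("siloed:", per_merchant_alerts(log))       # set(): 3 declines per shop is below 10
    print("centralized:", centralized_alerts(log))   # {'card-123'}: 10th decline arrives at 27 s
```

With the same log, the siloed view never trips because no single merchant sees more than three declines, while the pooled view flags the probed card on its tenth decline, well before the attacker has exhausted the field being guessed.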