This blog doesn't mention the most critical part
Settlement, the part where the bank agrees to transfer money from your account (in this case increasing your debt on the card) to the merchant, is completely separate from Authorization.
Authorization is the modern EMV ("Chip and PIN") authentication, the CVV stuff for online, and any other mechanism by which the bank protects itself from your fraud and, maybe, as an afterthought protects merchants.
The network is completely OK with Amazon saying here's a card number, we say they're paying us $400. That's just a settlement, goes on your bill. No sophisticated cryptography, nothing even as clever as a 4 digit PIN, or remembering your mother's maiden name, just OK, we trust you. Which means you, as a consumer, need to read your credit card bills and dispute anything you don't recognise or you'll pay.
There is very little incentive for the networks to care if you get ripped off. If you don't dispute it then everybody is happy, and if you do they just claw it back from the merchant and it's not their problem.
Payment processors don't allow simply brute-forcing all card numbers (a.k.a. card enumeration or card testing) [1][2], and card schemes penalise merchants and payment processors heavily if they don't take measures against it [3].
1) https://stripe.com/newsroom/news/card-testing-surge
2) https://stripe.com/blog/the-ml-flywheel-how-we-continually-i...
3) https://docs.stripe.com/disputes/monitoring-programs#enumera...
> As a consumer, I thought I was safe; when saving my credit card to a billion-dollar-valued European merchant, or when I purchase something from a supermarket and ignore the receipt, but the reality is slightly different from that.
> I got the money back via chargeback in short time.
So as evidenced, you are protected by the fraud infrastructure. The bank ate the loss for the fraud and you were made whole. In the end, the banking system cares about fraud loss. And they are exceptionally good at finding the fraud. Making changes to the card payment system is extremely difficult, due to the vast scale of the systems, so without a very good justification that a particular change will move the needle on fraud rates, the banks will opt to not make the changes.
If 3D Secure was mandatory everywhere that would help a lot, but if I understand correctly, it’s not really used in the US and with them being so big, card issuers are largely forced to allow non-3D Secure requests or their clients will be unable to use their cards for too many things.
So an enormously good anti-fraud mechanism is severely handicapped.
It’s really frustrating for most of the rest of the world.
I don’t get it, do US citizens prefer being defrauded over what is perceived as a slight inconvenience?
Even for non-victims of fraud, they still pay for the fraud as all merchants up the prices of their goods to cover fraud costs/insurance.
I once had a person that was hired by my company and then started bragging about finding a way to add stored value to gift cards. Then come to find out they were under investigation by the FBI. This was a government contractor mind you, so the biggest security guard I’ve ever seen showed up to escort them out.
People should have a separate card for online payments and have just enough money on it for a payment.
I know that I am naïve :)
Back to the article: the weak point was a password that led to another merchant not using 3D Secure.
It seems from the article that bad actors have a fully automated system, so (big) merchants should handle automatic login attempts from the same IP address with different accounts. I see from our Wordfence logs that IP rotation is not so quick, so it could be handled with some permanent IP blocking.
Virtual credit cards have been a thing for years. I remember Bank of America or Citi providing them to me 15+ years ago. If I recall it was a Java app or maybe even a standalone exe. Shocked they never took off more broadly.
Robinhood absolutely nails this. Best virtual credit card system I have ever used. So seamless. Can auth a card for one time use, 24 hours, or indefinite until you cancel. Such a great UI / UX
Recently I got an sms from my bank about a suspicious transaction overseas from my wife’s card, it was literally listed as zero USD, at a time when she was not using her phone or computer.
I initially thought the sms itself was phishing, but after checking online, the sms format matched and the bank webpage ensured the feedback process will not ask for any information so we proceeded to confirm that we did not purchase anything.
The bank immediately cancelled the card and shipped a new one.
My initial thought is that the bank safety system could be overreacting, but it was likely that someone was doing exactly what is described in this article and the bank detected it earlier.
It’s 2026, I have a laser guided vacuum robot that auto cleans my floors… we just flung people around the moon…
And we still don’t use public/private keys to secure transactions. Why
One other thing to add to the story is that the merchants can’t select what level of security they want from the credit card processor. For example, with authorize.net, you can accept the payment even when the address doesn’t match; the address doesn’t matter.
I guess the real question here is how are they able to steal from you? Were they purchasing gift cards from a merchant with lax security?
It’s one thing to guess a number; it’s another thing to get the money out of the system.
They absolutely are. Fun example: when Revolut launched in Japan a few years back they had a period of relatively explosive success (especially within the immigrant community), so most of the cards of the period were issued with the same expiration month and with the same IIN (I'm assuming specific to Japan as well), which left very little entropy and led to brute-force attacks via merchants not requiring 3DS (Uber etc.). Within only one community (approx. 1.5k people) we have had a handful of 100% verified cases where the card was compromised without any exposure at all (i.e. the card was not used online or offline).
In all cases Revolut promptly reverted the charges and eventually they did a complete reissue of the cards for Japanese market (not sure how they've got around the entropy issue: maybe they've randomized the expiry dates or spread out IINs some more).
Pretty standard now to keep your card frozen when not in use, at least for me personally.
Some banks let you set specific limits for recurring payments.
Unlike the US, in some regions such as JP, TW and HK, almost every online card transaction requires 3D Secure. But many real-world cases show that banks then refuse to take responsibility for fraudulent transactions once 3DS was completed, even when the OTP leak was caused by failures in the banking and telecom systems rather than by the cardholder.
Another mistake:
> The data they took with the attempt of purchase is the card is still usable (not cancelled)
The payment flows should not distinguish between a nonexistent card, a cancelled card, and a valid card that needs 3D Secure. I bet the banks could even implement that without any cooperation on the part of the merchants.
Rate limiting and anomaly detection are the real gatekeepers here. A lot of "fraud prevention" is still reactive.
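The same-IP/different-accounts login pattern mentioned earlier and the "rate limiting and anomaly detection" point above both describe a velocity check; this added example (not code from the thread or any vendor) implements one in Python over constructed log lines. The log format, IPs, window and threshold are all assumptions.

```python
"""Velocity detector for automated login attempts / card testing (added example,
not code from the thread or any vendor). Log format and thresholds are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # sliding window per source IP (assumed value)
MAX_DISTINCT = 5                # distinct accounts/card tokens per IP per window (assumed)

def parse_line(line):
    """Parse a constructed log line: '<iso-ts> <ip> <login|card> <identity> <result>'."""
    ts, ip, kind, ident, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip, "kind": kind,
            "ident": ident, "result": result}

def flag_ips(lines, window=WINDOW, max_distinct=MAX_DISTINCT):
    """Return {ip: time_first_flagged} for IPs that cycle through >= max_distinct
    identities inside the window. One pass over time-ordered lines, keeping a
    per-IP deque of (ts, identity) events and a count of identities in the window."""
    events = defaultdict(deque)                        # ip -> deque of (ts, ident)
    in_window = defaultdict(lambda: defaultdict(int))  # ip -> ident -> count in window
    flagged = {}
    for rec in map(parse_line, lines):
        ip, ts, ident = rec["ip"], rec["ts"], rec["ident"]
        events[ip].append((ts, ident))
        in_window[ip][ident] += 1
        while ts - events[ip][0][0] > window:          # expire events older than the window
            _, old_ident = events[ip].popleft()
            in_window[ip][old_ident] -= 1
            if in_window[ip][old_ident] == 0:
                del in_window[ip][old_ident]
        if len(in_window[ip]) >= max_distinct and ip not in flagged:
            flagged[ip] = ts
    return flagged

SAMPLE_LOG = [  # constructed: a user mistyping a password, a rotating prober, a slow prober
    "2024-05-01T10:00:00 198.51.100.2 login bob FAIL",
    "2024-05-01T10:00:30 198.51.100.2 login bob FAIL",
    "2024-05-01T10:01:00 198.51.100.2 login bob OK",
    "2024-05-01T10:02:00 203.0.113.7 login alice FAIL",
    "2024-05-01T10:02:10 203.0.113.7 login carol FAIL",
    "2024-05-01T10:02:20 203.0.113.7 card tok_a1 DECLINED",
    "2024-05-01T10:02:30 203.0.113.7 login dave FAIL",
    "2024-05-01T10:02:40 203.0.113.7 card tok_b2 DECLINED",  # 5th identity: flagged here
    "2024-05-01T10:03:00 192.0.2.9 login u1 FAIL",  # one identity every 7 min stays below
    "2024-05-01T10:10:00 192.0.2.9 login u2 FAIL",
]

if __name__ == "__main__":
    for ip, when in flag_ips(SAMPLE_LOG).items():
        print(f"block candidate: {ip} (first exceeded threshold at {when.isoformat()})")
```

Counting distinct identities rather than raw attempts keeps a user who mistypes one password below the threshold while a prober rotating through accounts or card tokens trips it.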
At least with a credit card you have some fraud protection. Report it and the charge should be reversed. And chargebacks are possible.
With a debit card you’re playing with your own money.
We had a 5.15 cent charge for "TikTok" on a business card we never used. We have very good password hygiene, and we have YubiKey authentication for all our business accounts. The bank initially told us to file a police report (!) for identity theft.
I knew it wasn't identity theft. We got a notice a week later that the charge had been reversed; we never bothered with a police report, we just cancelled the card. It had been flagged as suspicious by the bank when it was initially processed, but I'm not sure what was wrong. Perhaps one factor, like expiration date or zip code wasn't right.
I have a feeling it was stolen with some scheme like this where people just guess numbers by some algorithm.
Credit cards as a whole use a security model from... what, the 1970s? Sure, they've patched it by adding the 3-digit CVC, but really? A huge industry can't do better than that? Honestly, it's pathetic...
Credit cards are a horrible idea. We are essentially forced to use them. It's like giving every person you buy from the password to your bank account and trust them not to steal your money. Wire transfers are better.
Why not debit cards too?
Some have speculated that the entire credit card system is compromised, end to end. I think the real question is why NSA didn't intervene in the early 1990s. Online commerce was just beginning, and the importance of electronic funds transfer was obvious, but the method wasn't set in stone. NSA knew about public key crypto well before the rest of us did. They could have helped set up very secure electronic payments, but chose not to for unknown reasons.
Oh okay, so this is why Amex launched the online card in the app that changes the CVV2 every few minutes.
Okay but... so what? Authentication is a means, not an end. They seem to be missing that what matters at the end of the day is how much money/time/resources actually get lost, and who's on the hook for it. If that's negligible then isn't that mission accomplished? If we could live in a society where your name was enough and you didn't need a card number at all, and yet theft was still low and you still got your money back, that would be even better, not worse.
Why credit card numbers are fully persistent baffles me. They were never meant to be memorable, and the whole process is electronic: surely this can be replaced by cryptography at this point?
I've deliberately demagnetized my and my wife's cards, and we have black electrical tape over the numbers in public now.
Online purchases are the last remaining problem, which would be completely solved if payments were to random keys rather than depending on everyone having the same number.
I'll get the usual hate for this, but in this instance using bitcoin is safer, since it forces you to verify the transaction on your phone (i.e. you use your phone to pay - either scanning QR code or now NFC). In the US the Square payment terminals can now accept bitcoin from any lightning enabled wallet app, CashApp does it natively, etc.
Related story, and wondering if the OP may have been chasing red herrings. I recently noticed an unauthorized charge for a small amount on my credit card (something about FB/Meta). Likely someone probing the card to see if anyone would notice. I called the CC company, had them remove the charge, canceled the card and had them send me a new card (5-7 business days). With the brand new unused card (new CC number, new expiration date, new CVV), the fraudulent payments resumed (again FB/Meta). How is this possible? The reason: digital wallets. Your credit card number, etc. transfers via digital wallets even when you cancel the card. I again called the credit card company and this time told them to cancel all the digital wallets (there were 99 of them!). There is no way to do this online. You have to speak to a human in a call center. You then have to sit through a lecture about how all your renewing payments are going to reset and you will have to re-establish them with all merchants. "Yes, I understand that. Please cancel the card and all digital wallets!" Then you have to hold for twenty minutes (why? what are they doing? manually canceling all the digital wallets?). The lesson I learned here is that canceling your credit card may not be what you think. Also, recurring payments must be incredibly lucrative and canceling them must amount to a big loss in revenue. (Edited for grammar.)