Business Updates – Brute Force

Visa have shared recommended best practices to prevent brute-force authorization attacks.

In a brute-force attack fraudsters use automated software known as “botnet” which continuously attempts to guess account data such as account number, card expiration date, PIN or Card Verification Value 2 (CVV2), as well as a user password for online account access, until a positive authorisation response is returned.

In order to help prevent this kind of fraud, Visa recommends that merchants apply the following best practices:

Real-time fraud detection:

  • Where available, use a layered validation approach that employs CVV2 and Address Verification Service (AVS).
  • All online merchants should manage fraud-detection systems that support device fingerprint, email validation and botnet detection.
  • Analyse time zone differences and browser language consistency from the cardholder’s IP address and device. A transaction may be classified as a higher risk and be sent for manual review instead of bypassing the automatic approval process.
  • Look for multiple tracking elements in a purchase linked to the same device. For example, multiple transactions with different cards, using the same email address and same device ID, may be a trigger for fraud classification or review.
  • Look for logins for a single card account coming from multiple IP addresses.
  • Look for excessive usage and bandwidth consumption from a single user.
  • Review logins with suspicious passwords that hackers commonly use. For example, today some merchants are detecting fraud based on a grey list with set passwords or combinations of passwords commonly used in fraudulent transactions.
  • Payment gateways should implement tracking rules to alert simultaneous transactions testing with low amounts at the merchant ID level.

Front-end controls:

  • Consider using Three-Domain Secure (3DS) authentication and captcha controls to prevent automated transaction initiation by robots or scripts (for example, five authorizations from one IP address or card).
  • Lock out an account if a user guesses the user name / password and any account authentication data incorrectly on “x” number login attempts.
  • Inject random pauses when checking a card to slow a brute-force attack that is normally dependent on time. This can be done on certain Bank Identification Numbers (BINs) that have been determined to have a high fraud incidence.
  • Include IP address with multiple failed card payment data in a fraud detection’s black-list database for manual review.
  • In addition to velocity checks for small and large transactions, use velocity checks for low amounts or authorization-only transactions.

Analytics:

Create a Management Information System (MIS) or report based on “Invalid Account Number” fraud detection attempts at the issuer BIN level, the account number or terminal ID level, or the IP address or device ID level.

Please speak to our support team regarding our suite of fraud solutions.