Credit cards are vulnerable to brute-force attacks
Summary
Attackers can exploit partially masked credit card data obtained through account breaches to perform brute-force attacks on the remaining Primary Account Number (PAN) digits and CVV. By targeting merchants exempt from 3D Secure (3DS) protocols, attackers can execute unauthorized transactions using reconstructed card details.
Key Points
- PCI DSS v4.0.1 allows the display of the Bank Identification Number (BIN) and the last four digits of the PAN, while masking the middle digits.
- PANs follow the ISO/IEC 7812 standard, comprising a 6- to 8-digit Issuer Identification Number (IIN, the same value referred to above as the BIN), a variable-length account identifier (up to 12 digits), and a check digit calculated via the Luhn algorithm.
- Attackers can use 3D Secure (3DS) transaction attempts to identify the bank name and verify the validity of the masked card data.
- Brute-force attacks can be executed at a rate of approximately 6 requests per second (roughly 2 requests per second per API) using rotating proxies to evade detection.
- Certain merchants are exempt from 3DS requirements, assuming the financial liability for chargebacks in exchange for frictionless payment processing.
Technical Details
The vulnerability arises when the visible PAN fragments (BIN and last 4 digits) together with the full expiration date leave so few unknown digits that an attacker can reconstruct the full card number by exhaustive search. When an account is breached, the attacker gains access to the masked PAN and expiration date. By initiating a 3DS-enabled transaction, the attacker can confirm the bank's identity and the card's active status through the 3DS authentication page.
The attack relies on iterating through the remaining digits of the PAN and the CVV via payment gateways. These gateways may leak information through specific response codes, such as "invalid credit card," "expired card," or "incorrect CVV," which tell the attacker which field was wrong and so let them refine the brute-force loop. To bypass merchant-side fraud detection, attackers use proxies to distribute requests across multiple IP addresses, keeping the rate at approximately 2 requests per second per API so that the traffic is difficult to distinguish from legitimate, low-volume transactions.
Impact / Why It Matters
Developers and engineers managing payment integrations must recognize that masking PAN digits according to PCI DSS standards does not inherently prevent card reconstruction via brute force. Implementing robust rate limiting and monitoring for distributed, low-frequency transaction attempts across multiple APIs is essential to mitigate this risk.
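Per-IP rate limiting misses the proxy-rotated, low-frequency pattern described above, because every guess for one victim still shares the same BIN, last four digits and expiry. The following added example (not part of the original article) keys the detection on that stable card fragment instead; the log format, field names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Gateway decline codes that tell the caller which field was wrong. Each one
# leaks a bit of information, so each one is counted as a guess.
GUESS_CODES = {"invalid_card", "expired_card", "incorrect_cvv"}

# Constructed sample log (not real traffic): timestamp ip bin last4 expiry code.
# One card fragment sees five informative declines from five IPs in 21 seconds;
# the other is a single customer typo followed by an approval.
SAMPLE_LOG = """\
2024-05-01T10:00:00 203.0.113.5 411111 1234 12/27 incorrect_cvv
2024-05-01T10:00:04 203.0.113.9 411111 1234 12/27 invalid_card
2024-05-01T10:00:09 198.51.100.2 411111 1234 12/27 invalid_card
2024-05-01T10:00:15 198.51.100.7 411111 1234 12/27 incorrect_cvv
2024-05-01T10:00:21 192.0.2.44 411111 1234 12/27 invalid_card
2024-05-01T10:05:00 192.0.2.10 510510 9876 01/26 incorrect_cvv
2024-05-01T10:05:40 192.0.2.10 510510 9876 01/26 approved
""".splitlines()

def parse_line(line):
    """Split one constructed log line into a record keyed by card fragment."""
    ts, ip, bin6, last4, exp, code = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "fragment": (bin6, last4, exp), "code": code}

def find_guessing_campaigns(lines, window=timedelta(minutes=10),
                            min_attempts=5, min_ips=3):
    """Return card fragments that collected >= min_attempts informative
    declines from >= min_ips distinct source IPs inside one sliding window.
    Keying on the fragment rather than the IP is what defeats proxy rotation."""
    events = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec["code"] in GUESS_CODES:
            events[rec["fragment"]].append((rec["ts"], rec["ip"]))
    alerts = {}
    for fragment, evs in events.items():
        evs.sort()  # order by timestamp so the window can slide
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            ips = {ip for _, ip in span}
            if len(span) >= min_attempts and len(ips) >= min_ips:
                alerts[fragment] = {"attempts": len(span), "ips": len(ips)}
                break
    return alerts
```

Calling `find_guessing_campaigns(SAMPLE_LOG)` flags only the first fragment; the lone typo on the second card stays below both thresholds, which is the behaviour a payment team wants before wiring the alert to a step-up or block.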