2011-12-30

Visa payment processing case study: network flaws

On July 20, 2011, I went to purchase the new MacBook Air in Delaware -- the home of tax-free shopping. My Visa card was declined and I called to confirm the purchase. After returning home, I investigated the matter and found that my account had been put on hold due to suspicious activity. (They could have called me first, but calling credit card customers to confirm purchases is already a documented problem.)

Someone used my card for a purchase at McDonald's for $1 (probably small fries), then a $400 purchase at Target and then another $400 purchase at a different Target -- all in Virginia. I was also buying lunch at Chick-fil-A and buying a MacBook in Delaware at the same time. Naturally this triggered an alert because why would anyone who has access to a Chick-fil-A also eat at a McDonald's during the same meal period?

I called Target security at the store and asked them to find a purchase under my name that day... none found. Then I asked to look up any purchase for $417.36 on that day. Within seconds they had two camera angles of the purchase, on register #27 at 1:17:10pm. (They start counting registers at #20; they don't actually have 27 registers.) The security person would not send me the video, due to problems in the past with them being uploaded to YouTube, but she would let me see them if I filed a police report.

The security person confirmed that this was a swipe purchase, so obviously someone has copied my Visa card. But then the next obvious question: if there were no search results for my name, what name WAS on the card that made this purchase? The answer: there was no name; this transaction was posted as a gift card with no name. Visa later confirmed this. So the security flaw is this:

In processing payments on the Visa network, information on the card regarding the authorized signer and card type can be recorded and trusted by the merchant, but this information is never sent to or verified with Visa.

In other words, the design of Visa's network allows the following types of exploits, assuming the attacker has access to print credit cards:

  • Copy a real credit card as a gift card and make purchases without needing ID
  • Copy a real credit card and change the authorized signer to make purchases using a different ID

Naturally, this could be fixed easily by verifying ALL credit card details against a central database at the time of purchase.
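
The proposed fix, sketched as an added example (not code from Visa or any payment processor): a toy issuer check that compares only the account number, next to one that also compares the signer name and card type read at the swipe. The record layout, field names and sample values are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Card:
    """Fields as stored by the issuer, or as read from a swiped card."""
    pan: str        # account number
    holder: str     # authorized signer ("" when the card carries no name)
    card_type: str  # "credit" or "gift"


# Constructed issuer database; the PAN is a widely used test number.
ISSUER_DB = {"4111111111111111": Card("4111111111111111", "DOE/JANE", "credit")}

# Constructed swipes: the real card and the two copies described above.
GENUINE = Card("4111111111111111", "doe/jane", "credit")
GIFT_COPY = Card("4111111111111111", "", "gift")
RENAMED_COPY = Card("4111111111111111", "ROE/RICHARD", "credit")


def _norm(value: str) -> str:
    # Ignore case and spacing differences so only real mismatches are flagged.
    return " ".join(value.split()).casefold()


def authorize_pan_only(swipe: Card) -> bool:
    """Model of the flaw: only the account number reaches the central check."""
    return swipe.pan in ISSUER_DB


def authorize_all_fields(swipe: Card) -> tuple[bool, list[str]]:
    """Model of the fix: every card detail is compared with the issuer record.

    Returns (approved, mismatched_fields) so a decline can be logged with its cause.
    """
    record = ISSUER_DB.get(swipe.pan)
    if record is None:
        return False, ["pan"]
    mismatches = [
        field for field in ("holder", "card_type")
        if _norm(getattr(swipe, field)) != _norm(getattr(record, field))
    ]
    return not mismatches, mismatches


if __name__ == "__main__":
    for name, swipe in [("genuine", GENUINE), ("gift copy", GIFT_COPY),
                        ("renamed copy", RENAMED_COPY)]:
        print(name, authorize_pan_only(swipe), authorize_all_fields(swipe))
```

Both copies pass the account-number-only check, while the full comparison declines them and names the field that differs, which is also the signal a fraud team would want recorded.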