2

If I'm not wrong, the CVV code almost always follows a certain pattern based on the credit card number and dates. What are the possibilities to go through to hypothetically brute-force a CVV code? Is an online attack possible?

MaskyS

3 Answers

9

Actually it was possible, at least for Visa cards. There was no per-card lockout across the entire network, so by hitting different payment processors (to avoid reaching any brute-force limit they might have) you could brute force a CVV2. I am not sure whether this is still possible; I would expect (and hope) that Visa implemented network-wide protections against this.

André Borie
0

> If I'm not wrong, the cvv code almost always follows a certain pattern

No, you are wrong; it could be completely random, 3, 4 or n chars.

After some failed activity with the card (could be 3, 5 etc...), it will be disabled. Plus you need to provide a captcha for every request.

Sounds like you are more into hacking than security. A hacker at first is a great security geek.

-3

No. It is not possible to brute force it cryptographically. CVV generation uses one round of DES and one round of Triple-DES encryption, and then the first 3 numeric digits are selected from the output (decimalization). As strong cryptographic algorithms are used for generation, it is not possible to brute force the CVV cryptographically. Refer to my answer: https://stackoverflow.com/a/59116013/6225803

Yes, CVV generation being lossy encryption which produces 000-999 values, if you can make 1000 attempts and the issuer does not block the card after a defined number of failed attempts.

  • 1
    The keyspace of 1000 is *incredibly small* and if I say the CVV printed on your card is 269, there is a chance that someone reading this will be surprised that I guessed their CVV correctly. –  Nov 30 '19 at 12:50
  • @MechMK1 Only guessing cvv is not sufficient, you need to guess cardno, expiry and usually pin/otp to successfully complete a transaction. – krishna Telgave Nov 30 '19 at 12:55
  • Yes, that is usually correct, although you may be in a situation where these are known and only the CVV is not. –  Nov 30 '19 at 12:58
  • @MechMK1 The probability is around 0.003 to successfully guess the CVV in three attempts. Not impossible but highly unlikely. – krishna Telgave Nov 30 '19 at 13:09
  • 1
    According to [this answer](https://security.stackexchange.com/a/158416/163495), it at least used to be possible. If no measures are in-place to prevent further attempts (which is also a problem, as you can effectively disable a card like that), you can spread your attempts over different stores and sites. If you have 3 attempts per store, then you are likely to succeed after 150 stores. Quite a lot, though it may still be worth it. –  Nov 30 '19 at 14:59
  • @MechMK1 The invalid CVV counter stored in the database is not per store or per site. If you attempt an invalid CVV 3 times anywhere it will be blocked. Also, in most cases there is effectively two-factor authentication enforced (in India, the Reserve Bank of India mandates two-factor authentication). CVV is nothing but a MAC on track data. – krishna Telgave Dec 01 '19 at 06:31
  • The comments explain the reasons, I think. – schroeder Dec 02 '19 at 07:44
  • 1
    @krishnaTelgave well, if you have 10000 stolen card numbers, then trying (for example) 269, 270 and 271 as CVV for all these cards will most likely result in approximately 300 successful guesses. – Peteris Dec 02 '19 at 11:45
  • @Peteris Wasn't mentioned in the question. It will be around 30 for 10000 cards, not 300. – krishna Telgave Dec 02 '19 at 14:26
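
An added example, not written by any of the posters above: it puts the gap from the first answer (each processor enforces its own limit, nothing counts failures per card across the network) next to the issuer-side counter described in the comments. The event format, token and merchant names, the limit of 3 and the 24-hour window are assumptions, and the log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample():
    """Constructed log: card tok_A fails CVV twice at each of four merchants."""
    t0 = datetime(2019, 11, 30, 12, 0)
    events = []
    for i, merchant in enumerate(["m1", "m2", "m3", "m4"]):
        for j in range(2):
            ts = t0 + timedelta(minutes=10 * i + j)
            events.append((ts, "tok_A", merchant, "cvv_fail"))
    # A legitimate cardholder who mistypes once, then succeeds.
    events.append((t0 + timedelta(minutes=5), "tok_B", "m1", "cvv_fail"))
    events.append((t0 + timedelta(minutes=6), "tok_B", "m1", "approved"))
    return sorted(events)


def per_merchant_flags(events, limit=3):
    """What one processor sees: failures counted per (card, merchant)."""
    counts = defaultdict(int)
    for _, card, merchant, result in events:
        if result == "cvv_fail":
            counts[(card, merchant)] += 1
    return {key for key, n in counts.items() if n >= limit}


def per_card_flags(events, limit=3, window=timedelta(hours=24)):
    """Issuer-side view: failures counted per card across all merchants
    inside a sliding window. Returns {card: (lock time, merchants seen)}."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, card, merchant, result in events:
        if result != "cvv_fail" or card in flagged:
            continue
        q = recent[card]
        q.append((ts, merchant))
        while q and ts - q[0][0] > window:  # drop failures older than window
            q.popleft()
        if len(q) >= limit:
            flagged[card] = (ts, sorted({m for _, m in q}))
    return flagged
```

On the constructed log the per-merchant view flags nothing, because no single merchant sees more than two failures, while the per-card view locks tok_A on its third failure and leaves tok_B alone.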