Anonymous attacks put credit card users at risk

Digital vigilante group Anonymous may be putting credit card users at risk with its attacks on MasterCard and Visa, preventing access to security systems the companies introduced to prevent on-line card fraud.

Both companies use a password-based authentication system, known as 'MasterCard SecureCode' and 'Verified by Visa' respectively, which loads a page on their own servers in an encrypted frame on third-party sites that have signed up to the programme. It's the on-line equivalent of Chip and Pin, and holds the promise of making it harder for a ne'er-do-well to go on a web-based shopping spree if he or she captures your credit card details.

Now that the Anonymous group has downed MasterCard's website with a coordinated Distributed Denial of Service (DDoS) attack on Wednesday, the security of the programme has been called into question.

Because both Verified by Visa and MasterCard SecureCode rely on loading pages from each company's own web servers, they are unable to function if those servers are under a sustained DDoS attack - as has been the case in recent days. Rather than reject the payment attempt due to a failure of the web server, the security system fails 'gracefully' - allowing the payment to go ahead without prompting for the password to be entered.

This offers would-be credit card fraudsters a window of opportunity: while Anonymous continues its campaign of retribution for the treatment of WikiLeaks founder Julian Assange by attacking MasterCard and Visa's web servers, the SecureCode and Verified by Visa programmes won't operate - meaning stolen credit cards can be used without having to know the associated password.
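The fail-open behaviour described above can be contrasted with a fail-closed policy in a short sketch. This is an added example, not code from Visa, MasterCard or THINQ; every name in it (Checkout, AuthUnavailable, the 25% bypass threshold) is a hypothetical stand-in, and the traffic is constructed.

```python
from collections import deque
from enum import Enum

class Policy(Enum):
    FAIL_OPEN = "fail_open"      # behaviour the article describes
    FAIL_CLOSED = "fail_closed"  # decline when the password step cannot run

class AuthUnavailable(Exception):
    """Hypothetical error: the card scheme's password page could not be loaded."""

class Checkout:
    # Hypothetical merchant-side model, not any card scheme's real API.
    def __init__(self, authenticate, policy, window=20, max_bypass_rate=0.25):
        self.authenticate = authenticate    # callable(card) -> bool, may raise
        self.policy = policy
        self.recent = deque(maxlen=window)  # True = password step was skipped
        self.max_bypass_rate = max_bypass_rate

    def bypass_rate(self):
        return sum(self.recent) / len(self.recent) if self.recent else 0.0

    def pay(self, card):
        try:
            ok = self.authenticate(card)
            self.recent.append(False)
            return "approved" if ok else "declined: wrong password"
        except AuthUnavailable:
            self.recent.append(True)
            # Safeguard: a burst of skipped checks signals a sustained outage,
            # so stop waving payments through even under FAIL_OPEN.
            too_many = self.bypass_rate() > self.max_bypass_rate
            if self.policy is Policy.FAIL_CLOSED or too_many:
                return "declined: authentication unavailable"
            return "approved WITHOUT password"

def simulate(policy, outage_from, total=12, max_bypass_rate=0.25):
    """Constructed traffic: the password service is down after `outage_from` calls."""
    calls = [0]

    def authenticate(card):
        calls[0] += 1
        if calls[0] > outage_from:
            raise AuthUnavailable()
        return True

    shop = Checkout(authenticate, policy, max_bypass_rate=max_bypass_rate)
    return [shop.pay(f"card-{i}") for i in range(total)]

if __name__ == "__main__":
    for label, kwargs in [("fail-open", {"max_bypass_rate": 1.0}), ("guarded", {})]:
        print(label, simulate(Policy.FAIL_OPEN, 6, **kwargs))
```

With the safeguard disabled (max_bypass_rate=1.0) every payment during the outage goes through unauthenticated, which is the situation the article reports; with it enabled, the merchant tolerates a brief blip and then declines.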

Several test purchases carried out by THINQ on sites that are signed up to the MasterCard SecureCode programme, both late last night and early this morning, resulted in the payments going through without a password being required.

THINQ has highlighted the issue with both MasterCard and Visa, but at the time of writing only MasterCard has commented on our findings with the following statement: "MasterCard has made significant progress in restoring full-service to its corporate web site. Our core processing capabilities have not been compromised and card holder account data has not been placed at risk. While we have seen limited interruption in some web-based services, cardholders can continue to use their cards for secure transactions globally."

It's probably worth mentioning at this point that MasterCard SecureCode is a 'web-based service' that has likely seen 'limited interruption' - but it sounds like MasterCard is on the case.

Visa has yet to respond to our concerns.