Mastercard supposedly has a single back end but VISA does not, according to the article. Given the distributed nature of the attack I imagine only the card processors could detect it; if you pick a sufficiently broad set of web sites to test with, the chances of them sharing a server that could detect something are probably low.
It says this: "Whereas MasterCard’s centralised network detects the guessing attack after fewer than 10 attempts (even when those attempts were distributed across multiple websites), Visa’s payment ecosystem does not prevent the attack"
As another poster said, you don't run one card 1000 times. You run 100 cards 10 times and achieve almost the same probability of guessing one without burning the card.
On another note, I wish they'd get rid of the number + exp + cvv. Quit concatenating more codes and just go to an alphanumeric model. You could have fewer digits and a bigger probability space, even when you remove certain letters that sound alike.
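The two points made above, that only a party seeing every merchant's traffic can count the attempts, and that spreading guesses over many cards avoids burning any one card, can be made concrete with a small simulation. This is an added example, not code from the article, the researchers or either poster: the card numbers, merchant names, true codes and the two thresholds (a per-merchant limit of 10 and an assumed network-wide limit of 5, standing in for "fewer than 10 attempts") are all constructed for illustration.

```python
# Added example (not from the article or the thread): simulates the distributed
# guessing attack and compares what a single merchant can see with what a
# centralised network can see. Card numbers, merchant names and the CVV values
# are constructed; the thresholds are assumptions for illustration.
import random
from collections import defaultdict

CVV_SPACE = 1000         # three-digit code: 000-999
CENTRAL_THRESHOLD = 5    # assumed network-wide limit ("fewer than 10 attempts")
MERCHANT_THRESHOLD = 10  # assumed limit a single merchant applies on its own


def success_probability(n_cards, guesses_per_card, space=CVV_SPACE):
    """P(at least one code recovered) when each of n_cards gets guesses_per_card
    distinct guesses out of `space`: 100 cards x 10 guesses -> about 0.634."""
    p_one = guesses_per_card / space
    return 1 - (1 - p_one) ** n_cards


def generate_attempts(cards, merchants, guesses_per_card, rng):
    """Spread each card's guesses round-robin over the merchants, so that no
    merchant sees more than ceil(guesses_per_card / len(merchants)) per card."""
    attempts = []
    for pan, true_cvv in cards.items():
        for i, guess in enumerate(rng.sample(range(CVV_SPACE), guesses_per_card)):
            attempts.append({
                "pan": pan,
                "merchant": merchants[i % len(merchants)],
                "cvv": f"{guess:03d}",
                "ok": guess == true_cvv,
            })
    return attempts


def per_merchant_detection(attempts, threshold=MERCHANT_THRESHOLD):
    """Each merchant counts failures for a card only from its own traffic."""
    fails = defaultdict(int)
    flagged = set()
    for a in attempts:
        if not a["ok"]:
            key = (a["merchant"], a["pan"])
            fails[key] += 1
            if fails[key] >= threshold:
                flagged.add(a["pan"])
    return flagged


def centralised_replay(attempts, threshold=CENTRAL_THRESHOLD):
    """Network-wide view: failures are counted per card across all merchants,
    and once a card is flagged its later attempts are declined, so a correct
    guess after that point is not a hit. Returns (flagged_cards, hits)."""
    fails = defaultdict(int)
    flagged = set()
    hits = 0
    for a in attempts:
        if a["pan"] in flagged:
            continue
        if a["ok"]:
            hits += 1
        else:
            fails[a["pan"]] += 1
            if fails[a["pan"]] >= threshold:
                flagged.add(a["pan"])
    return flagged, hits


def simulate(n_cards=100, guesses_per_card=10, n_merchants=10, seed=1):
    """100 cards x 10 guesses, spread over 10 merchants (the strategy described
    in the thread), under no detection, per-merchant detection and central."""
    rng = random.Random(seed)
    # Constructed card data: fake PANs, random "true" codes.
    cards = {f"4111{i:012d}": rng.randrange(CVV_SPACE) for i in range(n_cards)}
    merchants = [f"shop{m}.example" for m in range(n_merchants)]
    attempts = generate_attempts(cards, merchants, guesses_per_card, rng)
    central_flagged, central_hits = centralised_replay(attempts)
    return {
        "attempts": len(attempts),
        "hits_unprotected": sum(a["ok"] for a in attempts),
        "merchant_flagged": len(per_merchant_detection(attempts)),
        "central_flagged": len(central_flagged),
        "central_hits": central_hits,
    }


if __name__ == "__main__":
    print(simulate())
```

With ten guesses per card spread over ten merchants, every merchant sees exactly one failed attempt per card and never reaches its own threshold, while the centralised counter flags every card (each has at least nine failures) and declines whatever guesses remain after the fifth failure. The probability function gives the figure behind the "100 cards, 10 times" strategy: about a 63% chance of recovering at least one code without any single card reaching a per-card limit.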
That frankly sounds like a strong security argument to use MasterCard over Visa. But more research on how MasterCard would handle a similar attack might be necessary.
This does not require hindsight - it is literally the first thing you would ask about in an audit of the system's security. The real issue is what it says about the competence of the people running these systems.
Source? Do you audit credit card security systems, or are you in a related industry?
I personally tend to err on the side of NOT assuming people I have never met, working on a problem I have never had to try to solve (and therefore may not see all the complexity of), are incompetent.
I find it way more likely they are competent; it is just a problem that is significantly more complex when dealing with the kind of big-data volume they do than it would be on a smaller scale.
Actually, I have worked on the development of security software, but if you want a source, I suggest you start with the work of the researchers mentioned in the article.
Among the facts there, you can find that Mastercard is apparently capable of detecting these guessing attempts, so as we are on the subject of sources, what is your source for your suggestion that this is an insurmountable volume-related problem?
You have a point about not casually attributing incompetence, but this does seem to be a particularly facepalm-inducing issue. I am willing to be corrected.
> your source for your suggestion that this is an insurmountable volume-related problem
I wasn't. But a problem not being insurmountable does not make you incompetent for not solving it (yet). Curing cancer is not insurmountable, yet we don't call scientists incompetent for not having done it yet (at least I don't).
And before you say it. No, I am not saying this is as difficult as curing cancer.
I don't know enough about the issue to correct you or not. I just know a lot of great software engineers who have poured their sweat and blood into systems only to be called incompetent.
I've also seen open source developers develop brilliant pieces of software and then get called incompetent for a single bug, because the bug was "obvious" (in hindsight).
That kind of attitude keeps people from taking risks. I personally think we need to encourage people to go into the tough problems and a lot of people won't if they risk being ridiculed for not solving them.
The situation is not remotely like the scenario you are concerned about. We (the e-commerce industry collectively) have a history of making many of the same basic security mistakes repeatedly, even though both the mistakes and the ways to avoid them are well-documented (SQL injection is a classic example, as is the use of easily-guessable secrets.) In my opinion (the source of which is me) the industry should be held accountable for its complacency and, yes, lapses in competence. Of course, being criticized by me in an HN comment is hardly being held accountable.