A personal account of credit card fraud combined with an explanation of how PCI DSS masking rules inadvertently enable brute-force attacks on card details. After an account breach, attackers used the visible BIN and last 4 digits plus expiration date to brute-force the remaining PAN digits and CVV at ~6 requests/second across multiple merchants. Payment gateway response codes reveal which fields are wrong, aiding attackers. Some merchants are exempt from 3D Secure, allowing transactions without additional authentication. The author recovered funds via chargeback but found merchants, banks, and payment engineers largely unsurprised by the vulnerability.
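The brute-force pattern the summary describes leaves a distinctive trace on the issuer or gateway side: many authorization attempts that share the visible BIN, last four digits and expiry, but carry different full PANs, arriving within seconds and from several merchants. The following detection sketch is an added example, not code from the original post; the log layout, the `pan_token` field (a hash or token of the full PAN, as an issuer would see it), and the sample lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authorization log (not from the original post). One attempt per line:
# timestamp | merchant | first6 | last4 | expiry | pan_token (token of the full PAN) | result
# The first six lines mimic the post's attack: same masked card, new middle digits each try,
# spread over three merchants, with the gateway's result code naming the wrong field.
SAMPLE_LOG = """\
2024-03-01T10:00:00.100|shop-a|411111|1234|12/26|t01|05 DECLINE_CVV
2024-03-01T10:00:00.300|shop-b|411111|1234|12/26|t02|14 INVALID_PAN
2024-03-01T10:00:00.450|shop-a|411111|1234|12/26|t03|14 INVALID_PAN
2024-03-01T10:00:00.600|shop-c|411111|1234|12/26|t04|14 INVALID_PAN
2024-03-01T10:00:00.800|shop-b|411111|1234|12/26|t05|14 INVALID_PAN
2024-03-01T10:00:01.000|shop-a|411111|1234|12/26|t06|00 APPROVED
2024-03-01T10:00:05.000|shop-a|522222|9876|01/27|t90|00 APPROVED
2024-03-01T10:30:00.000|shop-c|522222|9876|01/27|t90|00 APPROVED
"""

def parse(log_text):
    rows = []
    for line in log_text.splitlines():
        ts, merchant, first6, last4, exp, token, result = line.split("|")
        rows.append({"ts": datetime.fromisoformat(ts), "merchant": merchant,
                     "key": (first6, last4, exp), "token": token, "result": result})
    return rows

def detect_masked_pan_bruteforce(rows, window_s=10.0, min_distinct=5):
    """Flag (first6, last4, expiry) keys that see >= min_distinct different full PANs
    within window_s seconds. A cardholder retrying their own card yields one token;
    an attacker cycling the hidden middle digits yields a new token per attempt."""
    by_key = defaultdict(list)
    for r in rows:
        by_key[r["key"]].append(r)
    alerts = {}
    for key, attempts in by_key.items():
        attempts.sort(key=lambda r: r["ts"])
        for i, first in enumerate(attempts):
            window = [r for r in attempts[i:]
                      if (r["ts"] - first["ts"]).total_seconds() <= window_s]
            tokens = {r["token"] for r in window}
            if len(tokens) >= min_distinct:
                # Several distinct result codes for one masked card is the field-level
                # feedback the post describes; report it alongside the merchant spread.
                alerts[key] = {"distinct_pans": len(tokens),
                               "merchants": sorted({r["merchant"] for r in window}),
                               "result_codes": sorted({r["result"].split()[0] for r in window})}
                break
    return alerts
```

Because the attempts are spread across merchants, this signal is only visible where the traffic converges (issuer or acquirer), which is consistent with individual merchants in the post seeing nothing unusual.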

Source: metin.nextc.org (6 min read)
Table of contents
- Story Time
- How did they do it?
- The PAN Number
- What happened next?
- References