A breached ecommerce account exposed masked PAN + expiry, enabling attackers to brute-force the remaining ~99k card numbers and 999 CVV combinations across multiple payment APIs in 6 hours.
Key Takeaways
PCI DSS allows showing BIN (first 6) + last 4 digits + expiry, leaving only 6 middle digits to brute-force; Luhn checksum reduces that to ~99,999 candidates.
Payment gateway error codes distinguish “invalid card”, “expired”, and “wrong CVV”, directly enabling staged brute-force with feedback.
Attackers used ~6 req/sec spread across multiple stolen merchant APIs and rotating proxy IPs, making the attack nearly invisible to per-endpoint rate limiting.
Some merchants are bank-exempted from 3D Secure, creating liability-shifted payment paths that bypass SMS auth entirely.
Physical receipts showing BIN + last 4 + expiry provide the same attack surface without any account breach required.
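An issuer-side detector for the pattern described in the takeaways above, written as an added example (not code from the original post or the blog it summarizes): because the attacker cannot vary the leaked BIN, last 4 and expiry, keying on that mask across all merchants exposes an enumeration run that per-merchant rate limits miss. Window, threshold, merchant names, response codes and the synthetic traffic are all assumptions constructed for the example.

```python
from collections import defaultdict, deque

# Assumed tuning values for this example, not from the original post.
WINDOW_SECONDS = 600          # sliding window over authorization attempts
DISTINCT_PAN_THRESHOLD = 20   # distinct PANs tried for one BIN+last4+expiry mask


def mask_key(pan: str, expiry: str) -> tuple:
    """The part of a card a masked receipt or breached account leaks:
    BIN (first 6), last 4 and expiry. An enumerator cannot vary these."""
    return (pan[:6], pan[-4:], expiry)


def detect_enumeration(events, window=WINDOW_SECONDS, threshold=DISTINCT_PAN_THRESHOLD):
    """Issuer-side view: events are (ts_seconds, merchant_id, pan, expiry, response_code)
    in time order across ALL merchants. Keying on the mask rather than the merchant
    catches ~6 req/s spread over many APIs, each of which sees only a trickle."""
    recent = defaultdict(deque)   # mask -> attempts still inside the window
    flagged = {}
    for ts, merchant, pan, expiry, code in events:
        key = mask_key(pan, expiry)
        q = recent[key]
        q.append((ts, pan, merchant, code))
        while ts - q[0][0] > window:        # evict attempts older than the window
            q.popleft()
        pans = {p for _, p, _, _ in q}
        if len(pans) >= threshold:
            flagged[key] = {
                "distinct_pans": len(pans),
                "merchants": len({m for _, _, m, _ in q}),
                "invalid_card_declines": sum(1 for *_, c in q if c == "INVALID_CARD"),
            }
    return flagged


def build_sample_events():
    """Constructed synthetic traffic (not real data): one cardholder's normal purchases,
    then 30 enumeration attempts against one leaked mask at ~6 req/s spread over five
    merchants, so each merchant sees only six requests."""
    events = [(i * 1200, m, "4000001234565678", "0827", "APPROVED")
              for i, m in enumerate(["m_grocer", "m_fuel", "m_grocer"])]
    merchants = ["m_a", "m_b", "m_c", "m_d", "m_e"]
    for i in range(30):
        events.append((5000 + i / 6, merchants[i % 5], f"400000{i:06d}9999", "1126", "INVALID_CARD"))
    return events


if __name__ == "__main__":
    for key, stats in detect_enumeration(build_sample_events()).items():
        print("enumeration suspected for mask", key, stats)
```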
Hacker News Comment Review
Commenters pushed back that card scheme rules (Visa/Mastercard) heavily penalize merchants and processors for card enumeration, and that Stripe and others use ML to detect it, suggesting the attack exploited weak processors rather than mainstream ones.
Consensus that the 3D Secure adoption gap is the core systemic issue: it is rarely enforced in the US, which forces global card issuers to support non-3DS flows, undermining fraud prevention worldwide.
Several commenters noted that authorization and settlement are architecturally separate, and that chargeback liability shifts to 3DS-exempt merchants, meaning fraud costs are ultimately socialized across all consumers via pricing.
Notable Comments
@janpeuker: Card testing is actively penalized by card schemes; this attack vector relies on processors that do not enforce enumeration controls.
@tialaramex: Settlement and Authorization are separate; the blog omits how merchant liability shifts in chargeback cases involving 3DS-exempt merchants.