Wednesday, December 28, 2011

Are ICICI Credit Cards In India Insecure?

Recently news about virus attack upon ICICI bank transactions was reported. While it is premature to consider this fact true or false yet truth and authenticity of the claims of either the security professional or the ICICI bank must be established through an official channel.

Now another person has raised hypothetical doubts about the security of ICICI Credit Card in India. The author has tried to explain the hypothetical weakness in ICICI Credit Cards, as issued in India. On plain reading of the fact, the doubts also seem to be very genuine and reasonable.

This may be a single case or this may be the regular practice adopted by ICICI bank. But at this stage it is too early to comment upon that aspect. Let us analyse the facts provided by the author of the website. He writes:

“When a card is blocked and new card is reissued by ICICI Bank, the first 14 digits of the new card are the same as the old card. The 2 changing digits are also in a series. I did it twice on the same card i.e. block a card and request for a reissue. So the three card numbers were having same first 14 digits and the following last two digits.

(1) xxxx xxxx xxxx xx08
(2) xxxx xxxx xxxx xx16
(3) xxxx xxxx xxxx xx24

So say if your card details was leaked online and you request ICICI to block the old card and get a new one, then all the attacker has to do is wait for a month for a hypothetical new card to reach and then use all other details (except for the CVV of course, but cvv is just a 3 digit attack vector) and guess the last two digits. The last two digits also following a series. According to my totally unlearned eyes, this is a weakness. What do you say?”

He further explains in the comment “Once you have a card number + personal details from previous attack, expiry date is the lamest to crack. Cards are issued for years and not months, so it will mostly be the same month as when the card was issued, i.e. the same month as the card was blocked. Year part will be a company policy right? i.e. from the year of issue + x years types. CVV is just a 3 digit numerical hack. If you have all other info, cracking CVV should not be a challenge”.

Can somebody shed light upon this hypothetical doubt?