Using nothing more than a laptop and an internet connection, hackers can guess credit card information in as little as six seconds, new research has found.
A research team at Newcastle University in the United Kingdom found that simple guesswork can help hackers figure out Visa credit and debit card numbers, expiry dates and the security codes on the back of the card.
The research, published in the IEE Security & Privacy journal, explains how the so-called Distributed Guessing Attack is able to circumvent security features that are supposed to prevent fraudulent use of credit cards online.
“By automatically and systematically generating different variations of the cards security data and firing it at multiple websites, within seconds hackers are able to get a 'hit' and verify all the necessary security data,” the study says.
"So even starting with no details at all other than the first six digits -- which tell you the bank and card type and so are the same for every card from a single provider -- a hacker can obtain the three essential pieces of information to make an online purchase within as little as six seconds."
The researchers found that “neither the network nor the banks were able to detect attackers making multiple, invalid attempts to get payment card data.”
They suspect that the same method was used in a recent cyberattack that saw 2.5 million British pounds stolen from Tesco Bank customers in the U.K.
Using online payment websites, hackers keep guessing credit and debit card data until they get a hit. Researchers found that the current Visa online system “does not detect multiple invalid payment requests on the same card from different websites,” allowing hackers to make unlimited guesses by distributing them over many sites.
The U.K. researchers found that only the Visa network seemed to be vulnerable to such attacks.
"MasterCard's centralized network was able to detect the guessing attack after less than 10 attempts -- even when those payments were distributed across multiple networks," the study’s lead author, Mohammed Ali, said in a news release. Ali is a PhD student at Newcastle University's School of Computing Science.
Researchers say there’s no “magic bullet” for protecting yourself from hackers while shopping online. Study co-author Martin Emms suggests using just one card for online payments and keeping the spending limit on that account “as low as possible.”
He also urges consumers to check their credit and debit card statements regularly, and watch for any unusual payments.
In a statement to CTVNews.ca, Visa said that it welcomes efforts to identify and address “perceived vulnerabilities in the payment system.”
In the company’s opinion, the research “does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world.”
Visa said “the most important thing” for consumers to keep in mind is “that if their card number is used fraudulently, the cardholder is protected from liability.”
The company added that it works closely with card issues to make it “very difficult” to obtain cardholder data illegally and offers an extra layer of security called “Verified by Visa.”
“Visa is committed to keeping fraud at low levels and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally,” according to the statement.
