Hackers can guess your credit card details in just 6 seconds

Here's how

Tech Desk December 06, 2016

Many of us like to shop online because it's easy, as well as hassle-free. But, are these transactions safe enough? A latest study says hackers can acquire your credit card information in just about six seconds!

According to the research report, “Does the Online Card Payment Landscape Unwittingly Facilitate Fraud?” from the University of Newcastle, hackers can work out the number, expiry date and security code of any Visa credit or debit card in as little as six seconds using nothing more than guesswork.

The study shows how the so-called ‘Distributed Guessing Attack’ exploits the flaws in the Visa payment system to circumvent all the security features put in place to protect online payments from fraud.

Researchers claim that neither the network nor the banks were able to detect attackers making multiple, invalid attempts to get payment card data.

20,000 defrauded as UK's Tesco Bank hit by hack attack

“By automatically and systematically generating different variations of the cards' security data, and firing it at multiple websites, within seconds hackers are able to get a ‘hit’ and verify all the necessary security data,” the study found.

To the horror of online shoppers, investigators believe the software was possibly used in the recent cyber-attack on the UK's Tesco Bank that lost £2.5 million.

How ‘Distributed Guessing Attack’ works

To obtain card details, the software uses online payment websites to guess the data.

[brid video="83086" player="7247" title="Hackers can guess your credit card details in just 6 seconds"]

Russian central bank loses $31 million in cyber attack

Different websites ask for different variations in the card data fields and these can be divided into three categories: Card Number + Expiry date (the absolute minimum); Card Number + Expiry date + CVV (Card security code); Card Number + Expiry date + CVV.

Because the current online system does not detect multiple invalid payment requests on the same card from different websites, unlimited guesses can be made by distributing the guesses over many websites.

Explaining how the attack works, Mohammad Amir, a PhD student in Newcastle University’s School of Computing Science and lead author on the paper said, “This sort of attack exploits two weaknesses that on their own are not too severe but when used together, present a serious risk to the whole payment system.”

“The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time.”

However, the researchers found it was only the Visa network that was vulnerable.

“MasterCard’s centralised network was able to detect the guessing attack after less than 10 attempts – even when those payments were distributed across multiple networks,” Amir said.


Replying to X

Comments are moderated and generally will be posted if they are on-topic and not abusive.

For more information, please see our Comments FAQ


Most Read