Hackers need only 6 seconds to guess credit card details, claims study
A new study carried out by researchers from the University of Newcastle in the UK reveals that it takes hackers as little as six seconds to guess your VISA credit or debit card number, expiry date and security code.
The study, which was published in the IEEE Security & Privacy journal, shows how a so-called ‘Distributed Guessing Attack’, which is believed to be responsible for the recent Tesco cyberattack, used to defraud customers of millions of dollars last month, can circumvent all security features meant to protect online payments from fraud in a matter of seconds.
While exposing the flaws in the VISA payment system, researchers found neither the network nor the banks were able to detect attackers making multiple, invalid attempts to get payment card data. Hackers can automatically generate variations of the security data and try them on multiple websites until they get a ‘hit’ and verify all the necessary security data. Experts warn such an attack is ‘frighteningly easy’ to carry out.
The Newcastle team warns that such an attack is “frighteningly easy if you have a laptop and an internet connection.”
“This sort of attack exploits two weaknesses that on their own are not too severe but when used together, present a serious risk to the whole payment system,” said Mohammed Ali, computer science PhD student at Newcastle University and lead author of the paper.
“Firstly, the current online payment system does not detect multiple invalid payment requests from different websites,” said Ali. “This allows unlimited guesses on each card data field, using up to the allowed number of attempts – typically 10 or 20 guesses – on each website,” he said.
“Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it’s quite easy to build up the information and piece it together like a jigsaw,” Ali said. “The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time,” he said.
“Each generated card field can be used in succession to generate the next field and so on,” Ali said. “If the hits are spread across enough websites then a positive response to each question can be received within two seconds – just like any online payment,” he said.
“So even starting with no details at all other than the first six digits – which tell you the bank and card type and so are the same for every card from a single provider – a hacker can obtain the three essential pieces of information to make an online purchase within as little as six seconds,” he said. To obtain card details, the attacker uses online payment websites to guess the data and the reply to the transaction will confirm whether or not the guess was right.
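The first weakness Ali describes is a detection gap: each website counts invalid attempts only for itself, so nobody sees the total for a card. The sketch below is an added example, not code from the paper or from any payment network. It shows the kind of cross-merchant correlation an issuer or network could run over declined authorizations. The thresholds, the card token format and the event tuples are assumptions made for illustration.

```python
from collections import defaultdict, deque

# Assumed thresholds (not from the paper); tune against real traffic.
WINDOW_SECONDS = 60
MAX_FAILURES = 15    # declines per card across all merchants in the window
MAX_MERCHANTS = 3    # distinct merchants reporting declines for that card

class CrossMerchantDetector:
    """Counts declined authorizations per card across ALL merchants."""
    def __init__(self):
        self.failures = defaultdict(deque)  # card token -> (ts, merchant)

    def observe(self, ts, card_token, merchant, approved):
        """Feed one authorization result; True means flag this card."""
        if approved:
            return False
        q = self.failures[card_token]
        q.append((ts, merchant))
        while q and ts - q[0][0] > WINDOW_SECONDS:
            q.popleft()  # drop declines that fell out of the window
        merchants = {m for _, m in q}
        return len(q) > MAX_FAILURES and len(merchants) > MAX_MERCHANTS

def per_site_limit_hit(events, limit=10):
    """What one merchant can see: declines per (card, merchant) pair only."""
    counts = defaultdict(int)
    for _, card, merchant, approved in events:
        if not approved:
            counts[(card, merchant)] += 1
    return any(c >= limit for c in counts.values())

def first_alert(events):
    """Index of the first event the cross-merchant view flags, or None."""
    det = CrossMerchantDetector()
    for i, (ts, card, merchant, approved) in enumerate(events):
        if det.observe(ts, card, merchant, approved):
            return i
    return None

# Constructed sample: 40 declines for one card token spread over 8 merchants
# (5 each, under a 10-guess per-site limit), one every 0.5 seconds.
SPREAD = [(i * 0.5, "tok_A", f"shop{i % 8}", False) for i in range(40)]
# Constructed sample: a cardholder mistyping twice at one shop, then paying.
NORMAL = [(0, "tok_B", "shop0", False), (20, "tok_B", "shop0", False),
          (40, "tok_B", "shop0", True)]
```

On the constructed data no single merchant reaches its own limit, yet the aggregated view flags the card at the sixteenth decline; the ordinary mistyped payment is never flagged.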
The fact is “there is no magic bullet” for anyone worried about how to keep their credit and debit cards safe, according to the paper’s co-author Dr. Martin Emms.
However, he added that there are some measures consumers can take to decrease their risk of becoming a victim of credit card fraud.
“Use just one card for online payments and keep the spending limit on that account as low as possible. If it’s a bank card then keep ready funds to a minimum and transfer over money as you need it. And be vigilant, check your statements and balance regularly and watch out for odd payments. However the only sure way of not being hacked is to keep your money in the mattress and that’s not something I’d recommend,” Emms advises.