Working out the card number, expiry date and security code of any Visa credit or debit card can take as little as six seconds and uses nothing more than guesswork, new research has shown.
Research published in the academic journal IEEE Security & Privacy, shows how the so-called Distributed Guessing Attack is able to circumvent all the security features put in place to protect online payments from fraud.
Exposing the flaws in the Visa payment system, the team from Newcastle University, UK, found neither the network nor the banks were able to detect attackers making multiple, invalid attempts to get payment card data.
By automatically and systematically generating different variations of the cards security data and firing it at multiple websites, within seconds hackers are able to get a ‘hit’ and verify all the necessary security data, they say.
Investigators believe this guessing attack method is likely to have been used in the recent Tesco cyberattack which defrauded customers of £2.5m and which the Newcastle team describe as “frighteningly easy if you have a laptop and an internet connection.”
“This sort of attack exploits two weaknesses that on their own are not too severe but when used together, present a serious risk to the whole payment system,” explains Mohammed Ali, a PhD student in Newcastle University’s School of Computing Science and lead author on the paper.
To obtain card details, the attack uses online payment websites to guess the data and the reply to the transaction will confirm whether or not the guess was right.
Because the current online system does not detect multiple invalid payment requests on the same card from different websites, unlimited guesses can be made by distributing the guesses over many websites.
However, the team found it was only the Visa network that was vulnerable.
“MasterCard’s centralised network was able to detect the guessing attack after less than 10 attempts - even when those payments were distributed across multiple networks,” says Mohammed.
At the same time, because different online merchants ask for different information, it allows the guessing attack to obtain the information one field at a time.
Mohammed explains: “Most hackers will have got hold of valid card numbers as a starting point but even without that it’s relatively easy to generate variations of card numbers and automatically send them out across numerous websites to validate them.
It takes at most 60 attempts to guess the expiry date, he says, and up to 100o tries to uncover the three digit CVV code.
Newcastle University’s Dr Martin Emms, co-author on the paper, has this advice for consumers shopping online: "Use just one card for online payments and keep the spending limit on that account as low as possible. If it’s a bank card then keep ready funds to a minimum and transfer over money as you need it.
“However, the only sure way of not being hacked is to keep your money in the mattress and that’s not something I’d recommend”
“The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world.
In response, Visa states: "We provide issuers with the necessary data to make informed decisions on the risk of transactions. There are also steps that merchants and issuers can take to thwart brute force attempts."
The card scheme points to upcoming improvements in security through the 3D Secure 2.0 specification and the liability shift to merchants that fail to implement the standard.
"For consumers, the most important thing to remember is that if their card number is used fraudulently, the cardholder is protected from liability," it states.