Working out the card number, expiry date and security code of any VISA debit or credit card can take as little as six seconds using nothing more than guesswork.
Research published in the academic journal IEEE Security & Privacy shows how a "distributed guessing attack" is able to circumvent all the security features put in place to protect online payments from fraud. Exposing flaws in the VISA payment system, a team from Newcastle University, UK, found that neither the network nor the banks were able to detect attackers making multiple, invalid attempts to obtain payment card data.
By automatically and systematically generating different variations of cards' security data and firing them at multiple websites, within seconds hackers were able to get a "hit" and verify all the necessary security data. This technique is believed to have been used in the recent Tesco cyberattack, which defrauded customers of £2.5m, according to the researchers.
“This sort of attack exploits two weaknesses that on their own are not too severe but when used together present a serious risk to the whole payment system,” says Mohammed Ali, PhD student in Newcastle University’s School of Computing Science and lead author of the paper. According to Ali, those flaws are:
- The current online payment system does not detect multiple invalid payment requests for the same card when they arrive from different websites. The attempt limit is enforced by each website individually, typically 10 or 20 guesses per site, so by spreading guesses across many sites an attacker gets effectively unlimited attempts on each card data field.
- Different websites ask for different subsets of the card data fields (some only the card number and expiry date, others the security code as well) to validate an online purchase. This means an attacker can confirm one field at a time on sites that ask for less, and piece the full card data together like a jigsaw.
According to Ali, most hackers will have gotten hold of valid card numbers as a starting point. But even without them, it is relatively easy to generate candidate card numbers and automatically send them out across numerous websites to find out which ones are live. The next step is guessing the expiry date. Because the expiry is only a month and year, and banks typically issue cards that are valid for 60 months, the date takes at most 60 guesses.
The card verification value is the final barrier. Guessing this three-digit number takes at most 1,000 attempts (000 to 999). Spread those guesses over enough websites that no single site sees more than its 10 or 20 allowed failures (the researchers describe using up to 1,000 sites), and the correct value comes back verified within a couple of seconds.
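The guessing procedure described in the two paragraphs above, as an added simulation that is not code from the Newcastle paper or from any payment network. The `Issuer` and `Merchant` classes, the `PER_SITE_LIMIT` and `NETWORK_LIMIT` values (taken from the figures the article quotes), the merchant counts and the card data are all assumptions of this toy model; the card number is a constructed test value that merely passes the Luhn check. Each merchant enforces its own per-card attempt cap, and the `centralized` flag switches on issuer-side counting across all merchants, the behaviour the article attributes to MasterCard's network.

```python
"""Toy model of a distributed guessing attack (added example; all names
and values are assumptions of this simulation, not real APIs)."""
import itertools
from dataclasses import dataclass, field

PER_SITE_LIMIT = 10   # article: each website allows 10 or 20 guesses
NETWORK_LIMIT = 10    # article: a centralized network blocked after <10 attempts


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: the public filter for plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                 # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


@dataclass
class Issuer:
    """Issuer / network that authorises every attempt (constructed card data)."""
    pan: str
    expiry: str            # "MM/YY"
    cvv: str
    centralized: bool      # True: count attempts across all merchants
    attempts: int = 0
    blocked: bool = False

    def authorise(self, pan, expiry=None, cvv=None):
        self.attempts += 1
        if self.centralized and self.attempts > NETWORK_LIMIT:
            self.blocked = True        # card-level block, whichever site asked
        if self.blocked or pan != self.pan:
            return False
        if expiry is not None and expiry != self.expiry:
            return False
        if cvv is not None and cvv != self.cvv:
            return False
        return True


@dataclass
class Merchant:
    """One web shop; `fields` is the subset of card data its form asks for."""
    name: str
    fields: tuple
    issuer: Issuer
    failures: dict = field(default_factory=dict)   # per-card failure count

    def try_payment(self, pan, **supplied):
        """True/False from the issuer, or None once this site locked the card."""
        if self.failures.get(pan, 0) >= PER_SITE_LIMIT:
            return None
        forwarded = {f: supplied.get(f) for f in self.fields}   # only its own fields
        ok = self.issuer.authorise(pan, **forwarded)
        if not ok:
            self.failures[pan] = self.failures.get(pan, 0) + 1
        return ok


def guess_field(pan, field_name, candidates, merchants, known):
    """Spread guesses for one field over many sites so no site exceeds its cap."""
    sites = itertools.cycle(merchants)
    for guess in candidates:
        for _ in range(len(merchants)):          # find a site that has not locked us
            result = next(sites).try_payment(pan, **known, **{field_name: guess})
            if result is not None:
                break
        else:
            return None                           # every site has locked the card
        if result:
            return guess
    return None


def run_attack(centralized):
    """Recover expiry then CVV for a card whose number is already known."""
    issuer = Issuer("4000000000000002", "09/20", "742", centralized)
    assert luhn_ok(issuer.pan)
    expiry_sites = [Merchant(f"shop{i}", ("expiry",), issuer) for i in range(10)]
    cvv_sites = [Merchant(f"store{i}", ("expiry", "cvv"), issuer) for i in range(120)]
    expiries = [f"{m:02d}/{y:02d}" for y in range(17, 22) for m in range(1, 13)]  # 60
    cvvs = [f"{n:03d}" for n in range(1000)]
    expiry = guess_field(issuer.pan, "expiry", expiries, expiry_sites, {})
    cvv = None
    if expiry is not None:
        cvv = guess_field(issuer.pan, "cvv", cvvs, cvv_sites, {"expiry": expiry})
    return {"expiry": expiry, "cvv": cvv, "attempts": issuer.attempts}


if __name__ == "__main__":
    print("per-site limits only:", run_attack(centralized=False))
    print("network-wide counting:", run_attack(centralized=True))
```

With only per-site limits the model recovers both fields: the 60 expiry guesses and 1,000 CVV guesses are spread thinly enough that no merchant ever reaches its cap, even though the issuer has seen hundreds of failures for one card. With the same card counted at the network, the eleventh failed attempt blocks the card regardless of which site sent it, and the attack finds nothing.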
Ali notes that these problems are specific to the VISA payment system. MasterCard’s centralized network, which counts attempts per card rather than per website, detected the guessing attack after fewer than 10 attempts, even when those payments were distributed across multiple websites.
Until a fix is instituted, he recommends VISA cardholders use just one card for online payments and keep the spending limit on that account as low as possible. For bank cards, consumers are advised to keep ready funds to a minimum and transfer over money as required.