Researchers at Newcastle University in the UK claim that Visa’s credit-card payment system can be compromised online in “as little as six seconds.” The security flaw was possibly the point of entry for the cyber-attack on the UK’s Tesco Bank, in which £2.5 million was lost. This isn’t high-level hacking, either: according to the paper, all a determined thief needs to obtain card data is a laptop with an internet connection and some basic guesswork.
The team of researchers, led by PhD student Mohammed Ali, calls the method “the Distributed Guessing Attack.” The approach: a thief generates random numbers to guess combinations of card numbers, expiration dates and CVV codes (the three-digit number typically found on the back of the card). The video accompanying this article demonstrates just how easy it is to generate all of these fields quickly.
According to the paper, web merchants use three levels of data fields: (1) Card Number + Expiry date; (2) Card Number + Expiry date + CVV; (3) Card Number + Expiry date + CVV + Address.
It takes just a few attempts to guess the data once the hack is put into motion with an active card number. Most cards are valid for 60 months, so guessing the expiration date takes at most 60 attempts.
The CVV is a bit more difficult to find, but not by much: the team estimates about 1,000 attempts at most. “Spread this out over 1,000 websites and one will come back verified within a couple of seconds,” Ali said.
The research paper, whose lead author is a 26-year-old PhD student, said the good news for people with MasterCard debit and credit cards was that this form of hacking did not work on MasterCards, because its systems were able to detect the attacks. It added that the minority of online retailers that used so-called 3D Secure technology to provide extra protection – such as the Verified by Visa, Mastercard SecureCode and American Express SafeKey systems – were also “safe” from this type of attack.
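The article says the guesses are spread over many websites, and that MasterCard's systems could detect this. The following added example (not from the paper or any card network's code) shows why a network-wide view catches what each merchant misses; it assumes the network or issuer sees every authorisation attempt for a card token, and the thresholds, token names and events are constructed for illustration.

```python
from collections import defaultdict, deque

class CardGuessDetector:
    """Sliding-window count of failed authorisations per card, across all merchants."""

    def __init__(self, window_s=600, max_failures=10, min_merchants=3):
        # Thresholds are illustrative assumptions, not values from the paper.
        self.window_s = window_s
        self.max_failures = max_failures
        self.min_merchants = min_merchants
        self.failed = defaultdict(deque)  # card token -> (ts, merchant, field)

    def observe(self, ts, card, merchant, ok, field=None):
        """Record one authorisation result; return an alert dict or None."""
        if ok:
            return None
        q = self.failed[card]
        q.append((ts, merchant, field))
        while ts - q[0][0] > self.window_s:  # drop failures outside the window
            q.popleft()
        merchants = {m for _, m, _ in q}
        if len(q) >= self.max_failures and len(merchants) >= self.min_merchants:
            return {"card": card, "failures": len(q), "merchants": len(merchants),
                    "fields": sorted({f for _, _, f in q if f})}
        return None

def per_merchant_max(events):
    """Largest number of failures any single merchant saw for a single card."""
    counts = defaultdict(int)
    for _, card, merchant, ok, _ in events:
        if not ok:
            counts[(card, merchant)] += 1
    return max(counts.values(), default=0)

def build_sample():
    """Constructed events: (ts, card token, merchant, ok, failed field)."""
    # tok_A: 120 CVV failures spread over 40 merchants, 3 per merchant.
    events = [(i * 0.05, "tok_A", f"shop{i % 40}", False, "cvv") for i in range(120)]
    # tok_B: an ordinary customer who mistypes once, then succeeds.
    events += [(3.0, "tok_B", "shop1", False, "cvv"), (20.0, "tok_B", "shop1", True, None)]
    return sorted(events, key=lambda e: e[0])

def first_alerts(events, detector=None):
    """Replay events in time order; return the first alert raised for each card."""
    detector = detector or CardGuessDetector()
    alerts = {}
    for ts, card, merchant, ok, field in events:
        alert = detector.observe(ts, card, merchant, ok, field)
        if alert and card not in alerts:
            alerts[card] = alert
    return alerts

if __name__ == "__main__":
    sample = build_sample()
    print("max failures seen by one merchant:", per_merchant_max(sample))
    print("network-wide alerts:", first_alerts(sample))
```

In the constructed data no single merchant sees more than three failures for the card, so a per-site attempt limit never triggers, while the aggregated counter flags the card at its tenth failure.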