Visa’s online payment system fails to pick up on multiple invalid credit card attempts across multiple websites
Credit cards can be hacked within six seconds using nothing more than guesswork, researchers from Newcastle University have discovered.
The attack exploits a flaw in the Visa payment system that lets an attacker obtain the card number, expiry date and security code of any credit or debit card by automatically and systematically generating variations of a card’s security data and submitting them to multiple websites.
The technique allows would-be hackers to score a ‘hit’ in seconds on a website and verify all the necessary security data. The researchers found that the multiple invalid attempts to gain access to the credit card credentials could not be detected by the Visa network or the banks providing the cards.
Credit card hack
The current Visa system does not detect multiple invalid payment requests made with the same card on multiple websites, so this distributed attack technique gives an attacker an unlimited number of guesses at the credentials.
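The detection gap described above is one of vantage point: each merchant sees only one or two declines for a given card, so a per-merchant velocity limit never fires, while the card network or issuer sees every merchant and could correlate them. The following is an added example, not code from the researchers or from Visa, showing the two views side by side over a constructed authorisation log. The log format, field names, card tokens and thresholds are all assumptions made for the illustration.

```python
"""Cross-merchant decline correlation for spotting distributed guessing.

Added example (not the researchers' or Visa's code). A per-merchant view
sees at most one or two declines per card; a network-wide view that groups
declines by card across merchants can flag the same activity. Log format,
field names and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorisation events, not real data. Card values are tokens,
# not card numbers. "tok_guess" is probed one field at a time across many
# merchants; "tok_shopper" is an ordinary customer who mistyped a CVV once.
SAMPLE_AUTH_LOG = [
    "2016-12-02T10:15:00Z card=tok_shopper merchant=M001 result=DECLINE reason=BAD_CVV",
    "2016-12-02T10:15:20Z card=tok_shopper merchant=M001 result=APPROVE reason=-",
] + [
    f"2016-12-02T10:16:{i:02d}Z card=tok_guess merchant=M{i:03d} result=DECLINE reason=BAD_EXPIRY"
    for i in range(12)
] + [
    "2016-12-02T10:16:12Z card=tok_guess merchant=M012 result=APPROVE reason=-",
]


def parse_line(line):
    """Parse one 'ts key=value ...' line into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    event = {k: v for k, v in (f.split("=", 1) for f in fields)}
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def per_merchant_max_declines(events):
    """What any single merchant sees: the largest decline count for each card
    at one merchant. This is the number a per-merchant rate limit acts on."""
    counts = defaultdict(int)  # (merchant, card) -> declines
    for ev in events:
        if ev["result"] == "DECLINE":
            counts[(ev["merchant"], ev["card"])] += 1
    worst = defaultdict(int)
    for (_merchant, card), n in counts.items():
        worst[card] = max(worst[card], n)
    return dict(worst)


def cross_merchant_alerts(events, window=timedelta(minutes=5),
                          min_declines=5, min_merchants=3):
    """What the network or issuer can see: declines for the same card across
    distinct merchants inside a sliding time window. A card is flagged when
    both the decline count and the distinct-merchant count exceed the
    (assumed) thresholds; the decline reasons show which field is varied."""
    by_card = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "DECLINE":
            by_card[ev["card"]].append(ev)

    alerts = {}
    for card, declines in by_card.items():
        start = 0
        for end in range(len(declines)):
            # Slide the window start forward until it fits within `window`.
            while declines[end]["ts"] - declines[start]["ts"] > window:
                start += 1
            span = declines[start:end + 1]
            merchants = {e["merchant"] for e in span}
            if len(span) >= min_declines and len(merchants) >= min_merchants:
                best = alerts.get(card)
                if best is None or len(span) > best["declines"]:
                    alerts[card] = {
                        "declines": len(span),
                        "merchants": len(merchants),
                        "reasons": sorted({e["reason"] for e in span}),
                    }
    return alerts


if __name__ == "__main__":
    evs = [parse_line(line) for line in SAMPLE_AUTH_LOG]
    print("per-merchant view:", per_merchant_max_declines(evs))
    print("network view:    ", cross_merchant_alerts(evs))
```

Run as a script, the per-merchant view reports a maximum of one decline per card at any merchant, so a merchant-side limit of a few attempts never triggers; the network view flags `tok_guess` with twelve declines across twelve merchants, all with the same decline reason, while the shopper's single mistyped CVV is left alone.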
“Most hackers will have got hold of valid card numbers as a starting point but even without that it’s relatively easy to generate variations of card numbers and automatically send them out across numerous websites to validate them,” said Mohammed Ali, PhD student at Newcastle University’s School of Computing Science and the lead author of the research.
“The next step is the expiry date. Banks typically issue cards that are valid for 60 months so guessing the date takes at most 60 attempts.
“The CVV [three-digit security number on the back of Visa cards] is your last barrier and theoretically only the card holder has that piece of information – it isn’t stored anywhere else.
“But guessing this three-digit number takes fewer than 1,000 attempts. Spread this out over 1,000 websites and one will come back verified within a couple of seconds. And there you have it – all the data you need to hack the account.”
Correct credentials can be picked out from across multiple websites and stitched together to provide the data needed to crack into a credit card.
“The unlimited guesses, when combined with the variations in the payment data fields, make it frighteningly easy for attackers to generate all the card details one field at a time,” added Ali.
While the hack technique is alarming, Dr Martin Emms, another author of the research, said there are ways to protect credit card details and money from being stolen online, though he added there is no magic bullet that completely defeats the myriad attack vectors both researchers and hackers dig up.
“But we can all take simple steps to minimise the impact if we do find ourselves the victim of a hack. For example, use just one card for online payments and keep the spending limit on that account as low as possible. If it’s a bank card then keep ready funds to a minimum and transfer over money as you need it,” said Emms.
“And be vigilant, check your statements and balance regularly and watch out for odd payments. However, the only sure way of not being hacked is to keep your money in the mattress and that’s not something I’d recommend!”
In a statement to Silicon UK, Visa noted the research did not take into account the fraud protection the credit card company offers, which can mitigate the researchers’ hack.
“The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world,” the company said.
“Visa is committed to keeping fraud at low levels and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally. We provide issuers with the necessary data to make informed decisions on the risk of transactions. There are also steps that merchants and issuers can take to thwart brute force attempts.
“For consumers, the most important thing to remember is that if their card number is used fraudulently, the cardholder is protected from liability.”