A recent study showed that cybercriminals could hack into your credit card account in about six seconds. This is possible even without your complete card details. All a criminal needs is your card number, security code, or expiry date – and a little guess and test.
A study published by the academic journal IEEE Security and Privacy focused on how the “Distributed Guessing Attack” is capable of bypassing all security measures implemented to fight fake online transactions.
The research team also found out that the VISA system was faulty; the network and the banks involved were not capable of identifying attackers attempting to steal the credit card information.
Hackers used an automated system that produced thousands of variations of credit card numbers and their codes and tried them at numerous websites, leading to verified accounts in record time.
Authorities posited that this method was most likely employed in the Tesco attack that led to 2.5 million pounds in losses, forcing them to say that it is “frighteningly easy if you have a laptop and Internet connection.”
Mohammed Ali, one of the lead authors in the research, said, “This sort of attack exploits two weaknesses that on their own are not too severe but when used together, present a serious risk to the whole payment system.”
He added that the current online payment system does not have the capacity to detect multiple invalid payment requests from different websites. This allows hackers “unlimited” guesses for each card they use, maxing out the number of attempts (up to 20 attempts for some) on each website.
According to Ali, websites vary in the card data fields they use to validate an online purchase, meaning it can be quite easy to build up the data and piece it together like a jigsaw. Combined with the unlimited guesses, this makes it “frighteningly easy for attackers to generate the card details one field at a time.”
Each card field generated can be used to generate the data for the next field until all fields are validated. If the “hits” are spread enough across the sites, it is possible to receive the correct information in as little as two seconds.
“So even starting with no details at all, other than the first six digits… a hacker can obtain the three essential pieces of information to make an online purchase within as little as six seconds,” Ali concluded.
While this development is unquestionably alarming, the research team discovered that only the VISA network was vulnerable to this type of attack. MasterCard’s network was capable of detecting the attack in less than 10 failed attempts – even when they were spread across multiple networks.
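The gap between the two behaviours described above can be shown with a small detection sketch. This is an added example, not code from the study or from any card network: it compares a counter kept separately by each website with a card-centric counter that sums declined attempts across all merchants. The threshold of 10, the 10-minute window, the merchant names and the card token are assumptions, and the event list is constructed.

```python
from collections import defaultdict, deque

PER_SITE_LIMIT = 20    # per-website attempt cap mentioned in the article
NETWORK_LIMIT = 10     # assumed network-wide threshold for one card
WINDOW_SECONDS = 600   # assumed sliding window for the network view


class PerSiteCounter:
    """Each merchant counts declines for a card in isolation."""

    def __init__(self):
        self.failures = defaultdict(int)  # (merchant, card_token) -> count

    def record_failure(self, merchant, card_token, ts):
        self.failures[(merchant, card_token)] += 1
        return self.failures[(merchant, card_token)] >= PER_SITE_LIMIT


class NetworkCounter:
    """Declines for one card are summed across every merchant."""

    def __init__(self):
        self.failures = defaultdict(deque)  # card_token -> decline timestamps

    def record_failure(self, merchant, card_token, ts):
        window = self.failures[card_token]
        window.append(ts)
        # Drop declines that fell out of the sliding window.
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        return len(window) >= NETWORK_LIMIT


def replay(events, detector):
    """Return the index of the first event that trips the detector, else None."""
    for index, (ts, merchant, card_token) in enumerate(events):
        if detector.record_failure(merchant, card_token, ts):
            return index
    return None


# Constructed sample: 60 declined authorisations for one card token,
# one per second, spread evenly over 12 merchants (5 declines each).
SPREAD_EVENTS = [(t, f"shop-{t % 12}", "tok_A") for t in range(60)]

# Constructed sample: a cardholder mistyping a code three times at one shop.
TYPO_EVENTS = [(t, "shop-0", "tok_B") for t in (0, 20, 45)]

if __name__ == "__main__":
    print("per-site view flags at:", replay(SPREAD_EVENTS, PerSiteCounter()))
    print("network view flags at:", replay(SPREAD_EVENTS, NetworkCounter()))
    print("typo case flags at:", replay(TYPO_EVENTS, NetworkCounter()))
```

No single merchant ever sees more than five declines, so the per-site view stays silent, while the card-centric view flags the tenth decline.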
Ali explained, “Most hackers will have valid card numbers as a starting point but even without that, it’s relatively easy to generate variations of card numbers and automatically send them out across numerous websites to validate them.”
After the card number, the next field would be the expiry date. Since banks issue cards valid for 60 months, guessing the date takes up to 60 attempts.
The security code is the last step in hacking the card, and ideally, the cardholder should be the only one with access to it. However, Ali said that hackers are still able to guess the code as long as the guesses are spread over numerous websites.
When all this works out for the hacker, then the account is as good as theirs.
While there is no surefire way to avoid getting your credit card hacked, there are steps to minimise the chances of becoming a victim.
Using one card for online payments and keeping its limit to a minimum can help, as can keeping ready funds to a minimum and transferring money as needed, according to Martin Emms, one of the study’s lead authors.
“Be vigilant, check your statements, balance regularly, and watch out for odd payments,” added Emms.