Cybercriminals can compromise Visa credit cards in
around six seconds through a so-called Distributed Guessing Attack, according
to new research from Newcastle University in the UK.
The study reported that shortcomings in Visa’s
payment system could allow cybercriminals to work out the card number, expiry
date and security code of a debit or credit card.
Moreover, the fraudulent activity, which sees the
criminals make numerous attempts to access payment data via this guessing
strategy, is not picked up by Visa or the banks.
“The current online payment system does not
detect multiple invalid payment requests from different websites,” explained
Mohammed Ali, a PhD student at the university and lead author of the research
paper.
“This allows unlimited guesses on each card data
field, using up to the allowed number of attempts – typically 10 or 20 guesses
– on each website.
“Secondly, different websites ask for different
variations in the card data fields to validate an online purchase.”
The result is that with all the information that is
then gathered, fraudsters can piece together, “like a jigsaw”, all the details
needed to commit fraud.
“So even starting with no details at all other than
the first six digits a hacker can obtain the three essential pieces of
information to make an online purchase within as little as six seconds,” Ali
concluded.
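
A defender-side sketch of the gap Ali describes, added here as an example and not taken from the research paper or any payment network's code: declined attempts for one card are counted across all websites instead of per website. The event format, card tokens, merchant names, the 60-second window and the three-merchant minimum are assumptions; the per-site limit of 10 comes from the quote above.

```python
from collections import defaultdict, deque

PER_SITE_LIMIT = 10  # per-website attempt cap ("typically 10 or 20 guesses")


def build_sample_events():
    """Constructed declined-authorisation events: (time_s, card_token, merchant)."""
    merchants = ["shop-a.example", "shop-b.example", "shop-c.example", "shop-d.example"]
    # 32 wrong guesses for one card, 8 per site, all inside six seconds
    events = [(i * 0.18, "card-1", merchants[i % 4]) for i in range(32)]
    # An ordinary customer mistyping a security code twice on one site
    events += [(2.0, "card-2", "shop-a.example"), (40.0, "card-2", "shop-a.example")]
    return sorted(events)


def per_site_view(events, limit=PER_SITE_LIMIT):
    """What each website sees in isolation: cards that exceed its own limit."""
    counts = defaultdict(int)
    for _, card, merchant in events:
        counts[(card, merchant)] += 1
    return {card for (card, _), n in counts.items() if n > limit}


def network_view(events, window_s=60.0, limit=PER_SITE_LIMIT, min_merchants=3):
    """Cards whose declines, summed over all merchants in a sliding window, exceed limit."""
    recent = defaultdict(deque)  # card -> (time, merchant) of declines still in the window
    flagged = set()
    for ts, card, merchant in sorted(events):
        window = recent[card]
        window.append((ts, merchant))
        while ts - window[0][0] > window_s:  # drop declines older than the window
            window.popleft()
        if len(window) > limit and len({m for _, m in window}) >= min_merchants:
            flagged.add(card)
    return flagged


if __name__ == "__main__":
    sample = build_sample_events()
    print("per-site view flags:", per_site_view(sample))
    print("network view flags: ", network_view(sample))
```

No single website sees more than eight declines for the guessed card, so the per-site view stays empty, while the aggregated view flags it after the eleventh decline.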
It has been suggested that this technique may have
been used in the attack on Tesco Bank, although this has not been officially
confirmed by the bank or investigators.
In terms of what can be done to thwart this kind of
malicious activity, according to Dr. Martin Emms, co-author of the study and a
research associate at Newcastle University, “sadly, there’s no magic bullet”.
“But we can all take simple steps to minimize the
impact if we do find ourselves the victim of a hack,” he added.
“For example, use just one card for online payments
and keep the spending limit on that account as low as possible. If it’s a bank
card then keep ready funds to a minimum and transfer over money as you need
it.”