Fraudsters can steal your credit card details in just six seconds, researchers have discovered.
Experts from Newcastle University in the UK said stealing someone’s credit or debit card details was “frighteningly easy” with just a laptop and a connection to the internet.
The researchers found that hackers can easily obtain the number, expiry date and three-digit security code of any Visa card – which is all the information someone needs to transfer money from an account or make transactions online.
The researchers used a method known as a Distributed Guessing Attack to bypass online security systems.
The same method was believed to have been used in the recent cyber attack on Tesco Bank in the UK, which resulted in 9,000 customers losing more than £2.5 million.
A Distributed Guessing Attack (DGA) could be used by hackers who had obtained a valid credit card number but did not know the 3-digit security code or the expiry date.
The hackers then enter the credit card number into a purpose-built computer programme that fires the card number, along with different variations of the security code and expiry date, at thousands of different websites simultaneously. Once the hackers get a match, they have the security code and expiry date.
The researchers said that despite sounding complex, the whole process can take as little as six seconds.
“The unlimited guesses, when combined with the variations in the payment data fields, make it frighteningly easy for attackers to generate all the card details one field at a time,” said Mohammed Ali, from Newcastle University’s School of Computing Science and lead author of the research paper.
Ali even warned that hackers do not need a complete Visa card number to carry out the hack.
“Most hackers will have got hold of valid card numbers as a starting point but even without that it’s relatively easy to generate variations of card numbers and automatically send them out across numerous websites to validate them.
“The next step is the expiry date. Banks typically issue cards that are valid for 60 months so guessing the date takes at most 60 attempts.
“The CVV is your last barrier and theoretically only the card holder has that piece of information – it isn’t stored anywhere else.
“But guessing this three-digit number takes fewer than 1,000 attempts. Spread this out over 1,000 websites and one will come back verified within a couple of seconds. And there you have it – all the data you need to hack the account.”
The researchers found that it was only Visa cards that were affected, as Mastercard blocks any card that has several failed attempts across multiple websites.
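The difference described above, between counting failed attempts at each website separately and counting them per card across all websites, shown as an added detection example (not code from the research paper or from either card network). The thresholds, field names and log entries are constructed assumptions.

```python
from collections import defaultdict, deque

def flag_cards(events, limit, window, key):
    """Return card tokens with more than `limit` declined attempts inside
    `window` seconds, counted separately for each key(merchant, card) bucket."""
    recent = defaultdict(deque)   # bucket -> timestamps of recent declines
    flagged = set()
    for ts, merchant, card, approved in sorted(events):
        if approved:
            continue
        q = recent[key(merchant, card)]
        q.append(ts)
        while ts - q[0] > window:  # drop declines older than the window
            q.popleft()
        if len(q) > limit:
            flagged.add(card)
    return flagged

def per_merchant(events, limit=5, window=60):
    # Each website counts only the failures it sees itself.
    return flag_cards(events, limit, window, key=lambda m, c: (m, c))

def network_wide(events, limit=5, window=60):
    # Failures for one card are counted across every website.
    return flag_cards(events, limit, window, key=lambda m, c: c)

def sample_events():
    """Constructed log: (seconds, merchant_id, card_token, approved)."""
    events = []
    # card-A: one declined attempt at each of 40 websites within six seconds
    for i in range(40):
        events.append((i * 0.15, f"shop-{i:02d}", "card-A", False))
    # card-B: a cardholder mistypes twice at one website, then succeeds
    events += [(1.0, "shop-00", "card-B", False),
               (20.0, "shop-00", "card-B", False),
               (40.0, "shop-00", "card-B", True)]
    return events

if __name__ == "__main__":
    log = sample_events()
    print("flagged per website :", sorted(per_merchant(log)))
    print("flagged network-wide:", sorted(network_wide(log)))
```

No single website sees more than one failure for card-A, so only the per-card count across websites flags it, while the cardholder who mistyped twice on card-B is left alone.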
Newcastle University’s Dr Martin Emms, who also co-authored the paper, warned that there is no single way to protect yourself from fraudsters:
“Sadly there’s no magic bullet,” he said.
“But we can all take simple steps to minimise the impact if we do find ourselves the victim of a hack. For example, use just one card for online payments and keep the spending limit on that account as low as possible. If it’s a bank card then keep ready funds to a minimum and transfer over money as you need it.
“And be vigilant, check your statements and balance regularly and watch out for odd payments.
“However, the only sure way of not being hacked is to keep your money in the mattress and that’s not something I’d recommend!”
In response, a spokesperson for Visa told the BBC:
“The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world.
“Visa is committed to keeping fraud at low levels and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally.”
Jonathan is our Google Nexus and Android enthusiast. He is also fanatical about football, which makes it all the more strange that he should support Stockport County. In addition to writing about tech, Jonathan has a passion for fitness and nutrition and has previously written for one of the UK’s leading watch and horology websites.