Some people are deterred from shopping online because they fear becoming the victim of credit card fraud. Frequent online shoppers will be familiar with retailers asking for additional credit or debit card data, such as the security code, to reduce the risk of online fraud.

However, a new study conducted by students at Newcastle University, UK, reveals that hackers have a trick up their sleeve which makes Visa credit and debit cards susceptible to a "distributed guessing attack."

The research conducted by Budi Arief, Mohammed Aamir Ali and Aad van Moorsel entitled "Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?" has been published in the academic journal IEEE Security & Privacy.

The research team shows that hackers can guess the details of Visa debit and credit cards using a simple tool. The information this distributed guessing attack reveals includes sensitive data such as a card's CVV number and its expiration date, and it can be obtained by something as simple as querying e-commerce portals.

The exploit works on Visa cards because of a security weakness that lets hackers combine the results of guesses made on multiple websites. The software can quickly accumulate information such as the card's expiry date and the owner's postal code, address and CVV.

It is believed that hackers deployed this technique in the Tesco Bank incident, in which money was drained from 20,000 accounts.

The researchers' admission that the exploit is "frighteningly easy if you have a laptop and an internet connection" should set off alarm bells.

How Does The Exploit Work?

Hackers deploy bots that submit card details to several hundred retailers at once, which helps them guess the security code.

A security code, or CVV, is only three digits long, so it takes a hacker at most 1,000 attempts to find it and complete the guessing attack.

Because current online payment systems do not detect multiple failed payment requests made through different sites, a hacker can make an unlimited number of guesses for each data field of the card: the permitted attempts on each site (usually 10 or 20) are simply used up site by site.

Moreover, sites vary in which card data fields they require to authorize an online purchase. This makes it easier for the hacker to collect the scattered pieces of information and put them together.

Can It Indeed Be Conducted In 6 Seconds?

Yes it can. The experiments from the research team reveal that hackers can successfully run multiple bots simultaneously on a large number of payment sites. They can do so without being detected or activating any alarms in the payment system.

Using this knowledge, together with the fact that an online payment request is usually authorized within 2 seconds, a hacker can easily conduct the guessing attack and make it "scalable in real time."

"The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time. Each generated card field can be used in succession to generate the next field and so on. If the hits are spread across enough websites then a positive response to each question can be received within two seconds — just like any online payment," explains Ali, the study's lead author.

So if, for example, the bot has been configured to run on 30 websites, the hacker will be able to access the required information in just 4 seconds, according to the research.

As Ali explains, even just the first six digits of a card number reveal the card type and the issuing bank, and those digits are the same for every card from a particular provider. Starting from that information, a hacker can gather everything needed to make a purchase online within 6 seconds. The video below illustrates how.

Why Does The Exploit Work On Visa And Not MasterCard?

Visa card details can be obtained far more easily than MasterCard details because, the researchers say, the Visa network does not notice numerous attempts on the same card being made across its network. MasterCard, by contrast, detects a guessing attack in fewer than 10 attempts, even when the guesses are spread across several websites.

How To Prevent The Attack?

The research team believes that standardization or centralization is the solution for preventing such attacks.

Standardization means that all merchants would offer the same payment interface, i.e. the same set of fields, so that hackers could no longer scale the attack. Centralization, on the other hand, can be accomplished by card payment networks or payment gateways that have a complete view of all the payment attempts linked to their network.
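To show why a per-merchant attempt limit fails against a spread-out guessing run while a centralized view stops it, here is an added illustration (not code from the study or the article): two simplified decline counters, one keyed per merchant and one keyed per card across all merchants, fed with constructed declined-authorization traffic; the 10-attempt limits, the merchant names and the card identifier are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

PER_MERCHANT_LIMIT = 10  # per-site retry allowance the study cites (10 or 20)
NETWORK_LIMIT = 10       # hypothetical network-wide threshold on declines per card


@dataclass
class AuthAttempt:
    merchant: str   # merchant that submitted the authorization request
    card_id: str    # constructed card identifier standing in for the full card number
    approved: bool  # False for a declined guess


class PerMerchantLimiter:
    """What each merchant can do alone: count only the declines it has seen itself."""
    def __init__(self, limit=PER_MERCHANT_LIMIT):
        self.limit = limit
        self.declines = defaultdict(int)  # (merchant, card_id) -> declined attempts
    def allow(self, a):
        key = (a.merchant, a.card_id)
        if self.declines[key] >= self.limit:
            return False  # this merchant has exhausted its own allowance for the card
        if not a.approved:
            self.declines[key] += 1
        return True


class NetworkLimiter:
    """Centralized view: the network or gateway counts declines per card across every merchant."""
    def __init__(self, limit=NETWORK_LIMIT):
        self.limit = limit
        self.declines = defaultdict(int)  # card_id -> declined attempts, all merchants combined
    def allow(self, a):
        if self.declines[a.card_id] >= self.limit:
            return False  # card is locked network-wide after too many declines
        if not a.approved:
            self.declines[a.card_id] += 1
        return True


def spread_declines(card_id, n_sites, per_site):
    """Constructed test traffic: per_site declined attempts on each of n_sites merchants."""
    return [AuthAttempt(f"merchant-{i:03d}", card_id, False)
            for i in range(n_sites) for _ in range(per_site)]


def count_allowed(attempts, limiter):
    """Number of attempts the limiter lets through to the issuer."""
    return sum(1 for a in attempts if limiter.allow(a))


if __name__ == "__main__":
    traffic = spread_declines("card-A", n_sites=100, per_site=PER_MERCHANT_LIMIT)
    print(count_allowed(traffic, PerMerchantLimiter()))  # 1000: every site stays under its own cap
    print(count_allowed(traffic, NetworkLimiter()))      # 10: the centralized counter stops the run
```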

"Neither standardisation nor centralisation naturally fit the flexibility and freedom of choice one associates with the Internet or successful commercial activity, but they will provide the required protection," note the researchers.

Card holders should be vigilant and check their statements regularly and keep an eye out for any suspicious activity or payments.
