A team of computer scientists from Newcastle University have found that card fraudsters can hack Visa debit or credit cards in just six seconds.
The new research from the University of Newcastle also suggests that neither banks nor networks are able to detect such cyber-attacks on the cards, highlighting the flaws of the VISA system. The process of the attack is described as ‘nothing more than guesswork’.
Hackers are able to gain access to electronic payment cards via the card number, expiry date and security code in just a matter of seconds.
In the attack, labelled the ‘Distributed Guessing Attack’, hackers generate multiple versions of the data provided on Visa cards and then hit several websites at once.
It takes a mere few seconds before a match is found; this ‘hit’ then allows the hacker to confirm and verify the security data related to the card and make an online purchase.
The process has been described as ‘frighteningly easy’ for those with just a laptop and an internet connection.
The method has since been linked to the cyber-attack which hit Tesco Bank customers in the ‘most serious’ attack on a UK bank.
At least 20,000 customers lost money through the attack while a further 40,000 reported ‘suspicious activity’. It is reported that the attack defrauded customers of around £2.5 million.
Mohammed Ali, a PhD student in the University’s Computer Science School and lead author of the paper, explained the process:
“This sort of attack exploits two weaknesses that on their own are not too severe but when used together, present a serious risk to the whole payment system,”
“Firstly, the current online payment system does not detect multiple invalid payment requests from different websites.
“This allows unlimited guesses on each card data field, using up to the allowed number of attempts – typically 10 or 20 guesses – on each website.
“Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it’s quite easy to build up the information and piece it together like a jigsaw.
“The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time.”
The Newcastle University team also tested other card providers such as Mastercard, yet the flaw could only be found within the Visa system.
Mr Ali said: “MasterCard’s centralised network was able to detect the guessing attack after less than 10 attempts – even when those payments were distributed across multiple networks.”
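The difference between per-website limits and a centralised check can be shown with a small detection example. This Python code is added here for illustration and is not from the Newcastle paper; the event format, card tokens, thresholds and window are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque

PER_SITE_LIMIT = 10   # assumed per-website cap (the article cites 10 or 20 guesses)
NETWORK_LIMIT = 10    # assumed network-wide threshold
WINDOW_SECONDS = 60   # assumed sliding window for the network-wide count

def build_sample_events():
    """Constructed data: declined authorisations as (time_s, merchant, card_token)."""
    events = []
    # One card token declined 4 times at each of 6 merchants within six seconds.
    for i in range(24):
        events.append((i * 0.25, f"merchant-{i % 6}", "card-A"))
    # A second card with two ordinary mistyped entries at a single merchant.
    events.append((1.0, "merchant-0", "card-B"))
    events.append((30.0, "merchant-0", "card-B"))
    return sorted(events)

def per_site_alerts(events, limit=PER_SITE_LIMIT):
    """Each website counts failures on its own and never sees the other sites."""
    counts = defaultdict(int)
    flagged = set()
    for _, merchant, card in events:
        counts[(merchant, card)] += 1
        if counts[(merchant, card)] >= limit:
            flagged.add(card)
    return flagged

def network_alerts(events, limit=NETWORK_LIMIT, window=WINDOW_SECONDS):
    """Count failures per card across all merchants inside a sliding window.

    Returns {card_token: (time of first alert, distinct merchants involved)}.
    """
    recent = defaultdict(deque)
    first_alert = {}
    for ts, merchant, card in events:
        q = recent[card]
        q.append((ts, merchant))
        while q and ts - q[0][0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= limit and card not in first_alert:
            first_alert[card] = (ts, len({m for _, m in q}))
    return first_alert

if __name__ == "__main__":
    events = build_sample_events()
    print("per-site view flags:", per_site_alerts(events))
    print("network-wide view flags:", network_alerts(events))
```

On the constructed data no single website reaches its own limit, while the network-wide count flags the first card on its tenth declined attempt and leaves the second card alone.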
The Visa system’s flaw is also very difficult to manoeuvre around as nearly all online payment systems require the same information.
The co-author of the paper, Dr Martin Emms, said: “Sadly there’s no magic bullet,”
“But we can all take simple steps to minimise the impact if we do find ourselves the victim of a hack.
“For example, use just one card for online payments and keep the spending limit on that account as low as possible. If it’s a bank card then keep ready funds to a minimum and transfer over money as you need it.”
“However, the only sure way of not being hacked is to keep your money in the mattress and that’s not something I’d recommend!”
Last modified: 5th December 2016