According to the latest research [Pdf] carried out by Newcastle University in the UK, hackers need only six seconds to acquire the sensitive details of your VISA credit or debit card, including its security code and expiry date. The study was published in the IEEE Security & Privacy journal.
According to the Newcastle University research team, the main threat is the “Distributed Guessing Attack,” the technique behind the recent cyber attack on Tesco in November that helped fraudsters deceive customers and deprive them of millions of dollars.
The reason this so-called Distributed Guessing Attack is considered a real threat is that it can circumvent almost all of the security measures implemented to protect online payments from fraud, and it needs only a few seconds to do so.
The study exposed vulnerabilities in the VISA payment system and highlighted the fact that neither the banks nor the network detected the hackers’ attempts to guess the details of VISA cards.
Hackers can attack as many times as they like, regardless of the number of invalid attempts, simply by generating automated variations of the security data. They then keep trying those variations on different websites until they hit the jackpot and manage to verify the required security information.
It is worth noting that such an attack is quite easy to conduct, as noted by the paper’s authors:
“[It is] frighteningly easy if you have a laptop and an internet connection.”
According to Mohammed Ali, a Ph.D. student of computer science at Newcastle University and the study’s lead author, such an attack exploits two weaknesses that are not too severe on their own but, when combined, pose a serious risk to the entire payment system. The two weaknesses are as follows:
“Firstly, the current online payment system does not detect multiple invalid payment requests from different websites. This allows unlimited guesses on each card data field, using up to the allowed number of attempts – typically 10 or 20 guesses – on each website,” added Ali.
“Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it’s quite easy to build up the information and piece it together like a jigsaw. The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time,” Ali explained.
Every card field that is confirmed, Ali states, can be used to work out the next field, and the process repeats. If the guesses are distributed across multiple websites, a positive response to every query can be expected within about two seconds, which is no slower than any ordinary online payment.
“So even starting with no details at all other than the first six digits – which tell you the bank and card type and so are the same for every card from a single provider – a hacker can obtain the three essential pieces of information to make an online purchase within as little as six seconds,” says Ali.
To obtain the card details, the hackers use online payment websites to submit their guesses, and the transaction’s reply tells them whether each guess was right or wrong.
The paper’s co-author Dr. Martin Emms said that there is “no magic bullet” for those concerned about the security of their debit and credit cards, but some steps can be taken to reduce the risk of a card being compromised.
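As an added illustration, not code from the paper or from this article, the following Python sketches the issuer-side check that the first weakness Ali describes calls for: counting guess-type declines per card across all merchants, instead of letting each merchant count only its own. Merchant names, the card token, the decline reasons and the timestamps are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Decline:
    """One declined authorization as seen by the issuer (constructed format)."""
    ts: float        # seconds on a shared clock
    merchant: str    # merchant that submitted the attempt
    pan: str         # tokenised card number
    reason: str      # why it was declined


# Decline reasons a field-guessing attempt would produce (assumed labels).
GUESSABLE = {"bad_cvv", "bad_expiry"}


def per_merchant_alerts(declines, limit=10):
    """What each merchant can see on its own: failures per (merchant, card).
    With the attack spread over many sites, no single merchant reaches `limit`."""
    counts = defaultdict(int)
    for d in declines:
        if d.reason in GUESSABLE:
            counts[(d.merchant, d.pan)] += 1
    return {key for key, n in counts.items() if n >= limit}


def network_alerts(declines, limit=10, window=60.0):
    """Issuer/network view: guess-type failures per card across ALL merchants
    in a sliding window. Returns {pan: time the card crossed the threshold}."""
    by_pan = defaultdict(list)
    for d in sorted(declines, key=lambda e: e.ts):
        if d.reason in GUESSABLE:
            by_pan[d.pan].append(d.ts)
    flagged = {}
    for pan, stamps in by_pan.items():
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= limit:
                flagged[pan] = stamps[end]
                break
    return flagged


def sample_declines():
    """Constructed scenario: four sites, four bad-CVV tries each, one card, 16 s."""
    events, t = [], 0.0
    for m in ("shop-a", "shop-b", "shop-c", "shop-d"):
        for _ in range(4):
            events.append(Decline(t, m, "pan-7f3a", "bad_cvv"))
            t += 1.0
    events.append(Decline(t, "shop-a", "pan-0c11", "bad_cvv"))  # an ordinary typo
    return events


if __name__ == "__main__":
    ev = sample_declines()
    print("per-merchant alerts:", per_merchant_alerts(ev))   # empty: attack unseen
    print("network-wide alerts:", network_alerts(ev))         # {'pan-7f3a': 9.0}
```

The per-merchant view stays silent because every site is under its own retry cap; only the cross-merchant count catches the card being worked on.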
“Use just one card for online payments and keep the spending limit on that account as low as possible. If it’s a bank card then keep ready funds to a minimum and transfer over money as you need it,” recommends Emms.