Distributed Guessing Attack can ‘compromise Visa cards in just six seconds’

Cybercriminals can compromise Visa credit cards in around six seconds through a so-called Distributed Guessing Attack, according to new research from Newcastle University in the UK.

The study reported that shortcomings in Visa’s payment system could allow cybercriminals to work out the card number, expiry date and security code of a debit or credit card.

Moreover, the fraudulent activity, which sees the criminals make numerous attempts to access payment data via this guessing strategy, is not picked up by Visa or the banks.

“The current online payment system does not detect multiple invalid payment requests from different websites,” explained Mohammed Ali, a PhD student at the university and lead author of the research paper.

“This allows unlimited guesses on each card data field, using up to the allowed number of attempts – typically 10 or 20 guesses – on each website.

“Secondly, different websites ask for different variations in the card data fields to validate an online purchase.”

With all the information gathered in this way, fraudsters can piece together, “like a jigsaw”, all the details needed to commit fraud.

“So even starting with no details at all other than the first six digits a hacker can obtain the three essential pieces of information to make an online purchase within as little as six seconds,” Ali concluded.
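The detection gap Ali describes can be shown from the defender's side. The sketch below is an added example, not code from the research paper or from any payment network: it compares a per-website attempt counter with one that correlates declined attempts for the same card across websites. The event layout, the card tokens, the merchant names and every threshold other than the per-site cap of 10 are assumptions.

```python
from collections import defaultdict, deque

PER_MERCHANT_LIMIT = 10   # per-site cap; the article cites 10 or 20 guesses
NETWORK_LIMIT = 15        # assumed: declines per card across all merchants
MIN_MERCHANTS = 3         # assumed: declines must span this many sites
WINDOW = 60               # assumed sliding window, in seconds

def per_merchant_view(events):
    """Cards a single merchant would flag: declines counted per (merchant, card)."""
    counts = defaultdict(int)
    flagged = set()
    for ts, merchant, card, approved in events:
        if not approved:
            counts[(merchant, card)] += 1
            if counts[(merchant, card)] > PER_MERCHANT_LIMIT:
                flagged.add(card)
    return flagged

def network_view(events):
    """Cards flagged when declines are correlated across merchants in a sliding window."""
    recent = defaultdict(deque)   # card -> deque of (ts, merchant) declines
    flagged = set()
    for ts, merchant, card, approved in sorted(events):
        if approved:
            continue
        q = recent[card]
        q.append((ts, merchant))
        while ts - q[0][0] > WINDOW:   # drop declines older than the window
            q.popleft()
        if len(q) > NETWORK_LIMIT and len({m for _, m in q}) >= MIN_MERCHANTS:
            flagged.add(card)
    return flagged

def sample_events():
    """Constructed data: tok_A is declined 8 times at each of 5 sites within 6 seconds;
    tok_B is a customer who mistypes twice at one site, then succeeds."""
    events = [(i * 0.15, f"shop{i % 5}.example", "tok_A", False) for i in range(40)]
    events += [(1.0, "shop0.example", "tok_B", False),
               (9.0, "shop0.example", "tok_B", False),
               (20.0, "shop0.example", "tok_B", True)]
    return events

if __name__ == "__main__":
    ev = sample_events()
    print("per-merchant view:", per_merchant_view(ev))
    print("network view:", network_view(ev))
```

No single site sees more than its own limit, so only the cross-merchant counter flags the card that is being guessed.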

It has been suggested that this technique may have been used in the attack on Tesco Bank, although this has not been officially confirmed by the bank or investigators.

In terms of what can be done to thwart this kind of malicious activity, according to Dr. Martin Emms, co-author of the study and a research associate at Newcastle University, “sadly, there’s no magic bullet”.

“But we can all take simple steps to minimize the impact if we do find ourselves the victim of a hack,” he added.

“For example, use just one card for online payments and keep the spending limit on that account as low as possible. If it’s a bank card then keep ready funds to a minimum and transfer over money as you need it.”

Author , We Live Security

Copyright © 2017 ESET, All Rights Reserved.