December 5, 2016
As India attempts an upgrade to a cashless society, cyber security experts have raised serious concerns and revealed how to find credit card information – including expiration dates and CVV numbers – in just 6 seconds.
And what’s more interesting? The hack uses nothing more than guesswork by querying multiple e-commerce sites.
In a new research paper entitled “Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?” published in the academic journal IEEE Security & Privacy, researchers from the University of Newcastle explain how online payments remain a weak spot in credit card security, which makes it easy for fraudsters to retrieve sensitive card information.
The technique, dubbed the Distributed Guessing Attack, can circumvent all the security features put in place to protect online payments from fraud. A similar technique is believed to be responsible for the hack of thousands of Tesco customers in the U.K. last month.
The issue lies in the Visa payment system, where an attacker can guess and try all possible permutations and combinations of expiration dates and CVV numbers across hundreds of websites.
Researchers discovered two weaknesses in the way online transactions are verified using the Visa payment system. They are as follows:
Online payment systems do not detect multiple incorrect payment requests if they’re performed across multiple sites. They also allow a maximum of 20 attempts per card on each site.
Websites do not run checks regularly, and the card information they request varies from site to site.
Newcastle University PhD candidate Mohammed Ali says neither weakness alone is too severe, but when used together and exploited properly, a cyber criminal can recover a credit card’s security information in just 6 seconds, presenting “a serious risk to the whole payment system.”
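The first weakness is a visibility gap: each site counts failures only for itself, so guesses spread across many sites never reach any single site's cap. The sketch below is an added example, not code from the paper or the article; it runs a per-site counter and a network-wide sliding-window counter over the same constructed authorization log. The log format, merchant and card names, the 60-second window and the threshold of 10 declines are assumptions; only the 20-attempt per-site cap comes from the article.

```python
from collections import defaultdict, deque

PER_SITE_LIMIT = 20   # per-site attempt cap mentioned in the article
NETWORK_LIMIT = 10    # assumed: declines per card tolerated network-wide
WINDOW_SECONDS = 60   # assumed: sliding window for the network counter

def build_sample_log():
    """Constructed data: (epoch_seconds, merchant_id, card_token, approved)."""
    log = []
    # card-A: 30 declines, one per second, rotated over 6 merchants (5 each)
    for i in range(30):
        log.append((1000 + i, f"shop-{i % 6}", "card-A", False))
    # card-B: ordinary customer, two mistyped attempts then a success
    log += [(1005, "shop-1", "card-B", False),
            (1020, "shop-1", "card-B", False),
            (1040, "shop-1", "card-B", True)]
    return sorted(log)

def per_site_alerts(log):
    """What each merchant sees alone: declines per (merchant, card)."""
    counts = defaultdict(int)
    for _, merchant, card, approved in log:
        if not approved:
            counts[(merchant, card)] += 1
    return {key for key, n in counts.items() if n > PER_SITE_LIMIT}

def network_alerts(log):
    """Issuer/network view: declines per card across all merchants."""
    recent = defaultdict(deque)  # card -> (timestamp, merchant) inside window
    alerts = {}
    for ts, merchant, card, approved in log:
        if approved:
            continue
        window = recent[card]
        window.append((ts, merchant))
        while ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()  # drop declines older than the window
        merchants = {m for _, m in window}
        # Flag once: many declines for one card, spread over several sites
        if (len(window) > NETWORK_LIMIT and len(merchants) > 1
                and card not in alerts):
            alerts[card] = {"flagged_at": ts, "declines": len(window),
                            "merchants": len(merchants)}
    return alerts

if __name__ == "__main__":
    sample = build_sample_log()
    print("per-site alerts:", per_site_alerts(sample))
    print("network alerts:", network_alerts(sample))
```

On the constructed log no merchant sees more than five declines for card-A, so the per-site check stays silent, while the network-wide counter flags the card on its eleventh decline and leaves the customer who mistyped twice alone.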