A group of security researchers from the Newcastle University devised a method to hack VISA credit cards is just six seconds.
The technique relies on a Distributed Guessing Attack in which online payment websites are used to discover the data on VISA credit cards. The attackers submit data to online payment websites and analyze the reply to the transaction to discover whether or not the data was correct.
“Research published in the academic journal IEEE Security & Privacy, shows how the so-called Distributed Guessing Attack is able to circumvent all the security features put in place to protect online payments from fraud.” reads the press release. “
“By automatically and systematically generating different variations of the cards security data and firing it at multiple websites, within seconds hackers are able to get a ‘hit’ and verify all the necessary security data.”
Below a video PoC of Distributed Guessing Attack:
The investigators speculated the method is likely to have been used in the recent cyber attack against the Tesco bank that resulted in the theft of £2.5m.
The researchers demonstrated that is is possible to launch a Distributed Guessing Attack to guess card numbers, expiry dates and security codes of any Visa credit or debit card. The method is simple as effective, the experts discovered that online payment systems don’t detect multiple invalid payment requests from different websites. An attacker can try an unlimited amount of guesses on each card data field splitting the attempts os several websites. The attackers can make between 10 and 20 guesses on each website.
“This sort of attack exploits two weaknesses that on their own are not too severe but when used together, present a serious risk to the whole payment system,” explains Mohammed Ali, a PhD student in Newcastle University’s School of Computing Science and lead author on the paper.
“Firstly, the current online payment system does not detect multiple invalid payment requests from different websites. This allows unlimited guesses on each card data field, using up to the allowed number of attempts – typically 10 or 20 guesses – on each website.
“Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it’s quite easy to build up the information and piece it together like a jigsaw.”
Ali explained that attackers can gather the card information one field at a time making impossible for merchants to detect the fraudulent activity.
“The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time.”
The attacker can use each generated card field in succession to generate the next field and so on.
“So even starting with no details at all other than the first six digits – which tell you the bank and card type and so are the same for every card from a single provider – a hacker can obtain the three essential pieces of information to make an online purchase within as little as six seconds.”
The researchers highlighted that only the VISA network was vulnerable to the Distributed Guessing Attack.
The MasterCard network is centralized and is able to detect a Distributed Guessing Attack after less than 10 attempts, even when those payments were distributed across multiple networks.
(Security Affairs – Distributed Guessing Attack, VISA)