Attack works only on Visa network, Newcastle University researchers say.
Researchers at the UK’s Newcastle University have developed what they say is an almost absurdly easy way to get the card number, security code, and expiration date of any Visa credit or debit card using nothing but guesswork, in six seconds flat.
Their so-called Distributed Guess Attack, which is detailed in a paper published this week in the IEEE Security & Privacy Journal, essentially circumvents all security features for protecting online payments.
The researchers believe it is likely the same tactic that attackers recently used in stealing a total of £2.5m from about 20,000 customers of Tesco Bank.
The attack takes advantage of two factors in the payment card ecosystem. One is the manner in which different online merchants request different types of information for processing a debit or credit card payment.
All merchants at a minimum require the card number or Primary Account Number (PAN) and expiry date. In addition, some merchants also ask for the card verification value (CVV), the three-digit security code on the back of each card. Some also ask for the cardholder’s address in addition to the other three fields.
The attack also exploits the fact that in many cases there is no mechanism currently in place to detect multiple invalid payment requests that are being made on the same card from different online merchant sites. That makes it possible for someone to take an unlimited number of cracks at guessing a card’s CVV or an expiration date by spreading the guesses across multiple sites.
These two factors together create a scenario where an attacker can obtain full card details one field at a time by automatically generating and verifying different combinations. The process takes as little as six seconds to generate complete information for a card, the researchers claim.
Full Article. 'Frighteningly Easy' Hack Guesses Full Credit Card Details In 6 Seconds
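The detection gap described above (invalid attempts on one card spread across many merchant sites) can be closed by counting declines per card across merchants rather than per site. The sketch below is an added example, not code from the article or the researchers' paper; the event fields, thresholds, and the assumption of a network-level or issuer-level view of tokenised card identifiers are all hypothetical.

```python
from collections import defaultdict, deque

# Assumed thresholds (hypothetical, tune to real traffic).
WINDOW_SECONDS = 60   # look-back window for declines on one card
MAX_FAILURES = 5      # tolerance for honest typos
MIN_MERCHANTS = 3     # spread that marks a cross-merchant pattern

# Constructed sample events: (unix_time, card_token, merchant_id, approved)
SAMPLE_EVENTS = [
    # tok_A: eight declines in eight seconds, two per merchant
    *[(100 + i, "tok_A", f"m{i % 4 + 1}", False) for i in range(8)],
    # tok_B: cardholder mistypes twice at one shop, then succeeds
    (200, "tok_B", "m1", False),
    (215, "tok_B", "m1", False),
    (230, "tok_B", "m1", True),
]


def max_failures_seen_by_one_merchant(events, card):
    """Largest decline count any single merchant observes for this card."""
    per_merchant = defaultdict(int)
    for _, token, merchant, approved in events:
        if token == card and not approved:
            per_merchant[merchant] += 1
    return max(per_merchant.values(), default=0)


def detect_distributed_guessing(events, window=WINDOW_SECONDS,
                                max_failures=MAX_FAILURES,
                                min_merchants=MIN_MERCHANTS):
    """Return {card_token: time of first alert} using a sliding window
    of declines per card, aggregated across all merchants."""
    recent = defaultdict(deque)  # card_token -> (time, merchant) declines
    alerts = {}
    for ts, card, merchant, approved in sorted(events):
        if approved:
            continue
        declines = recent[card]
        declines.append((ts, merchant))
        while ts - declines[0][0] > window:  # drop declines outside window
            declines.popleft()
        merchants = {m for _, m in declines}
        if (len(declines) > max_failures and len(merchants) >= min_merchants
                and card not in alerts):
            alerts[card] = ts
    return alerts


if __name__ == "__main__":
    print(detect_distributed_guessing(SAMPLE_EVENTS))
```

In the sample data no single merchant sees more than two declines for `tok_A`, so a per-site attempt limit stays silent while the aggregated view raises an alert.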