New Hacking Technique Can Guess Credit Card Information In Seconds

Visa customers have reason to worry as a new research paper in the academic journal IEEE Security & Privacy revealed a weak spot in online credit card security that allows hackers virtually unlimited hacking attempts at Visa accounts. What's worse, the vulnerability lies in the way merchants accept online payments, meaning that there's little the average Visa card customer can do to protect themselves.

The vulnerability lies in the fact that the Visa payment system allows users to attempt all possible permutations and combinations of expiration dates and CVV numbers across hundreds of websites. To exploit this vulnerability, hackers can use a technique called Distributed Guessing Attack (which is similar to a DDoS attack). When this technique is executed properly, a hacker can recover a credit card's security information in as little as six seconds.

How Does Distributed Guessing Attacks Work?

At the heart of the issue is the fact that an online Visa payment system allows a maximum of 20 attempts per card in order to guess credentials like card numbers, expiration dates, and CVV numbers. That number may sound reasonable enough, but considering that all of the various payment websites do not coordinate their security efforts regarding the attempted use of a particular credit card, nothing stops a hacker from simultaneously running number combinations through the payment system on several websites until a working expiration date and CVV number is found.

Considering that it only takes 1,000 attempts to crack a three character CVV number and only 60 attempts to guess the correct expiration date, a hacker doesn't have to attempt their guesswork on many sites before successfully gaining access to the funds associated with that Visa account. Essentially, it plays out like a twisted version of the classic game 20 Questions.

Now, based on this description, you may picture a lone hacker sitting at a computer, plugging away at guessing CVV numbers one at a time. However, today's hackers have borrowed elements of a brute force attack in order to fully automate the guesswork. This allows the hacker to attempt thousands of different permutations per second, and explains how it only takes a few short seconds to cycle through different websites until the account is breached.

To make things even more interesting, consider the fact that stolen credit card numbers can easily be obtained on the black market for as little as one dollar. One reason these stolen card numbers are so cheap is that without the accompanying CVV number, the credit card number by itself is relatively useless. Today's hackers, however, have a workaround that essentially makes the lack of a CVV number a moot point. In fact, there are tutorials online that anyone can access on how to bypass the lack of a CVV code.

Visa's Response

Regarding the attack, Visa issued the following statement, which was was dismissive of the findings of the IEEE paper, “The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world.” Although, as pointed out by Computerworld, “The problem with Visa's defense is that, according to the IEEE paper, this wasn't a theoretical attack. The researchers said they tried it and it worked.”

What Can You Do to Protect Yourself?

Unfortunately, safeguarding yourself from a Distributed Guessing Attack has little to do with you and everything to do with how online merchants set up their payment systems.

Essentially, this vulnerability will continue to be an issue for consumers until Visa overhauls their online security system and makes it more like MasterCard's where a card is locked when someone tries multiple guesses, even when tried across multiple websites.

For your part, you should be extra cautious when using a Visa credit or debit card, especially online. You can help keep your card number out of the hands of hackers by staying clear of websites and stores with questionable card security measures, as well as by checking your statements often in order to locate and report any inconsistencies.

For more best practices on how to shop smart and avoid scams, check out these helpful blogs from Directive:

• Shop Safe While Online With These 3 Common-Sense Tactics
• Protect Your Online Identity With These 8 Tips
• Escape the Phisherman's Hook - 4 Tips to Get You Off the Line