Gone in six seconds: how easily fraudsters can get your Visa details


Criminals are finding it "frighteningly easy" to work out the security details for Visa cards, according to a new study from Newcastle University. 

By making multiple, rapid invalid attempts on different websites, fraudsters can work out expiry dates and security code numbers of debit and credit cards.

The research team say this "Distributed Guessing Attack" system takes advantage of the fact that the current online payment system can't detect multiple invalid payment requests made across different websites.

It is thought this method was employed in the recent Tesco Bank hack, which saw money being withdrawn without permission and cards being blocked, affecting thousands of customers in the UK.

Lead author and PhD student Mohammed Ali said:

"This allows unlimited guesses on each card data field, using up to the allowed number of attempts – typically 10 or 20 guesses – on each website.

"Also, different websites ask for different variations in the card data fields to validate an online purchase. This means it's quite easy to build up the information and piece it together like a jigsaw.

"The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time."

"Each generated card field can be used in succession to generate the next field and so on. If the hits are spread across enough websites then a positive response to each question can be received within two seconds – just like any online payment.

"So even starting with no details at all other than the first six digits a hacker can obtain the three essential pieces of information to make an online purchase within six seconds."

The research, published in the IEEE Security & Privacy journal, did not look at additional layers of security, so if you're met with a Verified by Visa screen, the transaction is likely to be far safer.

Meanwhile, MasterCard's security network was able to detect attacks after fewer than 10 attempts.
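As an added illustration (not code from the study or from any card network), the sketch below shows the kind of network-level check described here: it counts declined payment attempts per card across all websites within a time window, rather than per website. The 60-second window, the limit of 10 declines, the event format and the sample data are assumptions constructed for this example.

```python
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 60   # assumed look-back window
MAX_DECLINES = 10     # assumed per-card limit across ALL websites

def detect_distributed_guessing(events, window=WINDOW_SECONDS, limit=MAX_DECLINES):
    """Return the first alert per card token.

    events: time-sorted tuples (timestamp, card_token, merchant, approved).
    """
    recent = defaultdict(deque)   # card_token -> recent declines (ts, merchant)
    alerts = {}
    for ts, card, merchant, approved in events:
        if approved:
            continue
        declines = recent[card]
        declines.append((ts, merchant))
        # Drop declines that have aged out of the window.
        while ts - declines[0][0] > window:
            declines.popleft()
        if card not in alerts and len(declines) >= limit:
            per_site = Counter(m for _, m in declines)
            alerts[card] = {
                "time": ts,
                "declines": len(declines),
                "merchants": len(per_site),
                # What the busiest single website saw: well under its own limit.
                "max_per_merchant": max(per_site.values()),
            }
    return alerts

def sample_events():
    """Constructed data: tok_A is probed across four sites, tok_B mistypes twice."""
    sites = ["shop-a.example", "shop-b.example", "shop-c.example", "shop-d.example"]
    events = [(float(i), "tok_A", sites[i % 4], False) for i in range(12)]
    events += [
        (3.5, "tok_B", "shop-a.example", False),
        (20.0, "tok_B", "shop-a.example", False),
        (30.0, "tok_B", "shop-a.example", True),
    ]
    return sorted(events)

if __name__ == "__main__":
    for card, alert in detect_distributed_guessing(sample_events()).items():
        print(card, alert)
```

In the sample data no single website sees more than three declines for the flagged card, so a per-website limit of 10 or 20 attempts would never trigger; only the cross-website count does.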

A Visa spokesman told the BBC:

"The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world.

"Visa is committed to keeping fraud at low levels and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally."
