All the Visa card holders, time to get cautious as hackers can guess your Visa credit card’s number, expiry date and CVV number within few seconds, says a new a research study conducted by Newcastle University.
The trick, described in a new academic paper, published in the journal IEEE Security & Privacy may have been responsible for the hack of thousands of Tesco customers in the U.K.
According to the paper, cyber criminals and online fraud artists use a Distributed Guessing Attack to edge past online fraud prevention measures. The hackers use bots to submit credit card information to hundreds of retailers at once in order to guess the missing security code information. Since the code is only three numbers, it takes a maximum of 1,000 guesses to crack it.
Researchers discovered two weaknesses in the way online transactions are verified using the Visa payment system. Firstly, online payment systems do not detect multiple incorrect payment requests if they're performed across multiple sites. They also allow a maximum of 20 attempts per card on each site. Also, websites do not run checks regularly, varying the card information requested.
According to PhD student, Mohammed Ali, Newcastle University, both the weaknesses when exploited in tandem can result in a credit card's security information being stolen in mere 6 seconds, presenting "a serious risk to the whole payment system."
In a response to the research paper, Visa claimed that the paper did not take into consideration the multiple layers of fraud prevention that exist within the payments system.
T R Ramachandran, Group Country Manager, India & South Asia for VISA said, “The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world. Visa is committed to keeping fraud at low levels and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally.”