How to Guess Credit Card Number and Security Code in Just Six Seconds


Criminals can guess your Visa credit or debit card number, expiry date, and its security code in just six seconds, researchers have warned.

Experts at Newcastle University, UK have claimed that it is "frighteningly easy" to compromise Visa's credit card system online. It could take criminal hackers "as little as six seconds" using guesswork, with access to a laptop and an internet connection. The Distributed Guessing Attack, the method identified by the Newcastle researchers, was possibly also used in the recent Tesco Bank heist, in which the bank lost £2.5 million.

Attackers used the distributed guessing attack (DGA) to get around the security features employed to stop online fraud, giving them an entry point for the attack on the UK bank.

Only Visa cards are susceptible to the security flaw

In a clever brute force attack, the researchers found that if the guesses at a card's security code were spread across a number of different websites, the card's fraud-detection system wasn't triggered. The process involves guessing and testing hundreds of permutations of expiry dates and CVV numbers on hundreds of different sites, so that no single site's fraud protection measures are tripped.

The researchers outlined the method in an IEEE Security & Privacy paper, which confirms that this attack doesn't require any sophisticated hacking knowledge or equipment: it takes only a laptop and an internet connection.

MasterCard credit and debit cards aren't vulnerable to this security exploit, because the MasterCard network tracks guessing attempts against a card even when they are spread across different websites. The payment system is designed to shut down cards after 10 attempts or fewer, the researchers added.

Visa's network, however, isn't designed to take attempts spread across multiple websites into account. As shown in the video at the end of this post, an attacker can easily use the gathered information to bombard multiple vendors' sites, trying out different combinations of card number, CVV, and expiry date, dodging each individual site's limit and avoiding detection of the fraudulent activity.
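The difference between the two networks comes down to where the failed-attempt counter lives. The following Python example, added here and not taken from the article or the Newcastle paper, models both policies: a per-merchant limiter that keys its counter on (merchant, card), as a site-level fraud control does, and a network-wide limiter that keys it on the card alone, as the article says the MasterCard network does. The merchant identifiers, the card token and the attempt stream are constructed for the example; only the 10-attempt threshold comes from the article.

```python
from collections import defaultdict
from dataclasses import dataclass

# Everything below except the "10 attempts" threshold is constructed for this
# example: merchant ids, the card token and the sequence of declined attempts.


@dataclass(frozen=True)
class AuthAttempt:
    merchant_id: str   # hypothetical merchant identifier
    card_token: str    # opaque token standing in for the card number (never the raw PAN)
    outcome: str       # "declined" (e.g. wrong CVV or expiry date) or "approved"


class PerMerchantLimiter:
    """A site-level control: each merchant sees only its own attempts, so the
    failure counter is keyed by (merchant, card) and nothing is correlated
    across merchants."""

    def __init__(self, max_failures: int):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def check(self, attempt: AuthAttempt) -> bool:
        """Return True if the attempt must be blocked; otherwise record its outcome."""
        key = (attempt.merchant_id, attempt.card_token)
        if self.failures[key] >= self.max_failures:
            return True
        if attempt.outcome == "declined":
            self.failures[key] += 1
        return False


class NetworkLimiter:
    """A centralised control: the network (or gateway) sees every attempt, so
    the failure counter is keyed by card only, whichever merchant submitted it."""

    def __init__(self, max_failures: int):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def check(self, attempt: AuthAttempt) -> bool:
        """Return True if the attempt must be blocked; otherwise record its outcome."""
        key = attempt.card_token
        if self.failures[key] >= self.max_failures:
            return True
        if attempt.outcome == "declined":
            self.failures[key] += 1
        return False


def run(limiter, attempts):
    """Feed a stream of attempts through a limiter; return (allowed, blocked) counts."""
    allowed = blocked = 0
    for attempt in attempts:
        if limiter.check(attempt):
            blocked += 1
        else:
            allowed += 1
    return allowed, blocked


def build_sample_attempts(merchants: int = 10, per_merchant: int = 3):
    """Constructed stream: one card, 30 declined attempts spread thinly over 10
    merchants, so that no single merchant ever sees more than 3 failures."""
    return [
        AuthAttempt(f"merchant-{m:02d}", "tok_card_A", "declined")
        for m in range(merchants)
        for _ in range(per_merchant)
    ]


if __name__ == "__main__":
    attempts = build_sample_attempts()
    # Per-merchant counting never reaches the threshold: all 30 attempts go through.
    print("per-merchant limit of 10:", run(PerMerchantLimiter(10), attempts))   # (30, 0)
    # Network-wide counting blocks the card after the 10th failure.
    print("network-wide limit of 10:", run(NetworkLimiter(10), attempts))      # (10, 20)
```

Run as a script, the per-merchant limiter lets all 30 declined attempts through, while the network-wide limiter allows only the first 10 and blocks the remaining 20. The counters are keyed on a card token rather than the raw card number so the detection logic itself does not need to store the PAN.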

Talking about the prevention techniques that could be pursued, PhD research student Mohammed Ali said:

To prevent the attack, either standardisation or centralisation can be pursued (some card payment networks already provide this). Standardisation would imply that all merchants need to offer the same payment interface, that is, the same number of fields. Then the attack does not scale anymore. Centralisation can be achieved by payment gateways or card payment networks possessing a full view over all payment attempts associated with its network. Neither standardisation nor centralisation naturally fit the flexibility and freedom of choice one associates with the Internet or successful commercial activity, but they will provide the required protection. It is up to the various stakeholders to determine the case for and timing of such solutions.

Before publishing their findings, the research team contacted Visa. The payment giant unfortunately didn't take the research too seriously. In an email to the Independent, it said that "the research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world."

Tesco Bank said the fraud last month affected 9,000 customers. But Visa doesn't want you to worry about it: "the most important thing to remember is that if their card number is used fraudulently, the cardholder is protected from liability."