We’ve reported on some really scary security lapses that are being exploited by hackers, but this one appears to be a serious one too. Hackers can now guess your Visa card details in less than six seconds.
Security researchers from the University of Newcastle, in a paper titled “Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?”, say there is a security hole in your bank card that makes it easy for hackers to guess sensitive information such as your PIN. In the attached video you’ll see that, using a special tool, it takes about six seconds to obtain a card’s secure code. It is easy for the attackers because, if the guesses for your card’s CVC number (the three digits on the back) are spread out across different websites, no security alert is sent to you. By exploiting this loophole across many websites, they are able to come up with the card’s CVC number as well as other basic data such as your postal address. The good (maybe not good) news is that, according to the research, this doesn’t affect all cards. It only affects Visa cards.
The attackers are able to get this information because different websites demand different authentication data from you to process transactions. Websites that only require the card number and expiry date can be used to glean the expiry date in no more than 60 guesses (because cards are only valid for a maximum of 60 months), and this card number/expiry pair can then be used to guess the three-digit CVV in no more than 999 guesses.
Seeing as card numbers are region-based (you can tell this from the first six digits of the card), it becomes easy for hackers to narrow things down once they have other data attached to the card. One harder field is the address attached to the card, but with the ability to narrow cards down to regions, this can be guessed over time too.
According to tech website BoingBoing, Mastercards are not vulnerable to this attack because “MasterCard’s centralised network detects the guessing attack after fewer than 10 attempts (even when those attempts were distributed across multiple websites),” but Visa cards are, because “Visa’s payment ecosystem does not prevent the attack.”
To deal with this threat, the researchers propose a uniform standard for what different websites require, so that the accuracy of guessing is cut down. Other proposed solutions include the use of IP address checks instead of Captcha, and other Visa-imposed authentication requirements.
To prevent the attack, either standardisation or centralisation can be pursued (some card payment networks already provide this). Standardisation would imply that all merchants need to offer the same payment interface, that is, the same number of fields. Then the attack does not scale anymore. Centralisation can be achieved by payment gateways or card payment networks possessing a full view over all payment attempts associated with its network. Neither standardisation nor centralisation naturally fit the flexibility and freedom of choice one associates with the Internet or successful commercial activity, but they will provide the required protection. It is up to the various stakeholders to determine the case for and timing of such solutions.
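The difference between the per-merchant view and the centralised view described above can be shown in a few lines. The following is an added illustration, not code from the researchers or from any card network: it models a card network's authorisation log with a constructed sample (made-up merchant names, a made-up card token, and a hypothetical alert threshold of 10 chosen to match the "fewer than 10 attempts" figure quoted earlier) and runs two detectors over it. The per-merchant detector counts declines only within one merchant, so declines spread thinly across many shops never trip it; the centralised detector counts declines per card across every merchant, whatever fields each merchant's form collected, and fires on the tenth decline.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class AuthAttempt:
    """One card-not-present authorisation request as seen by the payment network."""
    seq: int            # order in which the network received it
    merchant: str       # merchant identifier (hypothetical)
    card_token: str     # tokenised card reference, never the raw card number
    fields: frozenset   # which fields this merchant's checkout form collected
    approved: bool      # True for an approval, False for a decline


# Hypothetical network-wide threshold, modelled on the "fewer than 10 attempts"
# figure quoted in the article for MasterCard. Real issuers tune this value.
ALERT_THRESHOLD = 10


def per_merchant_alert(attempts: List[AuthAttempt],
                       threshold: int = ALERT_THRESHOLD) -> Optional[int]:
    """Detection as a lone merchant could do it: count declines only for the
    traffic that merchant itself received. Returns the seq of the first attempt
    that trips the threshold, or None if it never trips."""
    declines = defaultdict(int)
    for a in attempts:
        if a.approved:
            continue
        key = (a.merchant, a.card_token)
        declines[key] += 1
        if declines[key] >= threshold:
            return a.seq
    return None


def centralised_alert(attempts: List[AuthAttempt],
                      threshold: int = ALERT_THRESHOLD) -> Optional[int]:
    """Detection with a full view of the network: count declines per card
    regardless of which merchant (or which set of form fields) produced them."""
    declines = defaultdict(int)
    for a in attempts:
        if a.approved:
            continue
        declines[a.card_token] += 1
        if declines[a.card_token] >= threshold:
            return a.seq
    return None


def build_sample_log(n_attempts: int = 30, n_merchants: int = 15) -> List[AuthAttempt]:
    """Constructed sample: declines for one tokenised card, spread round-robin
    over many merchants whose forms ask for different fields. All values are made up."""
    field_sets = [
        frozenset({"pan", "expiry"}),
        frozenset({"pan", "expiry", "cvv"}),
        frozenset({"pan", "expiry", "cvv", "postcode"}),
    ]
    log = []
    for i in range(1, n_attempts + 1):
        m = (i - 1) % n_merchants
        log.append(AuthAttempt(
            seq=i,
            merchant=f"shop-{m:02d}",
            card_token="tok_example_card",   # hypothetical token, not a real card
            fields=field_sets[m % len(field_sets)],
            approved=False,
        ))
    return log


if __name__ == "__main__":
    log = build_sample_log()
    # Each shop saw only two declines, so the merchant-side counter never fires.
    print("per-merchant view fires at:", per_merchant_alert(log))
    # The network sees all thirty declines on one card and fires on the tenth.
    print("centralised view fires at:", centralised_alert(log))
```

The detectors deliberately ignore the `fields` attribute: the point of the centralised design is that a decline counts against the card no matter which merchant produced it or which subset of fields that merchant's form asked for, which is exactly what the per-merchant counter cannot see. A merchant-side limit only helps once it is tightened to a handful of attempts, and even then it is defeated by using one more merchant, which is why the text argues that centralisation (or a standard field set that removes the per-merchant variation) is needed for the protection to scale.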
Last month, researchers at Lancaster University developed an algorithm that can guess the passwords of even the more security-conscious internet users. Called TarGuess, it is able to guess passwords with 73 percent accuracy.
MasterCard, on the other hand, is now attempting to replace passwords with selfie and fingerprint authentication to make such guessing harder.