Thieves can recover the data needed to use a Visa bank card in just six seconds, say online security experts at a British university.
The research team found that software bots can attack hundreds of online merchants at once, firing card numbers, holder names and security codes at them to unlock credit and debit cards issued by the merchant.
First, they need a card number, which can be bought for just a dollar each on black market sites, or they can simply guess the first six digits, which identify the issuing bank.
A software algorithm supplies the rest of a valid card number, and the bots can then work out a security code and expiry date.
The first six digits, CVV and expiry date are all easy to guess because each is limited to a small range: the CVV is one of 999 numbers and the expiry date is a month and year no more than five years ahead.
Bot attack unlocks payment cards
Some web sites also verify the cardholder's address, but although there are millions of addresses in the UK, each belongs to a single postcode and the postcode database can be purchased from the Royal Mail.
All the crooks need is a lucky break and a fast computer with the right software to break the card’s data.
The researchers at Newcastle University looked at 400 popular ecommerce web sites and found that 26 used two-step card verification and the rest three steps.
Because the sites relied on different fields for verification, a bot attack across all 400 lets crooks mix and match the results to recover all of the cardholder's details.
Once in an account, they can order goods and have them delivered wherever they like. The researchers also set up a fake bank account in India and transferred money from the cards.
The transaction, including emptying the bogus account, took just over 25 minutes; within that time the cash had been withdrawn, thwarting any effort by a bank to reverse the payment.
Adding security makes fraud easier
“We came to an important observation that the difference in security solutions of various websites introduces a practically exploitable vulnerability in the overall payment system,” says the report.
“An attacker can exploit these differences to build a distributed guessing attack which generates usable card payment details one field at a time.
“Each generated field can be used in succession to generate the next field by using a different merchant’s website. Moreover, if individual merchants were trying to improve their security by adding more payment fields to be verified on their site, they potentially inadvertently weaken the whole system by creating an opportunity to guess the value of another field.”
Web sites also help the bots by allowing users up to 50 guesses before locking them out.
Visa cards are the main target because the company does not have a security system that can detect a bot attack, whereas MasterCard quickly identified that an attack was in progress and prevented the bots from recovering any data.
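The contrast between a per-merchant guess limit and network-wide detection is the point of the last two paragraphs. The following added example (not from the Newcastle study or any card network) uses a constructed trace of card verification attempts to show why a 50-guess lockout at each merchant never fires against a distributed attack, while an issuer-side counter that aggregates failures per card across all merchants does; thresholds, window length and the token and merchant names are assumptions.

```python
from collections import defaultdict, deque

# Constructed event shape: (seconds, card_token, merchant, declined_field)
# declined_field is None when the verification succeeded.

def per_merchant_lockout(events, limit=50):
    """Merchant-side rule: lock a card at this merchant after `limit` failures.
    Each merchant only sees its own traffic, so the count never reaches `limit`
    when the guesses are spread thinly over many merchants."""
    fails = defaultdict(int)
    locked = set()
    for _, card, merchant, field in events:
        if field is not None:
            fails[(card, merchant)] += 1
            if fails[(card, merchant)] >= limit:
                locked.add((card, merchant))
    return locked

def issuer_side_detector(events, window=60, max_fails=10, max_merchants=5):
    """Issuer-side rule: count failed verifications per card across ALL merchants
    in a sliding window. Flag the card when total failures or the number of
    distinct merchants probing it exceeds a threshold (assumed values)."""
    history = defaultdict(deque)   # card -> recent (time, merchant) failures
    flagged = {}                   # card -> time first flagged
    for t, card, merchant, field in sorted(events, key=lambda e: e[0]):
        if field is None:
            continue
        h = history[card]
        h.append((t, merchant))
        while h and t - h[0][0] > window:
            h.popleft()            # drop failures outside the window
        merchants = {m for _, m in h}
        if card not in flagged and (len(h) >= max_fails or len(merchants) >= max_merchants):
            flagged[card] = t
    return flagged

def make_attack_events(card="tok_constructed_0001", merchants=40, per_merchant=3):
    """Constructed distributed-guessing trace: a few wrong CVV guesses per merchant,
    far below any single merchant's lockout, issued at high speed."""
    events, t = [], 0.0
    for m in range(merchants):
        for _ in range(per_merchant):
            events.append((t, card, f"merchant-{m:03d}", "cvv"))
            t += 0.05
    return events

# Constructed benign trace: one mistyped CVV, then a successful retry.
BENIGN_EVENTS = [(0.0, "tok_constructed_0002", "merchant-000", "cvv"),
                 (5.0, "tok_constructed_0002", "merchant-000", None)]
```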