Researchers were able to use this technique work out card number, expiry date and security code of any Visa credit or debit card.
Researchers were able to use this technique work out card number, expiry date and security code of any Visa credit or debit card.

A research team from Newcastle University in the UK discovered a method to hack credit cards, including dates and security codes, in as little as six seconds.

The method uses a “Distributed Guessing Attack” in which online payment websites are used to guess the data and the reply to the transaction will confirm whether or not the data was correct, according to a 2 December press release.

Researchers were able to use this technique work out card numbers, expiry dates and security codes of any Visa credit or debit card because current online payment system don't detect multiple invalid payment requests from different websites. Subsequently, the researchers were able to try an unlimited amount of guesses on each card data field, using up to the allowed number of attempts - between 10 and 20 guesses - on each website.

It's possible that attackers used this method in recent the recent Tesco cyber-attacks which exposed data of 9,000 accounts and resulted in the theft of £2.5 million ($3.1 million).

“This sort of attack exploits two weaknesses that on their own are not too severe but when used together, present a serious risk to the whole payment system,” Newcastle University's School of Computing Science PhD student Mohammed Ali said in the release.

Ali went on to say that the attack allows for criminals to gather the card information one field at a time and that unless all merchants ask for the same information then it's easy for an attacker to piece the information together like a jigsaw.

The attack highlights the trend of crowd fraud which synchronises and brings together many different people, devices, internet connections and tools to leverage the economy of scale in cyber-crime, High-Tech Bridge CEO Ilia Kolochenko told SC Media via emailed comments.

“As a result, a well-organised cyber-crime crowd can breach systems much more rapidly than a single attacker or small cyber-crime group. We will probably see this trend to raise in the near future,” Kolochenko said. “Speaking about this particular case, I doubt this approach will reliably work for Visa. Advanced fraud-prevention systems, 3D secure and many other security mechanisms exist to prevent such attacks.”