A research study led by students from the University of Newcastle and published in the journal IEEE Security & Privacy in 2017 identified a new method used by hackers to steal credit and debit card data. The “Distributed Guessing Attack” consists of automatically generating multiple variations of a card's security data (card number, expiry date and CVV code) and trying them on various online payment websites. Hackers are able to find a valid card number in about 6 seconds. Thereafter, it takes them at most 60 attempts to find the expiry date and 100 for the 3-digit secret code.
According to the study, the Visa network is the only one affected, because its current system cannot detect multiple invalid payment requests when they are made on different websites simultaneously. As a consequence, hackers can make unlimited guesses until they find the right combination. Conversely, MasterCard uses a centralised network that detects the attack after fewer than 10 wrong attempts.
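The difference between per-website and centralised counting can be shown with a small detection sketch. This is an added example, not code from the study or from either card network; the event fields, the placeholder card identifiers, the threshold of 10 and the absence of a time window are all assumptions made for illustration.

```python
from collections import defaultdict

THRESHOLD = 10  # assumed value, echoing the "10 wrong attempts" figure in the text


def build_sample(n_merchants=30, guesses_per_merchant=4):
    """Constructed authorisation log: CARD-A is guessed a few times on many
    sites, CARD-B belongs to a customer who mistypes once and then succeeds."""
    events = [{"merchant": f"shop-{m:02d}", "card": "CARD-A", "ok": False}
              for m in range(n_merchants) for _ in range(guesses_per_merchant)]
    events.append({"merchant": "shop-03", "card": "CARD-B", "ok": False})
    events.append({"merchant": "shop-03", "card": "CARD-B", "ok": True})
    return events


def per_merchant_flags(events, threshold=THRESHOLD):
    """Each website counts declined attempts only for traffic it sees itself."""
    counts = defaultdict(int)
    flagged = set()
    for e in events:
        if not e["ok"]:
            key = (e["merchant"], e["card"])
            counts[key] += 1
            if counts[key] >= threshold:
                flagged.add(e["card"])
    return flagged


def network_flags(events, threshold=THRESHOLD):
    """Centralised view: declined attempts per card across all websites.
    Returns, per flagged card, the failure count and number of distinct
    websites seen at the moment the threshold was reached."""
    counts = defaultdict(int)
    merchants = defaultdict(set)
    flagged = {}
    for e in events:
        if e["ok"]:
            continue
        card = e["card"]
        counts[card] += 1
        merchants[card].add(e["merchant"])
        if counts[card] >= threshold and card not in flagged:
            flagged[card] = {"failed_attempts": counts[card],
                             "merchants": len(merchants[card])}
    return flagged


if __name__ == "__main__":
    sample = build_sample()
    print("per-website view flags:", per_merchant_flags(sample))
    print("network view flags:   ", network_flags(sample))
```

On the constructed log, no single website ever sees enough failures to react, while the cross-site counter flags the guessed card on its tenth declined attempt and leaves the customer who mistyped once alone.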
Investigators estimate that the attack against British bank Tesco that occurred last November might have been carried out using this fraudulent guessing method. About 9,000 customers have had their current bank accounts plundered, for a total value of £2.5 million.