Visa card info can be guessed, stolen in six seconds

By JC Torres/Dec. 6, 2016 4:30 am EST

It has never been easier to buy stuff online, be they digital goods or ordering for physical ones. But, like many conveniences, that may have come at a price that no one will be willing to pay. According to security researchers from Newcastle University in the UK, that price is security. They have demonstrated that it only takes six seconds to get a Visa credit or debit card's number, expiry date, and security code, all thanks to a lax security implementation in its online payment system.

To be clear, this rather frightening tale is only applicable to holders of Visa cards, both credit and debit. MasterCard has proved to be a tougher nut to crack, though only for now. However, it isn't completely bulletproof either.

The exact problem that the researchers have found stem from two oversights in Visa's implementation. The first, which should be the gatekeeper, is that Visa doesn't limit how many failed attempts are made before it locks down the account from further access. This means that computer programs can try to brute force guessing a card's credentials without fear of being locked out. MasterCard, in contrast, limits it to 10 attempts, no matter what website or e-shop is used.

The second error allows for what is termed a Distributed Guessing Attack. In a nutshell, different online merchants sometimes ask for different card data fields, revolving around card number, expiry date, CVV, and credit card security code. This means that, when taking into account the infinite times a computer program can guess a combination of those fields, hackers can piece together correct guesses from different websites to form a complete and valid credit card picture.

You might think that all this is complicated but, for a computer, all it takes is 6 seconds. Hackers don't even need to have the credit card number, as they can also brute force guessing a valid one. Guessing expiry dates only takes 60 attempts, which can take place in a split second, because credit cards usually only issue cards valid for 60 months. And the three-digit CVV only takes less than 1,000 attempts. All of these can be tried numerous times without repercussions from Visa.

Sadly, the researchers say there is no silver bullet to this problem other than due vigilance on the user's part. On Visa's side, however, it would do well for the organization to put a hard limit on failed attempts, just to make it harder, though not impossible, to pilfer credit card data.

SOURCE: Newcastle University (PDF)