Hackers Need Just First 6 Numbers For 'Frighteningly Easy' Swindle

It may take as little as six seconds for hackers to guess your credit or debit card number, expiry date and security code, say scientists who were able to circumvent the security features meant to protect online payments from fraud.

Exposing the flaws in the VISA payment system, researchers from Newcastle University in the UK found that neither the network nor the banks were able to detect attackers making multiple invalid attempts to get card data.

By automatically and systematically generating different variations of the cards' security data and firing it at multiple websites, hackers are, within seconds, able to get a 'hit' and verify all the necessary security data.

Investigators believe this guessing attack method is likely to have been used in the recent Tesco cyberattack, which the Newcastle team describes as "frighteningly easy if you have a laptop and an internet connection".

"This sort of attack exploits two weaknesses that on their own are not too severe but when used together, present a serious risk to the whole payment system," said Mohammed Ali, a PhD student at Newcastle University.

"Firstly, the current online payment system does not detect multiple invalid payment requests from different websites," said Ali.

"This allows unlimited guesses on each card data field, using up to the allowed number of attempts - typically 10 or 20 guesses - on each website," he said.

"Secondly, different websites ask for different variations in the card data fields to validate an online purchase. This means it's quite easy to build up the information and piece it together like a jigsaw," Ali said.

"The unlimited guesses, when combined with the variations in the payment data fields, make it frighteningly easy for attackers to generate all the card details, one field at a time," he said.

"Each generated card field can be used in succession to generate the next field and so on," Ali said.

"If the hits are spread across enough websites, then a positive response to each question can be received within two seconds - just like any online payment," he said.

"So even starting with no details at all other than the first six digits - which tell you the bank and card type and so are the same for every card from a single provider - a hacker can obtain the three essential pieces of information to make an online purchase within as little as six seconds," he said.

To obtain card details, the attack uses online payment websites to guess the data, and the reply to the transaction will confirm whether or not the guess was right.
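The first weakness Ali describes, that no one correlates invalid attempts on one card across different websites, is the gap an issuer- or network-side velocity check would close. The following is an added example and is not code from the article or from the Newcastle team; the decline-record layout, the decline reason codes and the thresholds are assumed for illustration.

```python
"""Issuer-side check for card-field guesses spread across many merchants.
Per-site limits (the 10 or 20 attempts the article mentions) never fire when
each merchant sees only one failure; correlating declines per card across
merchants inside a sliding window does. Record layout and thresholds are assumed."""
from collections import defaultdict, deque
from datetime import datetime

# Only declines caused by a wrong card-data field count as guesses; a genuine
# "insufficient funds" decline says nothing about guessing.
FIELD_REASONS = {"expiry_mismatch", "cvv_mismatch", "address_mismatch"}

# Constructed sample records: (ISO timestamp, masked PAN, merchant, reason).
# The first card fails once at each of six merchants within ten seconds.
SAMPLE_DECLINES = [
    ("2016-12-03T10:00:01", "424242******4242", "shop-a", "expiry_mismatch"),
    ("2016-12-03T10:00:03", "424242******4242", "shop-b", "expiry_mismatch"),
    ("2016-12-03T10:00:05", "424242******4242", "shop-c", "expiry_mismatch"),
    ("2016-12-03T10:00:07", "424242******4242", "shop-d", "cvv_mismatch"),
    ("2016-12-03T10:00:09", "424242******4242", "shop-e", "cvv_mismatch"),
    ("2016-12-03T10:00:11", "424242******4242", "shop-f", "cvv_mismatch"),
    ("2016-12-03T10:02:00", "411111******1111", "shop-a", "cvv_mismatch"),
    ("2016-12-03T10:03:00", "555555******4444", "shop-b", "insufficient_funds"),
    ("2016-12-03T10:03:30", "555555******4444", "shop-b", "insufficient_funds"),
    ("2016-12-03T10:04:00", "555555******4444", "shop-b", "insufficient_funds"),
]

def find_guessing_suspects(declines, window_seconds=300,
                           max_merchants=3, max_total=5):
    """Return {pan: (distinct_merchants, total_declines)} for every card whose
    field-validation declines inside one window reach either threshold."""
    recent = defaultdict(deque)  # pan -> deque of (timestamp, merchant)
    suspects = {}
    for ts_text, pan, merchant, reason in sorted(declines, key=lambda r: r[0]):
        if reason not in FIELD_REASONS:
            continue
        ts = datetime.fromisoformat(ts_text)
        q = recent[pan]
        q.append((ts, merchant))
        while (ts - q[0][0]).total_seconds() > window_seconds:  # expire old
            q.popleft()
        merchants = {m for _, m in q}
        if len(merchants) >= max_merchants or len(q) >= max_total:
            suspects[pan] = (len(merchants), len(q))
    return suspects

if __name__ == "__main__":
    for pan, (sites, total) in find_guessing_suspects(SAMPLE_DECLINES).items():
        print(f"{pan}: {total} field declines across {sites} merchants")
```

On the sample data only the first card is reported, even though no merchant saw more than one failure for it; the two other cards stay below the thresholds or are not field-validation declines at all.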
Source: Times of India, 3 December 2016
http://epaperbeta.timesofindia.com/Article.aspx?eid=31804&articlexml=Your-card-can-be-hacked-in-6-sec-03122016019025