Researchers use ‘guessing attack’ to hack credit card in 6 seconds



So much of our digital lives is locked up behind passwords and security questions, and still that’s not always enough to keep villains out. So, what hope do we have to keep credit cards secure? Everything you need to steal them is emblazoned on the surface. Researchers from Newcastle University have worked out a way that a credit card can be stolen in as little as six seconds, even by someone who has only part of the information, simply by guessing wrong really, really fast, according to PCMag.
For most online transactions, all you need in order to verify a card are the account number, expiration date, and CVV. It is not uncommon for one or more of these numbers to be leaked as part of a data breach. Some payment processors might not require all three pieces of information, but you need all of them for maximum fraudulent activity. It turns out that the way payment processors track transactions across websites (or rather, how they don’t) makes it fairly easy to figure out missing bits of information by process of elimination.
Most websites rightly block a card after 20 failed attempts to use it. However, card companies don’t actually track usage across multiple websites. That means you can spread the trials out across many sites without running up against the limit on incorrect guesses. The researchers used Visa’s payment platform for the demo, which is more vulnerable than others.

The Newcastle University researchers used a database of thousands of website payment systems. They created a program called CCS2015 Toolkit to automate the process of reaching out to all those different sites with partial card details. To use the (obviously unreleased) tool, you input what you know about the card, and click a button to find the missing information. CCS2015 just runs through all the possible numbers until it gets a hit. In the demo, it takes only a few seconds to figure out the CVV number of a card when the account number and expiration date are already known. When the program gets the card accepted, it reports back with the number that worked.
Given the number of possible combinations, it would take 60 or fewer attempts to get the expiration date and 1,000 or fewer to get the CVV. The team has expressed concern that the payment platform and banks don’t have any system in place to detect this sort of inhumanly rapid usage. There’s no way a person would be attempting dozens of transactions per second on their credit card. The team also notes that Visa cards are the primary target of this attack. MasterCard, for example, locks a card after 10 failed attempts in a short period of time. There’s nothing you can really do to protect yourself from this one. It’s up to Visa and payment processors to work it out.
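The gap described above, failed attempts being counted per website rather than per card, is easiest to see from the issuer's side. The following is an added example, not code from the researchers or the article: it contrasts what any single site sees with a card-level velocity check across all merchants, and the 60-second window, token names and event data are constructed assumptions.

```python
from collections import Counter, defaultdict, deque

PER_SITE_LIMIT = 20   # per-website block threshold quoted in the article
NETWORK_LIMIT = 10    # issuer-side threshold the article attributes to MasterCard
WINDOW_SECONDS = 60   # assumption: what counts as "a short period of time"

class NetworkVelocityCheck:
    """Counts declined authorizations per card token across all merchants."""
    def __init__(self, limit=NETWORK_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.declines = defaultdict(deque)   # card token -> decline timestamps
        self.locked = {}                     # card token -> time the lock fired

    def observe(self, ts, card, merchant, approved):
        """Feed one authorization result; return True if the card is locked."""
        if card in self.locked:
            return True
        if approved:
            return False
        recent = self.declines[card]
        recent.append(ts)
        while ts - recent[0] > self.window:  # drop declines outside the window
            recent.popleft()
        if len(recent) >= self.limit:        # merchant identity is irrelevant here
            self.locked[card] = ts
            return True
        return False

def max_declines_at_one_site(events, card):
    """The most declines any single merchant sees: the per-website view."""
    per_site = Counter(m for _, c, m, ok in events if c == card and not ok)
    return max(per_site.values(), default=0)

def constructed_events():
    """Constructed sample: tok_A is declined 40 times across 20 merchants in
    4 seconds; tok_B is mistyped twice at one shop, then approved."""
    ev = [(i * 0.1, "tok_A", f"shop{i % 20:02d}", False) for i in range(40)]
    ev += [(5.0, "tok_B", "shop00", False), (20.0, "tok_B", "shop00", False),
           (35.0, "tok_B", "shop00", True)]
    return sorted(ev)

def run(events):
    check = NetworkVelocityCheck()
    for ts, card, merchant, approved in events:
        check.observe(ts, card, merchant, approved)
    return check.locked

if __name__ == "__main__":
    events = constructed_events()
    print(max_declines_at_one_site(events, "tok_A"), run(events))
```

In the constructed data no merchant sees more than two declines for `tok_A`, far below the per-site limit, while the card-level counter locks it on the tenth decline and leaves `tok_B` alone.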
