We all know what happens during the winter holidays: people use their cards more, and banks become very busy with the increased number of transactions. This is also the perfect opportunity for cyber-criminals to strike and steal funds. News has broken of exactly such a method, one that makes it very simple to guess a credit card’s crucial credentials in less than a minute.
The method, discovered by some very clever individuals at Newcastle University, results from two types of weaknesses in how online transactions are conducted via the Visa system. On their own the weaknesses are useless, but when they are combined with a special tool, your credit card’s information can be exposed faster than you can say “The little red riding hood took a stroll down memory lane.”
One of the weaknesses that makes this nightmare scenario possible is that the online payment system does not detect multiple invalid payment attempts when they are spread across several websites. Most sites permit multiple unsuccessful attempts at online payment with a card.
The other vulnerability discovered by the researchers is the lack of repeated checks during payment, which may result in variable information being input.
When fed into a special toolkit-type piece of software that uses a guessing technique to work out the missing information, the last 4 digits of a given card are all it takes to steal its:
- CVV code.
- Postal code.
- Full card number.
- Date of expiration.
This toolkit, also known as the “CCS2015 Toolkit” (Source: PCmag.com), can connect to the online transaction systems of multiple websites and eliminate the unknown pieces of information via trial-and-error brute forcing, continuing until it has guessed all of the details of the targeted card.
To recognize an expiry date in this pool of information, the toolkit requires less than 100 attempts for Visa cards. Discovering the security code (CVV) takes fewer than 1,000 attempts. When multiple payments are performed using one card, it is very difficult for a card to stay concealed for long.
This breach of security at the consumer level is primarily because of the online payment systems themselves. Since these payment systems are not closely related to the banks, the banks cannot monitor them and are not responsible for them either. This results in the attacker not only being able to obtain this information very swiftly, but also being able to create a duplicate credit card with a chip using such information. This allows the hacker to take all of the money from your card by knowing only the last 4 digits of its 16-digit Visa number.
And since the root of the issue is mathematical, at the moment there is no update or patch that can fix it, simply because the software calculates numbers. The only approach is to fix all of the online payment systems that validate users. Everyone using Visa cards is advised not to show their card to absolutely anyone external and to pay in cash in public places instead of using credit cards. It is also advisable to constantly monitor cards for suspicious activity, if possible via an SMS notification. Paying for something online should be done with another card, such as MasterCard, for which these vulnerabilities are not reported.
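The first weakness described above, failed attempts going unnoticed because they are spread over several websites, only shows up when declines are counted per card across all merchants. The sketch below is an added example, not code from the researchers or from any payment network; the event fields, the 10-minute window and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # assumed sliding window
MAX_FAILURES = 10      # assumed; far below the guess counts quoted in the article
MIN_MERCHANTS = 3      # assumed; failures must be spread over several sites

class DistributedGuessDetector:
    """Counts declined online attempts per card across ALL merchants."""

    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES,
                 min_merchants=MIN_MERCHANTS):
        self.window = window
        self.max_failures = max_failures
        self.min_merchants = min_merchants
        self.failures = defaultdict(deque)  # card token -> (ts, merchant, field)

    def observe(self, event):
        """Return an alert dict if this decline crosses the threshold, else None."""
        if event["approved"]:
            return None
        q = self.failures[event["card_token"]]
        q.append((event["ts"], event["merchant"], event["failed_field"]))
        # Drop declines that have fallen out of the sliding window.
        while q and q[0][0] <= event["ts"] - self.window:
            q.popleft()
        merchants = {m for _, m, _ in q}
        if len(q) >= self.max_failures and len(merchants) >= self.min_merchants:
            return {"card_token": event["card_token"], "failures": len(q),
                    "merchants": len(merchants),
                    "fields": sorted({f for _, _, f in q})}
        return None

def constructed_events():
    """Constructed sample: tok_A declined on 4 sites, tok_B is one honest typo."""
    events = [{"ts": 5, "card_token": "tok_B", "merchant": "shop-9",
               "failed_field": "cvv", "approved": False}]
    for i in range(12):  # each site sees only 3 declines, the network sees 12
        events.append({"ts": 10 + i * 2, "card_token": "tok_A",
                       "merchant": f"shop-{i % 4}", "failed_field": "expiry",
                       "approved": False})
    events.append({"ts": 40, "card_token": "tok_B", "merchant": "shop-9",
                   "failed_field": None, "approved": True})
    return events

def run(events, **kwargs):
    detector = DistributedGuessDetector(**kwargs)
    return [alert for alert in map(detector.observe, events) if alert]
```

In the constructed sample no single site sees more than three declines for `tok_A`, so a per-site limit would stay silent while the cross-merchant count raises the alert.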