A group of experts from Newcastle University have discovered how the method works has cost the bank 2.5 billion pounds Tesco last month. Failures in the Visa card payment system allow you to discover the credit / debit card number, expiry date and security code, and do it in record time: six seconds.
The criminals who carried out this robbery took advantage of a “terrifyingly simple” method to reveal that information: the so – called Distributed Guessing Attack allowed to take advantage of the fact that the Visa system does not detect that the cyber criminals made multiple attempts to get the card data and to combine all the failed attempts they were achieving the desired information.
Visa throws balls out
As he explained Mohammed Ali, one of the investigators, explaining how these failed attempts were added to the fact that each online shopping website asks for various data to validate these purchases. All this information ends up being useful to complete the puzzle and to obtain the information of the credit cards.
“The unlimited number of attempts,” noted Ali, “combined with variations in data fields terrifyingly make payments simple for attackers achieve generate all card details field by field”. Each field generated from the card can be used in succession to generate the next field, and that cycle is repeated until all that information is achieved.
You may also like to read another article on YellowTube: If you cover your webcam for privacy you may want to do the same with your microphone
The study revealed that even if we have only the first six digits of the card (which only reveal the bank and type of card) “a hacker can get the three essential pieces of information to make an online purchase in just six seconds”.
Visa does not seem to have recognized the validity of the study, and its officials said that “the investigation does not take into account the multiple layers of fraud prevention that exist in payment systems, each of which must be validated in order to make a transaction in the real world” and pointed to merchants and card issuers can take various measures to prevent brute force attacks like these.