Newcastle University published a report outlining how researchers were able to guess a Visa payment card number, the expiration date and the CVV code for credit and debit cards. As Finextra reported:
“By automatically and systematically generating different variations of the cards security data and firing it at multiple websites, within seconds hackers are able to get a ‘hit’ and verify all the necessary security data, they say.”
This is a particular concern for Visa, according to this report, based upon the way that transaction decline types are aggregated behind the scenes:
To obtain card details, the attack uses online payment websites to guess the data and the reply to the transaction will confirm whether or not the guess was right.
Because the current online system does not detect multiple invalid payment requests on the same card from different websites, unlimited guesses can be made by distributing the guesses over many websites.
However, the team found it was only the Visa network that was vulnerable.
Although the article suggests that this type of technique may have been used in the recent Tesco cyber attached, it is not known for certain. It is also good timing that Visa announced its purchase of on-line fraud solution provider, CardinalCommerce. That announcement can be found here.
Overview by Sarah Grotta, Director, Debit Advisory Service at Mercator Advisory Group
Read the full story here