A group of researchers from Newcastle University in the United Kingdom has published a paper that suggests online criminals can use online payment systems from a variety of different sites to figure out a target’s banking information by “brute force.” The researchers suggest that this methodology may have been used to facilitate last month’s attack on Tesco Bank customers.
Typically, a website will only allow a user 10 or 20 guesses at any individual field on a payment form, which is enough to prevent attackers from guessing a 16-digit account number. However, different retailers use different systems, meaning that a criminal could cross-reference data from several sites to find out that information, without ever exceeding the number of guesses that would prompt detection.
MasterCard is apparently immune to this kind of attack, because the company detects guesses even when they’re carried out across different websites, according a to a report from security expert Bruce Schneier. However, Visa does not implement the same system.
It’s thought that criminals only need the first six digits of a card number to facilitate this kind of attack — which is worrying, given that those numbers only refer to the bank and card type. With this information in hand, the card’s full number, its expiration date, and its CCV code can apparently be learned in as little as six seconds, giving the culprit everything needed to make fraudulent online purchases.
Editors' Recommendations
- This dangerous new Mac malware steals your credit card info
- Over 1M credit cards just leaked to criminals on the dark web
- Windows 11 now stops brute force cyberattacks right in their tracks
