Researchers identify ‘brute force’ method of stealing credit card information

We all know it’s important to be vigilant while shopping online, so that our information isn’t captured for illicit purposes. However, the user’s due diligence is worthless if the retail platform itself has a security flaw — and new research suggests there might be a glaring issue with the way online stores take payment information.

A group of researchers from Newcastle University in the United Kingdom has published a paper that suggests online criminals can use online payment systems from a variety of different sites to figure out a target’s banking information by “brute force.” The researchers suggest that this methodology may have been used to facilitate last month’s attack on Tesco Bank customers.

Typically, a website will only allow a user 10 or 20 guesses at any individual field on a payment form, which is enough to prevent attackers from guessing a 16-digit account number. However, each retailer enforces its limit independently, meaning that a criminal could spread the guesses across many different sites and combine the results, without ever exceeding the number of guesses at any one site that would prompt detection.

MasterCard is apparently immune to this kind of attack, because the company detects guesses even when they’re carried out across different websites, according to a report from security expert Bruce Schneier. However, Visa does not implement the same system.
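The difference between the two designs described above comes down to where the failed-attempt counter lives. The following added example (not code from the Newcastle paper, MasterCard, Visa or any retailer) models both: a merchant-side check that counts failures only at its own site, and an issuer-side check that counts failures per card across every merchant. The `Attempt` event, the per-site limit of 10 and the sample traffic are constructed assumptions for the demonstration; `card_id` stands in for an opaque card identifier such as a hash of the PAN, never a real card number.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed per-site limit; the article cites 10 to 20 guesses per field.
PER_SITE_LIMIT = 10


@dataclass(frozen=True)
class Attempt:
    """One payment-form submission (constructed event type for this example)."""
    card_id: str   # opaque card identifier, e.g. a hash of the PAN (assumption)
    merchant: str  # site the form was submitted on
    ok: bool       # True if the submitted details were accepted


def per_merchant_flags(attempts, limit=PER_SITE_LIMIT):
    """Merchant-side check: each site counts only the failures it has seen itself.
    Returns the set of card_ids that exceeded the limit at some single site."""
    failures = defaultdict(int)
    flagged = set()
    for a in attempts:
        if a.ok:
            continue
        key = (a.merchant, a.card_id)
        failures[key] += 1
        if failures[key] > limit:
            flagged.add(a.card_id)
    return flagged


def issuer_flags(attempts, limit=PER_SITE_LIMIT):
    """Issuer/network-side check: failures are counted per card regardless of
    which merchant forwarded them, so guesses spread across sites still add up."""
    failures = defaultdict(int)
    flagged = set()
    for a in attempts:
        if a.ok:
            continue
        failures[a.card_id] += 1
        if failures[a.card_id] > limit:
            flagged.add(a.card_id)
    return flagged


def constructed_distributed_attempts(card_id="card-A", sites=40, per_site=5):
    """Constructed sample traffic: failures against one card spread over many
    merchants, each site staying below the per-site limit."""
    return [Attempt(card_id, f"shop{i}", False)
            for i in range(sites) for _ in range(per_site)]


def constructed_legitimate_attempts(card_id="card-B"):
    """Constructed sample traffic: a real customer mistypes twice, then succeeds."""
    return [Attempt(card_id, "shop0", False),
            Attempt(card_id, "shop0", False),
            Attempt(card_id, "shop0", True)]


def compare_designs(attempts):
    """Run both checks over the same event stream and report what each flags."""
    return {
        "merchant_side": per_merchant_flags(attempts),
        "issuer_side": issuer_flags(attempts),
    }


if __name__ == "__main__":
    stream = constructed_distributed_attempts() + constructed_legitimate_attempts()
    for design, cards in compare_designs(stream).items():
        print(f"{design}: flagged {sorted(cards) or 'nothing'}")
```

Over the constructed stream the merchant-side counters see at most five failures per site and flag nothing, while the issuer-side counter sees two hundred failures for `card-A` and flags it; the legitimate customer's two typos stay under the limit in both designs. A production velocity check would additionally age counters out over a sliding time window and act on the card rather than on an in-memory set, but the placement of the counter is what decides whether distributed guessing is visible at all.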

It’s thought that criminals only need the first six digits of a card number to facilitate this kind of attack — which is worrying, given that those numbers only refer to the bank and card type. With this information in hand, the card’s full number, its expiration date, and its CVV code can apparently be learned in as little as six seconds, giving the culprit everything needed to make fraudulent online purchases.

Brad Jones
Brad is an English-born writer currently splitting his time between Edinburgh and Pennsylvania. You can find him on Twitter…