We all know it’s important to be vigilant while shopping online, so that our information isn’t captured for illicit purposes. However, the user’s due diligence is worthless if the retail platform itself has a security flaw — and new research suggests there might be a glaring issue with the way online stores take payment information.
A group of researchers from Newcastle University in the United Kingdom has published a paper that suggests online criminals can use online payment systems from a variety of different sites to figure out a target’s banking information by “brute force.” The researchers suggest that this methodology may have been used to facilitate last month’s attack on Tesco Bank customers.
Typically, a website will only allow a user 10 or 20 guesses at any individual field on a payment form, which is enough to prevent attackers from guessing a 16-digit account number. However, different retailers use different systems, meaning that a criminal could cross-reference data from several sites to find out that information, without ever exceeding the number of guesses that would prompt detection.
MasterCard is apparently immune to this kind of attack, because the company detects guesses even when they’re carried out across different websites, according a to a report from security expert Bruce Schneier. However, Visa does not implement the same system.
It’s thought that criminals only need the first six digits of a card number to facilitate this kind of attack — which is worrying, given that those numbers only refer to the bank and card type. With this information in hand, the card’s full number, its expiration date, and its CCV code can apparently be learned in as little as six seconds, giving the culprit everything needed to make fraudulent online purchases.