The research, published in the journal “IEEE Security and Privacy”, said that the “distributed guessing attack” circumvents all the security features put in place to protect online payments from fraud.
Neither the network, nor the banks are able to detect attackers making multiple, invalid attempts to get payment card data.
The current online payment system does not detect multiple invalid payment requests from different websites.
This allows unlimited guesses on each card data field, using up to the allowed number of attempts – typically 10 or 20 guesses – on each website, explained Mohammed Ali, a PhD student in Newcastle University.
“Different websites ask for different variations in the card data fields to validate an online purchase.
“This means it’s quite easy to build up the information and piece it together like a jigsaw,” Ali added.
The combination of these two factors — unlimited guesses and variation in the payment data fields — makes it easy for attackers to hack all the card details.
Each generated card field can be used in succession to generate the next field and so on.
“If the hits are spread across enough websites then a positive response to each question can be received within two seconds – just like any online payment,” Ali warned.
The researchers explained that even starting with no details at all other than the first six digits — which tell you the bank and card type — a hacker can obtain essential pieces of information.
These are — card number, expiry date and security code — to make an online purchase within as little as six seconds.
Researchers believe this ‘guessing attack’ method could have been used in the recent Tesco cyber attack where the hackers defrauded customers of 2.5 million pounds.
The risk is higher at this time of the year as many people are making online purchases ahead of Christmas.
However, researchers found that unlike Visa cards, MasterCard’s centralised network was able to detect the guessing attack after less than 10 attempts – even when those payments were distributed across multiple networks.
The researchers suggested that to minimise the chances of hacking, card-holders should use just one card for online payments and keep the spending limit on that account as low as possible.
“If it’s a bank card then keep ready funds to a minimum and transfer over money as you need it,” said Martin Emms, co-author of the research.