Distributed Guessing Attack: A Six-Second Attack to Hack VISA Payment System without Card Details

A team of security researchers at Newcastle University in the United Kingdom has discovered a new method to hack VISA credit and debit cards in just six seconds. The attack is called the Distributed Guessing Attack. It works in the same way as a brute-force attack or a dictionary attack: it is nothing more than a successful guess. The researchers showed that attackers can submit fake card details on online payment websites and analyze the reply to each transaction to check whether the data is correct or not. The most shocking fact about this attack is that it can very easily bypass all the security methods that online payment systems use to protect card details from hackers.

Where is the Flaw?

The security flaw exists in VISA payment systems. Mohammed Ali, a Ph.D. student at Newcastle University and the lead security researcher of this project, wrote about two major security flaws that allow this attack:

VISA Payment System Allows Unlimited Guesses: This flaw allows attackers to make unlimited guesses until a transaction succeeds. According to the security researchers, neither the banks nor the networks are able to detect these unlimited invalid attempts. Hackers can use this method to collect all the information needed to make successful transactions. They can then use these details to transfer funds from the accounts of VISA customers and to make unauthorized purchases without stealing any card details.

"In simple words, hackers can generate new card details by bypassing security features of VISA payment systems. All the different variations generated by the hackers could allow them to make unauthorized purchases on all those e-commerce websites that accept VISA cards."

Websites Ask for Different Variations: Different websites that use online payment services ask users to fill in different variations of VISA credit or debit card details. So hackers can build up the information piece by piece and put it together like a jigsaw to perform the attack. The VISA payment system does not detect invalid attempts coming from multiple websites, so hackers can repeat the same technique an unlimited number of times to get legitimate-looking card details.

Here is the proof-of-concept video released by the researchers: https://goo.gl/8Gw0HR

How to Create Card Number, Expiry Date, and CVV?

Card Numbers: At the start, attackers can use some legitimate cards to make guesses, but even without these cards it is easy to generate new card numbers. There are various tools that use the basic permutation and combination method to generate possible numbers. When you enter a card number in the input box of a payment gateway, it automatically shows the card type of a legitimate card. From there, hackers can see whether the generated card number will work or not. Hackers could also buy breached card details from the dark web to make the process easier.

Expiry Date: Most banks issue credit and debit cards for 60 months, so 60 attempts are needed to get a legit expiry date. Hackers could try this from 60 different websites.

CVV: This is the part of the information that is known only to the cardholder. To guess a legit 3-digit CVV, attackers can make 1000 attempts through various websites that accept VISA cards.

Mohammed Ali said that only VISA payment systems are vulnerable to this attack. The payment systems of MasterCard detect invalid attempts and block the IP address after 10 invalid attempts.
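The gap described above is that each website sees only its own handful of declines, while nobody counts them across websites. The sketch below is an added example, not code from the researchers or from any card network: it replays constructed authorization events through a network-wide decline counter and compares that with the per-site view. The limit of 10 comes from the figure quoted above; the one-hour window, keying on a card token rather than an IP address, the token and shop names, and the event layout are all assumptions.

```python
from collections import Counter, defaultdict, deque

MAX_FAILURES = 10      # the article's figure for MasterCard's cut-off
WINDOW_SECONDS = 3600  # assumed look-back window


class NetworkDeclineMonitor:
    """Counts declines per card token across every merchant (network-wide view)."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures, self.window = max_failures, window
        self.declines = defaultdict(deque)  # card token -> timestamps of recent declines
        self.locked = set()

    def observe(self, ts, card, approved):
        """Return 'locked' if the card must be refused, else 'pass'."""
        if card in self.locked:
            return "locked"  # a later correct guess is refused as well
        if approved:
            return "pass"
        recent = self.declines[card]
        recent.append(ts)
        while ts - recent[0] > self.window:  # forget declines older than the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked.add(card)
            return "locked"
        return "pass"


def worst_single_merchant_count(events):
    """Highest decline count any one merchant sees for one card (per-site view)."""
    counts = Counter((m, c) for _, c, m, ok in events if not ok)
    return max(counts.values(), default=0)


def replay(events):
    """Run events through the monitor; return {card: index of the event that locked it}."""
    monitor, locked_at = NetworkDeclineMonitor(), {}
    for i, (ts, card, _merchant, ok) in enumerate(events):
        if monitor.observe(ts, card, ok) == "locked":
            locked_at.setdefault(card, i)
    return locked_at


# Constructed sample: tok_A is declined once at 30 sites; tok_B has 2 declines, then approval.
SAMPLE = [(i, "tok_A", f"shop{i:02d}", False) for i in range(30)]
SAMPLE += [(40 + i, "tok_B", "shop01", i == 2) for i in range(3)]

print(worst_single_merchant_count(SAMPLE), replay(SAMPLE))
```

On the sample, no single site ever sees more than two declines for a card, yet the network-wide counter locks `tok_A` on its tenth decline and leaves the ordinary cardholder `tok_B` alone.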

Hackers Behind Tesco Bank Hack Also Used This Technique

Security researchers believe that the hackers behind the recent Tesco Bank cyber attack used this Distributed Guessing Attack. More than £2.5m was stolen from Tesco Bank. No special equipment or hardware devices are required to perform this attack. A laptop and an internet connection are enough to perform a Distributed Guessing Attack.

How to Protect a VISA Card?

Sorry to say, but this attack does not require legit card details. Hackers are generating new card details that work on the VISA payment systems. There is no magic key that could protect your money, but you can use some security methods to reduce the risk of losing money:

Use a separate credit or debit card for online purchases. Minimize the cash limits for this card.

Don’t be lazy: check your credit or debit card statements regularly. If you notice any suspicious or unauthorized transaction, tell your bank about it.

This type of attack is more dangerous in the Christmas season, when everyone is busy shopping and nobody pays attention to their credit card or bank statements.

Source: http://www.ncl.ac.uk/
