Major security flaw found in Visa Card Payment System that caused £2.5 million fraud


A team of academics from Newcastle University claims to have found an unsophisticated type of cyber-attack that exploits “security flaws” in the Visa card payment system.

The team claimed this was the probable cause of the £2.5 million fraud against Tesco Bank customers last month.

Finding out the correct card number, expiry date and security code of any Visa credit or debit card could take a hacker “as little as 6 seconds” of “guesswork”, the team claimed in an academic paper.

The team termed the method a “distributed guessing attack”, which was able to bypass all the security features and exploit the vulnerabilities at Visa.

Visa, however, said the research had not taken into account the multiple layers of fraud prevention that exist within websites’ payment systems.

Is this security flaw a concern for Mastercard users as well?

Mohammed Ali, the lead author of the research paper, said that this form of hacking did not work on Mastercard cards because its systems were able to detect the attacks.

The paper added that the online retailers (a few among millions) that use “3D Secure” technology to provide extra protection, such as the “Verified by Visa”, “Mastercard SecureCode” and “American Express SafeKey” systems, are also “safe” from this type of attack.

The paper was published weeks after Tesco Bank suffered the theft of £2.5 million.

How is this security flaw being exploited by the hackers?

The team identified that cyber criminals use software that automatically generates different sets of a card’s security data, such as the card number, expiry date and three-digit CVV, and fires these off to hundreds or even thousands of websites around the world at the same time. The reply to each transaction request confirms whether or not the guess was right.

Because Visa’s network did not detect multiple invalid payment requests on the same card coming from different websites, “unlimited guesses” could be made.

Mohammed Ali, a Ph.D. student and lead author on the paper, said: “It’s relatively easy to generate variations of card numbers and automatically send them out to numerous websites to validate them.”

He added: “The next step is the expiry date. Guessing the date takes at most 60 attempts as banks typically issue cards with 60 months validity. The last barrier, that is the CVV number, takes fewer than 1,000 attempts to guess the correct one.”

“Send this out over 1,000 websites and one will come back verified within a couple of seconds. And now you have all the data you need to hack the account,” said Ali.

Ali said Mastercard’s network was able to identify a guessing attack after fewer than 10 attempts.
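The detection gap the researchers describe is a counting problem: each website sees only its own handful of declines, while the card network sees all of them. As an added illustration (not code from the researchers, Visa or Mastercard), the following Python sketch shows the kind of network-level velocity check the article credits Mastercard’s systems with. It counts mismatched authorisation attempts per card token across every merchant in a short window and, once a small threshold is reached, refuses further authorisations for that card, including the one where the guessed data happens to be correct. The threshold, window, tokenised card references and the sample traffic are all constructed assumptions.

```python
"""Cross-merchant guessing-attack detector (added example, not the
researchers', Visa's or Mastercard's code).  It models the network-level
check the article says Mastercard performs: declined attempts for one card
are counted across every merchant, not per website, and the card is
flagged after a small number of failures.  Thresholds and the sample
traffic below are constructed assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AuthAttempt:
    ts: float            # seconds on a constructed timeline
    card_ref: str        # issuer-side token standing in for the card number
    merchant_id: str     # which website submitted the request
    data_matched: bool   # did the supplied expiry/CVV match the card on file?


class GuessingDetector:
    """Flags a card when too many mismatched attempts arrive from
    several different merchants within a sliding time window."""

    def __init__(self, max_failures=10, window_seconds=60, min_merchants=2):
        self.max_failures = max_failures     # assumed; article says "fewer than 10"
        self.window = window_seconds         # assumed window length
        self.min_merchants = min_merchants   # spread across sites is the signature
        self._failures = defaultdict(deque)  # card_ref -> (ts, merchant_id) entries
        self.blocked = set()

    def decide(self, a: AuthAttempt) -> str:
        # Attempts are assumed to arrive in timestamp order.
        if a.card_ref in self.blocked:
            # A flagged card stays refused even when the guess is right;
            # otherwise the attacker still receives the 'verified' reply.
            return "DECLINE_FLAGGED"
        if a.data_matched:
            return "ALLOW"
        q = self._failures[a.card_ref]
        q.append((a.ts, a.merchant_id))
        cutoff = a.ts - self.window
        while q and q[0][0] < cutoff:        # drop failures outside the window
            q.popleft()
        distinct_merchants = {m for _, m in q}
        if len(q) >= self.max_failures and len(distinct_merchants) >= self.min_merchants:
            self.blocked.add(a.card_ref)
            return "DECLINE_FLAGGED"
        return "DECLINE"


def replay(attempts, detector=None):
    """Run a list of attempts through a detector; return (detector, decisions)."""
    det = detector or GuessingDetector()
    return det, [det.decide(a) for a in attempts]


# Constructed sample traffic.  A genuine cardholder mistypes the CVV once and
# retries at the same shop; a spray against another card token hits 12
# different sites with wrong data, then a 13th site with the right data.
SAMPLE_ATTEMPTS = [
    AuthAttempt(0.0, "card_tok_LEGIT", "shop-a", False),
    AuthAttempt(5.0, "card_tok_LEGIT", "shop-a", True),
] + [
    AuthAttempt(100.0 + i * 0.1, "card_tok_0001", f"site-{i:03d}", False)
    for i in range(12)
] + [
    AuthAttempt(101.5, "card_tok_0001", "site-999", True),
]

if __name__ == "__main__":
    det, decisions = replay(SAMPLE_ATTEMPTS)
    for a, d in zip(SAMPLE_ATTEMPTS, decisions):
        print(f"{a.ts:7.1f} {a.card_ref:15} {a.merchant_id:9} {d}")
    print("flagged cards:", sorted(det.blocked))
```

Run as a script, the replay shows the legitimate retry allowed, the tenth mismatched attempt on the sprayed token flagging the card, and the later correct guess declined anyway. The `min_merchants` condition is what distinguishes this from a per-website rate limit: a single shop retrying on the customer’s behalf never trips it, while a spread of failures across many unrelated merchants is exactly the pattern no individual website could see on its own.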

The team said this guessing attack method was likely to have been used in the Tesco cyber-attack and was “frighteningly easy if you have a laptop and an internet connection.”

The research has also been published in the academic journal IEEE Security & Privacy.

Visa said in a statement that it was “committed to keeping fraud at low levels, and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally.”