Sixty attempts on a Visa card before being thrown out: frankly, that is going too far. In any case, be warned: the CVV code and the expiry date are no longer an obstacle for hackers.
Tests carried out on several e-commerce sites
At the end of a study, researchers from the University of Newcastle announced that on certain e-commerce sites, Visa cards used for online transactions are very vulnerable to brute force attacks. In their report, the researchers claim that hackers are able to hack a Visa card in just 6 seconds.
According to the report, the tests that allowed the experts to come to this conclusion were carried out on several e-commerce sites. For the purposes of the study, the researchers chose the top 400 e-commerce sites listed by Alexa. Of these, they selected 389 for their study.
As a reminder, Alexa is a company based in San Francisco and very well known in the field of providing statistics relating to web traffic.
The researchers recalled that to make an online payment by bank card, you must enter at least three basic pieces of information: the card number, the expiry date and the visual cryptogram, or CVV code, which consists of three digits. The visual cryptogram is on the back of the card.
To highlight the flaws related to online payments by Visa cards, the researchers created an algorithm that allows them to make brute force attacks in order to bypass the security measures that are supposed to protect online purchases. They claim that the expiry date of a Visa card as well as its visual cryptogram can be obtained from the number of said card.
Their modus operandi is to connect to the various e-commerce sites previously selected and to generate, using their algorithm, the information needed to make an online purchase. According to the report, it takes at most 60 attempts to find the expiration date of a card, since a card's validity is usually limited to five (5) years.
The information generated is then entered one item at a time into the payment interface of the site concerned until a favorable result is obtained, that is to say, a payment that goes through.
In the report, Mohammed Ali, the initiator of the study and a PhD student at Newcastle University's School of Computing, argues that his team exploited shortcomings that, taken individually, do not pose a danger. However, if they are exploited simultaneously, this poses a real threat to the entire payment system. These shortcomings result from the fact that Visa cards allow multiple unsuccessful attempts from different sites.
According to Ali, a hacker has the opportunity to obtain all the information from a Visa card that is essential to make an online payment. For this, he only needs the first six digits of the card number, because these provide information on the bank concerned and the type of card used.
Mohammed Ali also specifies that the brute force attack method can only be used in the Visa network. He claims MasterCard's centralized network was able to detect the attack after less than ten (10) failed tests. In addition, Ali points out that several sites ask for confirmation by SMS before validating a transaction, which constitutes a weak point of the method (brute force attack) that they used.
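The difference between per-site counting and the centralized detection described above can be shown with a short detection sketch. This is an added example, not code from the study or from any card network; the thresholds, the time window, the card tokens, the site names and the event format are all assumptions made for the illustration.

```python
from collections import defaultdict, deque

# Assumed values for illustration; not taken from the study or any card network.
SITE_LIMIT = 10        # declines one site tolerates for a single card
NETWORK_LIMIT = 10     # declines tolerated for a card across all sites
WINDOW_SECONDS = 600   # sliding window for the network-wide count


def per_site_alerts(events, limit=SITE_LIMIT):
    """Each site counts declines in isolation; returns flagged (card, site) pairs."""
    counts, flagged = defaultdict(int), set()
    for _ts, card, site, approved in events:
        if not approved:
            counts[(card, site)] += 1
            if counts[(card, site)] >= limit:
                flagged.add((card, site))
    return flagged


def network_alerts(events, limit=NETWORK_LIMIT, window=WINDOW_SECONDS):
    """Count declines per card across every site inside a sliding time window.

    Returns {card: (alert_time, declines_in_window, distinct_sites)}.
    """
    recent, alerts = defaultdict(deque), {}
    for ts, card, site, approved in sorted(events):
        if approved:
            continue
        q = recent[card]
        q.append((ts, site))
        while ts - q[0][0] > window:      # drop declines older than the window
            q.popleft()
        if len(q) >= limit and card not in alerts:
            alerts[card] = (ts, len(q), len({s for _, s in q}))
    return alerts


def constructed_events():
    """Constructed sample: (unix_seconds, card_token, site, approved)."""
    # tok_A: 60 declines, one per second, spread three per site over 20 sites.
    events = [(i, "tok_A", f"shop{i % 20:02d}", False) for i in range(60)]
    # tok_B: a customer mistypes twice on one site, then pays successfully.
    events += [(5, "tok_B", "shop01", False), (20, "tok_B", "shop01", False),
               (40, "tok_B", "shop01", True)]
    return events


if __name__ == "__main__":
    ev = constructed_events()
    print("per-site alerts:", per_site_alerts(ev))
    print("network alerts:", network_alerts(ev))
```

On the constructed data no single site ever sees enough declines to react, while the card-level view raises an alert on the tenth decline and leaves the customer who mistyped twice alone.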
source: Develop.com