Credit card numbers guessed in 'seconds'

Smart cyber thieves who query lots of websites at once can guess credit card numbers in a few seconds, suggests research.

Security experts from the University of Newcastle found loopholes on websites that helped thieves seeking card data.

The attack works against some of the most popular retailers on the web, said the team.

Vulnerable sites have been told about their findings and some have now put in place defences against the attack.

The researchers, led by PhD student Mohammed Aamir Ali at the University of Newcastle, created a credit card querying system that submitted payment requests to different sites at the same time.


Starting with just the first six digits of a card, the system guessed the remaining details and tried the combinations on many sites at the same time.

By trying different combinations of a card's number, expiry date and security code, this system could quickly find out all the information needed to replicate a card, said the researchers in a paper describing their work.

Because different sites ask for different parts of the credentials required to verify a purchase, it was possible to compile the fragmented details that sites share to build up all the security information for a card.

"This attack subverts the payment functionality from its intended purpose of validating card details, into helping the attackers to generate all security data fields required to make online transactions," they wrote.

This approach could help thieves who have some knowledge of victims gained from information in the massive troves of data released by breaches at web firms.

Few sites noticed that multiple queries were being run across lots of sites, found the team.

"It is possible to run multiple bots at the same time on hundreds of payment sites without triggering any alarms in the payment system," they said.

A sample attack showed that if an attacker ran many queries at once they could compile the correct information about a card in approximately six seconds.

There is no evidence that cyber thieves are using such a distributed attack, said the researchers, but their work showed it was "practical" and therefore a "credible" threat.
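
The gap described above is that guesses spread across many sites leave each individual site with too few failures to react. Counting failed checks per card from a vantage point that sees several merchants closes it. The following is an added example, not code from the researchers' paper; the event format, thresholds and function names are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict, deque

# Assumed thresholds; tune to real traffic.
WINDOW_SECONDS = 60   # sliding window per card
MAX_FAILURES = 5      # failed checks tolerated per card across ALL merchants
MIN_MERCHANTS = 3     # spread over at least this many sites counts as distributed

# Constructed sample events: (unix_time, merchant_id, card_token, failed_field).
# failed_field is None when the card check succeeded.
SAMPLE_EVENTS = (
    # tok_A: 8 failures in 8 seconds, rotated over 4 merchants (2 per merchant).
    [(1000 + i, f"m{i % 4 + 1}", "tok_A", "cvv") for i in range(8)]
    # tok_B: a customer mistypes twice on one site, then succeeds.
    + [(1001, "m1", "tok_B", "cvv"), (1003, "m1", "tok_B", "cvv"),
       (1010, "m1", "tok_B", None)]
)

def per_merchant_max(events, card):
    """Most failures any single merchant saw for this card (the site-local view)."""
    counts = Counter(m for _, m, c, failed in events if c == card and failed)
    return max(counts.values(), default=0)

def detect_distributed_guessing(events, window=WINDOW_SECONDS,
                                max_failures=MAX_FAILURES,
                                min_merchants=MIN_MERCHANTS):
    """Return {card_token: time of first alert} using the cross-merchant view."""
    recent = defaultdict(deque)  # card_token -> (time, merchant) of recent failures
    alerts = {}
    for ts, merchant, card, failed in sorted(events, key=lambda e: e[0]):
        if failed is None:
            continue  # successful checks do not count against the budget
        q = recent[card]
        q.append((ts, merchant))
        while ts - q[0][0] > window:  # drop failures older than the window
            q.popleft()
        merchants = {m for _, m in q}
        if (len(q) > max_failures and len(merchants) >= min_merchants
                and card not in alerts):
            alerts[card] = ts
    return alerts

if __name__ == "__main__":
    print("site-local max failures for tok_A:", per_merchant_max(SAMPLE_EVENTS, "tok_A"))
    print("cross-merchant alerts:", detect_distributed_guessing(SAMPLE_EVENTS))
```

With the sample data each merchant sees only two failures for `tok_A`, below a per-site limit of five, while the combined view alerts on the sixth failure.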

The team shared its findings with 36 of the sites against which they ran their distributed card number-guessing system. The disclosure led to eight sites changing their security systems to thwart the attacks. Many now limit the number of times card details can be checked.

However, said the researchers, the other 28 sites made no changes despite the disclosure.

"We do not know the reason behind this and further research will be needed to find the explanation," wrote the team.


