Credit card numbers guessed in 'seconds'

Smart cyber thieves who query lots of websites at once can guess credit card numbers in a few seconds, suggests research.

Security experts from the University of Newcastle found loopholes on websites that helped thieves seeking card data.

The attack works against some of the most popular retailers on the web, said the team.

Vulnerable sites have been told about their findings and some have now put in place defences against the attack.

The researchers, led by PhD student Mohammed Aamir Ali at the University of Newcastle, created a credit card querying system that submitted payment requests to different sites simultaneously.


Starting with just the first six digits of a card, the system guessed the remaining details and tried the combinations on many sites at the same time.

By trying different combinations of a card's number, expiry date and security code, this system could quickly find out all the information needed to replicate a card, said the researchers in a paper describing their work.

Because different sites ask for different parts of the credentials required to verify a purchase, it was possible to compile the fragmented details that sites share to build up all the security information for a card.

"This attack subverts the payment functionality from its intended purpose of validating card details, into helping the attackers to generate all security data fields required to make online transactions," they wrote.

This approach could help thieves who have some knowledge of victims gained from information in the massive troves of data released by breaches at web firms.

Few sites noticed that multiple queries were being run across lots of sites, found the team.

"It is possible to run multiple bots at the same time on hundreds of payment sites without triggering any alarms in the payment system," they said.

A sample attack showed that if an attacker ran many queries at once they could compile the correct information about a card in approximately six seconds.

There is no evidence that cyber thieves are using such a distributed attack, said the researchers, but their work showed it was "practical" and therefore a "credible" threat.

The team shared its findings with 36 of the sites against which they ran their distributed card number-guessing system. The disclosure led to eight sites changing their security systems to thwart the attacks. Many now limit the number of times card details can be checked.

However, said the researchers, the other 28 sites made no changes despite the disclosure.

"We do not know the reason behind this and further research will be needed to find the explanation," wrote the team.
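The gap the researchers describe, where a limit enforced by each site separately never sees guesses spread across many sites, can be illustrated with a short detection sketch. This is an added example, not code from the paper or from any payment system; the event format, thresholds, key and sample data are all constructed assumptions, and it assumes a vantage point that sees declined attempts from many sites.

```python
import hashlib
import hmac
from collections import defaultdict, deque

WINDOW_SECONDS = 60    # assumed sliding window
PER_SITE_LIMIT = 5     # assumed limit a single site enforces per card
CROSS_SITE_LIMIT = 10  # assumed limit on declines per card across all sites
KEY = b"constructed-demo-key"  # placeholder; keeps raw card numbers out of counters

def card_key(pan):
    """Keyed hash of the card number, used as the counter key."""
    return hmac.new(KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]

def detect(events):
    """events: (timestamp, site, pan, approved). Returns (site_alerts, cross_site_alerts)."""
    per_site = defaultdict(deque)  # (site, card) -> recent declines
    per_card = defaultdict(deque)  # card -> recent declines from every site
    site_alerts, cross_site_alerts = set(), {}
    for ts, site, pan, approved in sorted(events):
        if approved:
            continue
        card = card_key(pan)
        for q in (per_site[(site, card)], per_card[card]):
            q.append((ts, site))
            while ts - q[0][0] > WINDOW_SECONDS:  # drop declines outside the window
                q.popleft()
        if len(per_site[(site, card)]) > PER_SITE_LIMIT:
            site_alerts.add((site, card))
        if len(per_card[card]) > CROSS_SITE_LIMIT:
            sites = {s for _, s in per_card[card]}
            cross_site_alerts[card] = max(cross_site_alerts.get(card, 0), len(sites))
    return site_alerts, cross_site_alerts

def sample_events():
    """Constructed data: 30 declines on one card over 6 s, 2 per site on 15 sites."""
    guessed = "4000000000000000"  # constructed placeholder number
    events = [(i * 0.2, f"shop{i % 15}.example", guessed, False) for i in range(30)]
    # An ordinary customer: one mistyped attempt, then a successful payment.
    events += [(1.0, "shop1.example", "4000000000000001", False),
               (20.0, "shop1.example", "4000000000000001", True)]
    return events

if __name__ == "__main__":
    site_alerts, cross_site_alerts = detect(sample_events())
    print("per-site alerts:", site_alerts)
    print("cross-site alerts:", cross_site_alerts)
```

On the constructed data no single site exceeds its own limit, while the counter keyed on the card alone flags the card and reports how many distinct sites the declines came from.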


