Online payments remain a weak spot.
This story originally appeared on Fortune.com.
If you shop online, you know how retailers ask for extra credit card information such as a security code to reduce the risk of fraud. In the case of Visa, however, it turns out there’s a way for hackers to guess that card information in mere seconds.
The trick, described in a new academic paper, may have been responsible for the hack of thousands of Tesco customers in the U.K. It also shows how online payments remain a weak spot at a time when credit card companies are using chips and other features to tighten up security for in-store transactions.
The Visa vulnerability described in the paper works like this: The hackers use bots to submit credit card information to hundreds of retailers at once in order to guess the missing security code information. Since the code is only three numbers, it takes a maximum of 1,000 guesses to crack it. The paper suggests the attack can be carried out in just six seconds:
These experiments have also shown that it is possible to run multiple bots at the same time on hundreds of payment sites without triggering any alarms in the payment system. Combining that knowledge with the fact that an online payment request typically gets authorized within two seconds makes the attack viable and scalable in real time. As an illustration, with the website bot configured cleverly to run on 30 sites, an attacker can obtain the correct information within four seconds.
The trick works, according to the researchers, because Visa does not detect multiple attempts to use a card across its network. This is different than MasterCard, they say, which will detect the guessing attack after fewer than 10 attempts, even when the guesses are spread across multiple websites.
The best answer appears to be for Visa to adopt a similar approach to MasterCard and shut down a card when someone tries to guess card details multiple times in rapid succession.
Visa provided a detailed statement to the Independent, which was one of several U.K. outlets to report on the research, saying the paper “did not account for the multiple layers of fraud prevention that exist within the payments system.” However, it did not address whether it would adopt a system like the one used by MasterCard. Visa did not immediately respond to an email from Fortune for more details.
To conduct the experiment, the researchers used their own credit cards. They also pointed out, however, that hackers who wished to conduct a “guessing attack” could easily purchase credit card numbers in online criminal forums.
There have been no confirmed cases of hackers carrying out the attack described in the paper, but some security experts believe it has indeed been used, including in a major security breach last month at Tesco.
Online retailers are also part of the problem since many of them allow someone to submit the same credit card details over and over again, the report suggests.
One solution to the “guessing attack” problem might be for retailers to require additional verification details such as a zip code and, indeed, many do so already. But as the paper notes, this information could also be guessed in the way described above—and meanwhile, many retailers are reluctant to create additional friction for the customer in the payment process.