Security researchers at Newcastle University in the United Kingdom have demonstrated the relative ease with which malicious individuals can harvest information from VISA credit and debit cards that are used for online payments.
Very few of us actually think twice when opting to make a payment for goods or services online, but it seems that the trust we place in that payment mechanism could be misplaced, especially when using a VISA issued card to transact.
The most worrying aspect is not that the data can be obtained by someone with the necessary skills, but the speed with which it can be stolen and the amount of information a would-be attacker can recover. The UK-based team behind the discovery has found that information such as the debit or credit card number, expiry date, and security code can be obtained in as little as six seconds via a security vulnerability in the company’s online payment system.
One of the biggest issues in the current VISA system, as discovered by the team, is that it does not automatically limit the number of failed attempts before a failsafe kicks in and locks the account against further unsuccessful attempts.
This essentially means that brute-force style attacks are fair game: the current implementation offers no protection against them, so computer systems can be set up to keep trying to force a payment through without any fear of being locked out. Mastercard, on the other hand, imposes a limit of 10 failed attempts before its security measures kick in.
The second flaw in the system means that it is possible to mount a Distributed Guessing Attack, in which an overall picture of a credit or debit card is built up by making multiple unobstructed attempts at guessing individual pieces of card information, such as the CVV number and expiry date. Unfortunately for users, there does not appear to be any recommended method of protection other than vigilance. VISA, on the other hand, could do with an internal review of its current system, and at a minimum make changes to ensure that accounts are locked after a number of failed attempts.
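One way an issuer could implement the lockout the article calls for is shown below as an added example (this is not code from the article or from the Newcastle team). It keeps a per-card failed-attempt counter on the issuer side, so that attempts spread across many merchants still accumulate against the same card, which is the property a per-merchant counter lacks. The threshold of 10 mirrors the Mastercard limit the article cites; the 24-hour counting window, the hashing of the card number for the counter key, and the sample event stream (built on the well-known 4111... test card number) are assumptions constructed for the example.

```python
"""Issuer-side failed-attempt lockout (added example; assumptions noted inline)."""
from collections import defaultdict
import hashlib

LOCKOUT_THRESHOLD = 10        # matches the 10-attempt limit the article attributes to Mastercard
WINDOW_SECONDS = 24 * 3600    # assumption: failures older than a day no longer count


def card_key(pan: str) -> str:
    """Key the counter on a hash rather than the raw card number (assumed practice)."""
    return hashlib.sha256(pan.encode()).hexdigest()[:16]


class IssuerLockout:
    """Counts failed verifications per card regardless of which merchant submitted them."""

    def __init__(self, threshold: int = LOCKOUT_THRESHOLD, window: int = WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(list)   # card key -> timestamps of recent failures
        self.locked = {}                    # card key -> time the lock was applied

    def _prune(self, key: str, now: float) -> None:
        # Drop failures that fall outside the counting window.
        self.failures[key] = [t for t in self.failures[key] if now - t < self.window]

    def check(self, pan: str, verified: bool, now: float) -> str:
        """Return 'approved', 'declined' or 'locked' for one verification attempt."""
        key = card_key(pan)
        if key in self.locked:
            return "locked"                 # nothing further is evaluated once locked
        if verified:
            self.failures[key].clear()      # a successful verification resets the counter
            return "approved"
        self._prune(key, now)
        self.failures[key].append(now)
        if len(self.failures[key]) >= self.threshold:
            self.locked[key] = now
            return "locked"
        return "declined"


# Constructed sample stream: twelve failed attempts on one card, each from a different merchant.
TEST_PAN = "4111111111111111"
SAMPLE_EVENTS = [(f"merchant-{i:02d}", TEST_PAN, False) for i in range(12)]


def simulate(events=SAMPLE_EVENTS):
    """Run the stream through both a per-merchant counter and the issuer-wide lockout.

    Returns (issuer outcomes per event, per-merchant failure counts). The per-merchant
    counts stay at 1 each, so a merchant-local limit never fires; the issuer-wide
    counter reaches the threshold on the tenth attempt and locks the card.
    """
    issuer = IssuerLockout()
    per_merchant = defaultdict(int)
    outcomes = []
    for i, (merchant, pan, verified) in enumerate(events):
        if not verified:
            per_merchant[merchant] += 1
        outcomes.append(issuer.check(pan, verified, now=1000.0 + i))
    return outcomes, dict(per_merchant)


if __name__ == "__main__":
    outcomes, per_merchant = simulate()
    print("issuer outcomes:", outcomes)
    print("max failures seen by any single merchant:", max(per_merchant.values()))
```

The design point is where the counter lives: each merchant in the sample sees a single failure and would never trip a local limit, while the issuer, which sees every attempt for the card, locks it on the tenth. A successful verification clears the counter so a cardholder who mistypes a couple of times is not locked out.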
(Source: Newcastle University [YouTube])