A group of tech researchers has developed software that can hack a credit card in about 6 seconds. If you’ve purchased anything online or have had to give your credit card number over the phone, then you know that having just the credit card number isn’t enough. For additional validation, you also need the expiration date, the CVV, and the ZIP code. Now all three points of validation can be unlocked with a few keystrokes and the click of a mouse.
The program is essentially a form of brute-force attack, similar to what is used in DDoS attacks. The hacker can enter a credit card number, then mass-query e-commerce sites tens of thousands of times until the correct combination is discovered. Further, with a little tweaking, the data found by the program can be correlated with issuing banks and ATM skimmers to determine where the cards have been used and pinpoint the owner’s home address.
MasterCards are not susceptible to this type of attack as their system automatically shuts down credit cards after 100 attempts. Other brands, such as Visa, do not have this safeguard in place.
Luckily, the researchers have no malicious intent for this new program. Instead, what they’ve done is discover a fairly large security flaw in our payment technology. To thwart these types of attacks, they recommend either centralization or standardization. With centralization, each payment gateway would need the ability to view all payment attempts associated with its network, so that a brute-force attempt spread across many sites can be spotted and shut down. The standardization approach would require all merchants to offer the same payment interface.
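A sketch of the centralization idea, as an added example that is not the researchers' code: a network-wide monitor counts declined authorizations per card across every merchant and locks the card at the 100-attempt figure cited above, while each individual merchant sees only a handful. The class name, the one-hour window, the keyed-hash tokenization and the replayed sample data are assumptions made for illustration.

```python
import hashlib
import hmac
from collections import defaultdict, deque

LOCK_THRESHOLD = 100      # figure the article cites for Mastercard
WINDOW_SECONDS = 3600     # assumed window; the article gives none

class CentralAttemptMonitor:
    """Counts failed authorizations per card across every merchant on the network."""

    def __init__(self, key, threshold=LOCK_THRESHOLD, window=WINDOW_SECONDS):
        self._key = key
        self.threshold = threshold
        self.window = window
        self._failures = defaultdict(deque)   # card token -> failure timestamps
        self.per_merchant = defaultdict(int)  # (token, merchant) -> failures seen
        self.locked = set()

    def token(self, pan):
        # Keyed hash so the monitor never stores the raw card number.
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def record(self, pan, merchant, ts, approved):
        """Return 'locked', 'approved' or 'declined' for one authorization attempt."""
        tok = self.token(pan)
        if tok in self.locked:
            return "locked"
        if approved:
            return "approved"
        q = self._failures[tok]
        q.append(ts)
        while q and q[0] <= ts - self.window:   # drop failures outside the window
            q.popleft()
        self.per_merchant[(tok, merchant)] += 1
        if len(q) >= self.threshold:
            self.locked.add(tok)
            return "locked"
        return "declined"

def replay_constructed_sample():
    """Constructed data: 120 declines for one test card spread over 40 merchants."""
    mon = CentralAttemptMonitor(key=b"constructed-demo-key")
    pan = "4111111111111111"  # well-known test number, not a real card
    results = [mon.record(pan, f"merchant-{i % 40}", ts=i, approved=False)
               for i in range(120)]
    tok = mon.token(pan)
    worst_single = max(n for (t, _), n in mon.per_merchant.items() if t == tok)
    return results.index("locked") + 1, worst_single
```

In the replayed sample no single merchant sees more than three declines, which is why per-site limits miss the pattern that the network-wide count catches.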
In addition to this discovery, the developers have reason to believe that these types of attacks are already happening in the real world. If you haven’t checked your credit card statement in a while, now may be a great time to ensure you don’t have any unrecognized charges or login attempts.