A new tool can crack a credit card number in six seconds

In what amounts to a very clever brute force attack, a group of researchers has figured out how to find credit card information – including expiration dates and CVV numbers – by querying ecommerce sites. The process, which was outlined in IEEE Security & Privacy, involves guessing and testing hundreds of permutations of expiration dates and CVV numbers on hundreds of sites.

MasterCards aren’t susceptible to this attack because their system shuts down cards after 100 attempts. Visa cardholders aren’t so lucky.

The researchers, Mohammed Aamir Ali, Budi Arief, Martin Emms, and Aad van Moorsel, believe that their tool can also be used to guess ZIP codes and address data or hackers can simply correlate location data with issuing banks or use skimmers to figure out where different cards are used. If the commerce site doesn’t require a ZIP code, however, cracking the card is as simple as running a program.

To prevent the attack, either standardisation or centralisation can be pursued (some card payment networks already provide this). Standardisation would imply that all merchants need to offer the same payment interface, that is, the same number of fields. Then the attack does not scale anymore. Centralisation can be achieved by payment gateways or card payment networks possessing a full view over all payment attempts associated with its network. Neither standardisation nor centralisation naturally fit the flexibility and freedom of choice one associates with the Internet or successful commercial activity, but they will provide the required protection. It is up to the various stakeholders to determine the case for and timing of such solutions.

The researchers believe that these attacks are already happening in the wild and that their solution – while distressing – isn’t unique, which makes it much scarier.