It is widely believed that the Tesco Bank fraudsters may have used an unsophisticated type of cyber attack exploiting "flaws" in the Visa card payment system to steal £2.5m.
Researchers at Newcastle University found that working out the card number, expiry date and security code of any Visa bank card takes a criminal just a few seconds using nothing more than guesswork, or rather a "distributed guessing attack". As a result, attackers are able to circumvent the security features designed to protect online payments from fraud, exploiting weaknesses in a payment system that accounts for more than 500 million cards in circulation in Europe alone, along with hundreds of the most popular retail websites in the world. Some site operators have since changed their online security settings to prevent this kind of fraud.
As for the payment system itself, Visa claimed that the study failed to take into account the multiple layers of fraud prevention that exist within the payments system, all of which must be passed before a transaction can go through.
The researchers point out that this form of attack does not work on Mastercard cards, because Mastercard's systems were able to detect it. The minority of online retailers that use so-called 3D Secure technology for extra protection were also safe from this type of attack. The study was carried out after Tesco Bank suffered an unprecedented attack on its online accounts, as a result of which 9,000 customers were affected and £2.5m was stolen.
The researchers believe that criminals used merchants' payment websites to "guess" people's card details. This can be done with software that automatically generates variations of a card's security data and fires them off to thousands of websites at the same time; the reply to each transaction request shows whether the guess was right. The problem is that Visa's network did not detect multiple invalid payment requests on the same card arriving from different merchants, so attackers could make "unlimited guesses" and verify all the necessary security data within seconds.
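The gap the researchers describe is a missing cross-merchant velocity check: each merchant sees only a handful of declines, while the card network sees all of them but does not correlate them. The following is an added illustration written for this article, not code from the Newcastle study, Visa or Tesco Bank. It shows the kind of network-side detection that closes the gap: declines are aggregated per card across every merchant in a sliding time window, and a card is flagged once too many declines arrive from too many distinct merchants. The log format, the opaque card tokens (`tok_A` and so on), the merchant names and the thresholds are all constructed assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of authorisation attempts as a card network (not a single
# merchant) would see them. Card numbers are replaced by opaque tokens; every
# value here is made up for the example.
SAMPLE_LOG = """\
2016-11-05T10:00:00Z merchant=shop-a card=tok_A result=DECLINED reason=BAD_EXPIRY
2016-11-05T10:00:01Z merchant=shop-b card=tok_A result=DECLINED reason=BAD_EXPIRY
2016-11-05T10:00:02Z merchant=shop-c card=tok_A result=DECLINED reason=BAD_EXPIRY
2016-11-05T10:00:03Z merchant=shop-d card=tok_A result=DECLINED reason=BAD_EXPIRY
2016-11-05T10:00:04Z merchant=shop-a card=tok_A result=DECLINED reason=BAD_CVV
2016-11-05T10:00:05Z merchant=shop-b card=tok_A result=DECLINED reason=BAD_CVV
2016-11-05T10:01:00Z merchant=shop-a card=tok_B result=DECLINED reason=BAD_CVV
2016-11-05T10:01:30Z merchant=shop-a card=tok_B result=APPROVED
2016-11-05T10:02:00Z merchant=shop-c card=tok_C result=DECLINED reason=BAD_EXPIRY
2016-11-05T10:06:00Z merchant=shop-c card=tok_C result=DECLINED reason=BAD_EXPIRY
2016-11-05T10:12:00Z merchant=shop-c card=tok_C result=DECLINED reason=BAD_EXPIRY
"""


@dataclass(frozen=True)
class AuthAttempt:
    ts: datetime
    merchant: str
    card: str
    approved: bool
    reason: str


def parse_line(line: str) -> AuthAttempt:
    """Parse one constructed 'timestamp key=value ...' authorisation record."""
    ts_str, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return AuthAttempt(
        ts=datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ"),
        merchant=fields["merchant"],
        card=fields["card"],
        approved=fields["result"] == "APPROVED",
        reason=fields.get("reason", ""),
    )


def detect_guessing(lines, window=timedelta(minutes=5),
                    max_declines=5, min_merchants=3):
    """Flag cards whose declines, pooled across merchants, exceed a velocity.

    A single merchant's own rate limit never fires here, because no merchant
    sees more than two declines; only the network-wide view does. Thresholds
    are assumptions chosen for the example. Returns {card: alert details} with
    one alert per card, recorded the first time it crosses the threshold.
    """
    recent = defaultdict(deque)  # card -> deque of (timestamp, merchant)
    alerts = {}
    attempts = sorted((parse_line(l) for l in lines if l.strip()),
                      key=lambda a: a.ts)
    for attempt in attempts:
        if attempt.approved:
            continue  # only failed guesses feed the velocity counter
        q = recent[attempt.card]
        q.append((attempt.ts, attempt.merchant))
        # Drop declines that have fallen out of the sliding window.
        while q and attempt.ts - q[0][0] > window:
            q.popleft()
        merchants = {m for _, m in q}
        if (attempt.card not in alerts
                and len(q) >= max_declines
                and len(merchants) >= min_merchants):
            alerts[attempt.card] = {
                "declines": len(q),
                "merchants": len(merchants),
                "first_alert": attempt.ts.isoformat(),
            }
    return alerts


if __name__ == "__main__":
    for card, info in detect_guessing(SAMPLE_LOG.splitlines()).items():
        print(f"block further authorisations for {card}: {info}")
```

In the constructed log, `tok_A` is hit from four merchants in six seconds and is flagged on its fifth decline, while `tok_B` (one decline, then a genuine approval) and `tok_C` (three declines at one merchant spread over ten minutes) are not. A real network would also key the check on which field is being varied, since a distributed guess cycles through expiry dates or security codes one at a time, and would feed the alert into the authorisation path rather than just logging it.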
The researchers used their own website "bot" and automated scripts to carry out an experimental distributed guessing attack against their own bank cards.
The experts believe that the guessing attack method was likely to have been used in the Tesco attack, after which the bank refunded each affected customer account in full and assured customers that no personal data had been lost or stolen.