- According to this team, the attackers behind the recent Tesco Bank cyber attack used a guessing attack method.
- The present online payment system fails to detect multiple invalid payment requests made with the same card on different websites.
According to scientists, hackers need just six seconds to obtain your credit/debit card number, expiry date, and security code and create havoc in your life. Researchers at the UK's Newcastle University reached this conclusion after successfully bypassing all the security features designed to protect online payments from various types of fraud.
The study, which exposed several security flaws in the Visa payment system, found that neither the card networks nor the banks were able to detect attackers making multiple invalid attempts to obtain card payment data.
Hackers can automatically and systematically generate different variations of a credit/debit card's security data and submit them across multiple websites. Within seconds the hacker gets a 'hit', and all the necessary security data is verified.
According to the team, the attackers behind the recent Tesco Bank cyber attack used this guessing attack method, which the researchers described as "frighteningly easy if you have a laptop and an internet connection."
Mohammed Ali, a PhD student at Newcastle University, said, "This sort of attack exploits two weaknesses that on their own are not too severe but when used together, present a serious risk to the whole payment system."
The first is that the payment system fails to detect multiple invalid payment requests coming from different websites; the second is that different websites ask for different pieces of payment card data when an online purchase is made. Each piece of data is harmless on its own, but when the pieces are put together, which hackers are good at doing, they pose a serious security threat.
"The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time," he said.
"Each generated card field can be used in succession to generate the next field and so on," Ali said.
"If the hits are spread across enough websites then a positive response to each question can be received within two seconds - just like any online payment," he said.
"So even starting with no details at all other than the first six digits - which tell you the bank and card type and so are the same for every card from a single provider - a hacker can obtain the three essential pieces of information to make an online purchase within as little as six seconds," clarified Ali.
To obtain the card details, the hacker uses online payment websites to test guesses; the website's reply to each transaction attempt confirms whether the guess is right or wrong.
The present online payment system fails to detect multiple invalid payment requests made with the same card across different websites, so hackers can make an unlimited number of attempts.
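The missing control the article describes is a velocity check that counts invalid authorisation attempts per card across every merchant, rather than per merchant. The following is an added example (not code from the Newcastle University study or from any card network or bank) showing how such a cross-merchant check can be run over authorisation logs. The log format, the hashed card identifiers, the merchant IDs, the window and the threshold are all constructed assumptions for the demonstration.

```python
"""Cross-merchant decline velocity check for card-not-present payments.

Added example, not code from the study or any payment network. It flags a
card that accumulates many declines inside a short window even when each
decline comes from a different website, which is exactly the pattern the
article says today's system fails to notice. Log format and thresholds are
assumptions made for this demonstration.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Deque, Dict, List


@dataclass(frozen=True)
class AuthAttempt:
    ts: datetime
    pan_hash: str        # hashed card number; the raw PAN is never logged
    merchant_id: str
    result: str          # "approved" or "declined"
    decline_reason: str  # e.g. "bad_expiry", "bad_cvv"; empty when approved


class CardVelocityMonitor:
    """Sliding-window count of declines per card, pooled across merchants."""

    def __init__(self, window: timedelta, max_declines: int):
        self.window = window
        self.max_declines = max_declines
        self._declines: Dict[str, Deque[AuthAttempt]] = defaultdict(deque)

    def observe(self, attempt: AuthAttempt) -> bool:
        """Record one attempt; return True if the card should now be flagged."""
        q = self._declines[attempt.pan_hash]
        # Forget declines that have aged out of the window.
        while q and attempt.ts - q[0].ts > self.window:
            q.popleft()
        if attempt.result != "declined":
            return False
        q.append(attempt)
        return len(q) > self.max_declines

    def summary(self, pan_hash: str) -> Dict[str, int]:
        """Declines in window, distinct merchants, and the per-merchant peak."""
        q = self._declines[pan_hash]
        per_merchant = Counter(a.merchant_id for a in q)
        return {
            "declines": len(q),
            "merchants": len(per_merchant),
            # A merchant-local check would only ever see this many per site.
            "max_per_merchant": max(per_merchant.values(), default=0),
        }


def parse_log(lines: List[str]) -> List[AuthAttempt]:
    """Parse constructed lines: '<ISO time> <pan_hash> <merchant> <result[:reason]>'."""
    attempts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, pan_hash, merchant, outcome = line.split()
        result, _, reason = outcome.partition(":")
        attempts.append(AuthAttempt(datetime.fromisoformat(ts), pan_hash, merchant, result, reason))
    return attempts


def flagged_cards(lines: List[str],
                  window: timedelta = timedelta(seconds=10),
                  max_declines: int = 5) -> Dict[str, Dict[str, int]]:
    """Return a summary for every card whose pooled declines exceed the threshold."""
    monitor = CardVelocityMonitor(window, max_declines)
    flagged = set()
    for attempt in parse_log(lines):
        if monitor.observe(attempt):
            flagged.add(attempt.pan_hash)
    return {pan: monitor.summary(pan) for pan in sorted(flagged)}


# Constructed sample log: cardA is probed once at each of seven sites within
# four seconds; cardB is a normal shopper with one mistyped security code.
SAMPLE_LOG = """
2018-03-31T12:00:00 cardA m001 declined:bad_expiry
2018-03-31T12:00:01 cardA m002 declined:bad_expiry
2018-03-31T12:00:01 cardA m003 declined:bad_expiry
2018-03-31T12:00:02 cardA m004 declined:bad_expiry
2018-03-31T12:00:02 cardA m005 declined:bad_expiry
2018-03-31T12:00:03 cardA m006 declined:bad_cvv
2018-03-31T12:00:03 cardA m007 declined:bad_cvv
2018-03-31T12:00:04 cardA m008 approved
2018-03-31T12:00:05 cardB m001 declined:bad_cvv
2018-03-31T12:05:00 cardB m002 approved
"""

if __name__ == "__main__":
    for pan, info in flagged_cards(SAMPLE_LOG.splitlines()).items():
        print(f"{pan}: {info}")
```

Run as a script, the check flags cardA with seven declines across seven merchants while the per-merchant peak is only one, which is why a merchant-local limit never fires; cardB, with a single decline, is not flagged. In a real deployment the pooled counter would sit at the issuer or card network, where all merchants' authorisation traffic is visible.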
The research was published recently in the academic journal IEEE Security & Privacy.
Last Updated 31 Mar 2018, 6:34 PM IST