According to a research study conducted in Newcastle University, cyber criminals can guess a Visa credit card’s number, expiry date and CVV number (the three digit number present on the back of the card) in a matter of a few seconds. The research paper has been published in the journal IEEE Security & Privacy, and explains how cyber criminals and online fraud artists use a Distributed Guessing Attack to skirt online fraud prevention measures.
In a response to the study, VISA claimed that the research didn’t take into other layers of security like its Verified By VISA system — which, at least in India, makes it mandatory for users to enter a unique transaction PIN seperately SMSed to them on a registered mobile number as the final step in an online transaction.
Researchers found that fraud detection systems, while capable to certain extent, failed to take into account cyber criminals’ software-driven multiple invalid attempts on websites in order to get VISA credit or debit card data. What this means is that cyber criminals can try transacting at hundreds of websites simultaneously, without registering on the existing system’s security radar. Following that, by a process of elimination, the criminals can easily guess a credit or debit card’s number, expiry date and CVV code to carry out an unauthorised but successful online transaction.
It is widely believed that criminals exploited a similar technique for the Tesco Bank hack carried out in the UK earlier last month. In a statement, Mr T R Ramachandran, Group Country Manager, India & South Asia for VISA said:
The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world. Visa is committed to keeping fraud at low levels and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally.
He also went on to say that VISA provides issuers with the necessary data to make informed decisions on the risk of transactions. He spoke in particular detail about the Verified by Visa feature, saying that the two-factor authentication system provides an efficient barrier to hacking attempts. He continued:
It helps to prevent fraudulent transactions and gives all parties in the payment process greater peace of mind, especially when used in conjunction with all the other security features offered by Visa.
