NEWCASTLE, England—Think online holiday shopping is pretty safe thanks to the CVV code on the back of a credit card? A new report reveals that crooks can crack Visa cardholders’ CVV code in seconds.
The trick, described in a new academic paper from Newcastle University, may have been responsible for the hack of thousands of Tesco customers in the U.K., reported Fortune.
It also shows how online payments remain a weak spot as more crooks turn to e-commerce fraud due to the migration to EMV.
Fortune explained that the Visa vulnerability described in the paper works like this: The hackers use bots to submit credit card information to hundreds of retailers at once in order to guess the missing security code. Since the code is only three digits, it takes a maximum of 1,000 guesses to crack it. The paper suggests the attack can be carried out in just six seconds.
“These experiments have also shown that it is possible to run multiple bots at the same time on hundreds of payment sites without triggering any alarms in the payment system. Combining that knowledge with the fact that an online payment request typically gets authorized within two seconds makes the attack viable and scalable in real time. As an illustration, with the website bot configured cleverly to run on 30 sites, an attacker can obtain the correct information within four seconds,” reported Fortune, quoting from the academic paper.
According to Fortune, the researchers say the trick works because Visa does not detect multiple attempts to use a card across its network. The researchers said this is different than MasterCard, which will detect the guessing attack after fewer than 10 attempts, even when the guesses are spread across multiple websites.
Online retailers are also part of the problem since many of them allow someone to submit the same credit card details over and over again, Fortune noted.
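The detection gap described above can be shown with a short sketch. This is an added example, not code from the Newcastle paper or from Fortune. It compares a per-retailer retry counter with a network-wide per-card counter over the same declined-CVV events. The function names, the thresholds, the window length and the event data are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # assumption: sliding window length
NETWORK_LIMIT = 10    # assumption: echoes the "fewer than 10 attempts" figure
MERCHANT_LIMIT = 5    # assumption: a retry cap a single retailer might enforce


def flag_cards(events, limit, per_merchant):
    """Return {card: timestamp at which it was flagged}.

    events: time-ordered (ts_seconds, merchant, card_token, cvv_ok) tuples.
    per_merchant=True counts CVV failures per (card, merchant), the view a
    single retailer has; False counts per card across all merchants, the
    view only the payment network has.
    """
    recent = defaultdict(deque)  # key -> timestamps of recent CVV failures
    flagged = {}
    for ts, merchant, card, cvv_ok in events:
        if cvv_ok or card in flagged:
            continue
        key = (card, merchant) if per_merchant else card
        window = recent[key]
        window.append(ts)
        # Drop failures that have aged out of the sliding window.
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= limit:
            flagged[card] = ts
    return flagged


def constructed_events():
    """Constructed sample: card-A is declined twice at each of 30 sites
    within six seconds; card-B has one mistyped code, then succeeds."""
    events = [(i * 0.1, f"shop-{i % 30}", "card-A", False) for i in range(60)]
    events.append((2.05, "shop-3", "card-B", False))
    events.append((9.0, "shop-3", "card-B", True))
    return sorted(events)


if __name__ == "__main__":
    ev = constructed_events()
    print("per-merchant view:", flag_cards(ev, MERCHANT_LIMIT, True))
    print("network view:     ", flag_cards(ev, NETWORK_LIMIT, False))
```

No single retailer in the sample sees more than two declines, so the per-merchant counter flags nothing, while the network-wide counter flags card-A on its tenth decline and leaves card-B alone.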
