In early November, Tesco Bank suspended all user transactions after 20,000 clients lost an estimated $700 per account. A study published in the academic journal IEEE Security & Privacy, led by Newcastle University’s Mohammed Ali, revealed that an attack called the “Distributed Guessing Attack” could have been used in the breach of Tesco Bank accounts.
Essentially, the Distributed Guessing Attack (DGA) is a method that allows hackers and criminals to obtain Visa credit card numbers and their security codes within six seconds by a process of elimination.
Ali, the author of the study, stated that this process of elimination works against credit card networks like Visa because they permit an unlimited number of guesses for each card data field.
“The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time.”
“Each generated card field can be used in succession to generate the next field and so on. If the hits are spread across enough websites then a positive response to each question can be received within two seconds – just like any online payment,” adds Ali.
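Because the guesses are spread across many websites, no single site sees more than a few failed attempts, and the pattern only shows when declines are counted per card across all merchants. The detection sketch below is an added example, not code from the study or from Visa; the event tuple layout, thresholds, key and sample data are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

KEY = b"constructed-demo-key"  # assumption: per-deployment secret
WINDOW_S = 60                  # assumption: sliding window, seconds
MAX_DISTINCT = 5               # assumption: distinct wrong values tolerated per field

def fingerprint(value):
    """Keyed hash so guessed values can be compared without being stored."""
    return hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def detect(events, window_s=WINDOW_S, max_distinct=MAX_DISTINCT):
    """events: (ts, card_token, merchant, field, value, approved) tuples.
    Returns {(card_token, field): (distinct_guesses, merchants)} for cards whose
    declines show many distinct values for one field inside one window,
    counted across all merchants rather than per merchant."""
    recent = defaultdict(list)  # (card, field) -> [(ts, fingerprint, merchant)]
    alerts = {}
    for ts, card, merchant, field, value, approved in sorted(events):
        if approved:
            continue
        key = (card, field)
        recent[key].append((ts, fingerprint(value), merchant))
        recent[key] = [e for e in recent[key] if ts - e[0] <= window_s]
        guesses = {fp for _, fp, _ in recent[key]}
        if len(guesses) > max_distinct:
            merchants = {m for _, _, m in recent[key]}
            seen, where = alerts.get(key, (0, set()))
            alerts[key] = (max(seen, len(guesses)), where | merchants)
    return alerts

def per_merchant_peak(events, card, field):
    """Most declines any single merchant saw for this card and field."""
    counts = defaultdict(int)
    for _, c, merchant, f, _, approved in events:
        if c == card and f == field and not approved:
            counts[merchant] += 1
    return max(counts.values(), default=0)

# Constructed sample: tok_A is probed once at each of 8 merchants;
# tok_B is a customer who mistypes twice at one merchant, then succeeds.
SAMPLE = [(i * 2, "tok_A", f"shop{i}.example", "cvv", f"{100 + i}", False)
          for i in range(8)]
SAMPLE += [(3, "tok_B", "shop0.example", "cvv", "123", False),
           (9, "tok_B", "shop0.example", "cvv", "124", False),
           (15, "tok_B", "shop0.example", "cvv", "142", True)]

if __name__ == "__main__":
    print(detect(SAMPLE), per_merchant_peak(SAMPLE, "tok_A", "cvv"))
```

On the sample, each merchant sees a single decline for tok_A, yet the cross-merchant count flags it, while the customer who mistyped twice is left alone.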
Vulnerability of credit cards
The first six digits of any credit card give out vital information to hackers: the identity of the credit card network, bank information and card type. With these three pieces of information, hackers can then use the DGA method to spend funds.
While Visa criticized Ali’s research, it did not deny the possibility of running the DGA against its line of credit cards.
“The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world,” Visa stated.
Financial service providers and credit card operators like Visa settle around $7 trillion in transactions per year, conducting over 100 billion transactions for their users. Considering the sheer size of the Visa network, it is concerning to discover that hackers can use simple methods such as the process of elimination to blindly guess credit card numbers and security codes to carry out transactions.
The Visa and Tesco Bank hacking attack demonstrated the importance of security once again, proving the necessity for trustless financial networks and systems.