Fraudsters can guess credit card numbers in as little as six seconds per attempt thanks to security gaps in Visa’s network, academics say.
The brute force attacks allow criminals to bombard Visa with card payment requests across multiple sites with each attempt narrowing the possible combinations until a valid card number and expiry date are determined.
Visa, unlike rival Mastercard, does not detect the flood of requests as unusual, the researchers say.
The attacks, handy for criminals with only partial breach records oof personal information, work against the Alexa Top 400 online merchant sites accroding to findings in the paper Does The Online Card Payment Landscape Unwittingly Facilitate Fraud? [PDF] written by Newcastle University’s Mohammed Aamir Ali, Dr Leonardus Arief, Dr Martin Emms, and professor Aad van Moorsel.