The countdown to year’s end almost inevitably means an increase in online purchases. On the heels of Black Friday and Cyber Monday, a full-blown consumerist race kicks off the goes until January. This 2016 will continue to show consumers turning more and more to e-commerce for their gift giving needs.

However, the convenience of paying by credit card online comes hand in hand with a real risk to our wallets. A recent study by investigators at the University of Newcastle revealed that the existence of a multitude of online payment systems, with their corresponding security measures, isn’t enough to guarantee consumer protection.  It’s more like the opposite — often, as a result of so much variety, we end up with a chaotic jumble that generates major vulnerabilities.

After analyzing several different payment methods, researchers discovered a new type of attack that allows cybercriminals to hack a credit card in only six seconds.

This kind of attack, which takes advantage of a couple of vulnerabilities with Visa cards, is already being used. In fact, it is believed to be the system used to steal money from 20,000 accounts of Tesco’s clients.

Actually, the attack is not very complex. It uses sheer brute force. Specifically, it exploits two oversights in online payment platforms. On the one hand, these platforms do not detect multiple erroneous payment requests when coming from different websites. On the other hand, they allow up to twenty erroneous payments for each credit card on each page. And as if that wasn’t enough, the payment system doesn’t refresh to request different information from the buyer after each failed attempt.

Thus, the attacker needs only a credit card number to start randomly guessing the CVV (Card Verification Value) and expiration date until it arrives at the right combination through brute force. Investigators tested this kind of attack on the 400 most popular e-commerce websites. They demonstrated that if we trust a credit card’s security as the sole safety measure, theft becomes a real possibility.

Platforms which use the Verified by Visa system or even payments with Mastercard actually escape these vulnerabilities. This shows that online credit card security by itself may, paradoxically, pose a serious risk.

via:  pandasecurity