Study: Hackers Can Guess All Your Visa Card Numbers in 6 Seconds


A new study has given us another reason to review credit card bills and bank statements closely.

Hackers can correctly guess every number on your debit or credit card — including the expiration date and security code — in as few as six seconds, according to researchers at Newcastle University in England.

While Visa has disputed the findings, the researchers say your risk is highest this time of year because many shoppers buy gifts online.

The vulnerabilities that enable hackers to correctly guess card numbers are particular to Visa cards, according to the study. The researchers conducted experiments involving MasterCard and Visa. They found MasterCard was not vulnerable in the same way.

Their findings were recently published in the journal IEEE Security & Privacy.

The Institute of Electrical and Electronics Engineers, or IEEE, is a nonprofit organization that describes itself as “the world’s largest technical professional organization dedicated to advancing technology for the benefit of humanity.”

The study found that hackers use a technique known as a “distributed guessing attack” to successfully guess your card numbers. This method involves using multiple websites that accept debit or credit card payments to make guesses.

Two weaknesses make this attack possible, according to lead study author Mohammed Aamir Ali, a doctoral student in Newcastle University’s School of Computing Science:

  1. Currently, the online payment system does not detect when multiple invalid payment requests — resulting from a hacker’s unsuccessful guesses — are distributed across different websites. This allows a hacker to make unlimited guesses for each of the three card data fields: card number, expiration date and security code.
  2. Different websites ask for different card data fields to validate online purchases. For example, some ask for all three fields, while others ask only for the card number and expiration date.

Ali says it’s the combination of these two weaknesses that makes it “frighteningly easy for attackers to generate all the card details one field at a time.”

Putting that another way, he concludes:

“So even starting with no details at all other than the first six digits — which tell you the bank and card type and so are the same for every card from a single provider — a hacker can obtain the three essential pieces of information to make an online purchase within as little as six seconds.”
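The first weakness is a missing cross-merchant view of declined payments. The following Python sketch is an added example, not code from the study or from any payment network: it shows how a network-side or issuer-side check could count declines per card across all merchants in a sliding window. The event schema, the thresholds and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class AuthAttempt:            # hypothetical event schema
    ts: float                 # seconds
    card_token: str           # tokenised card number, never the raw PAN
    merchant: str
    approved: bool

class CrossMerchantDeclineDetector:
    """Flags a card whose recent declines are spread over several merchants."""
    def __init__(self, window_s=60.0, max_declines=5, min_merchants=3):
        self.window_s = window_s            # assumed thresholds, tune on real data
        self.max_declines = max_declines
        self.min_merchants = min_merchants
        self._declines = defaultdict(deque)  # card_token -> (ts, merchant) entries

    def observe(self, ev):
        """Return True if this attempt should be blocked or challenged."""
        q = self._declines[ev.card_token]
        while q and ev.ts - q[0][0] > self.window_s:
            q.popleft()                      # forget declines outside the window
        flagged = (len(q) >= self.max_declines
                   and len({m for _, m in q}) >= self.min_merchants)
        if not ev.approved:
            q.append((ev.ts, ev.merchant))
        return flagged

def worst_per_merchant_count(events, card_token):
    """Most declines any single merchant sees for a card (the per-site view)."""
    counts = defaultdict(int)
    for e in events:
        if e.card_token == card_token and not e.approved:
            counts[e.merchant] += 1
    return max(counts.values(), default=0)

def sample_events():
    # Constructed data: tok_A is declined once at each of 8 shops, tok_B is a
    # cardholder who mistypes twice at one shop and then succeeds.
    evs = [AuthAttempt(i * 0.5, "tok_A", f"shop{i}", False) for i in range(8)]
    evs.append(AuthAttempt(4.0, "tok_A", "shop8", True))
    evs += [AuthAttempt(10.0, "tok_B", "shop1", False),
            AuthAttempt(20.0, "tok_B", "shop1", False),
            AuthAttempt(30.0, "tok_B", "shop1", True)]
    return evs

def flagged_attempts(events, detector=None):
    det = detector or CrossMerchantDeclineDetector()
    ordered = sorted(events, key=lambda e: e.ts)
    return [(e.card_token, e.merchant) for e in ordered if det.observe(e)]
```

On the sample data no single merchant sees more than one decline for `tok_A`, fewer than the cardholder's own typos produce for `tok_B`, while the aggregated view flags `tok_A` from the sixth attempt onward, including the attempt that would otherwise have been approved.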

Fortunately, the researchers note, simple steps like monitoring statements and balances regularly can help consumers guard against distributed guessing attacks.

Visa notes other safeguards in a statement provided to Money Talks News on Thursday:

“The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world. …

Visa also offers enhanced security using Verified by Visa (based on the 3DSecure standard) which offers improved security for e-commerce transactions. … Where a merchant chooses not to use Verified by Visa for a card not present transaction, they will assume the risk for fraud. …”

To learn about how Verified by Visa works, visit Visa’s consumer webpage on the topic. To learn about other safeguards Visa provides for cardholders, visit its “Security + support” page.

For more tips, check out “7 Ways to Guard Your Wallet — and Identity — When Shopping Online.”
