Study: Hackers Can Guess All Your Visa Card Numbers in 6 Seconds

Study: Hackers Can Guess All Your Visa Card Numbers in 6 Seconds
Photo by wk1003mike /

A new study has given us another reason to review credit card bills and bank statements closely.

Hackers can correctly guess every number on your debit or credit card — including the expiration date and security code — in as few as six seconds, according to researchers at Newcastle University in England.

While Visa has disputed the findings, the researchers say your risk is highest this time of year because many shoppers buy gifts online.

The vulnerabilities that enable hackers to correctly guess card numbers are particular to Visa cards, according to the study. The researchers conducted experiments involving MasterCard and Visa. They found MasterCard was not vulnerable in the same way.

Their findings were recently published in the journal IEEE Security & Privacy.

The Institute of Electrical and Electronics Engineers, or IEEE, is a nonprofit organization that describes itself as “the world’s largest technical professional organization dedicated to advancing technology for the benefit of humanity.”

The study found that hackers use a technique known as a “distributed guessing attack” to successfully guess your card numbers. This method involves using multiple websites that accept debit or credit card payments to make guesses.

Two weaknesses make this attack possible, according to lead study author Mohammed Aamir Ali, a doctoral student in Newcastle University’s School of Computing Science:

  1. Currently, the online payment system does not detect when multiple invalid payment requests — resulting from a hacker’s unsuccessful guesses — are distributed across different websites. This allows a hacker to make unlimited guesses for each of the three card data fields: card number, expiration date and security code.
  2. Different websites ask for different card data fields to validate online purchases. For example, some ask for all three fields, while others ask only for the card number and expiration date.

Ali says it’s the combination of these two weaknesses that makes it “frighteningly easy for attackers to generate all the card details one field at a time.”

Putting that another way, he concludes:

“So even starting with no details at all other than the first six digits — which tell you the bank and card type and so are the same for every card from a single provider — a hacker can obtain the three essential pieces of information to make an online purchase within as little as six seconds.”

Fortunately, the researchers note, simple steps like monitoring statements and balances regularly can help consumers guard against distributed guessing attacks.

Visa notes other safeguards in a statement provided to Money Talks News on Thursday:

“The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world. …

Visa also offers enhanced security using Verified by Visa (based on the 3DSecure standard) which offers improved security for e-commerce transactions. … Where a merchant chooses not to use Verified by Visa for a card not present transaction, they will assume the risk for fraud. …”

To learn about how Verified by Visa works, visit Visa’s consumer webpage on the topic. To learn about other safeguards Visa provides for cardholders, visit its “Security + support” page.

For more tips, check out “7 Ways to Guard Your Wallet — and Identity — When Shopping Online.”

What’s your reaction to this news? Share your thoughts below or on Facebook.

Popular Articles

Don’t Want to Owe Taxes After You Die? Avoid These 17 States
Don’t Want to Owe Taxes After You Die? Avoid These 17 States

In one state, the tax man is especially tough on the estates of those who shake off this mortal coil.

10 Habits Happy People Use to Make Life Better
10 Habits Happy People Use to Make Life Better

If you want to walk through life with a smile on your face, try these habits on for size.

6 Ways to Score ‘Senior’ Discounts on Car Rentals After Turning 50
6 Ways to Score ‘Senior’ Discounts on Car Rentals After Turning 50

Are you 50 or older? Here’s how to save up to 43% at a dozen car and truck rental companies — either with or without an AARP membership.

View this page without ads

Help us produce more money-saving articles and videos by subscribing to a membership.

Get Started