Gone in six seconds

21 December 2016

How cyber thieves can piece together credit card details – and how to stay safer online while bagging those festive bargains


Research has revealed that cyber thieves who query lots of websites at once can potentially guess credit card numbers in just a few seconds.

Security experts from the University of Newcastle found loopholes on websites that helped thieves seeking card data.

Vulnerable sites, including some of the most popular retailers online, have been told about their findings, with some putting defences in place against the possible attack.

The research created a credit card querying system that simultaneously submitted payment requests to different sites at the same time.  By trying different combinations of a card's number, expiry date and security code, the system could quickly find out all the information needed to replicate a card.

Because different sites ask for different parts of the credentials required to verify a purchase, it was possible to compile the fragmented details that sites share to build up all the security information for a card.

This approach could help thieves who have some knowledge of victims gained from information in the massive troves of data released by breaches at web firms.

A sample attack showed that if an attacker ran many queries at once they could compile the correct information about a card in approximately six seconds.

There is no evidence that cyber thieves are using such a distributed attack but the research demonstrates that it is “practical" and therefore a "credible" threat.

The team shared its findings with 36 of the sites against which they ran their distributed card number-guessing system. The disclosure led to eight sites changing their security systems to thwart the attacks. Many now limit the number of times card details can be checked. But 28 sites made no changes despite the disclosure. http://www.bbc.co.uk/news/technology-38207974


Here are Amethyst’s top tips for smart shopping and bagging bargains:

  • Always have internet security (antivirus) software and apps switched on and updated (including those new phone and tablet gifts)

  • Don't open attachments or click on links in festive (or any other) emails you're not expecting, as they could be scams. And be careful with ecards as they can be fraudulent too

  • Secure Wi-Fi is vital for your privacy. At home, check your router security settings. Out and about, never use free Wi-Fi hotspots when what you're doing is private

  • Passwords that are easy to guess, that you use for more than one account or that you share with others, are a no-no

    Always check payment pages are secure, and log out when you've finished shopping online

  • When making a purchase from an auction website, use insured payment methods like PayPal and never do a bank transfer to people you don't know

  • Ensure that the website address begins ‘https’ at the payment stage which indicates a secure payment, you should also see a padlock symbol appear at the top or bottom of the page

  • Never enter your card PIN online

  • Keep your security software and firewalls up to date. Regularly update your internet browser when a new patch-security update is released

  • Be wary of low prices for branded goods as the items for sale may not exist or be counterfeit.  If it is too good to be true, it usually is!



Contact us for more information

<< Back to Latest News items