Credit card is the main way of online payment, and its security must be guaranteed. Recently, however, some researchers found that as long as you have a VISA credit card number, you can crack the validity period and check code of the credit card within 6 seconds, and then steal its identity.

The guessing process is dispersed for 6 seconds to crack the validity period and security code.

Generally speaking, shopping websites will limit the number of credit card numbers, expiration dates and check codes (CVV) to avoid being cracked. However, there are a large number of online stores, so as long as the cracked programs are split into various websites at the same time, things will be easy.

Researchers at NewcastleUniversity found that they can get the correct credit card expiration date and check code within 6 seconds through "DistributedGuessingAttack". According to research, credit cards are generally valid for up to five years, so you only need to try 60 times; Three-digit parity check code is a bit difficult, so you need to try 1000 times. Therefore, even if the website limits the input times, it can be quickly cracked as long as the process is split into multiple websites.

This study studied 389 frequently visited websites, and found that only 47 websites used 3-DSecure authentication, which successfully stopped the attack, but 29 1 websites simply verified the validity period and check code, of which 238 websites allowed more than 6 attempts, greatly reducing the difficulty of cracking; There are 26 websites that only need to verify the validity period, or even do not need to check the code.

MasterCard, another credit card issuer, will not be affected by the "distributed guessing attack" because of its centralized payment network, and the authentication that fails within 10 times will detect anomalies.

Visa response: The study did not consider other anti-fraud measures.

VISA later responded to the relevant research, saying that they welcomed the efforts of the industry and academia to analyze and solve the loopholes in the payment system, but the payment system itself has multiple anti-fraud measures, and transactions must be completed through these measures, which was not taken into account in their research.

VISA said that they are committed to cooperating with card issuers to prevent others from illegally obtaining cardholder information; If a consumer's credit card is stolen, it will also be protected and will not bear the responsibility of the consumer.

VISA also pointed out that they have provided a more secure VerifiedbyVISA based on 3DSecure. If the merchant chooses not to use it, it will bear the risk of fraud, so it is necessary to adopt 3-DSecure authentication.