How Hackers Guess Your Credit Card Details
Protect your personal information from falling in to the wrong hands.
Most of us have experienced that sinking feeling triggered by finding bogus transactions on our bank statement when one of our cards is fraudulently used.
You may have blamed yourself for not taking care of your card, or for using it on a dodgy website. But it may not have been your fault.
In order for a hacker to use a card, they can steal details. And in some cases, they can simply guess the numbers.
How Guessing Software Works
All cards from the same provider have a long card number that starts with the same six numbers. This is the only information a hacker needs.
Using an automated tool, they hacker can hit multiple websites with random combinations of card numbers, CVV numbers, post codes, and dates. They don’t need to program these in. Special software does it for them.
The software can detect when the card is verified on one of the sites, so it knows that it’s guessed correctly.
Researchers at the University of Newcastle discovered the technique in 2016. They published their findings in December 2017 and alerted Visa and Mastercard. Mastercard closed the loophole in response, but Visa did not.
Hacking in Action
By hammering hundreds of websites with fake details at the same time, the software can eventually hit on a combination that’s valid without triggering an alert.
For example, if a website only allows five attempts to use a card, repeating the process on 200 different sites gives you 1,000 guesses.
That’s enough to try every possible CVV from 000 to 999.
Different websites use different parts of the card number, date, CVV, or postcode to check that it’s valid. So if you use the right combination of sites to carry out these random checks, you can paste together details for a card that works.
What’s more, this can be done using software in less than six seconds.
Security experts believe that this method was used to steal money from at least 20,000 Tesco Bank customers in November 2016 using their debit cards. (Some reports claim that the number of accounts breached was double that.)
How to Keep Your Card Number Safe
In general, it’s far more likely that your card details would be stolen, rather than automatically generated, so it’s important to take the usual precautions:
Avoid swiping your card or handing it over a counter where it could be swiped without you seeing
If the card machine looks unusual or feels loose, pay in cash if you can
Sign your cards when you receive them and store them securely if you don’t intend to use them for a while
Never save card details in a web browser unless you’ve set a strong master password.
If you’re concerned about card security, look into bank accounts that offer disposable ‘virtual’ card details. You can use them once and then generate new details to reduce the risk of fraud.