It Takes Six Seconds To Guess A Visa Payment Card’s Information

Criminals have come up with some very creative ways to obtain credit card information over the past few years. Most of their attack vectors hinge on using social engineering, brute forcing, or malware. But a new hack against the Visa network can “guess” complete card details in six seconds or less–a disturbing development, although it may not be the most practical solution.

A Scary New Way of Obtaining Credit Card Information

By using this particular hack, criminals can obtain not only the card number but also the expiry date and CVV code of any Visa payment card in circulation. This attack goes by the name of “Distributed Guess Attack”, which is thoroughly explained in a research paper. It is very likely that this attack vector was abused during the recent Tesco bank hack, although that has not been officially confirmed.

The payment card ecosystem as we know it comes with many flaws, some of which are more obvious than others. Different online merchants can request data sets when processing a payment request. In most cases, this requires the card number, expiry date, and CVV value.  Others may ask for more details, such as an address.

It is possible, however, for an assailant to submit multiple invalid payment requests for the same card in quick succession. Contrary to what people believe, this type of behavior is not detected and will not “flag” the card for improper behavior. In fact, this allows hackers to complete an indefinite amount of guesses as to which card number or expiration date is being used.




Combining these two factors leads to an unlikely scenario in which a criminal can extract full card information by automatically generating and verifying different card information combinations. It takes all but six seconds to fully compile card information, even when different information is taken from different websites or retailers.

Interestingly enough, this method of attack will only affect Visa cards, whereas MasterCard is unaffected. In fact, MasterCard designed tools to detect such erratic behavior. It is quite strange to find out that Visa does not have such a feature, despite their dominant market position. Then again, large companies seldom operate with the consumer’s interest at heart.

Granted, pulling off such an attack requires a bit of coding. A bot that can automate these guesses will make quick work of possible combinations for individual cards, resulting in the average time of six seconds to crack the details.  In fact, once a criminal knows the card number, it is only a matter of guessing the expiration date. Most cards are only valid for five years, limiting the range somewhat.

If you liked this article, follow us on Twitter @themerklenews and make sure to subscribe to our newsletter to receive the latest bitcoin, cryptocurrency, and technology news.

Leave a Reply