If you’ve punched in credit card details while shopping online, you’ve probably wondered how secure those digits are. According to Newcastle University, the answer is: not very. Its researchers have discovered that thieves are using web bots to guess Visa credit and debit card info thanks to a flaw in the company’s payment system. The biggest challenge is obtaining valid 16-digit card numbers, which thieves usually buy or generate with an algorithm. After that, the bots find expiration dates and CVVs (that three-digit number on the back) by spreading guesses across hundreds of shopping sites, plugging numbers into fields until they hit the jackpot. While that sounds like a painstaking process, the bots can figure things out in 6 seconds.
The flaw stems from the lack of checks for this kind of behavior. While it’s bad enough that online stores often allow dozens of incorrect guesses (sometimes an unlimited number), Visa doesn’t appear to have a system in place to check for this kind of suspicious activity. Mastercard, in contrast, would realize something was wrong in “less than 10 attempts” and shut down the potential crime, no matter where the payment processing was taking place.
We’ve asked Visa for its response. This isn’t just a theoretical exercise, though. On top of existing observations, it’s believed that this technique was used in a recent attack on UK retailer Tesco that racked up £2.5 million ($3.2 million) in fraud. As for the solution? Visa would ideally implement a Mastercard-like check for odd behavior, but the most immediate fix may come from the stores themselves. Some of the websites used for these guesses are reducing the opportunities to guess info, making these attacks more difficult. Until there’s a more permanent solution in place, though, you’ll want to keep a close eye on your Visa card statements for any unusual charges.
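To see why a store-by-store limit misses guesses spread across many sites while a network-wide count catches them, here is an added Python example (not from the Newcastle research or from either card network). The event format, the card and shop names, the 10-minute window and both thresholds are assumptions, and the data is constructed.

```python
from collections import defaultdict, deque

WINDOW_S = 600      # assumed look-back window, in seconds
NETWORK_LIMIT = 10  # assumed threshold, modelled on the "less than 10 attempts" figure
MERCHANT_LIMIT = 5  # assumed per-site cap on wrong guesses


def per_merchant_blocks(events, limit=MERCHANT_LIMIT):
    """Each store counts only the declines it saw itself."""
    fails = defaultdict(int)
    blocked = set()
    for _ts, merchant, card, approved in events:
        if approved:
            continue
        fails[(merchant, card)] += 1
        if fails[(merchant, card)] >= limit:
            blocked.add((merchant, card))
    return blocked


def network_blocks(events, limit=NETWORK_LIMIT, window=WINDOW_S):
    """Count declines per card across every merchant, in a sliding window.

    Returns {card: (lock_timestamp, distinct_merchants_in_window)}.
    """
    recent = defaultdict(deque)  # card -> (ts, merchant) of recent declines
    locked = {}
    for ts, merchant, card, approved in sorted(events):
        if approved or card in locked:
            continue
        q = recent[card]
        q.append((ts, merchant))
        while q and ts - q[0][0] > window:  # drop declines outside the window
            q.popleft()
        if len(q) >= limit:
            locked[card] = (ts, len({m for _, m in q}))
    return locked


def sample_events():
    """Constructed data: card-A declined twice at each of 12 stores; card-B is normal use."""
    ev = [(i, f"shop-{i // 2:02d}", "card-A", False) for i in range(24)]
    ev += [(5, "shop-03", "card-B", False), (900, "shop-03", "card-B", True)]
    return ev


if __name__ == "__main__":
    print("per-merchant blocks:", per_merchant_blocks(sample_events()))
    print("network-level locks:", network_blocks(sample_events()))
```

No single store ever sees more than two declines for card-A, so the per-merchant check stays silent, while the cross-merchant count locks the card on its tenth decline and leaves card-B's single mistyped attempt alone.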