For many people, shopping online takes the hassle out of going to the store. There's no traffic, no crowds, no lines--you can sit at home in your pajamas and shop in comfort.
However, as more people shop online and credit card technology improves, credit card thieves are increasingly turning to hacking online systems to steal card information and identities. A group of researchers from Newcastle University in the UK recently published a paper in "IEEE Security & Privacy" magazine showing that the way online credit card payments are handled may actually help fraudsters succeed with their attacks.
The researchers focused on online fraud in the UK, as it's the single largest type of credit card fraud in that country, comprising 45 percent of the total credit and debit card fraud there. A double-digit increase in the amount of online shopping has also contributed to a higher rate of online fraud.
The researchers looked at the security solutions on hundreds of the top online retailers and found that hackers can guess your information in as little as six seconds, due to the way the payment landscape is set up.
When you buy something online, the retailer asks for some specific payment information, like your name, credit card number, the type of card, expiration date, and CVV number. This information is needed because the retailer doesn't get to see your physical card and can't check to see if you are who you really say you are.
To process your payment, the merchant sends that information through a chain of entities that approve the payment and process your order.
First, the merchant sends the payment information to a payment gateway. This is a service that authorizes and processes the merchant's request. Next, the payment gateway requests authorization from the payment network, such as Visa or MasterCard. Then the network asks the bank that issues your credit card whether or not you have a large enough balance to cover the payment.
Once the card issuing bank authorizes that payment, the information goes back through this chain of networks and gateways and finally confirms the payment with the merchant, who then says your payment's been approved and your order will be on its way.
The researchers found it's easy for hackers to guess credit card numbers because they can use the merchant's payment page to test guesses at your information. The site will tell them if they're correct or not. Even if the merchant limits the number of times you're allowed to try your credit card number--say, allowing for typos--online merchants don't work together, so it's easy for a hacker to try a card number at one site and then move on to other sites until they guess correctly.
The other problem that the researchers found is that different online retailers ask for different information--some just ask for your card number and expiration date; others ask for that information, plus a CVV; and others ask for the address on top of that information.
Hackers are able to guess some of this information pretty easily once they've gotten a credit card number. To get the right expiration date, it takes a maximum of 60 guesses. A CVV can be figured out within 1,000 tries, which can easily be done with bots and software. However, when merchants ask for card number, expiration date and CVV, it takes upwards of 60,000 attempts, which makes it a lot more onerous for the hacker.
Once hackers know they've gotten a match on a card, they're able to not only buy goods with your information, but they can also transfer money to other countries, which can have more of an impact if banks can't detect the fraud and reverse payments in time.
The researchers noted that Visa cards were much easier to guess than MasterCards because Visa's network doesn't limit the number of times someone can guess card information. With the right tools, a hacker can figure out a Visa number in as little as six seconds by bombarding Visa with payment requests on hundreds of sites at the same time.
The research team approached dozens of retailers with their findings, but few made appropriate adjustments to actually limit the number of card attempts within a certain time period.
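The attempt limit described above, sketched as an added example (not code from the paper, a retailer or a card network): declined attempts are counted per card inside a time window, once the way a single merchant sees them and once across all merchants. The thresholds, merchant names, card tokens and events are constructed assumptions.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300     # assumed look-back window
PER_MERCHANT_LIMIT = 5   # assumed: declines one merchant tolerates per card
NETWORK_LIMIT = 10       # assumed: declines tolerated per card across merchants

def flag_cards(events, key_fn, limit, window=WINDOW_SECONDS):
    """Return card tokens whose declines, grouped by key_fn(merchant, card),
    exceed `limit` within any sliding window of `window` seconds."""
    recent = defaultdict(deque)          # key -> timestamps of recent declines
    flagged = set()
    for ts, merchant, card, approved in sorted(events):
        if approved:
            continue
        q = recent[key_fn(merchant, card)]
        q.append(ts)
        while q and ts - q[0] > window:  # drop declines older than the window
            q.popleft()
        if len(q) > limit:
            flagged.add(card)
    return flagged

def per_merchant_view(events):
    # What each merchant can see alone: declines for a card at its own site.
    return flag_cards(events, lambda m, c: (m, c), PER_MERCHANT_LIMIT)

def network_view(events):
    # What a payment network can see: declines for a card at every site.
    return flag_cards(events, lambda m, c: c, NETWORK_LIMIT)

def build_sample_events():
    """Constructed events: (unix_seconds, merchant, card_token, approved)."""
    events = []
    # card-A: 3 declines at each of 20 merchants, one attempt per second.
    for t in range(60):
        events.append((t, f"merchant-{t // 3:02d}", "card-A", False))
    # card-B: ordinary shopper, two typos and then an approval at one merchant.
    events += [(10, "merchant-03", "card-B", False),
               (25, "merchant-03", "card-B", False),
               (40, "merchant-03", "card-B", True)]
    return events

if __name__ == "__main__":
    ev = build_sample_events()
    print("per-merchant limit flags:", sorted(per_merchant_view(ev)))
    print("network-wide limit flags:", sorted(network_view(ev)))
```

On the sample data no merchant's own limit is reached, while the cross-merchant count flags card-A and leaves the shopper who mistyped twice alone.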
How this affects American consumers is yet to be seen, but with the shift to EMV, more online fraud will occur. It's probably good advice to avoid buying from websites that don't require much in the way of payment information.