The Six-Second Hack That Hit Credit Cards Online
With the holiday shopping season in full swing, a lot of shoppers are looking at turning not to the stores, but rather to the web for shopping. I was no exception on that front.
A new report throws yet another Grinch into online shopping; it turns out that simple queries of e-commerce websites, a process taking about six seconds, revealed a lot of information shoppers would rather see kept quiet.
The collective of researchers detailed their attack plan: by guessing and testing a wide array of possible dates and three-digit CVV numbers on a variety of different websites, the—thankfully–strictly white-hat hackers managed to land credit card information and CVV codes with simple queries.
Those who used Mastercard as a card of choice were actually better off here; the hack didn’t work on those cards at all. Visa proved a different story.
Success with that tool, meanwhile, emboldened the white-hats to wonder if the tool could be used to gather other information like users’ ZIP codes or even addresses. With location data from issuing banks, meanwhile, it becomes further possible to figure out where the card is being used.
If there’s no ZIP code required, meanwhile, it becomes even easier to crack the credit card information involved.
Standardization or centralization, reports note, is the way to go, and some card networks are already using such systems. That may be part of why Mastercard seemed impregnable to this approach while Visa lagged.
Standardization requires merchants to offer the same payment interface, thus preventing the “no ZIP code” flaw, while centralization instead requires payment gateways or networks with a complete view of all attempts associated with the network.
The downside to such an approach is that neither method really works well with normal perceptions of flexibility and freedom of choice, but with breaches so prevalent and one potential new method afoot, it’s a point that needs to be considered.
Security is vital to the ongoing health of the entire online shopping and mobile payments market, so stepping up to provide the necessary protections will be necessary…and potentially regardless of merchant flexibility. It’s a terrible thing to consider, but without security, the whole concept falters.