It turns out credit card numbers aren’t safe when shopping online. A group of researchers were able to find credit card information, including expiration dates and CVV codes, all by querying eCommerce websites.
According to a report by TechCrunch, the researchers — Mohammed Aamir Ali, Budi Arief, Martin Emms and Aad van Moorsel — outlined how they were able to do this in IEEE Security & Privacy. The hack involved guessing and testing hundreds of potential expiration dates and CVV numbers on a slew of different websites. The researchers weren’t able to hack Mastercards with this technique, but Visa wasn’t so secure.
According to the TechCrunch report, the researchers think the tool can be used to figure out zip codes and address data. What’s more, hackers can use location data with issuing banks or use skimmers to determine where the credit cards are being used. If a website doesn’t require a zip code, cracking the credit card information is extremely easy, noted the report.
“To prevent the attack, either standardization or centralization can be pursued (some card payment networks already provide this). Standardization would imply that all merchants need to offer the same payment interface — that is, the same number of fields. Then, the attack does not scale anymore,” wrote the researchers, according to TechCrunch. “Centralization can be achieved by payment gateways or card payment networks possessing a full view over all payment attempts associated with its network. Neither standardization nor centralization naturally fit the flexibility and freedom of choice one associates with the internet or successful commercial activity, but they will provide the required protection. It is up to the various stakeholders to determine the case for and timing of such solutions.”