Researchers from Newcastle University have found that an unsophisticated type of cyberattack, which involved a large amount of ‘guesswork’, was used to launch a large-scale attack on Tesco Bank. The hack resulted in £2.5m of customers’ money being stolen.
The team that published the paper claimed that it could take a hacker as little as six seconds to guess a target’s card details. The technique involves generating different variations of a card’s security data and submitting each to a different eCommerce site. A transaction that goes through then indicates that one particular variation is valid and can be used for further transactions.
Mohammed Ali, lead author on the paper, explained: “Most hackers will have got hold of valid card numbers as a starting point, but even without that, it’s relatively easy to generate variations of card numbers and automatically send them out across numerous websites to validate them.”
Some websites had security systems that allowed them to detect this sort of attack. However, of the 389 that the university team tested, 342 were open to this threat, which is called a ‘distributed guessing attack’.
Ali added: “The CVV is your last barrier and theoretically only the cardholder has that piece of information – it isn’t stored anywhere else. But guessing this three-digit number takes fewer than 1,000 attempts. Spread this out over 1,000 websites and one will come back verified within a couple of seconds. And there you have it: all the data you need to hack the account.”
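The point of spreading the guesses across hundreds of websites is that each merchant sees only a handful of declines, so a per-site limit never trips, while the card issuer sees every decline for that card. The following Python example (added here; not from the paper or the article) runs both kinds of check over a constructed stream of declined authorizations; the merchant names, masked card number and thresholds are made up for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Constructed authorization records, as an issuer would see them: each decline
# is tagged with the submitting merchant and a masked card number. The card
# number and merchant names are placeholders, not real values.
@dataclass(frozen=True)
class AuthAttempt:
    ts: int           # seconds since an arbitrary epoch
    merchant: str
    pan_masked: str   # e.g. "4111********1111" (constructed placeholder)
    approved: bool

def make_distributed_attempts(n_merchants=200, per_merchant=4, pan="4111********1111"):
    """Constructed stream: a few declines at each of many merchants, same card."""
    return [AuthAttempt(ts=i, merchant=f"shop{i % n_merchants:03d}.example",
                        pan_masked=pan, approved=False)
            for i in range(n_merchants * per_merchant)]

def per_merchant_flags(attempts, threshold=5):
    """What a single merchant can see: declines per (merchant, card).
    Returns the (merchant, card) pairs that reach the threshold."""
    declines = defaultdict(int)
    flagged = set()
    for a in attempts:
        if not a.approved:
            key = (a.merchant, a.pan_masked)
            declines[key] += 1
            if declines[key] >= threshold:
                flagged.add(key)
    return flagged

def issuer_flags(attempts, threshold=10, window=60):
    """What the issuer can see: declines per card across all merchants,
    counted in a sliding time window. Returns the cards that reach the threshold."""
    recent = defaultdict(deque)   # card -> timestamps of recent declines
    flagged = set()
    for a in attempts:
        if a.approved:
            continue
        q = recent[a.pan_masked]
        q.append(a.ts)
        while q and a.ts - q[0] > window:   # drop declines outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(a.pan_masked)
    return flagged
```

With the constructed stream, no merchant ever reaches five declines for the card, so the per-merchant check returns nothing, while the issuer-side count flags the card after the tenth decline regardless of which merchants submitted them.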