As any savvy consumer should know by now, there are invariably risks associated with using your debit or credit card to make purchases online. However, despite all the online hazards, it is virtually impossible to avoid online purchases. Whether it’s logging into your online banking, paying via PayPal or direct card purchases, resistance to card payments is futile. Well, that is unless you plan to hide your money in a mattress and go shopping the old-fashioned way!
How High Is the Online Card Payment Risk Really?
A recently released study from the University of Newcastle has shed some light on just how high that risk is. The study found that the online payment system used by the major credit card company Visa could be compromised in as little as six seconds, leaving millions of vulnerable consumers’ credit card numbers and personal financial information compromised. And if that is not alarming enough, the real shock comes from just how easy this kind of malicious attack is. Rather than the highly sophisticated procedure it is assumed to be, it is merely what is known as a “brute force attack”, wherein all a hacker needs is an internet connection and some determination.
As The Guardian reported on the stunning simplicity of the attack method, “criminals use software that automatically generates different variations of a card’s security data – for example, the card number, expiry date and three-digit security code known as the CVV – and fires these off to hundreds or even thousands of websites around the world at the same time. The reply to the transaction will confirm whether or not the guess was right.” Because the hackers spread these guesses over many websites, it doesn’t look suspicious to the card companies, as they don’t see a disproportionate amount of “hits” – only the guesses that happen to be correct. In other words, it was “possible” to run multiple bots at the same time on hundreds of payment sites “without triggering any alarms in the payment system.”
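The detection gap described above, as an added example that is not code from the study or from any card network: each site counting failures on its own sees one bad attempt, while counting declines per card across all sites exposes the pattern. The event fields, thresholds, merchant names and card tokens are assumptions, and the log is constructed.

```python
from collections import defaultdict, deque

WINDOW_MS = 60_000    # assumed sliding window for the cross-merchant count
PER_SITE_LIMIT = 5    # assumed: failures one merchant tolerates per card
NETWORK_LIMIT = 10    # assumed: failures tolerated per card across all merchants

def make_sample_events():
    """Constructed log: (timestamp_ms, merchant_id, card_token, approved)."""
    events = []
    # card-A: 30 declined attempts within 6 seconds, each at a different site.
    for i in range(30):
        events.append((i * 200, f"shop-{i:02d}", "card-A", False))
    # card-B: an ordinary shopper who mistypes once, then succeeds.
    events.append((1_000, "shop-03", "card-B", False))
    events.append((40_000, "shop-03", "card-B", True))
    return sorted(events)

def per_merchant_alerts(events):
    """What each site sees in isolation: failures per (merchant, card)."""
    counts = defaultdict(int)
    for _, merchant, card, approved in events:
        if not approved:
            counts[(merchant, card)] += 1
    return {key for key, n in counts.items() if n > PER_SITE_LIMIT}

def cross_merchant_alerts(events):
    """Issuer-side view: declines per card in a sliding window, all sites."""
    recent = defaultdict(deque)   # card -> deque of (timestamp_ms, merchant)
    flagged = {}                  # card -> (first alert time, distinct sites)
    for ts, merchant, card, approved in events:
        if approved:
            continue
        window = recent[card]
        window.append((ts, merchant))
        # Drop declines that have aged out of the window.
        while window and ts - window[0][0] > WINDOW_MS:
            window.popleft()
        if len(window) > NETWORK_LIMIT and card not in flagged:
            flagged[card] = (ts, len({m for _, m in window}))
    return flagged

if __name__ == "__main__":
    log = make_sample_events()
    print("per-merchant alerts:", per_merchant_alerts(log))
    print("cross-merchant alerts:", cross_merchant_alerts(log))
```

On the constructed log, the per-merchant check raises nothing, while the cross-merchant check flags card-A two seconds in and leaves card-B alone.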
The report also noted that it’s highly likely that the method had been used in the massive attack on major UK supermarket chain Tesco last month, where Tesco Bank customers were defrauded of £2.5 million by having their card details compromised.
How to Minimize the Risk?
The report raises the question of where accountability lies when it comes to keeping our card numbers and financial information safe from hackers with ill intentions. There are seemingly countless articles telling consumers how they should be safe online and minimize their risk. These often include tactics like only using one card to make purchases online (so you avoid spreading risks across your accounts), not entering your card details for non-trusted retailers, and setting up alerts with your bank and credit card companies for suspicious activity. But what about card issuers and merchants? This study shows that there’s still a lot of work to be done on their end to address vulnerabilities in their systems. We assume that, because these companies are so big and powerful, they have taken it upon themselves to protect our financial interests, but clearly not enough is being done.
According to the report, large issuers like Mastercard and Visa need to be more proactive in making sure merchants use extra layers of protection, such as the “Verified by Visa” mechanism that is used online. Currently only 47 of the internet’s 400 largest retail sites employ the technology, which would in theory thwart this kind of brute force attack.
Ultimately, consumers cannot afford to be complacent when it comes to their safety online. Limiting your exposure to these kinds of attacks shouldn’t necessarily be the consumer’s job, but the revelations from reports like these highlight that it very much is.