Cyber criminals can correctly guess credit card numbers in a matter of seconds, by simply submitting a large amount of payments simultaneously.
University of Newcastle security experts found serious deficiencies in the websites of many online retailers that made the task considerably easier for the thieves.
The researchers have informed the owners of the at-risk websites, leading to a number of them adjusting and adapting their systems and security requirements.
PhD student Mohammed Aamir Ali led the study, and he produced a system to query credit cards. It worked by submitting payment requests to multiple sites at once.
The system was able to take all of the individual details that each site was asking for in order to verify purchases, and piece them together to fully replicate the card, essentially giving the researchers free rein over the card and its accounts.
In their research paper, they said: “This attack subverts the payment functionality from its intended purpose of validating card details, into helping the attackers to generate all security data fields required to make online transactions.”
The vast majority of the sites used in the research did not notice that the card was being used on multiple sites at once, making the system much more effective.
The researchers said: “It is possible to run multiple bots at the same time on hundreds of payment sites without triggering any alarms in the payment system.”
In an example attack, it took just six seconds for the desired information to be collated, when running lots of queries at the same time.
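The weakness described above is that no single merchant sees the attempts spread across all the others, so the guessing only becomes visible where the attempts converge, typically at the card issuer or payment network. As an added illustration that is not part of the original article or the researchers' work, the following Python sketch assumes such a party has a feed of verification attempts keyed by a tokenised card identifier (never the raw card number) and flags any card that accumulates too many declines, or is tried at too many distinct merchants, inside a short time window. The field names, thresholds and sample records are all assumptions constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Attempt:
    """One card-verification attempt as seen by an issuer or network (assumed schema)."""
    ts: float          # seconds since epoch
    card: str          # tokenised card identifier, not the PAN itself
    merchant: str      # merchant that submitted the attempt
    declined: bool     # True if the verification/authorisation was refused


def find_distributed_guessing(attempts, window=60.0, max_declines=5, max_merchants=3):
    """Return {card: (declines, distinct_merchants)} for every card that, within
    any `window`-second span, exceeds `max_declines` refused attempts or is
    submitted from more than `max_merchants` distinct merchants.

    The reported numbers are the worst window observed for that card.
    Thresholds are illustrative assumptions, not values from the study."""
    by_card = defaultdict(list)
    for a in attempts:
        by_card[a.card].append(a)

    flagged = {}
    for card, events in by_card.items():
        events.sort(key=lambda a: a.ts)
        window_events = deque()
        for a in events:
            window_events.append(a)
            # Drop attempts that have fallen out of the sliding window.
            while window_events and a.ts - window_events[0].ts > window:
                window_events.popleft()
            declines = sum(1 for e in window_events if e.declined)
            merchants = len({e.merchant for e in window_events})
            if declines > max_declines or merchants > max_merchants:
                prev = flagged.get(card, (0, 0))
                flagged[card] = (max(prev[0], declines), max(prev[1], merchants))
    return flagged


# Constructed sample feed: tok_A is probed at eight merchants in under ten
# seconds with every attempt but the last refused; tok_B shows ordinary,
# widely spaced shopping behaviour.
SAMPLE = [
    Attempt(1000.0 + i * 0.5, "tok_A", f"shop{i % 8}", declined=(i != 15))
    for i in range(16)
] + [
    Attempt(1000.0, "tok_B", "shop0", declined=False),
    Attempt(1500.0, "tok_B", "shop1", declined=False),
    Attempt(3000.0, "tok_B", "shop0", declined=True),
]


if __name__ == "__main__":
    for card, (declines, merchants) in find_distributed_guessing(SAMPLE).items():
        print(f"{card}: {declines} declines across {merchants} merchants within 60s")
```

Because each merchant in the sample only ever sees one or two attempts for tok_A, a per-site rate limit would never fire; the cross-merchant view is what makes the pattern stand out.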
The team shared its findings with 36 of the sites used in the research, and in response eight sites altered their security systems. However, the other 28 sites made no changes despite the evident risks.