Fraudsters can guess credit card numbers in as little as six seconds per attempt thanks to security gaps in Visa's network, academics say.
The brute force attacks allow criminals to bombard Visa with card payment requests across multiple sites with each attempt narrowing the possible combinations until a valid card number and expiry date are determined.
Visa, unlike rival Mastercard, does not detect the flood of requests as unusual, the researchers say.
The attacks, handy for criminals with only partial breach records oof personal information, work against the Alexa Top 400 online merchant sites accroding to findings in the paper Does The Online Card Payment Landscape Unwittingly Facilitate Fraud? [PDF] written by Newcastle University's Mohammed Aamir Ali, Dr Leonardus Arief, Dr Martin Emms, and professor Aad van Moorsel.
"We investigated the Alexa top-400 online merchants’ payment sites, and realised that the current landscape facilitates a distributed guessing attack," the authors say.
"This attack subverts the payment functionality from its intended purpose of validating card details, into helping the attackers to generate all security data fields required to make online transactions.
"... different websites present different sets of fields to identify the cardholder … [this disparity] inadvertently creates conditions for a scalable distributed guessing attack."
Attacks exploit the differences in authorisation proofs under which some sites accept expiry dates while others require criteria like street addresses.
Some 78 per cent (303 sites) of the affected merchants did nothing when the team disclosed the attack. It is unknown why no action was taken.
A handful of sites quickly updated their sites to use more secure mechanisms, while a few implemented updates that made their checkouts even less secure.
Critically, the attacks rely on card-not-present fraud, in which merchants do not require the three-digit CVV number found on on cards' rear faces to authorise a transaction.
Fraud of this sort is increasingly uncommon in countries with advanced anti-fraud technology, with Australia's established chip-and-PIN and advanced payment systems making it one of the tougher targets.
Those seeking credit cards to abuse illegaly would probably be better off buying batches of cheap plastic from established fraud sites like Rescator.cm which serve as the monetisation mechanism for large scale breaches.
The researchers say all merchants should use standard payment authorisation fields to knock out the ability for the attacks to scale. ®