That's according to a new study published in IEEE Security & Privacy, which examined 400 of the most popular online shopping sites (e.g., iTunes, Google, PayPal, Amazon). Researchers from Newcastle University and the University of Kent, England, used an automated bot to cycle through the payment data fields on each site, testing whether the card details a site did not already have could simply be guessed.
The experiment found two major security problems with current online payment systems. First, many websites allow an unlimited number of attempts at entering payment details. Second, and more subtle, the information required to complete a purchase varies from site to site, which lets attackers use a "systematic guessing" approach, one field at a time, to obtain credit card numbers, expiration dates, card verification values (CVV2), and postal addresses.
How it works.
The bare minimum a merchant may require is the card number and expiration date. Merchants can also ask for the CVV2 (the three digits printed on the back of the card), and the strictest common configuration asks for both the CVV2 and the cardholder's address.
A would-be attacker might start with a website that asks only for the card number and expiration date. Starting with a card number, which might appear on criminal lists after a breach, the attacker can try as many times as needed, spreading the attempts across multiple sites so that no single site sees many of them, to determine the expiration date. Since banks generally issue cards that are valid for up to 60 months, the expiration date falls in at most 60 attempts.
Once the expiration date is known, the attacker moves on to a site that also asks for the CVV2. As the researchers point out, a three-digit CVV2 has only 1,000 possible values, so it takes at most 1,000 attempts to guess. Often only the zip code is checked at payment, and with unlimited attempts available, a bot can cycle through the possible values until a purchase is approved.
What you should do to avoid vulnerability.
The researchers suggest that merchants adopt a uniform method for obtaining payment information. Since this is unlikely without regulatory intervention, the report also offers alternatives that individual merchants can adopt on their own.
Before releasing the study, the researchers notified 36 of the largest and most vulnerable sites, as well as Visa (which allows unlimited attempts, in contrast with MasterCard, whose fraud detection kicks in after about 10 tries). As a result, eight of those websites changed how they collect payment information. Simply adding address verification does not reduce the vulnerability; it merely adds another field that bots can guess systematically. A better fix is for websites to limit the number of allowed attempts: some sites instituted a maximum of 100 attempts every 24 hours, and others a limit of five attempts per IP address in a 24-hour period.
Another option is 3-D Secure, such as American Express SafeKey, MasterCard SecureCode, or Verified by Visa, which monitor consumer activity and perform checks such as IP address verification and additional password prompts "if the frequency or value of the transactions appears to be unusual," the researchers noted in the study. However, these schemes add friction to the checkout, which many merchants view as a drawback.
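The field-by-field guessing sequence from "How it works" and the attempt limits just discussed, as an added simulation (this is illustrative code written for this page, not code from the study). The card values, the 60-month expiry window starting in 2017, the 4-digit numeric postcode check, the round-robin spreading of guesses across sites, and the limits of 100 attempts per card per site and 10 failures per card at the card network are all assumptions chosen to match the numbers in the text:

```python
import itertools
from collections import defaultdict

# Constructed card record; in reality it exists only at the issuer. The PAN is
# a well-known test number, not a real card.
SECRET_CARD = {
    "pan": "4111111111111111",
    "expiry": (9, 2021),            # (month, year)
    "cvv2": "472",
    "postcode_digits": "1234",      # assumed: address check covers only a 4-digit numeric part
}

# Candidate spaces the attacker enumerates, smallest field first.
CANDIDATES = {
    "expiry": [(m, y) for y in range(2017, 2022) for m in range(1, 13)],  # 60 months
    "cvv2": [f"{i:03d}" for i in range(1000)],
    "postcode_digits": [f"{i:04d}" for i in range(10000)],
}

# The three verification profiles described in the text, in attack order.
TIERS = [
    ("expiry", ("pan", "expiry")),
    ("cvv2", ("pan", "expiry", "cvv2")),
    ("postcode_digits", ("pan", "expiry", "cvv2", "postcode_digits")),
]


class Issuer:
    """Approves a charge iff every forwarded field matches the card. The issuer sees
    traffic from every merchant, so it can cap failed attempts per card across the
    whole network (a hypothetical model of the MasterCard-style detection in the text)."""

    def __init__(self, card, network_limit=None):
        self.card = card
        self.network_limit = network_limit
        self.failed = defaultdict(int)

    def authorise(self, fields):
        pan = fields["pan"]
        if self.network_limit is not None and self.failed[pan] >= self.network_limit:
            return False                          # card blocked, even for the right answer
        ok = all(self.card.get(k) == v for k, v in fields.items())
        if not ok:
            self.failed[pan] += 1
        return ok


class Merchant:
    """Forwards only the fields it asks for. `per_card_limit` models a per-site cap
    on attempts per card (e.g. the 100-per-day limit some sites adopted)."""

    def __init__(self, required, issuer, per_card_limit=None):
        self.required = required
        self.issuer = issuer
        self.per_card_limit = per_card_limit
        self.attempts = defaultdict(int)

    def charge(self, fields):
        pan = fields["pan"]
        if self.per_card_limit is not None and self.attempts[pan] >= self.per_card_limit:
            return "rate_limited"
        self.attempts[pan] += 1
        forwarded = {k: fields[k] for k in self.required}
        return "approved" if self.issuer.authorise(forwarded) else "declined"


def guess_field(merchants, known, field, candidates):
    """Enumerate `candidates` for one field, rotating across `merchants` so that each
    site sees only a fraction of the attempts. Returns (value or None, attempts)."""
    attempts = 0
    rotation = itertools.cycle(range(len(merchants)))
    for cand in candidates:
        trial = dict(known, **{field: cand})
        for _ in range(len(merchants)):           # skip sites that have cut us off
            outcome = merchants[next(rotation)].charge(trial)
            if outcome != "rate_limited":
                break
        else:
            return None, attempts                 # every site in this tier is exhausted
        attempts += 1
        if outcome == "approved":
            return cand, attempts
    return None, attempts


def run_attack(pan, merchants_by_tier):
    """Recover expiry, CVV2 and postcode digits one field at a time, moving to a
    stricter merchant tier once the previous field is known. Returns
    (recovered fields, total attempts, field the attack stalled on or None)."""
    known, total = {"pan": pan}, 0
    for field, _ in TIERS:
        value, n = guess_field(merchants_by_tier[field], known, field, CANDIDATES[field])
        total += n
        if value is None:
            return known, total, field
        known[field] = value
    return known, total, None


def build_world(merchants_per_tier, per_card_limit=None, network_limit=None):
    """One issuer shared by `merchants_per_tier` merchants in each verification tier."""
    issuer = Issuer(SECRET_CARD, network_limit)
    return {field: [Merchant(req, issuer, per_card_limit) for _ in range(merchants_per_tier)]
            for field, req in TIERS}


if __name__ == "__main__":
    for label, world in [("no limits", build_world(3)),
                         ("100/card/site, 3 sites per tier", build_world(3, per_card_limit=100)),
                         ("100/card/site, 20 sites per tier", build_world(20, per_card_limit=100)),
                         ("network cap of 10 failures", build_world(20, per_card_limit=100, network_limit=10))]:
        print(label, run_attack(SECRET_CARD["pan"], world))
```

With no limits, the simulated attack recovers everything in 1,765 attempts (57 + 473 + 1,235 for these constructed values; at most 60 + 1,000 + 10,000 in the worst case) instead of the 600 million a joint guess over all three fields would need. A cap of 100 attempts per card per site stalls the attack at the CVV2 stage when only three sites per tier are available, but it succeeds again with twenty sites per tier, which is why per-site limits raise the attacker's cost without removing the vulnerability. The issuer-side cap of ten failures stops the attack at the very first field, because the issuer sees the attempts from every site.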