The process is almost simplistic to a fault: Hackers can spread guesses for a credit card’s CVC code over a number of different sites, which quite alarmingly, isn’t enough to signal a breach of credit card security in some instances. Banks aren’t able to detect multiple attempts at inputting credit card information, so the attackers are free to send invalid payment requests as many as 10 to 20 times without registering a sign of fraudulent activity.
Or to put it in especially grim terms, hackers can automatically generate different variations of card security data, and then toss them into a given website, sometimes accurately generating a card number or CVC in a matter of seconds. Authorities in England believe the Distributed Guessing Attack method might have been used in a widespread digital attack on the supermarket chain Tesco earlier this month, in which 20,000 bank accounts were looted.
The trick only works on Visa cards though, so Mastercard and Amex customers aren’t in quite as precarious a situation when they shop online. Mastercard has more stringent security measures in place, which can track multiple attempts at guessing credit card info.
So the next time you log onto Amazon to buy loved ones something for the holidays, you’ll have reason to sweat, and it likely won’t be over the possibility of a late shipment.