Ron Benvenisti: I Can Get Your Credit Card Info In Less Than Six Seconds

PCI-DSSBut don’t worry about me, I don’t do that, unless the credit card company pays me to test it out. LOL. It’s true, you really need to protect yourself from the new tools hackers are using with a tremendous amount of success and no protection from the card companies, VISA in particular. But before I get to that, let me tell you that I have a couple of credit cards but I just use just one of them for online purchases. I get texts for every time the card is used above $10 dollars. It’s a nuisance to get a text every time I buy something for more than ten bucks with that card but there’s a good reason why I do it. In fact, there are over a billion reasons why I do it. And I get more than a million more reasons every day. I also keep the spending limit on that card low just in case. I also have a debit card and in the account, that’s associated with I keep it to a minimum and just move money from another account into it when necessary. Why? Because millions of cards get hacked and hijacked every day. This way I limit my damages and get notified of every purchase instantaneously. These are two of the best things you can do to protect yourself against credit card theft. You can do this with any credit or debit card.

How about that Cyber criminals can figure out the card numbers, expiration dates and even the security codes of any Visa credit or debit card in six seconds. All they need is a little help from a tiny, simple computer program. A study, was done at the University of Newcastle and was published in the IEEE Security & Privacy journal that shows how what has been come to be known as a ‘Distributed Guessing Attack’ circumvents every single security feature the credit card company uses to protect online users in just a couple of seconds. Faster than it takes for me to get the warning test from the same company!

Basically, different variations of a card’s security data is automatically generated and plugged into hundreds of websites until the hackers get a match for each piece of information necessary for a successful purchase. The network nor the banks can detect the barrage of invalid attempts. Mohammed Ali, the lead author of the paper, says, “The current online payment system does not detect multiple invalid payment requests from different websites. This allows unlimited guesses on each card data field, using up to the allowed number of attempts – typically 10 or 20 guesses – on each website.” Unbelievable, but true.

Even if the website asks for different variations of card info, like zip code or address, it works against the credit card holder because its “quite easy to build up the information and piece it together like a jigsaw.” “The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time,” Ali explained.

All you can do about it is what I do: I just use just one card only for online purchases. I get texts for every time the card is used above $10 dollars. I keep the spending limit on that card low just in case. On my bank debit card and in the checking account it’s tied to I keep a minimum balance and just move the money I need from a savings account into it when I’m going to use the card. By doing this, even if they guess my card info they won’t get much, I get notified and shut it down. It’ll take you a bit more than six seconds to set that up. But it sure beats losing your money in six seconds. If you don’t have this set up, go online now to your bank and credit card company and do it. Especially if you have VISA cards, they’re the easiest to guess.

Ron Benvenisti
Business IT Risk Analyst
Integris Security LLC

This content, and any other content on TLS, may not be republished or reproduced without prior permission from TLS. Copying or reproducing our content is both against the law and against Halacha. To inquire about using our content, including videos or photos, email us at [email protected].

Stay up to date with our news alerts by following us on Twitter, Instagram and Facebook.

**Click here to join over 15,000 receiving our Whatsapp Status updates!**

**Click here to join the official TLS WhatsApp Community!**

Got a news tip? Email us at [email protected], Text 415-857-2667, or WhatsApp 609-661-8668.


  1. Thank you for informative article, I just have a question :
    if you set up spending limits on the CC with alerts above $10, why the need to bring in a debit card with a minimum $ in that account and then be busy moving $ from saving into checking? Unless you cannot get or don’t want to get a credit card, just don’t use debit card for online purchases. Also, although it’s not a good feeling and definitely a headache, (it had happened to me in the past) to be a victim of CC fraud but ultimately you are not responsible for fraudulent purchases on your CC.

    Thank you very much.

  2. Agree with your point. But you seem a bit over the top with this stuff.
    $10 limit for alerts? Thats called paranoia.

    Also, if you ever have fraudulent charges on your cc, the credit company covers it.

    No need to make yourself crazy.

  3. An important point: If you sign up for alerts and don’t report a fraud right away, you may be held responsible. Whereas if you’re not signed up for the alerts the credit card company is responsible.

  4. My apologies. I don’t think I was clear enough.
    I have two credit cards and one debit card. I use one credit card only for online purchases. I set the limit on that card with the bank, online, to exactly what I need for the online purchases. I use the debit card for everyday purchases or use cash. I transfer just enough money to cover the day.The other credit card is used strictly for emergencies like car repairs or other in-store purchases like a last minute Shabbos bottle of wine. So I use 3 cards in total. It is a bit of a hassle but I set it all up online and it takes less than 5 minutes, and the banks set the limits and make the transfers instantaneously. My only risk if for the online card. True, the credit card companies will cover fraudulent charges, after an investigation. A small amount will not be as bad as a larger amount pending an investigation. In any case, by doing this I only have one card to worry about, the online one, and since I use a local bank’s credit card, if something does happen, I can just go into the bank and get a new one right away. Sorry, if I wasn’t clear. Yes, it is a hassle but just a couple of minutes of time. If I get hit, it’s just a few minutes to get a new card. All in all it saves me a bigger hassle of having many cards to worry about and thus being a bigger “attack surface and having my new card stolen from my mailbox.

Comments are closed.