Hackers are brute-force guessing payment card numbers, and there’s nothing you can do about it
Criminals have several ways of getting their hands on credit and debit card information, but one attack method is particularly alarming as victims are virtually defenseless. Even if you do everything by the book and adhere to all safety precautions, there’s still a chance that someone could outright guess your account details using brute force.
NordVPN recently partnered with independent cybersecurity researchers to analyze a database of nearly 4.5 million payment cards for sale on the dark web.
The VPN service provider found that the majority of cards – 1,561,739, to be exact – were from the US. In this region, Visa cards were the most common, followed by Mastercard and American Express. Worse yet, the average cost to buy the details of a US-based card was just $5.81.
Globally, debit cards were more common on the dark web than credit cards in the data the researchers surveyed. According to NordVPN, this is because hacked debit cards tend to have fewer protections in place to protect victims compared to credit cards.
Arguably even more alarming is how hackers are obtaining card details. Database breaches are still a viable route, but hackers are now able to brute force – or guess – payment card details. NordVPN notes that most systems limit the number of guesses that can be made in a short period of time, but adds that savvy hackers can get around this.
Most major payment cards have 16 digits, which may seem pretty secure length-wise. What you may not know is that there are standards for account numbers, and several digits on your card are identifiers that aren’t unique to your individual account. This means hackers have even fewer numbers they need to guess to find a “winning” combination.
Unfortunately, there’s not a whole lot consumers can do to protect themselves from a brute-force attack like this short of abstaining from card use entirely. NordVPN says your best line of defense is to remain vigilant and check your monthly statement for suspicious activity.