NordVPN Warns of “Brute Force” Credit Card Theft

Advertiser Disclosure Editorial Disclosure

Last updated on May 2nd, 2022

NordVPN is offering a warning for consumers to remain vigilant due to heightened cybersecurity risks because of the war in Ukraine. The security giant is shining a light on a sudden, crude, and dangerous type of credit card theft, known as a brute force attack.

Brute Forcing: A Worryingly Effective Credit Card Fraud Technique

Hacking a credit or debit card can take as few as six seconds, according to cybersecurity experts at NordVPN. The sheer speed of “brute force” attacks is one of the major reasons why the details of over four million payment cards have appeared on the dark web, they claim.

A study released by NordVPN analyzing approximately four million payment cards from 140 countries found that the most common method to hack a payment card is known as “brute forcing.” This form of cyberattack is incredibly quick and can be executed in a matter of seconds

“The only way such a huge number of payment cards could appear on the dark web is through brute forcing. That means that criminals basically try to guess the card number and CVV. The first six to eight digits are the card issuer’s ID numbers. That leaves hackers with seven to nine numbers to guess because the 16th digit is a checksum and is used only to determine whether any mistakes were made when entering the number. Using a computer, an attack like this can take only six seconds,” said Marijus Briedis, NordVPN’s chief technology officer.

How Do Brute Force Attacks on Credit Cards Work?

In a brute-force attack, a hacker uses a rapid trial-and-error approach to guess the correct password, PIN, or payment card number. It doesn’t require a lot of brainpower or complex algorithms – it’s merely a guessing game. However, the attack does require some resources – time, computing power, and a special type of software used by criminals.

“To guess the nine digits that are needed to have a full card number, a computer has to go through 1 billion combinations. And it will only take one minute for a typical computer, which can try around 25 billion combinations per hour. However, a criminal may need only seven digits to make a correct guess depending on the card issuer. In this case, six seconds would be enough,” added Briedis.

Most card issuers limit the number of guesses you can make in a short time to prevent these kinds of attacks. Still, criminals find ways to get around the limitations. Mastercard, for example, has a centralized authentication system. So a criminal can only try around ten times with one number before Mastercard’s centralized system detects that. A criminal can try 30 to 40 times with the Visa security system, perhaps even more. And if they pick the right time of day, when it’s really busy, they can try many more times because it has a decentralized, federated system.

This observation correlates with the fact that more than a half (2,524,142 instances) of all the discovered payment cards were Visa, followed by Mastercard (1,602,248 instances), and American Express (215,971 instances).

How to Protect Yourself from Brute Force Attacks

There is little users can do to protect themselves from this threat, short of abstaining from card use entirely. The most important thing is to stay vigilant.

“Review your monthly statement for suspicious activity and respond quickly and seriously to any notifications from your bank that your card may have been used in an unauthorized manner. Another recommendation is to have a separate bank account for different purposes and only keep small amounts of money in the one your payment cards are connected to. Some banks also offer temporary virtual cards you can use if you don’t feel safe while shopping online,” Briedis suggests.

Other options to protect your online payments include using a third-party payments platform, like PayPal. Services like PayPal offer an additional layer of protection when making payments online, keeping your credit card, debit card, or even prepaid card details away from cyber-thieves. The PayPal service is also accepted in over 200 countries worldwide and at millions of U.S. retailers – online and in-store.

Related Article: Half of Americans Store Financial Information Online

Featured image by TheDigitalArtist/PixaBay
About: Cory
Cory Santos

Cory is BestCards.com's "Jack of all trades" and resident credit expert, covering all facets of the credit card space. Cory holds academic degrees in both the U.S. and U.K. In addition to credit cards, Cory finds that jogging, cats, and memes are essential parts of a balanced day.

Advertiser Disclosure

BestCards is an independent, Florida-based credit card comparison platform. Many of the card offers that appear on this site are from companies from which BestCards receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear). BestCards does not include all card companies or all card offers available in the marketplace.

Get the Best Credit Card Content in Your Inbox

Sign up for our newsletter to receive the latest credit card articles and news so you can stay on top of your financial wellbeing.