Visa said the research did not take into account other layers of security such as its Verified by Visa system.
According to the research, which has been published in the journal IEEE Security & Privacy, fraudsters use a so-called Distributed Guessing Attack to get around security features put in place to stop online fraud.
Mohammed Ali, a PhD student at the university’s school of computing science and lead author, said: “The current online payment system does not detect multiple invalid payment requests from different websites.
“This allows unlimited guesses on each card data field, using up to the allowed number of attempts – typically 10 or 20 guesses – on each website.
“Also, different websites ask for different variations in the card data fields to validate an online purchase. This means it’s quite easy to build up the information and piece it together like a jigsaw.
“The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time.”
The team said MasterCard’s security network detected similar attacks after less than 10 attempts.
A spokesman for Visa said: “The research does not take into account the multiple layers of fraud prevention that exist within the payments system, each of which must be met in order to make a transaction possible in the real world.
“Visa is committed to keeping fraud at low levels and works closely with card issuers and acquirers to make it very difficult to obtain and use cardholder data illegally.”
It said it also had its own Verified by Visa system which offered improved security for online transactions.
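The gap the researchers describe, shown from the defender's side as an added example (not code from the research, Visa or MasterCard): a per-website limit never fires when declined requests for one card are spread across many sites, while a count kept centrally per card does. The thresholds, the window, the names and the event data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

PER_SITE_LIMIT = 10    # per-website cap; the article cites 10 or 20 as typical
NETWORK_LIMIT = 10     # assumed network-wide cap on failures per card
WINDOW_SECONDS = 3600  # assumed sliding window for the network-wide count


class PerSiteLimiter:
    """Each website alone: failures counted per (merchant, card)."""
    def __init__(self):
        self.failures = defaultdict(int)

    def record_failure(self, merchant, card_token):
        self.failures[(merchant, card_token)] += 1
        return self.failures[(merchant, card_token)] >= PER_SITE_LIMIT


class NetworkMonitor:
    """Central view: failures counted per card across all merchants."""
    def __init__(self):
        self.recent = defaultdict(deque)  # card_token -> failure timestamps

    def record_failure(self, ts, card_token):
        q = self.recent[card_token]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:  # drop failures outside the window
            q.popleft()
        return len(q) >= NETWORK_LIMIT


def replay(events):
    """Return (event number of first per-site block, of first network block)."""
    site, net = PerSiteLimiter(), NetworkMonitor()
    site_hit = net_hit = None
    for n, (ts, merchant, card) in enumerate(events, start=1):
        if site.record_failure(merchant, card) and site_hit is None:
            site_hit = n
        if net.record_failure(ts, card) and net_hit is None:
            net_hit = n
    return site_hit, net_hit


def constructed_events(merchants=30, per_merchant=9, gap=2):
    """Constructed sample: declined requests for one card token over many sites."""
    events, ts = [], 0
    for m in range(merchants):
        for _ in range(per_merchant):  # default: one short of each site's limit
            events.append((ts, f"merchant-{m:02d}", "card-token-A"))
            ts += gap
    return events


if __name__ == "__main__":
    print(replay(constructed_events()))
```

On the default sample the per-site limiter never blocks across 270 declined requests, while the central count blocks at the tenth.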
Investigators have warned consumers they face potentially fatal risks after 99% of fake Apple chargers failed a basic safety test.
Trading Standards, which commissioned the checks, said counterfeit electrical goods bought online were an “unknown entity”.
Of 400 counterfeit chargers, only three were found to have enough insulation to protect against electric shocks.
It comes as Apple has complained of a “flood” of fakes being sold on Amazon.
Apple revealed in October that it was suing a third-party vendor, which it said was putting customers “at risk” by selling power adapters masquerading as those sold by the Californian tech firm.
The Trading Standards tests were performed by safety specialists UL.
They applied a high voltage to the chargers, which were bought online from eight different countries, including the US, China and Australia, to test for sufficient insulation.
Leon Livermore, the chief executive of Chartered Trading Standards Institute, urged shoppers to buy electrical goods only from trusted suppliers.
“It might cost a few pounds more, but counterfeit and second-hand goods are an unknown entity that could cost you your home or even your life, or the life of a loved-one,” he said.
A separate operation found that of 3,019 electrical goods bought second hand, 15% were non-compliant.
Officers said the unsafe electrical items, which came from charity shops, antique dealers and second-hand shops, had failings such as counterfeit plugs and basic insulation.
How to spot a dangerous fake charger
Plug pins – Plug the charger into a socket, but don’t switch it on or connect to a device. If the charger does not fit easily, the pins may be the wrong size. There should be at least 9.5mm (0.3in) between the edge of the pins and the edge of the charger
Markings – Look for a manufacturers’ brand name or logo, model and batch number. Check for the “CE” safety mark, but be aware it can be easily forged
Warnings and instructions – User instructions should include conditions and limitations of use, how to operate the charger safely, basic electric safety guidance and details of safe disposal
Source: Trading Standards
Gillian Guy, chief executive of Citizens Advice, said: “Counterfeit electrical goods are likely to be poor quality and in the worst cases unsafe.
“Look out for tell-tale signs of counterfeiting such as mistakes in brand names or logos, and check plugs for safety marks – all genuine electrical items made in the EU should have a CE mark on them.”
Consumers were also urged not to overcharge appliances and to never cover devices when charging or use a charger with a cracked case or frayed cable.
There is no suggestion the company involved in the Apple case sold the chargers used in the Trading Standards tests.
The company said that no money had been taken from or added to the compromised accounts.
But it added that there had been other suspicious activity on fewer than 50 of them.
The Information Commissioner’s Office said it had launched an investigation into the matter.
“Camelot submitted a breach report to us last night which we have reviewed. We will be talking to Camelot today,” said a spokeswoman.
“The Data Protection Act requires organisations to do all they can to keep personal data secure – that includes protecting it from cyberattacks. Where we find this has not happened, we can take action.
“Organisations should be reminded that cybersecurity is a matter for the boardroom, not just the IT department.”
Camelot said it became aware of the problem on Sunday.
“We are currently taking all the necessary steps to fully understand what has happened, but we believe that the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details,” it said in a statement.
“We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited.
“However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.”
A spokeswoman added that the accounts represented a small fraction of the draw’s 9.5 million registered online players.
Camelot is contacting the owners of the accounts thought to have been compromised and instructing them to change their passwords.
One security expert said there had been many recent attacks where logins stolen from one platform had been tested and used to breach another.
But he still had concerns about Camelot’s explanation.
“If there’s 26,500 accounts here and they are saying the credentials are correct but they didn’t come from us, they still let an attacker log in 26,500 times,” said Troy Hunt.
“That alone is something that illustrates a deficiency.”
Camelot has defended its systems.
“We do have extremely robust systems in place. However, cybercriminals are very persistent and, in this case, used multiple, different IP [internet protocol] addresses over a short period of time.
“As soon as we detected [a] significant increase in both attempted and failed log-ins, we were able to quickly take action to block them.”
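The detection signal discussed in the statements above, as an added example (not Camelot's code; the log format, thresholds, addresses and account names are constructed assumptions): when every attempt comes from a different IP address a per-IP limit never fires, whereas the site-wide ratio of failed log-ins does, and the successful log-ins inside an alerting minute are the accounts to review.

```python
from collections import defaultdict

PER_IP_LIMIT = 5        # assumed per-IP cap on failed log-ins per minute
FAIL_RATIO_ALERT = 0.5  # assumed: alert when over half a minute's log-ins fail
MIN_ATTEMPTS = 50       # assumed: do not alert on quiet minutes


def parse(line):
    # Constructed log format: "<epoch_seconds> <ip> <username> <OK|FAIL>"
    ts, ip, user, result = line.split()
    return int(ts), ip, user, result == "OK"


def analyse(lines):
    """Summarise each minute and show which control would have fired."""
    buckets = defaultdict(list)
    for line in lines:
        ts, ip, user, ok = parse(line)
        buckets[ts // 60].append((ip, user, ok))
    report = {}
    for minute, rows in sorted(buckets.items()):
        fails_by_ip = defaultdict(int)
        for ip, _, ok in rows:
            if not ok:
                fails_by_ip[ip] += 1
        fail_ratio = sum(fails_by_ip.values()) / len(rows)
        alert = len(rows) >= MIN_ATTEMPTS and fail_ratio > FAIL_RATIO_ALERT
        report[minute] = {
            "attempts": len(rows),
            "distinct_ips": len({ip for ip, _, _ in rows}),
            "ips_over_limit": sum(n >= PER_IP_LIMIT for n in fails_by_ip.values()),
            "site_alert": alert,
            # Successful log-ins inside an alerting minute need review and a
            # forced password change: the credentials may be valid but stolen.
            "review_accounts": sorted(u for _, u, ok in rows if ok) if alert else [],
        }
    return report


def constructed_log():
    """Constructed sample: one normal minute, then a minute of reused credentials."""
    lines = [f"{i * 3} 198.51.100.{i} user{i} {'FAIL' if i < 2 else 'OK'}"
             for i in range(20)]
    # 200 attempts, each from its own address against its own account;
    # every tenth pair of credentials is valid.
    lines += [f"{60 + (i * 3) // 10} 203.0.113.{i} victim{i} "
              f"{'OK' if i % 10 == 0 else 'FAIL'}" for i in range(200)]
    return lines


if __name__ == "__main__":
    for minute, row in analyse(constructed_log()).items():
        print(minute, row)
```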
Other recent attacks targeted at the UK public include:
Deliveroo – users of the takeaway food app said their accounts had been billed for food they had not ordered. The firm said the hacks had been carried out using passwords stolen from elsewhere
Sony PlayStation Network – hundreds of gamers complained about being locked out of their online accounts. Many said that once Sony had restored their access, they had found that funds were missing. The firm suggested the users might have had their credentials stolen by a phishing campaign
Tesco Bank – a total of £2.5m was stolen from about 9,000 of the bank’s online accounts. The firm has said it was a “systematic, sophisticated attack” but has not provided further detail
The University of Surrey’s Prof Alan Woodward says these rules should be observed when setting an online password:
Don’t choose one obviously associated with you
Hackers can find out a lot about you from social media so if they are targeting you specifically and you choose, say, your pet’s name you’re in trouble.
Choose words that don’t appear in a dictionary
Hackers can precalculate the encrypted forms of whole dictionaries and easily reverse engineer your password.
Use a mixture of unusual characters
You can use a word or phrase that you can easily remember but where characters are substituted, eg, Myd0gha2B1g3ars!
You can make this even stronger by adding in some random characters, eg Myd0g*ha2B1g$3ars!, if you can remember them. But don’t be tempted to make the phrase simpler and shorter in order to help you recall it.
Have different passwords for different sites and systems
If hackers compromise one system you do not want them having the key to unlock all your other accounts. As we all have so many accounts, you should consider using a password manager. This has the added advantage that it will suggest strong passwords.
They include various police, military, government and NHS departments as well as the Food Standards Agency, the Gambling Commission, the Financial Conduct Authority and the Health and Safety Executive.
The required data covers only the domain name of each site visited – www.facebook.com or www.bbc.com, for example – not the individual pages within them.
“So long right to privacy, hello 1984,” wrote Mr Yiu.
‘Mistakes will happen’
The chairman of the Internet Service Providers’ Association (Ispa) told the BBC last week that he was concerned such a database would eventually be hacked.
“You can try every conceivable thing in the entire world to [protect it], but somebody will still outsmart you,” he said.
“Mistakes will happen. It’s a question of when. Hopefully it’s in tens or maybe a hundred years. But it might be next week.”
“The bill provides a clear and transparent basis for powers already in use by the security and intelligence services, but there need to be further safeguards,” said Harriet Harman, chairing the committee.
Online marketplace Amazon has placed a limit on the number of reviews shoppers can leave on the site.
In a bid to put a stop to false feedback, people can now write only five reviews a week of items not bought via the online store.
The change applies to most products and is part of efforts to clamp down on people selling positive comments.
The change is Amazon’s latest step in its battle to ensure users trust its listings.
Earlier this year, Amazon began suing sellers for buying fake reviews and then imposed tougher restrictions on companies that offered free products in return for customers’ ratings.
Users can still review as many items as they like if the goods are purchased via the website.
“The change makes a lot of sense. There has been a massive clampdown on fake, bogus and heavily influenced reviews recently,” said Patrick O’Brien, retail analyst at Verdict Retail.
In October, Amazon announced the end of “incentivised reviews”.
While direct compensation for reviews had never been allowed, there was an exception – reviewers could until last month post a review in exchange for a “free or discounted product as long as they disclosed that fact”, according to Amazon’s website.
Now, that has changed. Such reviews can appear on the site only via Amazon’s own program, Vine.
It wants Openreach to become a distinct company with its own board, with non-executives and a chairperson not affiliated with BT. It also wants Openreach to have control over its branding and budget allocation.
Openreach would also have a duty to treat all of its customers equally, the regulator said.
On Monday, BT had appointed Mike McTighe – who was on the board of Ofcom between 2007 and 2015 – as the first chairman of Openreach.
BT said in a statement: “We put forward proposals in July that we believe are fair and sustainable, and that meet Ofcom’s objectives without disproportionate costs.
“We are implementing these proposals, and have just appointed Mike McTighe to be the first chairman of Openreach. We are in discussions with Ofcom on two outstanding issues, the reporting line of the Openreach chief executive and the form of legal incorporation.
“We will continue to work with Ofcom to reach a voluntary settlement that is good for customers, shareholders, employees, pensioners and investment in the UK’s digital future.”
Analysis: Dominic O’Connell, Today programme business presenter
BT’s rivals, including Sky and TalkTalk, had complained bitterly about the service they received from Openreach, saying it charged too much for the use of broadband lines and was unresponsive to their demands. They wanted a full break-up of BT, with Openreach being turned into a separate company.
Ofcom has come some of the way, with Openreach now to become a legally separate entity, with its own independent board. But crucially it will still be owned by BT. Telecoms experts say the devil will be in the detail – how much control will BT be able to exert over Openreach under the new structure?
Sky and TalkTalk will be watching for any signs of too much influence – but if BT has no say at all over Openreach, it may in the end decide to break itself up anyway.
BT shares wobbled in early trading, losing 1.5% at first before recovering to trade higher by 0.5%.
Dido Harding, the chief executive of TalkTalk, told the BBC that “consumers and businesses across the country are completely fed-up that their broadband doesn’t work”.
“In the sense that it is a small step in the right direction it is a good thing, but I think it’s important to remember it is only a small step… because… Ofcom’s proposal is for quite complex corporate governance, and even this complicated legal separation is one that BT Group has been fiercely resisting,” she said.
Despite the appointment, the BBC understands that Ofcom is still concerned that – against its wishes – Openreach chief executive Clive Selley will continue to report directly to BT Group chief executive Gavin Patterson.
Ofcom is also concerned that Openreach will not end up in control of its own assets and cash, and that it may not be able to consult confidentially with customers such as Sky and TalkTalk.
The BBC understands that BT is concerned that transferring Openreach assets and cash will incur costs that would take away from investment in broadband infrastructure.
Kester Mann, an analyst at CCS Insight, said: “Today’s news shows that Ofcom remains hugely concerned over BT’s ability to satisfy its competition concerns.
“It again highlights clear flaws in the existing Openreach model and a worry that UK broadband deployment could be restricted without serious change.”
He said BT’s rivals could criticise Ofcom for not pushing for structural separation, but they should see Ofcom’s efforts to engage with the European Commission as “a partial victory”.
The news of the deal comes just hours after Chancellor Philip Hammond promised £400m to help Britain’s successful digital start-ups avoid being snapped up by larger rivals.
“I am taking a first step to tackle the long-standing problem of our fastest growing technology firms being snapped up by bigger companies, rather than growing to scale,” Mr Hammond said in his Autumn Statement.
Ctrip was founded in 1999 and is one of China’s best-known travel businesses.
The deal would “strengthen long-term growth drivers for both companies,” said James Jianzhang Liang, co-founder and executive chairman of Ctrip.
“Skyscanner will complement our positioning at a global scale and Ctrip will leverage our experience, technology and booking capabilities to Skyscanner’s,” he added.
Skyscanner was set up in 2003, and co-founder and chief executive Gareth Williams said the deal took his firm closer to its goal “of making travel search as simple as possible for travellers around the world”.
BBC’s Dougal Shaw on meeting an unassuming boss
You have to go through a slick PR machine to get time with Gareth Williams. But once you reach him, it’s like having a chat with a friendly, unassuming bloke down the pub.
Which is how his company was founded. Gareth Williams thrashed out the original idea for Skyscanner with two university friends in a pub back in 2001.
A passionate skier, he was frustrated by the time it took to sort through potential flights.
Lean in and listen carefully. Every softly-spoken word is measured, well-considered and laser-like to-the-point.
I met him this summer for a recording of CEO Secrets, our entrepreneurship series.
Interestingly, the Skyscanner team is very keen to play down the label of being a “unicorn company”, a young company valued at more than $1bn, even though that’s an elite club that you’d think would be nice to join.
Forget that, they told me. They were more keen to talk about their actual revenues from customers, their rate of growth and their next generation work with automated bots.
Perhaps that’s what sealed the deal with Ctrip.
“Ctrip and Skyscanner share a common view – that organising travel has a long way to go to being solved. To do so requires powerful technology and a traveller-first approach,” Mr Williams said.
The sale comes about a year after Skyscanner announced a fresh round of investment to help it expand. Its backers include investment firm Sequoia as well as the Malaysian government’s strategic investment fund, Yahoo Japan and fund manager Artemis.
Its biggest investor, Scottish Equity Partners, welcomed the sale and said it was “particularly pleased” that Skyscanner would continue to be headquartered in Edinburgh and to operate independently.
Shanghai-based Ctrip became China’s biggest internet travel service after merging with a similar business, Qunar, last year. That deal gave Chinese internet giant Baidu, which controlled Qunar, a 25% stake in Ctrip.
Analysis: Dominic O’Connell, Today business presenter
Two days after Theresa May promised the CBI a more interventionist industrial policy, one which might stop important British companies being sold to foreign rivals, along comes a deal to expose the shortcomings of such a promise.
Skyscanner, the Edinburgh-based technology company, has been sold to a Chinese rival for £1.4bn. Skyscanner sells travel online, but it is much more than just another travel website; its technology frequently sees it cited as one of Britain’s top technology companies, and it is one of the UK’s few “unicorns” – youngish tech companies with valuations north of $1bn.
When pundits try and come up with candidates to be the “British Google”, Skyscanner is a name that frequently comes up.
It is hard to see, however, what Theresa May could have done – even once her new industrial policy is in place – to stop the sale.
Like most British tech companies, Skyscanner has a small army of investors, ranging from traditional private-equity investors to technology specialists like Sequoia Capital.
It would be hard to argue that there is some national interest in interfering to keep it in British hands, and to do so would interfere with the basic rights of investors to sell their property.