Using nothing more than guesswork, hackers can figure out all of the details on your credit card in just six seconds.

This includes the card number, expiration date, and the security code for any Visa credit or debit card.

Hackers can automatically generate variations of the security data and try them on multiple websites until they get a 'hit,' and experts warn such an attack is 'frighteningly easy' to carry out.

In a new study, published to the journal IEEE Security & Privacy, researchers investigated an attack known as the Distributed Guessing Attack, which is thought to be responsible for the recent Tesco cyberattack, used to defraud customers of millions of dollars last month.

This can get past all of the security features that are set up in order to block online fraud, and according to the team from Newcastle University, it is 'frighteningly easy if you have a laptop and an internet connection.'

In a Distributed Guessing Attack, hackers make many attempts using automatically and systematically generated variations of security data across multiple websites.

Once they get a 'hit,' which can happen within seconds, they can then verify the data.

According to the team, the study revealed a major flaw within the Visa payment system: neither the network nor the banks were able to detect the attackers, despite multiple invalid attempts.

And with the holiday shopping season underway, they say the risk is at its highest.

'This sort of attack exploits two weaknesses that on their own are not too severe but when used together, present a serious risk to the whole payment system,' says lead author Mohammed Ali, a PhD student in Newcastle University's School of Computing Science.

As the current payment system does not detect the attempts from the different websites, the hackers are able to carry out unlimited guesses for each data field, the Ali explains.

Each site allows a given number of attempts, typically 10 or 20, and hackers can use these up until they get the right combination.

Along with this, different websites ask for different variations on the data fields to validate online purchases, meaning 'it's quite easy to build up the information and piece it together like a jigsaw,' Ali explained.

'The unlimited guesses, when combined with the variations in the payment data fields make it frighteningly easy for attackers to generate all the card details one field at a time,' the researcher says.

'Each generated card field can be used in succession to generate the next field and so on. 

'If the hits are spread across enough websites then a positive response to each question can be received within two seconds - just like any online payment.

'So even starting with no details at all other than the first six digits - which tell you the bank and card type and so are the same for every card from a single provider - a hacker can obtain the three essential pieces of information to make an online purchases within as little as six seconds.'

While online payments require the customer to provide that only the cardholder would know, the researchers say it is simple to carry out ‘jigsaw' identification unless all merchants ask for the same information.

And, there's no sure way to prevent these types of attacks.

‘Sadly there's no magic bullet,' says Dr Martin Emms, co-author on the paper.

‘But we can all take simple steps to minimize the impact if we do find ourselves of a hack.

For example, use just one card for online payments and keep the spending limit on that account as low as possible.

‘If it's a bank card then keep ready funds to a minimum and transfer over money as you need it.

‘And be vigilant, check your statements and balance regularly and watch out for odd payments.

‘However the only sure way of not being hacked is to keep your money in the mattress and that's not something I'd recommend.'