Valid Credit Card Numbers With Cvv And Expiration Date

In Libman
Aug 4, 2024, 1:06:02 PM
to maisnowettor
What's the chance of guessing valid credit card data that could be used to make a payment online? To me, it looks like it's not extremely hard to guess, but I'm not able to calculate the probability. I mean, it's not like it was designed to be as strong as 128-bit keys, which you know you can't really crack. So I wonder if any attacks are possible because of this lower entropy, and if not, why.

Ok, there are 16 digits. That alone would provide a bit more than 50 bits of entropy, if all the digits were random. But they are not: some are fixed and define the card issuer, and there should also be some redundancy for a checksum. Also, there are a lot of valid numbers, because a lot of people have credit/debit/prepaid cards today, I guess millions of people. You just need to guess one valid code. Ok, sometimes you have to provide other data for payment as well, for example the expiration date or the CVV. Yet those don't provide a lot of entropy. There might also be additional checks (like the owner's name or address), but I'm not sure those are always enforced.


I'm not saying it's easy to buy something with a specific person's credit card in a specific online store. I'm just wondering if it's not that hard, given a large botnet, to try to guess any valid credit card data by testing it (or even actually making a purchase) on random e-commerce websites.


Guessing a valid credit card number is feasible. Choose a known BIN (first six), generate 9 random digits, and then append the appropriate checkdigit. That's only 1,000,000,000 combinations - high, but listing every single one is certainly doable even on a personal computer.


Checking whether your guess is actually valid is harder. Almost every single website will ask for your expiration date and most will also ask for your CVV. Assuming that the card in question will expire within the next four years (standard lifetime of a card), that's still 12*4 possible valid expiration dates. And the CVV is another three digits you would need to guess. All told, that's 10^9*(12*4)*10^3=48,000,000,000,000 combinations - much less feasible.


Additionally, you would need to spread your guesses around - throwing them all at a single merchant's website will likely get them shut down by their payment processor for permitting exactly this kind of attack.


According to the U.S. Department of Homeland Security, the cost of credit card fraud may be as high as $500 million a year. Consumers pay for the fraud through higher finance charges, annual fees and increased costs for law enforcement investigations and prosecutions. To protect yourself against credit card fraud, consider the following:


Guard your credit card number

Do not give your credit card number out over the phone or online unless you initiated the contact or you have verified the website you are on belongs to the company with which you believe you are dealing. Memorize your PIN number and do not keep it with your credit card.


Merchants cannot require you to show your credit card for identification when paying by check

It is a violation of Florida law to require a consumer to produce a credit card number or expiration date before payment by check. However, a consumer can be required to show that they have a valid credit card. The merchant can note the type of card (Visa, MasterCard, etc.) and the name of the issuing bank, but nothing else.


Safety tips when using your credit card

Destroy carbons and voided receipts immediately. Check your bill against receipts that have been kept in a secure place. If you are not using a credit card, destroy it immediately. When on a trip, carry the name of the issuer, account number and the toll-free number of the issuer in a secure place. Report stolen and lost cards immediately. Note the date, time and person to whom you reported that your card was lost or stolen.


Reporting losses and fraud

If you lose your credit cards or if you realize they've been stolen, immediately call the issuer(s). Many companies have toll-free numbers and 24-hour service to deal with such emergencies. By law, once you report the loss or theft, you have no further responsibility for unauthorized charges. In any event, your maximum liability under federal law is $50 per card. If you suspect fraud, you may be asked to sign a statement under oath that you did not make the purchase(s) in question.


The card issuer is basically redundant since from the number you can get the issuer. So basically, with two basic pieces of information (credit card number and expiry date) anyone can pull money from my account.


Booking.com doesn't take a deposit or any payment from you; what you're filling in is a reservation form. The card details are used as a form of payment identity in case (a) you don't turn up and they need proof you intended to stay, or (b) you stay and run off without paying when checking out. The hotel still requires a present card for payment, or the CVV to do a card-not-present transaction, or cash if you choose to pay that way instead.


The bigger question of "is this secure" is more complicated. The simplest way to think about it is that there are a number of security controls in place to help prevent fraud, at various stages in the process (website, payment processor, bank), but even if these all fail the bank is insured against fraud, so you will get your money back if you use an appropriate card type. In general, credit cards offer superior and faster fraud protection in comparison to debit/bank cards.


Merchants can request a payment with only the credit card number and the expiry date, which are very visibly written on the front of the card. Most but not all merchants also require a number written on the back of the card, generically called CVV (the formal name depends on the credit card vendor). In principle, merchants have to apply certain rules known as PCI DSS to all credit card data, and aren't allowed to store the CVV (only to pass it to the bank), but PCI DSS compliance only requires that the merchant declares themselves as compliant, so violations of the requirements are common.


Yes, this does mean that once somebody has your card details, they can make an online payment in your stead. The burden is on you to verify your credit card statements and cancel any fraudulent payment. Depending on your bank, on the credit card type and your country, the details of how to cancel a fraudulent payment and what happens if this caused overspending or an overdraft vary.


To be clear, this is a risk whether you have ever used your card for online payments or not. The risk is inherent in having a card. There are fraudsters who make up card numbers and try to charge them; this isn't very easy to set up because most of their payments will end up being rejected because the made-up data is invalid and the bank will eventually block the source of evidently fraudulent requests, but it's doable. Having a valid number and expiry date greatly increases the profitability/risk ratio.


To give an idea of the profitability of this kind of fraud, from what I remember of credit card spam, a credit card number with expiry date sells for around $1 and a valid CVV raises the price to something like $5. Note that I've never checked whether the advertised data was genuine.


The trick with credit cards is to remember the credit part of the system. You're not actually paying at the point of sale, you're creating two credit relationships where you owe the issuer money and they owe it to the merchant. Effectively two 'IOU' pieces of paper, and about as secure.


The next thing is that you don't necessarily have to pay if they can't establish that it was actually you that did the transaction. If you successfully repudiate it, the merchant doesn't get paid for the transaction. If a merchant gets defrauded too often, they can be banned from the system.


So, various forms of payment system come with different proofs to the merchant about the card. In cardholder-present transactions you have the opportunity to look at the card and the customer when making the decision. It's harder to automate the fraud or carry it out from a safe distance. So these can be done with just card+expiry. Everything on the front of the card can be copied with one of those card imprint machines that use carbon paper and submitted by the merchant by post. The pre-internet system.


Cardholder-NOT-present transactions are the opposite. Fraud is easy to automate. So most online transactions ask for at least the CVV (three digits on the back of the card, not copied by imprint and not on the magnetic track). Most online retailers insist on an address which must match the cardholder address before posting out goods. People selling "cashlike" things (gift cards, game time cards) sometimes do phone verification too because they're very high fraud targets.


The hotel reservation case is funny because there's almost no fraud case possible. There's no point in making a reservation with a stolen card and then not showing up, it gets you nothing. If you do show up, it turns into cardholder-present, and many hotels take a copy of your ID.


Credit card "security" is not what we understand as "security" on this site, that is, features that make unauthorized use computationally infeasible. Remember that the original credit card was simply imprinted. There was hardly any security at all. Business security is another thing entirely. If the risk is high (as in credit card fraud) you can either put your money into bringing the risk down, or you can pay money to insure your risk. From your point of view (the customer) it's quite safe and very convenient: you just call your bank, tell them "I didn't authorize that" and they give you your money back.


There is also the thief's point of view: the card number is useless if you have no way of getting value out of it. Booking a hotel with a stolen card basically announces to the world where and when you are. Ordering goods requires a delivery address; again, the next person who knocks on the thief's door may wear blue instead of UPS's brown uniform.
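An added example, not part of the post or the answers it quotes, that puts numbers on the entropy argument above: a check-digit validator and the size of the guessing space under the post's own assumptions (known 6-digit BIN, 9 free digits, one check digit, a 4-year expiry window, a 3-digit CVV). It assumes the check digit is the standard Luhn digit, which the post does not name; 4111111111111111 is a widely published test number, not a real account.

```python
import math

# Assumptions taken from the post: 9 free digits after a known BIN, 12*4 possible
# expiry dates in a four-year card lifetime, and a three-digit CVV.
FREE_DIGITS = 9
EXPIRY_DATES = 12 * 4
CVV_VALUES = 10 ** 3


def luhn_valid(pan: str) -> bool:
    """Luhn check as used for card numbers (assumed to be the post's 'checkdigit').

    From the rightmost digit, every second digit is doubled (9 is subtracted when
    the result exceeds 9); the number passes when the digit sum is a multiple of 10.
    Rejects anything that is not 12 to 19 plain ASCII digits.
    """
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def search_space(with_expiry: bool = True, with_cvv: bool = True) -> int:
    """Candidate records to enumerate for one BIN; the check digit adds no freedom."""
    n = 10 ** FREE_DIGITS
    if with_expiry:
        n *= EXPIRY_DATES
    if with_cvv:
        n *= CVV_VALUES
    return n


def entropy_bits(n: int) -> float:
    """Search space in bits, comparable to the '16 random digits' figure in the post."""
    return math.log2(n)


if __name__ == "__main__":
    print("test PAN passes Luhn:", luhn_valid("4111111111111111"))
    print("number only:", search_space(False, False), f"{entropy_bits(search_space(False, False)):.1f} bits")
    print("number+expiry+CVV:", search_space(), f"{entropy_bits(search_space()):.1f} bits")
    print("16 random digits:", f"{entropy_bits(10 ** 16):.1f} bits")
```

The number-only space is about 30 bits and the full record about 45 bits, which is why processors lean on velocity limits and blocking rather than on the secrecy of the digits.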
