
There are well-specified rules for coming up with valid credit card account numbers, and at most, say, 60 valid expiration dates (12 months × 5 years into the future).

Once an attacker has a valid credit card number and expiration date, there are only 10⁴ = 10,000 four-digit security codes possible, which the attacker tries with parallel requests to hundreds of websites. Each website gives the attacker at least a few tries to enter valid credit card information.

Worst case, it takes only 10,000 parallel requests to guess the correct security code. Worst case.

I don't know whether to cringe or laugh at this.




You generally don't even need to get the right expiration date. As long as the date you supply is in the future it will usually work.

The security code also can sometimes be skipped. This varies from region to region, but in the US the credit card companies do not actually require a security code match for card not present transactions. The merchant can supply the code, and if so, the credit card processing system will report back on whether or not it matched, but it is up to the merchant to decide whether or not that should disallow completing the transaction.

Similar for customer address, by the way. The merchant can supply it and ask whether it matches, but whether or not a mismatch disallows the purchase is up to the merchant.


I think it also varies by processor, but I'm not sure on that one. One particular jerk merchant accepted my order for a few hundred dollars worth of car parts, then told me that he would only ship to my billing address. When I told him no and explained that my mail gets frequently stolen at that address, which is why I wanted my order shipped to the other address, he refused to cancel my order, and told me I'd need to call my bank to add the other address before he could ship my stuff.

At this point, he had not charged my card. I told him that if he did charge my card, I would file a chargeback. He charged it, I charged back, waited 2 months, and got a letter saying the chargeback was finalized and my refund was no longer "pending". Idiot cost himself probably 6% of the transaction both running it and paying for processing the refund, plus got a bad mark with his merchant account. He did all of this because he thought my transaction was fraud since the billing and shipping address didn't match (yet he refused to cancel it and charged it anyway).

Gas stations also verify billing zip.


Matching CVV depends on the underlying bank.


1) Pick a bank that gives expiration dates within 3 years. 60 => 36 combinations

2) Security codes are always 3 digits. I don't know why you think 4? 9999 => 999 combinations.


To your second point, AMEX uses 4-digit CVVs[1].

However, it's easy to tell the difference between an AMEX and a VISA/MC from the card number alone.

1. https://www.cvvnumber.com/


For AMEX, there's still a 3 digit CSC code on the back which you will need from time to time.

The 4 digit code on the front is their CID, asked for by most merchants.


Citation needed. I have an AMEX in my wallet and it does not have any codes on the back, nor have I ever been asked for one.


I just checked. I have three AMEX cards (Platinum, Blue Cash Preferred, Green) in my wallet. All three have both four-digit numbers on the front as well as three-digit numbers on the back.

I don't recall ever being asked for the three-digit code on the back (like I am with most VISA/MasterCard credit cards). It's always the four-digit one on the front.


The Apple Store (as in, the actual brick and mortar establishment) started using the 3-digit code on the back of my American Express card at some point instead of the 4-digit one at the front (but they are so far the only company I have personally run into which does that).


It does - there is a 3 digit number on the back in the signature strip. The Amex website will ask you for it if you attempt to change your phone number, amongst other similar high-risk transactions.


Not on mine there isn't. This may be a US-only thing?

Some discussion, which doesn't shed a whole lot of light though: https://insideflyer.com/forums/threads/what-is-the-3-digit-c...


At least most Spanish credit cards use the 3-digit code on the back of the credit card. And it's almost always asked for (but not on Amazon IIRC).


All of my UK Amex cards have it.


I have been asked for the 3-digit code when booking an airline ticket on a non-US site. During payment it passed through an Amex SafeKey site, which I think is kind of like 3-D Secure.

http://security.stackexchange.com/a/136296


Old comment, sorry, but I think AMEX codes are on the front of the card.


> there are only 10⁴ = 10,000 four-digit security codes possible

Yeah, that's not a big number, even manually, much less for a hacker.

I went to school for two months and the TV in my dorm room had been locked down to a few channels by some parental security crap, presumably by a previous occupant. With nothing better to do, I manually went through codes until I found the right one and unlocked it to open up more channels for myself.

It was only intimidating when I was entering random guesses at first. As soon as I decided to just methodically go through all possible combinations, it only took me something like two or three days of doing this when I wasn't in class and was watching TV anyway.

I am so glad I never tried to use BS like that with my own kids.


> Yeah, that's not a big number, even manually, much less for a hacker.

But how many false attempts do you have to make before the suspicious activity is picked up? At one a day you probably aren't going to get it right.
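The distributed guessing described in the top comment (a few tries per website, spread over hundreds of websites) and the question above about when false attempts get picked up are illustrated by this added example, which is not from the thread: each merchant's own per-site limit never trips, but the issuer sees every authorization for a card and can count CVV mismatches per card across merchants. The log format, field names and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization log: timestamp, card token, merchant, CVV result.
# card_A fails once at each of five merchants within seconds; card_B fails once.
SAMPLE_LOG = """\
2016-12-02T10:00:01Z card_A merchant_001 cvv=N
2016-12-02T10:00:02Z card_A merchant_002 cvv=N
2016-12-02T10:00:02Z card_A merchant_003 cvv=N
2016-12-02T10:00:03Z card_A merchant_004 cvv=N
2016-12-02T10:00:03Z card_A merchant_005 cvv=N
2016-12-02T10:00:04Z card_A merchant_006 cvv=Y
2016-12-02T10:05:00Z card_B merchant_001 cvv=N
2016-12-02T10:06:00Z card_B merchant_001 cvv=Y
"""

def parse_log(text):
    # Returns (timestamp, card, merchant, cvv_matched) tuples, oldest first.
    events = []
    for line in text.splitlines():
        ts, card, merchant, cvv = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), card, merchant, cvv == "cvv=Y"))
    return sorted(events)

def per_merchant_offenders(events, limit=3):
    """Merchant-side view: (card, merchant) pairs with >= limit CVV failures."""
    fails = defaultdict(int)
    for _, card, merchant, ok in events:
        if not ok:
            fails[(card, merchant)] += 1
    return {k for k, n in fails.items() if n >= limit}

def issuer_offenders(events, window=timedelta(minutes=10),
                     min_failures=3, min_merchants=3):
    """Issuer-side view: cards with >= min_failures CVV mismatches inside `window`
    spread over >= min_merchants distinct merchants; returns {card: merchants}."""
    misses = defaultdict(list)
    for ts, card, merchant, ok in events:
        if not ok:
            misses[card].append((ts, merchant))
    flagged = {}
    for card, hits in misses.items():
        start = 0
        for end in range(len(hits)):          # sliding time window over failures
            while hits[end][0] - hits[start][0] > window:
                start += 1
            recent = hits[start:end + 1]
            merchants = {m for _, m in recent}
            if len(recent) >= min_failures and len(merchants) >= min_merchants:
                flagged[card] = merchants
    return flagged
```

With this log no merchant sees more than one failure for card_A, so the per-merchant check returns nothing, while the issuer-side check flags card_A with five merchants.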


I am not a hacker, but other remarks here have cast light on how hackers do that. Those remarks fit with what I know about fraud from when I processed insurance claims for a living.


In the UK they are 3 digits on the back, 3000 is a worst case.


Isn't that (almost) 1000? All numbers between 001 and 999?


It's 1000, 000 -> 999.


For any valid card number yes. I'd bet that almost all don't have three numbers all the same and that there are probably more rules/conventions that would reduce the search space.

http://m.wolframalpha.com/input/?i=count+of+permutations+of+...


> I'd bet that almost all don't have three numbers all the same and that there are probably more rules/conventions that would reduce the search space.

You're correct that almost all don't have three identical digits, but that's just because there's only 10 of them -

000, 111, 222, 333, 444, 555, 666, 777, 888, 999

10/1000 = 1%

I doubt they would make up rules for determining the cvv, as it would only improve security until bad actors could determine the rules - then it would hinder security as there would be less entropy in the selection space.


I think they can be the same, but they are always > 99 (at least I've never seen a card with a CVV starting with 0).


A coworker of mine thought the same. Parsed the string into an int - we saw a bunch of cards get declined by our gateway processing company. They definitely can have leading zeroes.


I have, it was a Visa.


I had a card once that was three of the same. Obviously an anecdote, though.


The data you'd gain from this is practically useless to anyone looking to commit fraud... so laugh at the article I guess?

Maybe you could abuse this to create a lot of netflix accounts, but you aren't really going to be able to buy anything with just the PAN/cvv/expiry.


https://purse.io/ is a website for committing fraud with stolen credit cards.

It's a website that specializes in letting criminals convert credit card details (PAN/cvv/expiry) into bitcoin while exposing them to minimal risk.

There are very real ways to commit such fraud.


Yeah, it's really not that easy.

I'm sure it may seem so for someone who's really never dealt with fraud, but it's definitely not as easy as just signing up to amazon and making an order.

If you tried to use UK cards gained from doing this, I assure you, not a single one of your orders would ever ship.

You'd just be wasting your time getting all your drop addresses (or purse customer addresses) blacklisted.


Not really, purse.io does not facilitate fraud more than Amazon itself does. Purse.io just connects people who are willing to buy bitcoin using Amazon gift cards for a premium, and those that would like to purchase products on Amazon using bitcoin.


It's an out and out money laundering service. It exists for no other reason, there are no legitimate circumstances where someone would want or need to sell amazon gift cards at less than their face value. It is straight up money laundering and it's frankly incredible that it's lasted as long as it has.


> no legitimate circumstances where someone would want or need to sell amazon gift cards at less than their face value.

Absolute statements like this are so hard to back up.

For instance, if you live in Cuba, Iran, Syria, North Korea, or Syria, Amazon.com gift cards are worthless.

I know I received some AmericanEagle gift cards as a promotion recently, and unloaded them for less than face value just because I had absolutely no need/want to use them.


> there are no legitimate circumstances where someone would want or need to sell amazon gift cards at less than their face value

Many credit card rewards programs offer Amazon gift cards as a redemption option. The points:value ratio on these is generally significantly better than the ratio on cash rebates, even when you consider the hit taken on sites like purse.

e.g. 10,000 points might be redeemable for $100 in Amazon GC, but only $50 in cash, so even if you get the GC and sell them for $85, you still do better than if you had straight redeemed it for USD.


You can buy all kinds of valuables online, which you then resell. Gift cards are quite common.


You can potentially issue an old-style mag-stripe credit card knock-off, and pay with it in an offline store. IDK if it's worth the effort: the card should look reasonable physically, too.


No, there's an analogue of the CVV2, the CVV1, which is only present on the magnetic stripe. The information you'd get from an online transaction is not enough to print a working magstripe.


There are still offline processors that don't read magstripe and just take a copy of the card and a signature.


Yep, ever have a merchant enter your CC number on the keypad IRL? That's what's happening. The fees for these types of transactions are typically higher as your processor is assuming more risk, so they prefer to only do them when they need to. See https://www.mastercard.us/content/dam/mccom/en-us/documents/... if you're really curious about how this stuff works in the MasterCard case. Visa is similar AFAIK.


Not a repeatable form of fraud. You won't be able to make money abusing offline processing.

Why not just buy magnetic stripe dumps for a couple of $ each online? Significantly better risk/reward ratio.


Game gifts on online stores, such as Steam, are a common target.


Apple Store gift cards are another which are popular with scammers and fraudsters for whatever reason. I'm curious now what that reason is.


Yes, and you won't be able to use this data on such sites.

You'd be stopped by the very first line of defence, AVS checks.
