There are well-specified rules for coming up with valid credit card account numbers, and at most, say, 60 valid expiration dates (12 months × 5 years into the future).
Once an attacker has a valid credit card number and expiration date, there are only 10⁴ = 10,000 four-digit security codes possible, which the attacker tries with parallel requests to hundreds of websites. Each website gives the attacker at least a few tries to enter valid credit card information.
Worst case, it takes only 10,000 parallel requests to guess the correct security code. Worst case.
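The distributed guessing described in this post, as an added example that is not from the thread: an issuer-side velocity check over constructed authorization records, showing why a per-merchant retry limit alone never trips while the issuer, which sees every attempt, can block the card. Card tokens, merchant names and thresholds are placeholders.

```python
"""Issuer-side velocity check for distributed CVV guessing (added example).
Each merchant sees only a few mismatches per card, so its own limit never
fires; the issuer counts mismatches across all merchants in a time window.
Records below are constructed sample data, not real transactions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization log: (time, card_token, merchant, cvv_ok)
AUTH_LOG = [
    (datetime(2025, 1, 1, 12, 0, 0), "tok_A", "shop1", False),
    (datetime(2025, 1, 1, 12, 0, 1), "tok_A", "shop2", False),
    (datetime(2025, 1, 1, 12, 0, 1), "tok_A", "shop3", False),
    (datetime(2025, 1, 1, 12, 0, 2), "tok_A", "shop1", False),
    (datetime(2025, 1, 1, 12, 0, 2), "tok_A", "shop4", False),
    (datetime(2025, 1, 1, 12, 0, 3), "tok_A", "shop5", True),   # lucky hit
    (datetime(2025, 1, 1, 12, 5, 0), "tok_B", "shop1", False),  # one typo
    (datetime(2025, 1, 1, 12, 5, 9), "tok_B", "shop1", True),
]

MERCHANT_LIMIT = 3   # mismatches a single merchant tolerates per card (assumed)
ISSUER_LIMIT = 3     # mismatches across all merchants before blocking (assumed)
WINDOW = timedelta(minutes=10)


def merchant_view(log, limit=MERCHANT_LIMIT):
    """Cards that any single merchant would have cut off on its own."""
    fails = defaultdict(int)
    for _, card, merchant, ok in log:
        if not ok:
            fails[(card, merchant)] += 1
    return sorted({card for (card, _), n in fails.items() if n >= limit})


def issuer_view(log, limit=ISSUER_LIMIT, window=WINDOW):
    """Cards the issuer should block: `limit` CVV mismatches within `window`,
    counted across every merchant. Once blocked, later attempts (including
    the eventual correct guess) are ignored rather than authorized."""
    recent = defaultdict(list)   # card -> timestamps of recent mismatches
    blocked = set()
    for ts, card, _, ok in sorted(log, key=lambda r: r[0]):
        if card in blocked or ok:
            continue
        recent[card] = [t for t in recent[card] if ts - t <= window] + [ts]
        if len(recent[card]) >= limit:
            blocked.add(card)
    return sorted(blocked)
```

With the sample log, no merchant sees more than two mismatches for tok_A, so `merchant_view` flags nothing, while `issuer_view` blocks tok_A before the correct code lands at shop5.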
You generally don't even need to get the right expiration date. As long as the date you supply is in the future it will usually work.
The security code also can sometimes be skipped. This varies from region to region, but in the US the credit card companies do not actually require a security code match for card not present transactions. The merchant can supply the code, and if so, the credit card processing system will report back on whether or not it matched, but it is up to the merchant to decide whether or not that should disallow completing the transaction.
Similar for customer address, by the way. The merchant can supply it and ask whether it matches, but whether or not a mismatch disallows the purchase is up to the merchant.
I think it also varies by processor, but I'm not sure on that one. One particular jerk merchant accepted my order for a few hundred dollars worth of car parts, then told me that he would only ship to my billing address. When I told him no and explained that my mail gets frequently stolen at that address, which is why I wanted my order shipped to the other address, he refused to cancel my order, and told me I'd need to call my bank to add the other address before he could ship my stuff.
At this point, he had not charged my card. I told him that if he did charge my card, I would file a chargeback. He charged it, I charged back, waited 2 months, and got a letter saying the chargeback was finalized and my refund was no longer "pending". Idiot cost himself probably 6% of the transaction both running it and paying for processing the refund, plus got a bad mark with his merchant account. He did all of this because he thought my transaction was fraud since the billing and shipping address didn't match (yet he refused to cancel it and charged it anyway).
I just checked. I have three AMEX cards (Platinum, Blue Cash Preferred, Green) in my wallet. All three have both four-digit numbers on the front as well as three-digit numbers on the back.
I don't recall ever being asked for the three-digit code on the back (like I am with most VISA/MasterCard credit cards). It's always the four-digit one on the front.
The Apple Store (as in, the actual brick and mortar establishment) started using the 3-digit code on the back of my American Express card at some point instead of the 4-digit one at the front (but they are so far the only company I have personally run into which does that).
It does - there is a 3 digit number on the back in the signature strip. The Amex website will ask you for it if you attempt to change your phone number, amongst other similar high-risk transactions.
I have been asked for the 3-digit code when booking an airline ticket on a non-US site. During payment it passed through an Amex SafeKey site, which I think is kind of like 3D Secure.
> there are only 10⁴ = 10,000 four-digit security codes possible
Yeah, that's not a big number, even manually, much less for a hacker.
I went to school for two months and the TV in my dorm room had been locked down to a few channels by some parental security crap, presumably by a previous occupant. With nothing better to do, I manually went through codes until I found the right one and unlocked it to open up more channels for myself.
It was only intimidating when I was entering random guesses at first. As soon as I decided to just methodically go through all possible combinations, it only took me something like two or three days of doing this when I wasn't in class and was watching TV anyway.
I am so glad I never tried to use BS like that with my own kids.
I am not a hacker, but other remarks here have cast light on how hackers do that. Those remarks fit with what I know about fraud from when I processed insurance claims for a living.
For any valid card number yes. I'd bet that almost all don't have three numbers all the same and that there are probably more rules/conventions that would reduce the search space.
> I'd bet that almost all don't have three numbers all the same and that there are probably more rules/conventions that would reduce the search space.
You're correct that almost all don't have three identical digits, but that's just because there's only 10 of them -
000, 111, 222, 333, 444, 555, 666, 777, 888, 999
10/1000 = 1%
I doubt they would make up rules for determining the cvv, as it would only improve security until bad actors could determine the rules - then it would hinder security as there would be less entropy in the selection space.
A coworker of mine thought the same. Parsed the string into an int - we saw a bunch of cards get declined by our gateway processing company. They definitely can have leading zeroes.
I'm sure it may seem so for someone who's really never dealt with fraud, but it's definitely not as easy as just signing up to amazon and making an order.
If you tried to use UK cards gained from doing this, I assure you, not a single one of your orders would ever ship.
You'd just be wasting your time getting all your drop addresses (or purse customer addresses) blacklisted.
Not really, purse.io does not facilitate fraud more than Amazon itself does. Purse.io just connects people who are willing to buy bitcoin using Amazon gift cards for a premium, and those that would like to purchase products on Amazon using bitcoin.
It's an out and out money laundering service. It exists for no other reason, there are no legitimate circumstances where someone would want or need to sell amazon gift cards at less than their face value. It is straight up money laundering and it's frankly incredible that it's lasted as long as it has.
> no legitimate circumstances where someone would want or need to sell amazon gift cards at less than their face value.
Absolute statements like this are so hard to back up.
For instance, if you live in Cuba, Iran, Syria, North Korea, or Syria, Amazon.com gift cards are worthless.
I know I received some AmericanEagle gift cards as a promotion recently, and unloaded them for less than face value just because I had absolutely no need/want to use them.
> there are no legitimate circumstances where someone would want or need to sell amazon gift cards at less than their face value
Many credit card rewards programs offer Amazon gift cards as a redemption option. The points:value ratio on these is generally significantly better than the ratio on cash rebates, even when you consider the hit taken on sites like purse.
e.g. 10,000 points might be redeemable for $100 in Amazon GC, but only $50 in cash, so even if you get the GC and sell them for $85, you still do better than if you had straight redeemed it for USD.
You can potentially issue an old-style mag-stripe credit card knock-off, and pay with it in an offline store. IDK if it's worth the effort: the card should look reasonable physically, too.
No, there's an analogue of the CVV2, the CVV1, which is only present on the magnetic stripe. The information you'd get from an online transaction is not enough to print a working magstripe.
Yep, ever have a merchant enter your CC number on the keypad IRL? That's what's happening. The fees for these types of transactions are typically higher as your processor is assuming more risk, so they prefer to only do them when they need to. See https://www.mastercard.us/content/dam/mccom/en-us/documents/... if you're really curious about how this stuff works in the MasterCard case. Visa is similar AFAIK.
> Once an attacker has a valid credit card number and expiration date, there are only 10⁴ = 10,000 four-digit security codes possible, which the attacker tries with parallel requests to hundreds of websites. Each website gives the attacker at least a few tries to enter valid credit card information.
> Worst case, it takes only 10,000 parallel requests to guess the correct security code. Worst case.
I don't know whether to cringe or laugh at this.