Something that my friend mentioned sparked this question. He said that he saw some program somewhere where some identity thieves were able to discern the entire credit card number by just knowing the last 4 digits. I was skeptical of his claim because it would be almost a total crapshoot trying to guess one of the trillion combinations for the first twelve digits (not to mention the expiration date and the 3 digit security code on the back). Yeah IIRC each bank has a unique combination for the first 4 digits, but after that I will plead total ignorance.
So am I risking ID theft if I don’t burn/shred any receipt containing the last 4 digits, or is this something I really shouldn’t worry about?
(I originally said 9999, but I forgot to account for 0000)
Basically, there are only 10,000 combinations for the last 4 digits. In order to be able to figure out the full 16 digits from the last 4 digits, there can be only one number for each combination of the last 4 digits. For example, if you have:
1234-5678-9101-2434
4234-4234-2234-2434
Then if you were given just 2434, there would be no way to know if the full number is the first or second one. Thus since there are only 10,000 unique last 4 digit combinations, there could only be 10,000 unique full number combinations if you could determine the full CC number from the last 4 digits.
Credit card numbers aren’t just random blocks of 16 digits, though–there are some mathematical relationships that hold between them. So if a crook knows the last four digits and those relationships, that narrows their search space considerably.
this. also: IIRC most credit card numbers end with a CRC checksum digit, which means that the total of possible numbers would be 10 times lower; so about 999. And we know that’s not true.
edit: that’s not to mean that you can’t come up with a “valid” cc number; it just means that it’s not likely you can guess the right cc number for any given customer, given only the last 4 digits.
The checksum is on the whole string of digits. It doesn’t narrow down the number of possible 4 digits endings, just what can come before each of them. But, yes, there are only 10,000 possible last strings, so the claim is silly right off the bat.
Generally, if you know all of the digits of a credit card except for one, you can calculate the last one easily. But that’s not terribly useful for committing fraud…
I used to manage a billing and payment system for a large online merchant and worked closely with our merchant acquirer, so I learned a lot about credit cards. I agree that it is not practically possible to determine a credit card number from the last 4 digits. Actually, I sometimes did searches based on the last 4 digits and frequently got multiple hits, and we had only about 8-10 million card numbers in our database.
There is a check digit that is calculated by a simple series of calculations but you can’t go backwards–the check digit will not allow you to determine *any* of the digits even if you know the last 4. After all, it’s only one digit so for each check digit value there are roughly a gazillion possible credit card numbers.
On the other hand: A few years back, there was some sort of breach of security at Visa, and they had to issue a bunch of people (including me) new card numbers. The old, presumed-compromised, card, and the new, secure one differed only in their last four digits. So a determined crook could have gotten the first twelve digits from the stolen hard drive or whatever it was, and the last four from a discarded receipt or the like, and assembled my entire card number.
The fact that the first twelve digits all matched also suggests the possibility that there’s some further pattern, which a crook might conceivably be able to determine from additional information (date when the card was applied for, or the person’s name, or whatever).
Many (most? all?) credit card receipts show the last four digits of the card (the first 12 being represented by X’s) and have done so for years. If there were a way to use those digits profitably, you can be sure it would have been done long ago.
It’s worth bearing in mind that some of the stuff at the front end will be fixed. The first two identify the network (37 for Amex, 45 and 49 for Visa, 54 and probably at least one more for MC, and so on), and then the next few digits identify the bank, then there’s the account number, then some issue identifiers (to let them tell if this is your current card or the one you lost last year) and at the end there’s a check digit.
If they know e.g. that it’s an MBNA Visa card, and the last four digits, and the algorithm which checks the number is valid then it’s relatively easy to work out the possible ‘valid’ card numbers, at least one of which will be your card number. They only have to figure out half a dozen or so digits, and can discard 50% of the possibilities. Some info from wiki
Can they get the card number from the last digits? No.
Does it help them take an educated guess at what your number is? Yes.
Is it an easier way of getting card numbers than dumpster diving, restaurant skimming, phishing, hacking servers etc? No.
Never underestimate the stupidity of organizations. Take our local library system. They used to print a patron’s whole ID number on the slips put in the books for the on-hold shelves. (A lot of people do this at our branch. Mrs. FtG in particular.) So it made it trivial to walk by the on-hold shelves and pick up hundreds of valid patron IDs. (Which can be used to check out books with no intention of returning them or use the library computers and Do Bad Things on them.)
So they went to the last several digits on the slip. But the prefix is standardized, there’s a check digit, etc. So all one needs to guess is a single digit. And you can sit at a library computer and run thru those and have the system tell you when you hit a correct one.
As with several other security issues I have uncovered at the library, the staff is completely uninterested in helping me find someone that would actually care who I could report this to.
The last digit of a standard 16-digit credit card number is a check digit. The check digit is generated from adding the rest of the 15 numbers together and doing some simple math on the sum which reduces the sum down to a number 0 through 9, which becomes the last digit.
So according to my calculations if you know the last 4 digits you could rule out 90% of the 999,999,999,999 combinations that don’t add up properly. That’s still a hundred million card numbers. If you knew whether it was Visa, Mastercard, or Discover, then you would know the first digit was a 4, 5, or 6. That would narrow it to 10% of 99,999,999,999 combinations, so ten million possibilities.
That’s all the advantage I could see from the last 4 digits.
That may be true for that very specific scenario, but in general, if you have the last 4 digits but have no other information about the cardholder and the card, you can’t reconstruct the entire number.
I once heard someone say that with the “authorization number” on the credit card slip and the last 4 digits of your card, you could “look up” the transaction or credit card number.
Does anyone know if this is true?
J.
p.s., to slaphead: All visa cards do not start with 45 or 49. Mine starts with 44.
This is a common mistake. The position may matter in the few milliseconds it takes to first create the whole number, but from then on any digit can be treated as the checksum digit. E.g., give me all but the 7th digit and I can generate the whole number. Hence, the last digit is no more nor less significant than any other. So thinking of the last 4 digits, for example, as 3 “real digits” and a checksum digit would be pointless.
Also, the bank prefix is quite easily guessed in many situations. So while the number of possible valid matching numbers that go with the last 4 digits is a good size number, it is not nearly as large as doing simple 10^11 (16-4-1 not 12) calculations would lead you to believe.
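Added example, not part of any post in this thread: payment card numbers use the Luhn check digit (ISO/IEC 7812), and the sketch below checks two claims made above, that any single missing digit can be recovered and that the check digit removes exactly a factor of ten from the candidates behind a known ending. The function names are illustrative, the card number is the widely published test value, and the count is run on a shortened 8-digit number as an assumption to keep it fast.

```python
from itertools import product

def luhn_sum(digits):
    """Luhn weighted sum: double every second digit, counting from the right."""
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return total

def is_valid(number):
    """True when the digit string passes the Luhn check."""
    return luhn_sum([int(c) for c in number]) % 10 == 0

def recover_digit(masked):
    """Return the one digit hidden behind a single '?' at any position."""
    matches = [d for d in "0123456789" if is_valid(masked.replace("?", d))]
    # Both the plain and the doubled mapping are permutations of 0-9 mod 10,
    # so exactly one value can satisfy the check.
    assert len(matches) == 1
    return matches[0]

def count_valid_prefixes(suffix, unknown):
    """Count the `unknown`-digit prefixes that make prefix+suffix Luhn-valid."""
    return sum(is_valid("".join(p) + suffix)
               for p in product("0123456789", repeat=unknown))

# Widely published test number, not a real account.
TEST_PAN = "4111111111111111"

if __name__ == "__main__":
    print(is_valid(TEST_PAN))                  # full number passes the check
    print(recover_digit("411111?111111111"))   # 7th digit masked
    print(recover_digit("411111111111111?"))   # last digit masked
    # Constructed 8-digit case: 4 unknown digits in front of a known ending.
    print(count_valid_prefixes("2434", 4))
```

Scaled to a 16-digit number with 12 unknown digits, the same factor of ten leaves 10^11 Luhn-valid candidates behind every possible four-digit ending, which is why a receipt's last four digits alone do not identify a card.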