First let me say that I am NOT looking for a way to guess a usable credit card number. I understand that it might not be possible to discuss this without enabling a crime, and so I will notify a mod for their review. However, I think that an intelligent discussion re: statistics and/or number theory (?) could be had without violating any rules.
I work at a delivery restaurant that takes orders and CC payments over the phone. If the number is entered correctly it takes a couple seconds to verify if the card is declined or not. However, if I mishear/mistype one digit, it immediately tells me that it’s not a valid card number. Many people have gotten “wrong number” phone calls, but this doesn’t seem (?although, how could I know?) to happen with CC#'s.
How does the computer know without checking with the CC company? Is it because the sum of all the digits doesn’t equal some pre-established number? Or some other type of mathematical checksum method?
BTW, we do need the expiration date, but not the 3-digit number on the back or the zip code.
The CC companies don’t want people to randomly guess a valid CC number that doesn’t belong to them. They also don’t want a typing mistake to charge the wrong person’s card.
16 digits would give you (I think) 10 quadrillion combinations. Since the first digit is wasted to ID the type of card (eg. Visa card #’s all start with a 4), we’re down to 1 quadrillion.
My hypotheses:
1.) You could sacrifice, say, 3 digits, and still have 1 trillion valid CC numbers. This would mean that any random number you tried would only have a 1 in 1000 chance of being valid. Simply eliminating a bunch* of numbers to make it less likely to guess a valid card number seems kind of crude.
2.) One digit could be a type of control digit, that makes sure that the sum of all the digits is a number that ends in a 5. For example, if all of the other digits added together came to 32, that one control digit would have to be a 3. That way 1 mistyped digit couldn’t accidentally charge some random person’s CC. This would allow our computer to instantly know that the card # was not valid without contacting the CC company.
Now that I think more about this, this wouldn’t work if 2 digits were transposed, which is as likely to happen as any other mistake. So what works for RAID wouldn’t work for CC companies.
3.) Two of the digits are tied to the expiration month (they needn’t be identical). This has some or all of the problems as #2.
4.) Some combination of the above
5.) Every other digit is a control digit. This would leave only 100,000,000 possible CC numbers, but would prevent a single mistyped digit or 2 transposed digits from matching somebody else’s CC#.
6.) Some methods that I’m not thinking of.
So, can we discuss this in vague enough terms as to not enable CC fraud?
My brain might be getting mushy, but I think that if you use just 1 digit as some type of control digit, you’re eliminating 90% of your possible combinations? 2 digits would eliminate 99%, and 3 would eliminate 99.9?
It isn’t the sum but it is algorithmic namely the Luhn algorithm. There are other algorithms which perform a similar function. You can look into checksum algorithms or error correction algorithms if you’d like to know more about it in general.
It’s this. There are certain numbers allowable in the first 4 places that identify the provider, plus other checksums for the remaining digits. These are commonly known and used in pretty much any software that performs credit card checks, so if anything, it’s a way to prevent crime, not enable it. You can Google “credit card number validation code” if you want more details
There’s a certain amount of information about credit card numbering systems that can be easily googled. Posting that kind of stuff here is perfectly fine. As long as we don’t have any “how to scam the credit card companies” type posts, I don’t see a problem.
Credit card numbers have to pass what is known as the Luhn algorithm in order to be valid. Any credit card that doesn’t pass this check will immediately fail.
More info here:
The first few digits of the credit card number indicate the issuing bank. The remaining numbers are your account number and a check digit so that it will pass the Luhn check.
More info here:
ETA: I somehow missed BeepKillBeep’s post which already mentioned the Luhn check.
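As an added illustration (not part of the original thread, and not any processor's code), here is the Luhn check in Python, together with a check-digit generator, the "issuer prefix + account number + check digit" completion described above, and two small probes that test the hypotheses raised in the opening post: whether a single mistyped digit is always caught, and whether transposing two adjacent digits is caught. The plain digit-sum scheme (hypothesis 2, last digit chosen so the sum ends in 5) is included for comparison. All card numbers used are constructed test values, not real accounts.

```python
"""Luhn mod-10 check digit as used on payment card numbers (added example)."""


def luhn_sum(digits: str) -> int:
    """Luhn sum of a digit string, modulo 10; a valid number sums to 0.

    Walking from the rightmost digit, every second digit is doubled and, if the
    result has two digits, 9 is subtracted (18 -> 9, the same as 1 + 8).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """True when the number (spaces allowed) passes the Luhn check."""
    digits = number.replace(" ", "")
    return digits.isdigit() and len(digits) > 1 and luhn_sum(digits) == 0


def luhn_check_digit(body: str) -> str:
    """Check digit for `body`, i.e. the number with its last digit missing."""
    return str((10 - luhn_sum(body + "0")) % 10)


def complete_card_number(issuer_prefix: str, account: str) -> str:
    """Issuer prefix + account digits + Luhn digit; prefix/account are constructed."""
    body = issuer_prefix + account
    return body + luhn_check_digit(body)


# Hypothesis 2 from the opening post: pick the last digit so the plain digit sum ends in 5.
def plain_sum_check_digit(body: str) -> str:
    return str((5 - sum(map(int, body))) % 10)


def plain_sum_valid(number: str) -> bool:
    return number.isdigit() and sum(map(int, number)) % 10 == 5


def single_digit_errors_detected(number: str, valid=luhn_valid) -> bool:
    """Substitute every other digit at every position; True if all are rejected."""
    for i, orig in enumerate(number):
        for d in "0123456789":
            if d != orig and valid(number[:i] + d + number[i + 1:]):
                return False
    return True


def missed_adjacent_transpositions(number: str, valid=luhn_valid) -> list:
    """Positions (i, i+1) of distinct adjacent digits whose swap still validates."""
    missed = []
    for i in range(len(number) - 1):
        a, b = number[i], number[i + 1]
        if a != b and valid(number[:i] + b + a + number[i + 2:]):
            missed.append((i, i + 1))
    return missed


if __name__ == "__main__":
    card = complete_card_number("4090", "00000000000")   # constructed, not a real account
    print(card, luhn_valid(card))
    print("single-digit errors caught:", single_digit_errors_detected(card))
    print("transpositions missed by Luhn:", missed_adjacent_transpositions(card))
    plain = "409000000000000" + plain_sum_check_digit("409000000000000")
    print("transpositions missed by plain sum:",
          missed_adjacent_transpositions(plain, plain_sum_valid))
```

Running the probes shows the point made in the thread: both schemes reject every single-digit substitution, but the plain digit sum is unchanged by any transposition, whereas Luhn catches all adjacent transpositions except swapping a 0 and a 9 (those two digits contribute the same whether doubled or not).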
Let’s not forget that the credit card number is only one piece of the puzzle. For the credit card clearing house we use, you must also match it to the correct expiration date, street address and zip code. Interestingly, the CSC security code is considered “optional,” but I have noticed that if you have the correct CSC, you can screw up the street address and still get an approval.
The credit card clearing houses are also looking at you as a customer. If you’re getting lots of charge-backs and declined cards or look the least bit fishy, they drop you.
My concern was that someone could use this knowledge to pick some random numbers and use the algorithm to generate a random, valid CC#; then order a bunch of stuff online and try using these “valid” numbers in hopes that they match an active account.
If which digit is the checksum digit is different for each provider, then this adds a huge layer of support, since this means that you would have a 1 in 12 chance of guessing the correct digit (assuming that first 4 digits ID the provider). However, I don’t think that this is possible.
As I said before, while many gas stations require me to input my zip code (the odds of a criminal guessing correctly ranges, in my estimation, somewhere from 50% to .001%, depending on the situation) [The high end is if the criminal has your card number and knows approximately where you live. The low end is if the criminal is randomly guessing 5 digits, which is actually the case in my hypothetical of a mathematically inclined gambling-with-numbers criminal.], my restaurant requires neither the zip code nor the 3 digit code (which would cut your odds of guessing correctly by 1,000).
I suppose the answer is that, even if someone were to use this method of CC fraud to pay for dozens of dollars worth of food, we have their address and phone number on file.
It’s the work of like two seconds to find several sites that will let you generate valid credit card numbers, I guess for testing purposes. I’ve used them in the long ago with a website I no longer even remember that required that you set up an account with a CC for a free trial. In less sophisticated days, I guess they only validated that the card was plausible, and didn’t make any attempt to verify with the banks until the free trial expired.
The odds of a random card number generator matching a real account number are just super low, I guess.
They’d have a much better chance of hitting the Powerball or, indeed, getting rich using any other scam.
You yourself, in the OP, noticed there are a huge number of possible credit card numbers. The credit card companies don’t imagine they’ll each have quadrillions of customers at any point in the future. What they imagine is people trying the scam you described, and being utterly foiled by the fact the vast, vast majority of mathematically valid credit card numbers are unused, have never been used, and probably will never be used.
The fact the credit card number is only one piece of information just makes your concern even less likely. Doing anything even approximating successful credit card fraud just by chance is so unlikely we can treat it as being impossible.
I don’t know if you have experience keying in credit card numbers or not, but I key in a ton of them. IME, the address/zip code don’t have to match (and the machine will tell me the results of that). One of my terminals asks for the CVV code, the other one doesn’t*. Now, as for the expiration date…that’s tricky. 90% of the credit cards I key in are well known, long time, repeat customers that I do business with at least once a week for years at a stretch. If I go to key in the card and I see that it’s expired, I make a mental note to call them about that or ask them the next time I talk to them, but in the mean time, I’ve found that nine times out of ten, if I just push the year out 5 or 10 years but leave the month the same, the card goes through. If the month is wrong, it usually declines. Now if I don’t have an expiration date, sometimes I’ll just take a stab at it. Either I guess right an odd amount of the time (probably the case) or some cards will go through even if the month is wrong as well.
*A while back I asked my credit card processor if they charge me more/less when it comes to CVV (entered, not entered, incorrect). He said, so far as he knows, the fee remains the same (it’s a card not present transaction). The only time that piece of information comes into play is if the card holder initiates a chargeback. In that case, having entered the correct CVV (and address info) is more item in my favor. So, since, as I mentioned earlier, the majority of these keyed in cards are customers I’m quite sure aren’t going to be charging anything back, it’s not something I’m worried about. Even if one would, hopefully, the address verification and long history would help my case.
ETA, and it always drives me nuts when I have to call someone back to get the card number from them again and they’re telling me it shouldn’t have declined or ‘hold on I’ll get a different one…’ and I’m trying to explain to them ‘no no no, I’m sure I just wrote it down wrong, my machine wouldn’t even let me run the card’.
One of the web security tools I work with examines HTTP server responses and masks out credit card numbers. This is to prevent data leakage when a request containing a SQL injection dumps a database that includes full credit card information into a response.
I had a customer that was having a problem with a web-based GIS system. Eventually I got a failed response dump and a good response dump, and fired up a diff tool.
Deep in a massive chunk of javascript for the GIS system was a very long constant. Once you stripped out the decimal, it was longer than 16 digits, and one of the 16 digit substrings was a Luhn number.
Which the security system promptly converted to something else, causing the browser to barf and the response (and thus the website) to fail.
Easy enough to fix (by disabling that feature for certain URIs), but I did wonder about the 16+ significant digits in the code.
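To show concretely how a masking filter like the one in the post above can trip on a numeric constant, here is an added example in Python (not the tool in question, and not the GIS code). It runs two matchers over a constructed response body: a naive one that treats any run of digits mixed with dots, spaces and dashes as a candidate, strips the separators and Luhn-checks every 16-digit window, and a bounded one that only accepts a standalone run of four digit groups not adjacent to other digits. The float literal `3.14159265358979601` and the JSON line are constructed; the card number in it is a well-known test value, not a real account.

```python
"""Luhn-based card-number masking, naive vs. bounded matcher (added example)."""
import re


def luhn_valid(digits: str) -> bool:
    """Mod-10 Luhn check over a string containing digits only."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Naive matcher: a loose run of digits and separators; every 16-digit window
# of the stripped digits is Luhn-checked.  This is what turns a long float
# literal in a script into a "card number".
NAIVE = re.compile(r"[0-9][0-9 .-]{14,}[0-9]")

# Bounded matcher: exactly four groups of four digits, optionally separated by a
# single space or dash, with no digit immediately before or after.  A float
# literal with 17 digits after the decimal point has no such standalone run.
BOUNDED = re.compile(r"(?<![0-9])(?:[0-9]{4}[ -]?){3}[0-9]{4}(?![0-9])")


def _digit_positions(text: str, start: int, end: int) -> list:
    return [p for p in range(start, end) if text[p].isdigit()]


def naive_hits(text: str) -> list:
    """(window, character positions) for each Luhn-valid 16-digit window."""
    hits = []
    for m in NAIVE.finditer(text):
        pos = _digit_positions(text, m.start(), m.end())
        digits = "".join(text[p] for p in pos)
        for i in range(len(digits) - 15):
            window = digits[i:i + 16]
            if luhn_valid(window):
                hits.append((window, pos[i:i + 16]))
    return hits


def bounded_hits(text: str) -> list:
    """(number, character positions) for each standalone Luhn-valid 16-digit run."""
    hits = []
    for m in BOUNDED.finditer(text):
        pos = _digit_positions(text, m.start(), m.end())
        digits = "".join(text[p] for p in pos)
        if luhn_valid(digits):
            hits.append((digits, pos))
    return hits


def mask(text: str, hits) -> str:
    """Replace each hit's digits with X, leaving separators and everything else alone."""
    chars = list(text)
    for _, pos in hits:
        for p in pos:
            chars[p] = "X"
    return "".join(chars)


def naive_windows(text: str) -> list:
    return [w for w, _ in naive_hits(text)]


def bounded_numbers(text: str) -> list:
    return [d for d, _ in bounded_hits(text)]


# Constructed sample response body (assumed; not the original GIS page): a script
# with a long float literal, then a JSON fragment that really carries a test card.
SAMPLE = (
    'var kScale = 3.14159265358979601;\n'
    '{"card": "4539 1488 0343 6467", "exp": "12/29"}\n'
)


if __name__ == "__main__":
    print(mask(SAMPLE, naive_hits(SAMPLE)))    # the float literal is mangled too
    print(mask(SAMPLE, bounded_hits(SAMPLE)))  # only the card number is masked
```

With the naive matcher the first 16 of the literal's 18 digits happen to pass Luhn, so the script is rewritten to `X.XXXXXXXXXXXXXXX01` and would no longer parse, which is the failure described above; the bounded matcher masks only the JSON card number. Luhn alone is a 1-in-10 filter, so any scanner that slides a 16-digit window across arbitrary digit runs will produce false positives at about that rate.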
In the US all Visa cards start with a “4”. The next 14 digits are 3-5 digits identifying the issuer and 9-11 identifying the card. The 16th is a check digit per the Luhn algorithm. MasterCard is the same except the first digit is a “5”. Discover is IIRC “6”. All this is widespread public knowledge.
So if I can look at any real Visa card and see the first 4 are, e.g. “4123”, I can go ahead and generate the remaining 11 digits sequentially or randomly and add the correct Luhn digit to make 16 digits. In that way I just created 100,000,000,000 = 100 billion completely valid Visa card numbers belonging to whichever bank is “4123”.
That’s the easy part. The problem is even big banks only have a few dozen million cards out. Discover is the smallest of the big 3 and has 61 million card holders according to an undated wiki cite. 61 million / 100 billion is very roughly 1/1000 or 0.1%.
So for every 1000 fake-but-apparently valid card numbers you generate 999 of them will be inactive; either never issued or already cancelled.
Then you have to solve the problem of the CVV or matching address or zip code. CVVs are a bit more secretive, but if we assume they’re simply 3 digit numbers with any 3 digits being correct, there are 1000 possible CVVs.
So now given a single bank-valid Luhn-valid Visa card number you have a roughly 1 in 1 million shot of getting A) an actually-valid card at that bank and B) getting the CVV right.
It’s far easier and cheaper to just buy a few thousand known-good numbers off the dark web from some data thieves than it is to try 1 million purchases to have one succeed.
Punch line:
When I was a kid in the 1960s there were booklets published by Visa every couple weeks listing all the bad cards. Any 16 digit number not in the book was assumed by the merchant to be good. With the result that you’d get your merchandise and walk, then a week later they’d get the bad news that the number was bogus.
Clearly that system would not work today. Hence the advent of instant online verification of valid number and remaining credit limit. Plus supplementing the mere 1/1000 safety of the CC number itself with the additional details of address, zip code, and/or CVV to keep the odds in the houses’, not the crooks’, favor.