This tool can crack credit card numbers in just 6 seconds

Bradley Wint
Dec 12, 2016 10:23pm AST

If you didn’t know by now, credit card numbers are actually based on a mathematical equation. Many websites can validate a credit card number using the Luhn, or mod 10, algorithm.

Researchers have come up with a program that uses this formula to generate hundreds of permutations along with bank location details, expiry dates, and CVV numbers. The numbers are then plugged into various e-commerce websites to validate the authenticity of the card numbers.

The program could then be used to guess CVV numbers, expiry dates, ZIP codes, and even street locations, which could then be used to make illegal purchases.

Fundamentally, much of the problem with card payment stems from the fact that the identity of the payer needs to be established in the ‘card-not-present’ mode. This is inherently problematic since it is at odds with the original use of cards (where the card and cardholder are present at the moment of purchase). It also implies that, for instance, Chip-and-PIN is not available to establish the identity of the payer. This is exacerbated by the fact that the Internet facilitates distribution of guesses for data fields over many merchant sites.

Luckily for Mastercard holders, this brute-force method may not be effective, as the credit card would be instantly frozen if unsuccessfully queried more than 100 times. Unfortunately, Visa cardholders do not enjoy this protection and stand a higher chance of having their card details found out.

Unfortunately, the issue does not seem easily correctable as the researchers suggest that online payment gateways be standardized and centralized to mitigate the risk of card brute force attempts.


To prevent the attack, either standardisation or centralisation can be pursued (some card payment networks already provide this). Standardisation would imply that all merchants need to offer the same payment interface, that is, the same number of fields. Then the attack does not scale anymore. Centralisation can be achieved by payment gateways or card payment networks possessing a full view over all payment attempts associated with its network. Neither standardisation nor centralisation naturally fit the flexibility and freedom of choice one associates with the Internet or successful commercial activity, but they will provide the required protection. It is up to the various stakeholders to determine the case for and timing of such solutions.
