Photo: stevepb/Pixabay

This tool can crack credit card numbers in just 6 seconds

By Bradley Wint, Founder/Executive Editor - Dec 12, 2016 10:23pm AST

If you didn’t know by now, credit card numbers are not random: they are built around a mathematical formula. Many websites validate a credit card number using the Luhn (mod 10) algorithm.

Researchers have come up with a program that uses this formula to generate hundreds of permutations along with bank location details, expiry dates, and CVV numbers. The numbers are then plugged into various e-commerce websites to validate the authenticity of the card numbers.

The program could then be used to guess CVV numbers, expiry dates, ZIP codes, and even street locations, which could then be used to make illegal purchases.

Fundamentally, much of the problem with card payment stems from the fact that the identity of the payer needs to be established in the ‘card-not-present’ mode. This is inherently problematic since it is at odds with the original use of cards (where the card and cardholder are present at the moment of purchase). It also implies that, for instance, Chip-and-PIN is not available to establish the identity of the payer. This is exacerbated by the fact that the Internet facilitates distribution of guesses for data fields over many merchant sites.

Luckily for Mastercard holders, this brute-force method may not be effective, as the credit card would be instantly frozen if unsuccessfully queried more than 100 times. Unfortunately, VISA cardholders do not enjoy this privilege and stand a higher chance of having their card details found out.

Unfortunately, the issue does not seem easily correctable as the researchers suggest that online payment gateways be standardized and centralized to mitigate the risk of card brute force attempts.

To prevent the attack, either standardisation or centralisation can be pursued (some card payment networks already provide this). Standardisation would imply that all merchants need to offer the same payment interface, that is, the same number of fields. Then the attack does not scale anymore. Centralisation can be achieved by payment gateways or card payment networks possessing a full view over all payment attempts associated with its network. Neither standardisation nor centralisation naturally fit the flexibility and freedom of choice one associates with the Internet or successful commercial activity, but they will provide the required protection. It is up to the various stakeholders to determine the case for and timing of such solutions.
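The centralised view described above can be sketched as follows. This is an added example, not code from the article or the researchers; the thresholds, the index key, the merchant names and the event tuples are assumptions constructed for illustration. It compares what each merchant sees on its own with what a gateway sees when it counts declines per card across the whole network.

```python
import hashlib
import hmac
from collections import defaultdict, deque

INDEX_KEY = b"constructed-demo-key"  # assumption: a secret held by the gateway
WINDOW_SECONDS = 600                 # assumption: look-back window
MAX_FAILURES = 10                    # assumption: declines allowed per card, network-wide
PER_SITE_LIMIT = 5                   # assumption: what one merchant alone would tolerate

def card_key(pan):
    # Keyed hash: the monitor indexes cards without storing raw numbers.
    return hmac.new(INDEX_KEY, pan.encode(), hashlib.sha256).hexdigest()

class CentralMonitor:
    """Counts declined attempts per card across every merchant on the network."""
    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES):
        self.window, self.max_failures = window, max_failures
        self.declines = defaultdict(deque)  # card key -> timestamps of declines
        self.frozen = set()

    def record(self, ts, pan, approved):
        key = card_key(pan)
        if key in self.frozen:
            return "frozen"
        if approved:
            return "approved"
        q = self.declines[key]
        q.append(ts)
        while ts - q[0] > self.window:   # drop declines older than the window
            q.popleft()
        if len(q) > self.max_failures:
            self.frozen.add(key)
            return "frozen"
        return "declined"

def compare_views(events):
    """Return (worst per-merchant decline count, index of the attempt that froze the card)."""
    per_site, monitor, frozen_at = defaultdict(int), CentralMonitor(), None
    for i, (ts, merchant, pan, approved) in enumerate(events):
        if not approved:
            per_site[(merchant, pan)] += 1
        if monitor.record(ts, pan, approved) == "frozen" and frozen_at is None:
            frozen_at = i
    return max(per_site.values(), default=0), frozen_at

# Constructed sample: 60 declines for one test card number, 2 at each of 30 merchants.
TEST_PAN = "4111111111111111"  # widely published test number, not a real account
EVENTS = [(i * 5, f"merchant-{i % 30}", TEST_PAN, False) for i in range(60)]
```

On the constructed sample, no single merchant ever sees more than two declines, well under the assumed per-site limit, while the network-wide count freezes the card on the eleventh declined attempt.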


About the author: Bradley Wint, Founder/Executive Editor