Full Disclosure mailing list archives
Re: Hackers View Visa/MasterCard Accounts
From: "Kevin Spett" <kspett () spidynamics com>
Date: Tue, 18 Feb 2003 16:01:37 -0500
Even with the checksum digits, the keyspace for all possible credit card numbers is huge and largely unused. Also, if you get declined, you don't know whether it's a problem with the card number or the expiration date. There's no way to brute force issued card numbers independent of expiration dates, which would speed up the process greatly. So let's say that you're assuming that the expiration date is within three years. If you've got an unissued card number, you have to make all 36 attempts with it.

Also, CNN has revised their story. The new number is 5.6 million credit card numbers.

Kevin.

----- Original Message -----
From: "Jason Coombs" <jasonc () science org>
To: "Richard M. Smith" <rms () computerbytesman com>; <full-disclosure () lists netsys com>
Sent: Tuesday, February 18, 2003 1:00 PM
Subject: RE: [Full-disclosure] Hackers View Visa/MasterCard Accounts

AVS gives the merchant a clue as to whether or not there is high risk posed by a particular alleged-customer. Merchants are free to ignore AVS, and many don't even bother to use it. Anyway, it doesn't impact the "declined" or "authorized" result given to a shopper at an e-commerce site that implements real-time processing.

Jason Coombs
jasonc () science org

-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com]On Behalf Of Richard M. Smith
Sent: Tuesday, February 18, 2003 5:30 AM
To: full-disclosure () lists netsys com
Subject: RE: [Full-disclosure] Hackers View Visa/MasterCard Accounts

Wouldn't the AVS system used by the credit card companies catch this kind of hack? The AVS system does a rudimentary check to make sure that the billing address given on an order is the correct one for the credit card.

Richard

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html