Full Disclosure mailing list archives

RE: Hackers View Visa/MasterCard Accounts


From: "Bernie, CTA" <cta () hcsin net>
Date: Tue, 18 Feb 2003 17:31:31 -0500


On 18 Feb 2003, at 11:08, Jason Coombs wrote:

>>>
lucky for cc fraudsters, issuers opt to create cards in batches
where all of the neighboring card numbers share the same
expiration date (month/year).
<<<
Taking into account that the batches are done sequentially,
Luhn checksums could be easily discovered through a bit of
simple Mod 10 arithmetic, and that there is better than a 50%
probability of predicting the expiration date, I would say that the
thief could be more successful at exploiting newly generated
credit card numbers, and just use those stolen as seeds.

Now assuming that a thief has successfully generated such
numbers, what would be the best method of attack? How about
a few coins ($0.50) here and there, times 5 million plus cards
per month?  How many credit card customers or issuing banks
will pay any attention to such inconsequential charges?
Especially if the statement notes such a charge something like
"account maintenance fee"?

I fear that the real payload has yet to be calculated.




-----Original Message-----
From: Kevin Spett [mailto:kspett () spidynamics com]
Sent: Tuesday, February 18, 2003 11:02 AM
To: jasonc () science org; Richard M. Smith;
full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Hackers View Visa/MasterCard
Accounts


Even with the checksum digits, the keyspace for all possible
credit card numbers is huge and largely unused.  Also, if you get
declined, you don't know whether it's a problem with the card
number or the expiration date. There's no way to brute force
issued card numbers independent of expiration dates, which would
speed up the process greatly.  So let's say that you're assuming
that the expiration date is within three years.  If you've got an
unissued card number, you have to make all 36 attempts with it.

Also, CNN has revised their story.  The new number is 5.6 million
credit card numbers.


Kevin.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



-
****************************************************
Bernie 
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************
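The two defender-side checks the thread points at, written as an added Python example that is not part of either mail: a Luhn (mod 10) validator for rejecting malformed card numbers before any authorization request, and a detection rule for the "a few coins here and there, times millions of cards" pattern. The merchant descriptors, card tokens, amounts and thresholds are constructed test data.

```python
"""Added example, not from the thread: Luhn/mod-10 input validation and a
detection rule for many tiny identical charges spread across distinct cards.
All card numbers, tokens, merchants and amounts are constructed test data."""
from collections import defaultdict


def luhn_valid(pan: str) -> bool:
    """Return True if pan (12-19 digits, spaces/hyphens allowed) passes the
    Luhn mod 10 check. Reject malformed numbers locally instead of letting
    them reach the issuer as declined authorizations."""
    cleaned = pan.replace(" ", "").replace("-", "")
    if not cleaned.isdigit() or not 12 <= len(cleaned) <= 19:
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 when the doubled value has two digits.
    for i, ch in enumerate(reversed(cleaned)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def flag_microcharge_merchants(transactions, max_amount=1.00, min_cards=100):
    """Flag merchant descriptors that post a small charge (<= max_amount) to
    at least min_cards distinct cards. transactions is an iterable of
    (merchant, card_token, amount). Returns {merchant: distinct_card_count}."""
    cards_by_merchant = defaultdict(set)
    for merchant, card_token, amount in transactions:
        if 0 < amount <= max_amount:
            cards_by_merchant[merchant].add(card_token)
    return {m: len(cards) for m, cards in cards_by_merchant.items()
            if len(cards) >= min_cards}


# Constructed sample batch: one descriptor spreads $0.50 over 250 card
# tokens (the pattern described above); a coffee shop charges 40 cards
# varying amounts well above the threshold and must not be flagged.
SAMPLE_TRANSACTIONS = (
    [("ACCOUNT MAINTENANCE FEE", f"tok{n:06d}", 0.50) for n in range(250)]
    + [("CORNER COFFEE", f"tok{n:06d}", 2.25 + (n % 3)) for n in range(40)]
)

if __name__ == "__main__":
    print(luhn_valid("4111 1111 1111 1111"))          # True (test number)
    print(luhn_valid("4111111111111112"))             # False
    print(flag_microcharge_merchants(SAMPLE_TRANSACTIONS))
```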
