Full Disclosure mailing list archives
RE: Hackers View Visa/MasterCard Accounts
From: "Bernie, CTA" <cta () hcsin net>
Date: Tue, 18 Feb 2003 17:31:31 -0500
On 18 Feb 2003, at 11:08, Jason Coombs wrote:
lucky for cc fraudsters, issuers opt to create cards in batches where all of the neighboring card numbers share the same expiration date (month/year).
<<< Taking into account that the batches are done sequentially, LUHN checksums could be easily discovered through a bit of simple Mod 10 arithmetic, and that there is better than a 50% probability of predicting the expiration date, I would say that the thief could be more successful at exploiting newly generated credit card numbers, and just use those stolen as seeds. Now assuming that a thief has successfully generated such numbers, what would be the best method of attack? How about a few coins ($0.50) here and there, times 5 million plus cards per month? How many credit card customers or issuing banks will pay any attention to such inconsequential charges? Especially if the statement notes such a charge something like "account maintenance fee"? I fear that the real payload has yet to be calculated.
-----Original Message-----
From: Kevin Spett [mailto:kspett () spidynamics com]
Sent: Tuesday, February 18, 2003 11:02 AM
To: jasonc () science org; Richard M. Smith; full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] Hackers View Visa/MasterCard Accounts

Even with the checksum digits, the keyspace for all possible credit card numbers is huge and largely unused. Also, if you get declined, you don't know whether it's a problem with the card number or the expiration date. There's no way to brute force issued card numbers independent of expiration dates, which would speed up the process greatly. So let's say that you're assuming that the expiration date is within three years. If you've got an unissued card number, you have to make all 36 attempts with it.

Also, CNN has revised their story. The new number is 5.6 million credit card numbers.

Kevin.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
-
****************************************************
Bernie
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go
// to avoid the pure labor of honest thinking."
// Honest thought, the real business capital.
// Observe> Think> Plan> Think> Do> Think>
*******************************************************
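The pattern discussed in this message (neighbouring card numbers, repeated expiry-date guesses against one number, and many small charges) leaves a trace in a merchant's authorization log. The following detection sketch is an added example, not part of the original post; the record layout, thresholds, function names and sample records are assumptions, and the PANs are constructed placeholders rather than real card numbers.

```python
from collections import defaultdict

# Constructed sample authorization log (placeholder PANs, not real cards):
# (merchant_id, pan, expiry, amount_cents, approved)
SAMPLE = [
    ("M-100", "9999000000001017", "01/04", 50, False),
    ("M-100", "9999000000001017", "02/04", 50, False),
    ("M-100", "9999000000001017", "03/04", 50, True),
    ("M-100", "9999000000001025", "03/04", 50, True),
    ("M-100", "9999000000001033", "03/04", 50, True),
    ("M-200", "9999000000550004", "11/05", 2599, True),
    ("M-200", "9999000000731009", "06/04", 50, True),
    ("M-200", "9999000000912003", "09/05", 1200, False),
]

def longest_run(accounts):
    """Length of the longest run of consecutive account numbers."""
    best = run = 0
    prev = None
    for a in sorted(accounts):
        run = run + 1 if prev is not None and a == prev + 1 else 1
        best = max(best, run)
        prev = a
    return best

def flag_merchants(records, micro_cents=100, min_cards=3,
                   min_expiries=3, min_run=3):
    """Return {merchant_id: set of reasons} for merchants worth reviewing."""
    expiries = defaultdict(lambda: defaultdict(set))  # merchant -> pan -> expiries tried
    micro = defaultdict(set)  # merchant -> pans with a small approved charge
    for merchant, pan, expiry, cents, approved in records:
        expiries[merchant][pan].add(expiry)
        if approved and cents <= micro_cents:
            micro[merchant].add(pan)
    flags = {}
    for merchant, by_pan in expiries.items():
        reasons = set()
        # Drop the trailing check digit so neighbouring accounts compare as n, n+1.
        if longest_run({int(p[:-1]) for p in by_pan}) >= min_run:
            reasons.add("sequential_pans")
        # Several expiry dates tried against one number suggests date guessing.
        if any(len(e) >= min_expiries for e in by_pan.values()):
            reasons.add("expiry_sweep")
        # Small approved charges spread across many distinct cards.
        if len(micro[merchant]) >= min_cards:
            reasons.add("micro_charges")
        if reasons:
            flags[merchant] = reasons
    return flags
```
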