Honeypots mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Honeytokens and detection

From: Brian Hatch <honeypots () ifokr org>
Date: Thu, 3 Apr 2003 16:05:54 -0800



What would be even better is if the IRS or some credit
card companies could post or distribute such honeytoken 
numbers, so we within the security community are certain
we are not implanting valid numbers.


You can easily create bogus credit card numbers, since they
use a check digit to be sure that it's valid.  The first
relevant page I found via google describes the check
digit algorithms, and proper format (prefix/length) of
the numbers for various credit card companies, so generating
a number that looked good should be pretty easy.

However the easiest is probably to just take a hundred
credit card numbers that you already have stored, and add 1
to one of the middle digits at random.  It's guarenteed to
break the check digit algorithm, but other than that it looks
fine, with no need to actually generate them.



--
Brian Hatch                  "In five minutes we're
   Systems and                going to take a nap."
   Security Engineer          -- Bri
http://www.ifokr.org/bri/    "No! Ten Minutes!"
                              -- Reegen, age 21 months.
Every message PGP signed

Attachment: _bin
Description:

Previous By Date Next
Previous By Thread Next

Current thread: