RE: [Full-Disclosure] Hackers View Visa/MasterCard Accounts

From: Bernie, CTA (cta@hcsin.net)
Date: 02/18/03

    From: "Bernie, CTA" <cta@hcsin.net>
    To: <full-disclosure@lists.netsys.com>, "Jason Coombs" <jasonc@science.org>
    Date: Tue, 18 Feb 2003 17:31:31 -0500
    

    On 18 Feb 2003, at 11:08, Jason Coombs wrote:

    > lucky for cc fraudsters, issuers opt to create cards in batches
    > where all of the neighboring card numbers share the same
    > expiration date (month/year).
    <<<
    Taking into account that the batches are done sequentially,
    LUHN checksums could be easily discovered through a bit of
    simple Mod 10 arithmetic, and that there is better than a 50%
    probability of predicting the expiration date, I would say that the
    thief could be more successful at exploiting newly generated
    credit card numbers, and just use those stolen as seeds.

    Now assuming that a thief has successfully generated such
    numbers, what would be the best method of attack? How about
    a few coins ($0.50) here and there, times 5 million plus cards
    per month? How many credit card customers or issuing banks
    will pay any attention to such inconsequential charges?
    Especially if the statement notes such a charge something like
    "account maintenance fee"?

    I fear that the real payload has yet to be calculated.

    >
    > -----Original Message-----
    > From: Kevin Spett [mailto:kspett@spidynamics.com]
    > Sent: Tuesday, February 18, 2003 11:02 AM
    > To: jasonc@science.org; Richard M. Smith;
    > full-disclosure@lists.netsys.com
    > Subject: Re: [Full-Disclosure] Hackers View Visa/MasterCard
    > Accounts
    >
    >
    > Even with the checksum digits, the keyspace for all possible
    > credit card numbers is huge and largely unused. Also, if you get
    > declined, you don't know whether it's a problem with the card
    > number or the expiration date. There's no way to brute force
    > issued card numbers independent of expiration dates, which would
    > speed up the process greatly. So let's say that you're assuming
    > that the expiration date is within three years. If you've got an
    > unissued card number, you have to make all 36 attempts with it.
    >
    > Also, CNN has revised their story. The new number is 5.6 million
    > credit card numbers.
    >
    >
    > Kevin.
    >
    >
    > _______________________________________________
    > Full-Disclosure - We believe in it.
    > Charter: http://lists.netsys.com/full-disclosure-charter.html
    >

    -
    ****************************************************
    Bernie
    Chief Technology Architect
    Chief Security Officer
    cta@hcsin.net
    Euclidean Systems, Inc.
    *******************************************************
    // "There is no expedient to which a man will not go
    // to avoid the pure labor of honest thinking."
    // Honest thought, the real business capital.
    // Observe> Think> Plan> Think> Do> Think>
    *******************************************************

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
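
A detection-side view of the two patterns raised in this thread (one card number retried with several expiration dates, and small charges under one descriptor spread across many cards), as an added example that is not part of the original messages. The record layout, merchant ids, card tokens and thresholds are assumptions made for the illustration.

```python
from collections import defaultdict

# Constructed authorization records (not real data):
# (merchant id, statement descriptor, card token, expiry tried, cents, approved)
SAMPLE = [
    ("m-17", "ACCOUNT MAINTENANCE FEE", "tok-001", "03/04", 50, True),
    ("m-17", "ACCOUNT MAINTENANCE FEE", "tok-002", "03/04", 50, True),
    ("m-17", "ACCOUNT MAINTENANCE FEE", "tok-003", "03/04", 50, True),
    ("m-42", "WEB ORDER", "tok-900", "03/03", 100, False),
    ("m-42", "WEB ORDER", "tok-900", "04/03", 100, False),
    ("m-42", "WEB ORDER", "tok-900", "05/03", 100, False),
    ("m-08", "BOOKSTORE", "tok-001", "03/04", 2599, True),
    ("m-08", "COFFEE", "tok-002", "03/04", 75, True),
]


def flag_merchants(records, small_cents=100, min_cards=3, min_expiries=3):
    """Return {merchant: [reasons]} for merchants matching either pattern.

    Thresholds are illustrative assumptions, not values from the thread.
    """
    small_by_descriptor = defaultdict(set)  # (merchant, descriptor) -> cards
    expiries_tried = defaultdict(set)       # (merchant, card) -> expiry dates

    for merchant, descriptor, card, expiry, cents, approved in records:
        # Declines count here: retrying expiry dates shows up as declines.
        expiries_tried[(merchant, card)].add(expiry)
        if approved and cents <= small_cents:
            small_by_descriptor[(merchant, descriptor)].add(card)

    findings = defaultdict(list)
    for (merchant, descriptor), cards in sorted(small_by_descriptor.items()):
        if len(cards) >= min_cards:
            findings[merchant].append(
                f"small charge '{descriptor}' on {len(cards)} cards")
    for (merchant, card), tried in sorted(expiries_tried.items()):
        if len(tried) >= min_expiries:
            findings[merchant].append(
                f"{len(tried)} expiry dates tried on {card}")
    return dict(findings)


if __name__ == "__main__":
    for merchant, reasons in flag_merchants(SAMPLE).items():
        print(merchant, reasons)
```
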


