| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: cta at hcsin.net (Bernie, CTA) Subject: Hackers View Visa/MasterCard Accounts On 18 Feb 2003, at 11:08, Jason Coombs wrote: > lucky for cc fraudsters, issuers opt to create cards in batches > where all of the neighboring card numbers share the same > expiration date (month/year). <<< Taking into account that the batches are done sequentially, LUHN checksums could be easily discovered through a bit of simple Mod 10 arithmetic, and that there is better than a 50% probability of predicting the expiration date, I would say that the thief could be more successful at exploiting newly generated credit card numbers, and just use those stolen as seeds. Now assuming that a thief has successfully generated such numbers, what would be the best method of attack? How about a few coins ($0.50) here and there, times 5 million plus cards per month? How many credit card customers or issuing banks will pay any attention to such inconsequential charges? Especially if the statement notes such a charge something like "account maintenance fee"? I fear that the real payload has yet to be calculated. > > -----Original Message----- > From: Kevin Spett [mailto:kspett@...dynamics.com] > Sent: Tuesday, February 18, 2003 11:02 AM > To: jasonc@...ence.org; Richard M. Smith; > full-disclosure@...ts.netsys.com > Subject: Re: [Full-Disclosure] Hackers View Visa/MasterCard > Accounts > > > Even with the checksum digits, the keyspace for all possible > credit card numbers is huge and largely unused. Also, if you get > declined, you don't know whether it's a problem with the card > number or the expiration date. There's no way to brute force > issued card numbers independent of expiration dates, which would > speed up the process greatly. So let's say that you're assuming > that the expiration date is within three years. If you've got an > unissued card number, you have to make all 36 attempts with it. > > Also, CNN has revised their story. The new number is 5.6 million > credit card numbers. > > > Kevin. > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.netsys.com/full-disclosure-charter.html > - **************************************************** Bernie Chief Technology Architect Chief Security Officer cta@...in.net Euclidean Systems, Inc. ******************************************************* // "There is no expedient to which a man will not go // to avoid the pure labor of honest thinking." // Honest thought, the real business capital. // Observe> Think> Plan> Think> Do> Think> *******************************************************
Powered by blists - more mailing lists