Open Source and information security mailing list archives
 
Message-ID: <010001c2d790$ef197280$8600000a@spidynamics.com>
From: kspett at spidynamics.com (Kevin Spett)
Subject: Hackers View Visa/MasterCard Accounts

Even with the checksum digits, the keyspace for all possible credit card
numbers is huge and largely unused.  Also, if you get declined, you don't
know whether it's a problem with the card number or the expiration date.
There's no way to brute force issued card numbers independent of expiration
dates, which would speed up the process greatly.  So let's say that you're
assuming that the expiration date is within three years.  If you've got an
unissued card number, you have to make all 36 attempts with it.

Also, CNN has revised their story.  The new number is 5.6 million credit
card numbers.


Kevin.

----- Original Message -----
From: "Jason Coombs" <jasonc@...ence.org>
To: "Richard M. Smith" <rms@...puterbytesman.com>;
<full-disclosure@...ts.netsys.com>
Sent: Tuesday, February 18, 2003 1:00 PM
Subject: RE: [Full-Disclosure] Hackers View Visa/MasterCard Accounts


> AVS gives the merchant a clue as to whether or not there is high risk
> posed by a particular alleged-customer.
>
> Merchants are free to ignore AVS, and many don't even bother to use it.
>
> Anyway, it doesn't impact the "declined" or "authorized" result given to a
> shopper at an e-commerce site that implements real-time processing.
>
> Jason Coombs
> jasonc@...ence.org
>
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com]On Behalf Of Richard M.
> Smith
> Sent: Tuesday, February 18, 2003 5:30 AM
> To: full-disclosure@...ts.netsys.com
> Subject: RE: [Full-Disclosure] Hackers View Visa/MasterCard Accounts
>
>
> Wouldn't the AVS system used by the credit card companies catch this
> kind of hack?  The AVS system does a rudimentary check to make sure that
> the billing address given on an order is the correct one for the credit card.
>
> Richard

