Why Are CC Numbers Still So Easy To Find?

Frequent Slashdot contributor Bennett Haselton gives the full-disclosure treatment to the widely known and surprisingly simple technique for finding treasure-troves of credit card numbers online. He points out how the credit-card companies could plug this hole at trivial expense, saving themselves untold millions in losses from bogus transactions, and saving their customers some serious hassles. Read on for Bennet's article.

Some "script kiddie" tricks still work after all: Take the first 8 digits of a standard 16-digit credit card number. Search for them on Google in "nnnn nnnn" form. Since the 8-digit prefix of a given card number is often shared with many other cards, about 1/4 of credit card numbers in my random test, turned up pages that included other credit card numbers, and about 1 in 10 turned up a "treasure trove" of card numbers that were exposed through someone's sloppily written Web app. If the numbers were displayed along with people's names and phone numbers, sometimes I would call the users to tell them that I'd found their cards on the Internet, and many of them said that the cards were still active and that this was the first they'd heard that the numbers had been compromised.

Now, before this gets a lot of people mad, let me say that at first I was planning on holding off writing about this for months if necessary, to give the credit card companies time to do something about it. In other words, I actually had the presumptuousness to think that I had been the first one to discover it, but only because the credit card numbers that I found were still active. (If the trick had been widely known, I reasoned, surely the credit card companies would have found any credit card numbers listed in Google before I did, and gotten them cancelled.) Then I found that the trick had been publicized about three years earlier in a C-Net article by Robert Lemos and was probably widely known even before that. (The article stops just short of describing the actual technique, but one reader posted the full details in a follow-up comment.) Another article from that year in CRM Daily describes an even more efficient trick: Googling for number ranges like 4060000000000000..4060999999999999 to find Visa card numbers beginning with "4060". Google has now blocked that trick, so that trying that as a Google search leads to an error page. But the basic technique of Googling for working credit card numbers, apparently still works. In other words, credit card companies have apparently known about this technique for at least three years, probably longer, and presumably have hoped it would continue being swept under the rug.

At this point, I think the right thing to do is to shine a light on the problem and insist that they fix it as soon as possible. It may result in a short-term spike in people using this technique, but if it results in the problem being fixed, then the total number of fraud incidents will probably be less in the long run.

It would be simple for companies like Visa, MasterCard, and Discover to take a list of the most common 8-digit prefixes, query for them every day on Google, and de-activate any new credit card numbers that were found that way. (American Express cards are apparently not vulnerable to this trick, because when their 15-digit card numbers are written with spaces, they are usually written in the format "3xxx xxxxxx xxxxx", and Googling for the first 10 digits as "3xxx xxxxxx" didn't yield anything in my random test of ten AmEx numbers. But this is still their problem too, since the searches that turn up "treasure troves" of card numbers usually include AmEx numbers as well.) A Perl programmer could write a script in one afternoon that could run through all the known 8-digit prefixes, parse the search results, and pick out any URLs that weren't listed as matches the day before. From there, the search results would have to be reviewed by a human, in order to spot any situations where one credit card number was exposed at one URL, and a slight variation on the same URL (such as varying an order ID number) would expose other credit card numbers as well, which was the case with several of the hits that I found. Simple, but time-consuming with so many different 8-digit prefixes -- but every minute of effort expended on tracking down and canceling leaked credit card numbers, would save time and grief later by preventing the numbers from being used by criminals. If it would save them time in the long run and help prevent fraud, then why don't they do this?

It's considered good etiquette among security researchers, when finding a new security hole, to give the affected companies a chance to fix the issue before publicizing it. When I first contacted the credit card companies and described exactly how the exploit worked and how to block it, after getting a polite "We can't comment" from each one, I figured I'd give them a few months to get a system in place that could find leaked cards on a daily basis and de-activate them before they could be used. But then I found the C-Net article from 2004, and figured that if the card companies hadn't taken action in three years, it was fair game to publicize the trick in order to increase the pressure on them to plug the gap. Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it.

I did try the "Good Samaritan" approach, calling the credit card companies when I found one of their customers' card numbers on the Web. For each of the four major card companies, I called their security departments and reported two of the cards that I had found compromised, and then a week later, called the cardholders themselves to see if the card companies had notified them. Surprisingly, of the four companies, American Express was the only one whose customers in this experiment, when I called them a week later, said that AmEx had contacted them and told them to change their numbers. But even if all four credit card companies were more proactive about acting on reports of leaked numbers, the problems with scaling this approach are that (a) I usually had to wait on hold for a few minutes with each company and then spell out each card number that I'd found, which doesn't scale for a large number of stolen card numbers, and (b) if lots of people started doing this, then the credit card companies would be inundated with duplicate reports about the "low-hanging fruit", card numbers with common prefixes that appear near the top of some Google search result. Both problems could be avoided if the card companies simply ran their own script that queried Google and brought up a list of any indexed card numbers, whereupon an employee could copy and paste the numbers into an interface that would flag the cards instantly.

Google does have a feature where you can request the removal of pages that contain credit card numbers and other personal data such as Social Security Numbers. Any pages that I found containing credit card data, I submitted for removal, and Google did handle each removal request within two days. But this doesn't guard against the possibility that someone might have found the credit card information before it was removed, and of course it doesn't mean that other search engines like Alta Vista (remember Alta Vista?) might not have indexed the same pages. Running a sample of 8-digit prefix searches on Alta Vista, I found about as many credit cards as I found through Google, including some pages that were not in the Google index (maybe Google never indexed them, or maybe they had removed them already). So removing a page from any engine's search results is more like covering up a symptom of a problem than fixing the problem itself, which is the fact that the card number was leaked to the Web in the first place.

If nothing else, this is another reminder of how terrible the security model is for credit card numbers as a token of payment -- one universal piece of information shared with every merchant, that can be used for unlimited unauthorized charges if it gets compromised, until someone notices. About the only desirable property of credit card numbers from a security point of view is that they can be changed, and most of your existing recurring billing relationships will carry over, but even that is a hassle. Several credit card companies do provide the ability to generate single-use credit card numbers, each one authorized only for a limited purchase amount. The problem with that is that as any security analyst will tell you, if it takes even one extra step, most people won't bother -- as long as all-purpose credit card numbers are the default, that's what most people will use. Perhaps incidents like this will push people towards more 21st-century-aware styles of payment (like PayPal, but without all the horror stories), where you can pay a bill through a system that debits your card or your bank account, without sharing all your information with the merchant.

But in the short term, as long as credit card numbers are still with us, the card companies should make more proactive efforts to find and deactivate the ones that have been leaked on the Internet. If the card numbers are found to be leaked by a clumsy Web interface on one company's site, then that company should be chastised by the card companies that issued them a merchant account. If the numbers are found together in a list posted on some third-party forum, then the companies can cross-reference the charge history against each card in the list, to narrow down which merchant may have been responsible for the leak. I'm sure the card companies do something like this already when they find a list of leaked cards; what they don't seem to be doing is acting aggressively enough to find the leaked numbers in the first place.

Maybe the real moral is not the insecurity of credit card numbers, but the value of transparency and online community relations. If MasterCard had been a hip company like Wikia, some volunteer probably would have discovered this attack very early, and another volunteer would have written an open-source tool to find and deactivate leaked MasterCard numbers automatically, and the problem would have been solved ten years ago. In fact many tech companies, if you report a security problem to them, will thank you and fix it immediately, and some of them will even offer you cash if you find any more, like Netscape used to do with their $1,000 Bugs Bounty program. We get so used to big companies having obvious holes in their security practices and answering every question about security with a flat "No comment", that we forget it doesn't have to be that way -- transparency is not just trendy, it works. After years of having bug hunters poke at the Netscape browser, the security may not have been perfect, but it didn't have any security holes that were as simple and obvious as to be analogous to finding credit card numbers on Google.

Because...

It's easier for the credit card companies to just write it off as some fraud and not actually go out and do anything. Realistically most of their early warning systems probably limit their losses to under $1,000 to each card (i.e. the amount of money that someone can charge and get away with before the company discovers the card has been compromised). So figure if even ten people a day get their cards stolen by this method, that's 300 a month, or $300,000 in costs. They probably feel keeping the staff and the equipment to do this costs more than what they'll lose. That and they can always write off their fraud charges on their taxes ad bed debts.

According to a 2002 report Visa's commissions alone were over $455 million. If that entire $300,000/month fee was all on Visa, the 3.6 million a year is a drop in the bucket to them, less than 1% of their commission. Trust me, if it cost them less to setup the system than the money that's lost, it would be done.

Re:Because...

Maybe the card companies are still turning a profit, but estimated losses are around 49 billion, that's twice M$'s annual revenue. It's worth going after.

Re:Because...

You have to keep in mine CC companies loose nothing in CC fraud they actually make money. Here is how the charge back process works.

Person reports the fraud to CC company
CC company issue charge back notice to merchant gives them time to dispute etc.
CC company takes the amount of the charge (not what they gave the merchant after fees) + $35 bucks charge back fee from the merchant
Refunds all or most of the charges to the CC holder, issues a new card etc.
If they find the merchant the cards got stolen from they fine them and change them to reissue cards, Fines alone can be 500k, and I have heard of 5 figure fines for a handful of stolen cards. They have some good software that correlates stolen cards and what merchants have ever seen the cards.

So no visa etc does not loose anything they shifted that liability to the merchant for accepting the fraudulent charges.

Which is pretty fucked up

Because if you go read the visa-merchant agreement you see that Visa does not allow merchants to make showing ID a condition sale, i.e. merchants are SOL when it comes to stopping fraud. I guess that's the golden rule for you, along the "he who has the gold makes the rules" line.

because the credit card companies don't care

I am a merchant that deals with internet and in person sales of my products. I'm also a computer engineer and have cursorary knowledge of security.

The credit card companies have no security. They don't care either. It's not them that will foot the bill. As a consumer it is great that you can only get stuck for $50 of fradulent charges. But as a merchant you loose your merchandise and the fraudulent payment. You can receive authorization from the credit card company saying the transaction is good, but they can and do still take the money away from you.

I've had about a dozen cases of obviously fraudulent orders. The first few I would call the credit card company, report the suspicious card, etc. They did nothing. On one I found out the real owner of the card, called them, and they hadn't even been contacted by the credit card company. I had all of the details that the police would have needed to get the scammer and the credit card company wouldn't even take that information.

Now I just delete any order that looks unusual.

Re:because the credit card companies don't care

The credit card companies don't care because they get their money either way.

If someone places a fraudulent order and the merchant ships the the product(s) even if they receive authorization from the credit card company, the credit card company will debit the merchant for the entire order, including the transaction fees.

Not only did the credit card company not lose any money on the bad transaction, they will also charge the merchant a fee for the fraudulent order. So the merchant is out the cost of the goods that were shipped, plus shipping, plus a fee.

The credit card company makes money on the fraudulent transaction.

Retailers

This has very little to do with the credit card companies and a lot to do with the merchants that process credit cards. The current standard is PCI-DSS (Payment Card Industry - Data Security Standards)discussed here http://it.slashdot.org/article.pl?sid=07/03/31/064 5227&from=rss [slashdot.org]. My job is working to upgrade software that is not compliant with these standards, so I know the credit card companies are doing something. The problem rests with merchants that are largely clueless about the necessary security precautions that need to be taken when working with computers. They want to be in business, process credit cards, have a website, a network, and they want to pay their nephew $5/hr to set everything up. The bottom line is, that having data compromised from your business, when you haven't met these standards, will leave you liable for the loss, possibly incuring fees of up to $500,000 and potentially losing your priviledge of processing credit cards permanantly. Bottom line is the vast majority of business owners are not adequately computer literate and they are too cheap to pay an expert to deal with their network properly.

Edited for the time impaired

I'll save you 11,000 characters:

1) Take the first 8 digits of a standard 16-digit credit card number. Search for them on Google in "nnnn nnnn" form.

2) You'll find lots of credit card numbers

3) Profit

4) Credit Card companies should have employees who Google for credit card numbers and de-activate any card whose number is found in the ' net. Thank you.

Why? because it does not cost the CC companies....

Why are credit card numbers so easy to find? Or put another way, why is credit card fraud so easy?

Because it does not cost the credit card companies.

When fraud is reported, the credit card company charges back to the merchants. As such, the credit card company is out relatively little money (it is the merchants who get screwed).

Adding meaningful security to credit cards would cost the credit card companies money. It would also make people less likely to use their cards, costing the credit card companies more money.

Also, the credit card companies can use fraud to justify higher interest rates, annual fees, and as a marketing gimmick to sell their card over others.

So, to recap: fraud costs the card companies little, preventing fraud would cost them much.

Has this helped identify why credit card fraud is so easy?

Datum: A friend of mine was involved with a large e-commerce site. He detected an on-going fraud ring trying to buy large amounts of goods from the site with stolen cards. He reported it to the card companies - "Here are the cards. Here's where they are trying to send the goods. Do you want to nail these guys?"

The response: "Thanks, but no, it's not worth our time. Just don't send them anything."

CC Companies Don't Care -- Merchants Get Screwed

Credit card companies aren't doing anything because credit card companies don't care about fraud. They don't care, because it doesn't cost them any money.

When someone uses someone else's credit card fraudulently, it's not like the credit card company eats the loss. They just do a chargeback against the merchant who accepted the fraudulent transaction and they have to eat the cost. In fact, the CC company charges the merchant a hefty fee for the privilege of eating the cost.

Of course, that cost just gets passed on to you, the customer, in the form of higher prices.

Ain't credit cards grand?

Credit Card companies do not care about security

I've said it before; I've worked in the banking industry, and it is widely known that requiring a PIN number for every transaction would reduce credit card fraud to almost zero. The infrastructure to require a PIN number is already in place, but credit card companies don't want to deal with the hassle, since they do not feel the pinch of the fraudulent charges.

Why do banks require PIN numbers on ATM and Debit transactions? I'll tell you why - they are directly liable for any funds that leave the bank fraudulently. This is not the case for credit card companies since they can charge-back the vendor and recover their funds.

-ted

Re:Important Missing Step

But how do you know that they haven't already done this?

At the top of TFA:

"I would call the users to tell them that I'd found their cards on the Internet, and many of them said that the cards were still active and that this was the first they'd heard that the numbers had been compromised."

Re:How much is it a problem?

How can a normal fraudster use a credit card number to his personal gain?

Rent a flat/bedsit somewhere. Get someone to rent it for you for some cash. There's your address. Getting goods is trivial. The hard part is getting people to accept a card without the corroborating data, like chip-and-pin, signature, D.O.B etc etc.

Re:How much is it a problem?

How can a normal fraudster use a credit card number to his personal gain?
Does he get goods delivered to his house?

I recall reading that one guy had a bunch of credit card details, and of course came up against that very problem. His solution was to put up a pile of auctions on eBay for various big-ticket items. When those auctions ended and he got the funds, he used the credit cards to order the items and have them shipped to the winners' homes. By the time the people whose cards were used found out, the only information available was for the folks who won the auctions, and the seller was nowhere to be found.

Re:Not so clever?

Of the three credit card fraud cases, I have personally known about...

1) One was my card. The fraud was an internal job at Chase. Locked cards that I could not make charges were still getting new charges, dates were being moved around after I pointed this out, and replacement accounts were being used before cards were even being printed. Online access to view purchases the account that showed purchases before the post date on the replacement cards envelope was cut off. Chase simply refused to even discuss the possibility that the fraud was internal. After the third card in a row showed up with fraudulent activity, I simply made sure all accounts were canceled and put Chase on the list of businesses not to do business with.

2) Another was my wife's. Her estranged mother opened an account under her name, ran up the card, then filed bankruptcy. We found out about it from a credit report when we went to refinance our home. The card was opened before she turned 18, and over a year after she was no longer living at home. My wife offered to testify so they could prosecute. Their response was that since they had removed her name from the account, they would no longer discuss the account with her.

3) A friend had charges made on his card. The items were purchased mail order, so there was an address to track the person down with. The local police said that they would not deal with it because you had to contact the police where the card was used. The police where the purchase was made said that they would not deal with, and that he needed to contact his local police department.

So, of the three credit card frauds I have personally been privy to, I don't see that there is any attempt to even slow down the fraud. I have to assume that there is some way that the credit card companies make money off of the fraud.

Of course that is why I absolutely refuse to have a 'Check Card'. Given how easy it is to commit credit card fraud, there is no way in hell, I want someone to have anonymous access to my checking account. The downstream problems with things like other bounced checks is just not worth given that they have no advantages over a credit card. Hell, instead of giving me an ATM card that doesn't require a pin, how about giving me a credit card that does. They even advertise how easy it is to commit fraud with 'Check Cards'.

Re:How much is it a problem?

Yes you can use these numbers to shop in a store. Real easy.

My bank called me to ask if I was in Istanbul, Turkey, over the weekend. When I said "No", they said: "But your Visa Card was", and they did not seem at all surprised that the physical card was still in my possession.

They gave me a nice list of events: First the thugs bought something small, then tried something big. As the card was declined, they tried something small again, and then a couple of medium purchases (like $100 a piece).
All in all, they had racked up about $1000 when the call came, but I did not have to cover any of that, luckily.
Again, all of these were in-store purchases.

Alex

Re:How much is it a problem?

The "audit trails" you are describing do nothing to deter serious criminals. I dated a girl that was charged with CC fraud. She simply ordered by online and had the package delivered to a nice house in a nice neighborhood that was for sale, one where the owner had already moved out. You can find dozens or hundreds of such houses in any city by checking the real estate listings. UPS drops the package off on the porch, and the fraudster drops by in the late afternoon to pick up the loot. The neighbors see people coming and going all day (real estate agents and prospective buyers), so one more visitor with a package tucked under the arm is not noteworthy. It doesn't work 100% of the time, but it works pretty damn frequently.

So as you can see, the fact that you think an "audit trail" prevents such crimes comes down to a lack of imagination on your part, and a very false sense of security. It is exactly that false sense of security and lack of imagination which explains why identity theft is rampant.

Re:How much is it a problem?

I'm not sure if you're trolling or not, but it's not too difficult at all for a thief to turn a credit card number into products or cash. There are various laundering procedures that some people go through (Dateline's "To Catch An I.D. Thief" exposed an elaborate one) but the sad reality is that most one-off fraudulent purchases aren't even followed up on by the banks, not until the dollars pile up. (They will be tabulated, of course, and people who try using a dozen stolen cards and have the merchandise shipped to the same address do get picked up.)

Card data can also be turned into products in most stores. The stolen info can be burned on to an expired card, and the thief anonymously walks out of a store with an HDTV. More clever thieves will go to a store that's out of their norm, one that doesn't see as much fraud -- perhaps a craft store or a furniture store -- and buy a bunch of merchandise, and resell it on the streets or at flea markets. There are sophisticated organized theft rings that will purchase certain kinds of stolen merchandise and pose as legitimate wholesalers that resell it to small merchants.

The underground economy revolving around stolen merchandise and credit cards is rapidly approaching a hundred billion dollars annually in America alone (last figure I saw a year or two ago put the estimate over 60 billion, not counting the MAFIAA.) It's obviously pretty easy to do, if you think like a criminal.

Re:How much is it a problem?

Discarding the ways to make a profit from credit card numbers, how about using police ignorance to screw people over. Only a month or so ago details were revealed about the massive flaws in police operations such as Operation Ore in which thousands of people in the UK were arrested in connection with paedophilic-related charges due to their credit card numbers being used to buy access to porn affiliate networks.

Now, using the above methods may not allow you to target anyone specifically, but let's not kid ourselves into thinking that there aren't plenty of people who would happily take a whole load of these credit card numbers and use them to implicate complete strangers in this way. Just for the hell of it.

Money lost on stolen credit cards can be reclaimed. Lives destroyed by false charges cannot.

Re:Banks save nothing

Actually, you must not have ever had this happen. There's no "fraud police report" or whatever the heck you're talking about there. Here's what happens: 1. Call CC company tell them there are unauthorized charges 2. Person on the line marks said charges and gets you a new CC # in the pipeline 3. Bank mails you an affidavit that you must highlight fraudulent charges on, and sign stating that you're not lying about it. 4. CC company issues you credit with the note that *credit is not final until investigation is complete. 5. 1-2 months later you get a note saying "Credit is final" Thats it, there's very little burden of proof on the consumer.

Re:Banks save nothing

Sorry, doesn't work that way. I'm not sure where you're getting the "7 years" from (perhaps bankruptcy laws in your state), but I can tell you from personal experience on both sides of the fence (that is, being frauded and working for a company that handled a fraud case) that the process is not as you describe it. Here's what actually happens:

1. You get hax00rred.
2. 1337 H4X00R spends money at a few dozen online stores.
3. Profit!!! ...sorry, couldn't resist.
4. You find a gigantor balance on your card, and call the financial institution who issued the card.
5. They transfer you to the fraud department, where you sit on hold for 15 minutes and get to listen to choice cuts from Phil Collins: The Early Years
6. Someone picks up, you tell them there's been some purchases on your card that aren't yours. They record the information, and fax you a form to fill out.
7. You fill out the form and fax it back, after plugging in the fax machine you only keep around to fill out credit card fraud reports.
8. 5-10 business days (called this because business' use these terms when 13-15 days sounds too long)later, the balance is restored on your account, the institution eats the costs and files it with the IRS as lost profits to get a little of that alleviated.
9. Your account number is changed and a new card is rushed to you (because every minute you're without a card, they are without your ever-increasing interest money).
10. A notation is put on the account, just in case you claim another dozen or two of these cases in the future, sometime after your bar tabs run a little high...

Companies that issue credits and/or debits see a lot of these cases, so the process is pretty well oiled.

Re:Banks save nothing

As others have said, this is not the case. I had fraudulent charges on my Chase card about a year ago; a few <$50 charges, and a couple >$1000 charges, enough to go over the limit. So I called them up, the lady on the line (who was very nice) looked at the transaction history, and immediately noticed that there were charges to places far outside of my normal buying area, some even in India. She marked and canceled the charges, ran through the rest of the charges that were on my current statement, canceled the card, and issued me a new one. I got the new card in three days, a statement that I had to sign and return a few days later, and heard nothing more of it. As far as I can tell, my credit has not taken any sort of hit (I was later able to get another card with another bank at a similar limit and APR).

The way I understand it, the CC companies take no liability for fraudulent charges. They make the merchant that processed them pay for it. I see this as a good thing. If the merchant bears all financial liability for fraudulent charges, it gives them a reason to make sure that the person buying the product/service is who they say they are.

As a side note... can we get a -1 Idiot or -1 Wrong moderation? It would have been really useful here.

Re:Finding credit cards numbers is easy

>> 4245 8611 9994 1245

That's amazing. I've got the same combination on my luggage.

Re:Finding credit cards numbers is easy

First number fails the Luhn checksum.

Second number isn't a credit card number at all. Maybe a calling card or something (telecom MII).

Why don't you post your REAL VISA number?

Re:Blame M$

Your post is entirely useless.

A bug exposing credit card numbers is language agnostic. Even experienced programmers can create security bugs. Even EXPERT programmers can create security bugs. Your notion that there's a correlation between a langauge and a propensity for bugs is outrageously wrong. if that were the case, you'd never have a rich client app written in C or C++ crash on you.

And your idea that "the ones smart enough to write proper code are generally smart enough to avoid scripting language" shows such an abject lack of understanding of the software development industry that I'm just stunned. The ones smart enough to write proper code are the ones smart enough to use the RIGHT TOOL FOR THE JOB. PERIOD.

I'm sorry for being so harsh, but I'm not sure if you're trolling or if you actually believe that crap. Frankly, I'm not sure which would be worse.