
Why Are CC Numbers Still So Easy To Find?

Posted by kdawson
from the years'-old-hole dept.
Frequent Slashdot contributor Bennett Haselton gives the full-disclosure treatment to the widely known and surprisingly simple technique for finding treasure-troves of credit card numbers online. He points out how the credit-card companies could plug this hole at trivial expense, saving themselves untold millions in losses from bogus transactions, and saving their customers some serious hassles. Read on for Bennett's article.

Some "script kiddie" tricks still work after all: Take the first 8 digits of a standard 16-digit credit card number. Search for them on Google in "nnnn nnnn" form. Since the 8-digit prefix of a given card number is often shared with many other cards, about 1/4 of the credit card numbers in my random test turned up pages that included other credit card numbers, and about 1 in 10 turned up a "treasure trove" of card numbers that were exposed through someone's sloppily written Web app. If the numbers were displayed along with people's names and phone numbers, sometimes I would call the users to tell them that I'd found their cards on the Internet, and many of them said that the cards were still active and that this was the first they'd heard that the numbers had been compromised.

Now, before this gets a lot of people mad, let me say that at first I was planning on holding off writing about this for months if necessary, to give the credit card companies time to do something about it. In other words, I actually had the presumptuousness to think that I had been the first one to discover it, but only because the credit card numbers that I found were still active. (If the trick had been widely known, I reasoned, surely the credit card companies would have found any credit card numbers listed in Google before I did, and gotten them cancelled.) Then I found that the trick had been publicized about three years earlier in a C-Net article by Robert Lemos and was probably widely known even before that. (The article stops just short of describing the actual technique, but one reader posted the full details in a follow-up comment.) Another article from that year in CRM Daily describes an even more efficient trick: Googling for number ranges like 4060000000000000..4060999999999999 to find Visa card numbers beginning with "4060". Google has now blocked that trick, so that trying it as a Google search leads to an error page. But the basic technique of Googling for working credit card numbers apparently still works. In other words, credit card companies have apparently known about this technique for at least three years, probably longer, and presumably have hoped it would continue being swept under the rug.

At this point, I think the right thing to do is to shine a light on the problem and insist that they fix it as soon as possible. It may result in a short-term spike in people using this technique, but if it results in the problem being fixed, then the total number of fraud incidents will probably be less in the long run.

It would be simple for companies like Visa, MasterCard, and Discover to take a list of the most common 8-digit prefixes, query for them every day on Google, and de-activate any new credit card numbers that were found that way. (American Express cards are apparently not vulnerable to this trick, because when their 15-digit card numbers are written with spaces, they are usually written in the format "3xxx xxxxxx xxxxx", and Googling for the first 10 digits as "3xxx xxxxxx" didn't yield anything in my random test of ten AmEx numbers. But this is still their problem too, since the searches that turn up "treasure troves" of card numbers usually include AmEx numbers as well.) A Perl programmer could write a script in one afternoon that could run through all the known 8-digit prefixes, parse the search results, and pick out any URLs that weren't listed as matches the day before. From there, the search results would have to be reviewed by a human, in order to spot any situations where one credit card number was exposed at one URL and a slight variation on the same URL (such as a different order ID number) would expose other credit card numbers as well, which was the case with several of the hits that I found. Simple, though time-consuming given how many distinct 8-digit prefixes there are; but every minute spent tracking down and canceling leaked card numbers would save time and grief later by keeping those numbers out of criminals' hands. If it would save them time in the long run and help prevent fraud, then why don't they do this?
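As an added example (not the author's script, and not anything the card companies are known to run), here is the offline half of the daily sweep just described, in Python rather than Perl. The search-engine step is stubbed out with constructed sample pages and result-URL sets; what runs is the part a practitioner actually has to get right: pulling candidate numbers out of fetched pages, filtering them with the Luhn check digit so that order IDs and phone numbers are not counted as hits, recording them only in masked form, and diffing today's result URLs against yesterday's so a human reviews only what is new. The card numbers in the sample are the public test numbers for Visa, Mastercard and American Express, not real accounts; the 8-digit "nnnn nnnn" query is the article's idea, and every function name here is mine.

```python
"""Offline sketch of the daily leaked-card sweep: extraction, Luhn filter,
masking and day-over-day URL diff. Fetching search results is stubbed out
with SAMPLE_PAGES / TODAY / YESTERDAY (constructed data, see below)."""
import re
from typing import Dict, List, Set

# A 13-19 digit run with optional single spaces or dashes between digits,
# not preceded or followed by another digit (so a 20-digit run never matches).
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (ISO/IEC 7812) check digit test that all major card brands use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def search_term(pan: str) -> str:
    """Build the query the article describes: the first 8 digits as "nnnn nnnn".
    Only the prefix leaves the issuer; never send a full PAN to a search engine."""
    digits = re.sub(r"\D", "", pan)
    return f'"{digits[:4]} {digits[4:8]}"'


def extract_card_candidates(text: str) -> List[str]:
    """Return Luhn-valid 13-19 digit numbers found in text, separators removed."""
    found: List[str] = []
    for m in CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep first six and last four (the PCI DSS display rule); never log a full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_pages(pages: Dict[str, str]) -> Dict[str, List[str]]:
    """URL -> masked candidates, listing only pages that contained at least one."""
    hits = {url: [mask(c) for c in extract_card_candidates(body)] for url, body in pages.items()}
    return {url: cards for url, cards in hits.items() if cards}


def new_urls(today: Dict[str, Set[str]], yesterday: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Per 8-digit prefix query, result URLs present today that were absent yesterday."""
    out: Dict[str, Set[str]] = {}
    for prefix, urls in today.items():
        fresh = urls - yesterday.get(prefix, set())
        if fresh:
            out[prefix] = fresh
    return out


# Constructed sample data. The card numbers are the well-known public test
# numbers for Visa, Mastercard and American Express, not real accounts.
SAMPLE_PAGES = {
    "http://shop.example/orders/1001": "Order 1001, A. Bravo. Card: 4111 1111 1111 1111 exp 05/09",
    "http://shop.example/orders/1002": "Order 1002. Card 5555-5555-5555-4444; AmEx on file 3782 822463 10005",
    "http://forum.example/post/77": "Ref 20070524 12345678 is an order id, phone 555-0100, no card here",
}
YESTERDAY = {'"4111 1111"': {"http://shop.example/orders/1001"}}
TODAY = {
    '"4111 1111"': {"http://shop.example/orders/1001", "http://shop.example/orders/1003"},
    '"5555 5555"': {"http://shop.example/orders/1002"},
}

if __name__ == "__main__":
    for url, cards in scan_pages(SAMPLE_PAGES).items():
        print(url, cards)
    for prefix, urls in new_urls(TODAY, YESTERDAY).items():
        print("review:", prefix, sorted(urls))
```

Two caveats the paragraph glosses over. The Luhn test only removes the obvious non-cards (the forum page's 16-digit "order id, phone" run fails it); a real run still needs the human review the author describes, since about one in ten random digit strings passes. And the regex deliberately requires the candidate to be a stand-alone run, so a card fused directly onto an adjacent number would be missed; a sliding window over longer runs catches that at the price of more false positives.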

It's considered good etiquette among security researchers, when finding a new security hole, to give the affected companies a chance to fix the issue before publicizing it. When I first contacted the credit card companies and described exactly how the exploit worked and how to block it, after getting a polite "We can't comment" from each one, I figured I'd give them a few months to get a system in place that could find leaked cards on a daily basis and de-activate them before they could be used. But then I found the C-Net article from 2004, and figured that if the card companies hadn't taken action in three years, it was fair game to publicize the trick in order to increase the pressure on them to plug the gap. Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it.

I did try the "Good Samaritan" approach, calling the credit card companies when I found one of their customers' card numbers on the Web. For each of the four major card companies, I called their security departments and reported two of the cards that I had found compromised, and then a week later, called the cardholders themselves to see if the card companies had notified them. Surprisingly, of the four companies, American Express was the only one whose customers in this experiment, when I called them a week later, said that AmEx had contacted them and told them to change their numbers. But even if all four credit card companies were more proactive about acting on reports of leaked numbers, the problems with scaling this approach are that (a) I usually had to wait on hold for a few minutes with each company and then spell out each card number that I'd found, which doesn't scale for a large number of stolen card numbers, and (b) if lots of people started doing this, then the credit card companies would be inundated with duplicate reports about the "low-hanging fruit", card numbers with common prefixes that appear near the top of some Google search result. Both problems could be avoided if the card companies simply ran their own script that queried Google and brought up a list of any indexed card numbers, whereupon an employee could copy and paste the numbers into an interface that would flag the cards instantly.

Google does have a feature where you can request the removal of pages that contain credit card numbers and other personal data such as Social Security Numbers. Any pages that I found containing credit card data, I submitted for removal, and Google did handle each removal request within two days. But this doesn't guard against the possibility that someone might have found the credit card information before it was removed, and of course it doesn't mean that other search engines like Alta Vista (remember Alta Vista?) might not have indexed the same pages. Running a sample of 8-digit prefix searches on Alta Vista, I found about as many credit cards as I found through Google, including some pages that were not in the Google index (maybe Google never indexed them, or maybe they had removed them already). So removing a page from any engine's search results is more like covering up a symptom of a problem than fixing the problem itself, which is the fact that the card number was leaked to the Web in the first place.

If nothing else, this is another reminder of how terrible the security model is for credit card numbers as a token of payment -- one universal piece of information shared with every merchant, that can be used for unlimited unauthorized charges if it gets compromised, until someone notices. About the only desirable property of credit card numbers from a security point of view is that they can be changed, and most of your existing recurring billing relationships will carry over, but even that is a hassle. Several credit card companies do provide the ability to generate single-use credit card numbers, each one authorized only for a limited purchase amount. The problem with that is that as any security analyst will tell you, if it takes even one extra step, most people won't bother -- as long as all-purpose credit card numbers are the default, that's what most people will use. Perhaps incidents like this will push people towards more 21st-century-aware styles of payment (like PayPal, but without all the horror stories), where you can pay a bill through a system that debits your card or your bank account, without sharing all your information with the merchant.

But in the short term, as long as credit card numbers are still with us, the card companies should make more proactive efforts to find and deactivate the ones that have been leaked on the Internet. If the card numbers are found to be leaked by a clumsy Web interface on one company's site, then that company should be chastised by the card companies that issued them a merchant account. If the numbers are found together in a list posted on some third-party forum, then the companies can cross-reference the charge history against each card in the list, to narrow down which merchant may have been responsible for the leak. I'm sure the card companies do something like this already when they find a list of leaked cards; what they don't seem to be doing is acting aggressively enough to find the leaked numbers in the first place.
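The cross-referencing step in this paragraph, as an added example that is not from the article and does not describe any issuer's actual system: given a table of (card, merchant) transaction rows and the list of leaked cards, score each merchant by the fraction of leaked cards that passed through it (coverage) and by how that compares with the merchant's share of all cards (lift). A merchant every cardholder uses gets coverage 1.0 but lift 1.0; a small merchant seen by all the leaked cards and few others stands out. Card identifiers here are internal tokens, not account numbers, since the analysis never needs the PAN; the data is constructed and the function names are mine.

```python
"""Common point of purchase: which merchant did every leaked card pass through?"""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple


def merchants_per_card(transactions: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Collapse (card_ref, merchant_id) rows into card_ref -> set of merchants.
    card_ref is an internal token for the account, never the PAN itself."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for card_ref, merchant_id in transactions:
        seen[card_ref].add(merchant_id)
    return dict(seen)


def rank_common_merchants(
    leaked: Set[str],
    history: Dict[str, Set[str]],
    min_coverage: float = 0.5,
) -> List[Tuple[str, float, float]]:
    """Return (merchant, coverage, lift), likeliest leak source first.

    coverage: fraction of leaked cards (that we have history for) seen at the merchant.
    lift:     coverage divided by the merchant's share of all cards in history, so a
              merchant everyone uses (coverage 1.0, lift 1.0) does not outrank a small
              merchant that only the leaked cards have in common.
    Merchants below min_coverage are dropped as noise.
    """
    all_cards = set(history)
    leaked_present = leaked & all_cards
    if not leaked_present:
        return []
    leaked_hits: Dict[str, int] = defaultdict(int)
    total_hits: Dict[str, int] = defaultdict(int)
    for card_ref, merchants in history.items():
        for m in merchants:
            total_hits[m] += 1
            if card_ref in leaked_present:
                leaked_hits[m] += 1
    ranked: List[Tuple[str, float, float]] = []
    for m, n_leaked in leaked_hits.items():
        coverage = n_leaked / len(leaked_present)
        if coverage < min_coverage:
            continue
        base_rate = total_hits[m] / len(all_cards)
        ranked.append((m, coverage, coverage / base_rate))
    ranked.sort(key=lambda row: (-row[1], -row[2], row[0]))
    return ranked


# Constructed sample: c1-c6 appear on a leaked list, c7-c10 do not.
SAMPLE_TRANSACTIONS = (
    [(f"c{i}", "bigbox") for i in range(1, 11)]        # every card shops here
    + [(f"c{i}", "tinyshop") for i in range(1, 7)]     # only the leaked cards
    + [("c1", "cafe"), ("c2", "cafe"), ("c7", "cafe"), ("c8", "cafe")]
)
LEAKED = {f"c{i}" for i in range(1, 7)}

if __name__ == "__main__":
    history = merchants_per_card(SAMPLE_TRANSACTIONS)
    for merchant, coverage, lift in rank_common_merchants(LEAKED, history, min_coverage=0.0):
        print(f"{merchant:10s} coverage={coverage:.2f} lift={lift:.2f}")
```

With the default threshold "cafe" (two of six leaked cards) drops out, and "tinyshop" is ranked above "bigbox" on lift even though both cover every leaked card. On real data the ranking is a lead for investigators, not proof: a leak at a payment processor shows up as several unrelated merchants with elevated lift rather than one.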

Maybe the real moral is not the insecurity of credit card numbers, but the value of transparency and online community relations. If MasterCard had been a hip company like Wikia, some volunteer probably would have discovered this attack very early, and another volunteer would have written an open-source tool to find and deactivate leaked MasterCard numbers automatically, and the problem would have been solved ten years ago. In fact many tech companies, if you report a security problem to them, will thank you and fix it immediately, and some of them will even offer you cash if you find any more, like Netscape used to do with their $1,000 Bugs Bounty program. We get so used to big companies having obvious holes in their security practices and answering every question about security with a flat "No comment", that we forget it doesn't have to be that way -- transparency is not just trendy, it works. After years of having bug hunters poke at the Netscape browser, the security may not have been perfect, but it didn't have any security holes that were as simple and obvious as to be analogous to finding credit card numbers on Google.
  • Oy (Score:3, Interesting)

    by Billosaur (927319) * <wgrother AT optonline DOT net> on Thursday May 24, 2007 @08:25AM (#19251763) Journal

    This whole thing should come as no shock. The Internet was not built with security in mind. I don't think anyone imagined the degree to which it would become a method of commerce. Certainly when the first websites were given the ability to accept and process credit cards, the card companies had been dealing with fraud for years, in terms of lost/stolen/duplicated cards. I remember working in a convenience store in the 80's and getting small booklets in the mail from the credit card companies with lists of fraudulent numbers. Like I was going to look them up!

    Credit cards could be made much more secure. It would be expensive, no doubt, as it would require fundamental changes to the system, but compare that to the price of all the fraud currently committed and I'm pretty sure the ROI is pretty good.

  • by jjeffers (127519) <jj AT aprsworld DOT net> on Thursday May 24, 2007 @08:30AM (#19251845) Homepage
    I am a merchant that deals with internet and in person sales of my products. I'm also a computer engineer and have cursory knowledge of security.

    The credit card companies have no security. They don't care either. It's not them that will foot the bill. As a consumer it is great that you can only get stuck for $50 of fraudulent charges. But as a merchant you lose your merchandise and the fraudulent payment. You can receive authorization from the credit card company saying the transaction is good, but they can and do still take the money away from you.

    I've had about a dozen cases of obviously fraudulent orders. The first few I would call the credit card company, report the suspicious card, etc. They did nothing. On one I found out the real owner of the card, called them, and they hadn't even been contacted by the credit card company. I had all of the details that the police would have needed to get the scammer and the credit card company wouldn't even take that information.

    Now I just delete any order that looks unusual.
  • by Sobrique (543255) on Thursday May 24, 2007 @08:31AM (#19251855) Homepage
    Thing is though, why would those numbers be listed on a web page at all, unless it were for billing? I've seen quite a few examples of poorly protected .htaccess files, which go something like:

    #4455 6677 9933 2233 Mr. A Bravo, 231 Some Road, Some Where, XX4 6YY, CVN 123

    Clearly it's a result of a disgusting signup form, but ... well, the OP mentions he rang 'em up, so I'd assume the details were a little more complete than just the CCN.

  • by pytheron (443963) on Thursday May 24, 2007 @08:31AM (#19251859) Homepage

    How can a normal fraudster use a credit card number to his personal gain?
    Rent a flat/bedsit somewhere. Get someone to rent it for you for some cash. There's your address. Getting goods is trivial. The hard part is getting people to accept a card without the corroborating data, like chip-and-pin, signature, D.O.B etc etc.
  • by Gulik (179693) on Thursday May 24, 2007 @08:32AM (#19251875)
    How can a normal fraudster use a credit card number to his personal gain?
    Does he get goods delivered to his house?

    I recall reading that one guy had a bunch of credit card details, and of course came up against that very problem. His solution was to put up a pile of auctions on eBay for various big-ticket items. When those auctions ended and he got the funds, he used the credit cards to order the items and have them shipped to the winners' homes. By the time the people whose cards were used found out, the only information available was for the folks who won the auctions, and the seller was nowhere to be found.
  • Re:Retailers (Score:1, Interesting)

    by Anonymous Coward on Thursday May 24, 2007 @08:39AM (#19251977)
    I've been working on PCI-DSS related initiatives for over a year now. Tier 1 providers are spending significant amounts of money to comply. Non-compliance fines are being handed out regularly.

    Reading the thread, I'm surprised the majority of IT dopes here knew nothing about these standards. You guys could have made a mint doing PCI-related consulting work over the past year. It's been more lucrative than Sarb-Ox over the past year.

    Not too late to jump onto that bandwagon.
  • by grandpa-geek (981017) on Thursday May 24, 2007 @08:43AM (#19252027)
    ... to the authorities responsible for combating credit card fraud and identity theft. This includes the Secret Service, the Federal Reserve, the relevant committees of both House and Senate, the Federal Trade Commission, the Justice Department, the Attorneys General of the states and DC, and possibly others.
  • by WalterSobchak (193686) * on Thursday May 24, 2007 @08:44AM (#19252051) Homepage Journal
    Yes you can use these numbers to shop in a store. Real easy.

    My bank called me to ask if I was in Istanbul, Turkey, over the weekend. When I said "No", they said: "But your Visa Card was", and they did not seem at all surprised that the physical card was still in my possession.

    They gave me a nice list of events: First the thugs bought something small, then tried something big. As the card was declined, they tried something small again, and then a couple of medium purchases (like $100 a piece).
    All in all, they had racked up about $1000 when the call came, but I did not have to cover any of that, luckily.
    Again, all of these were in-store purchases.

  • by Anonymous Coward on Thursday May 24, 2007 @09:09AM (#19252515)
    I've had it easier than that once. Called the bank when I saw something on my card statement that was questionable. The CSR pulled up that record and stated that with that specific transaction, the card was not actually swiped, it was manually entered. I confirmed it was not my purchase. I was immediately credited the money and about a month later I got a letter stating that the results of the investigation were final and the case was closed.

    Now I've also had it harder. A bill collector that I made a one-time payment to via my credit card (stupid me, stupid me, stupid me) decided to use that same card number to charge an additional amount for two more months as a "collection fee". When I disputed it, the same process was started, but this time the perp actually stated that I authorized the additional charge and we had a contract. It took a while and an affidavit, but I eventually got the case finalized. It was basically his word against mine. Obviously this guy does this for a living and knows how to game the system. I'm sure he probably has a decent rate of return fighting those with the CC companies and has done it enough to know what to say to them during a dispute. I know for a fact I authorized a one-time payment of $120 that I owed, not an additional two payments of $50 for a collection fee. This was for the balance of a dental bill that my insurance company did not pay and I thought had been resolved. I moved from the area and the dentist could not track me down. I wanted to pay the dentist directly, but since the debt was sold to this crook, it was too late.
  • by profplump (309017) <> on Thursday May 24, 2007 @09:10AM (#19252549)
    More commonly I've seen that they obtain access to a merchant account and process ~$10 transactions themselves. The hope is that they can use the merchant account for a couple of months before people notice -- a $10 transaction doesn't call much attention unless you really do accounting -- and then when they lose access to their merchant account they move on to another.

    This can be done either by obtaining merchant accounts directly (not as difficult or traceable as you might think) or just convincing the clerk at any store with a valid account to process a bunch of bogus transactions and pay them out from the till.
  • by twitter (104583) on Thursday May 24, 2007 @09:35AM (#19253097) Homepage Journal

    I'd hazard a bet that the majority of the leaks, especially the ones the article talks about, are fifty-cent web applications running on a LAMP stack on an ultracheap web host somewhere.

    The problem with that line of reasoning is that LAMP, though free and cheap, is obviously better than IIS. The same thing can be applied to retail software. In the free software world, you are never alone. Instead of slapping together a second-rate web app yourself, you can install a good one that does not have this five-year-old problem. Nasty problems that never get corrected are mostly a non-free-software problem.

  • by LinuxParanoid (64467) on Thursday May 24, 2007 @09:43AM (#19253271) Homepage Journal
    As a merchant, I found myself treading the same path as jjeffers, initially notifying card companies and card owners and now just deleting the orders.

    The card companies have structured the system so that liability rests with the merchants.

    In part, this is smart because merchants will always have the best 'hinkiness' detectors at the point of the transaction. But it also means that the incentives for system-wide changes by the credit card vendors are weak.

    There is certainly room for improvement. I always thought it'd be cool for merchants to band together to share suspicious credit card #s that have hit their system (i.e. ones from merchants' "suspicious/deleted" orders which otherwise the ccard companies never see since we don't even attempt to push them through their systems), and, in return, be able to crosscheck cards entered into their system against the suspicious list. A nice web API to do this wouldn't be too hard, although the API shouldn't itself take or reveal the entire card # either, for security reasons. But it could return spam-assassin-like scores and/or hints for other merchants' manual review ("A telecom merchant in NJ found a card matching 12 of those digits and with the same zip code suspicious 4 hours ago").

  • by niiler (716140) on Thursday May 24, 2007 @09:44AM (#19253289) Journal

    Dateline NBC did a story on this problem this very week and found that with the full cooperation of the credit card companies, it was still quite time consuming to run down the real perps.

    Here's what they did:

    • Got the credit card companies to issue bogus credit cards - with real credit lines of $1000 - for them to sell online.
    • Sold the cards via certain IRC channels and monitored how quickly such funds were spent.
    • Set up a bogus electronics goods web site that was advertised via said IRC channels where perps could spend their hard-earned cash.
    • Set up a bogus shipping company to deliver the goods to the addresses listed
    • Found that in a large number of cases, the goods were:
      • Dropped at vacationers' houses
      • Dropped at the houses of dupes who were convinced that they were participating in real business deals on behalf of their absentee "fiancees".
    In short there were no direct connections reported. None of these folks were that stupid apparently. Most of the goods were then shipped out of country to places where US law does not apply and then resold in the retail market.

    Personally, I suspect that the reason the credit card companies don't do anything is because the people in charge (not the techies or sysadmins) really don't understand the internet because it doesn't fit into the age old business model. As there is no understanding, there is no drive to fix the problem.

  • Re:Because... (Score:5, Interesting)

    by silas_moeckel (234313) <silas@dsmi[ ] ['nc-' in gap]> on Thursday May 24, 2007 @09:58AM (#19253577) Homepage
    You have to keep in mind CC companies lose nothing in CC fraud; they actually make money. Here is how the charge back process works.

    Person reports the fraud to CC company
    CC company issue charge back notice to merchant gives them time to dispute etc.
    CC company takes the amount of the charge (not what they gave the merchant after fees) + $35 bucks charge back fee from the merchant
    Refunds all or most of the charges to the CC holder, issues a new card etc.
    If they find the merchant the cards got stolen from, they fine them and charge them to reissue cards. Fines alone can be 500k, and I have heard of 5 figure fines for a handful of stolen cards. They have some good software that correlates stolen cards and what merchants have ever seen the cards.

    So no, Visa etc. do not lose anything; they shifted that liability to the merchant for accepting the fraudulent charges.
  • by fritzk3 (883083) <.moc.liamg. .ta. .3kztirf.> on Thursday May 24, 2007 @10:43AM (#19254415)

    Why are you bothering to call the CCard companies? Credit card fraud is *illegal*. Call the police instead. "Hi Officer Friendly, A criminal just tried to defraud me. Here's his address, here's the details. Sic 'em!"

    The problem with this, speaking from personal experience, is that if the CC companies cancel all of the fraudulent transactions, then the police won't do anything, because you're not out any money (despite the criminal INTENT of the perpetrator).

    You somehow have to find out the details of the perpetrator before you get the charges reversed, then call the police while you still have missing / stolen currency.

  • by shiafu (220820) on Thursday May 24, 2007 @10:44AM (#19254431)
    Per the instructions in this article, I tried googling the first eight numbers of my credit card, "4640 1820". As soon as the results showed up on the Google page, Firefox immediately came up with this warning message:

    Security Error: Domain Name Mismatch

    You have attempted to establish a connection with "" However, the security certificate presented belongs to "". It is possible, though unlikely that someone may be trying to intercept your communication with this web site.
    If I change the Google query to be one number off (i.e. not a valid credit card prefix) I don't get this security warning. Has anyone else ever seen this? I have a very bad feeling that I've got some kind of credit card sniffing trojan on my PC, so I'll probably be spending my evening reformatting my hard drive. Oh joy.
  • Re:Not so clever? (Score:5, Interesting)

    by Belial6 (794905) on Thursday May 24, 2007 @01:13PM (#19257083)
    Of the three credit card fraud cases, I have personally known about...

    1) One was my card. The fraud was an internal job at Chase. Locked cards that I could not make charges on were still getting new charges, dates were being moved around after I pointed this out, and replacement accounts were being used before the cards were even printed. Online access to view purchases on the account, which showed purchases before the post date on the replacement card's envelope, was cut off. Chase simply refused to even discuss the possibility that the fraud was internal. After the third card in a row showed up with fraudulent activity, I simply made sure all accounts were canceled and put Chase on the list of businesses not to do business with.

    2) Another was my wife's. Her estranged mother opened an account under her name, ran up the card, then filed bankruptcy. We found out about it from a credit report when we went to refinance our home. The card was opened before she turned 18, and over a year after she was no longer living at home. My wife offered to testify so they could prosecute. Their response was that since they had removed her name from the account, they would no longer discuss the account with her.

    3) A friend had charges made on his card. The items were purchased mail order, so there was an address to track the person down with. The local police said that they would not deal with it because you had to contact the police where the card was used. The police where the purchase was made said that they would not deal with it, and that he needed to contact his local police department.

    So, of the three credit card frauds I have personally been privy to, I don't see that there is any attempt to even slow down the fraud. I have to assume that there is some way that the credit card companies make money off of the fraud.

    Of course that is why I absolutely refuse to have a 'Check Card'. Given how easy it is to commit credit card fraud, there is no way in hell I want someone to have anonymous access to my checking account. The downstream problems with things like other bounced checks are just not worth it, given that they have no advantages over a credit card. Hell, instead of giving me an ATM card that doesn't require a PIN, how about giving me a credit card that does. They even advertise how easy it is to commit fraud with 'Check Cards'.
  • by rickwood (450707) on Thursday May 24, 2007 @03:41PM (#19259513)
    I worked with the legal department in charge of chargebacks at a major credit-card payment processor for about two weeks. I walked away from the deal when I figured out how evil they are.

    Pretty much all you need to know about it is that the chargeback department is seen as a profit center, and they were proud of the millions in chargeback money they added to the bottom line. Sure, there were a few "bad apples" among the merchants who were frauds and got what they had coming to them. However, the vast majority were Mom and Pops who through no fault of their own wound up on the wrong end of a chargeback.

    For example, Sally Suburb pays for auto repair via her Visa card, and Hubby decides it was too much and disputes the charge. There was nothing wrong with the repair, and the amount was legitimate; he just thought it was too much. In due course it's charged back and now the mechanic has to come up with the full amount plus fees and expenses.

    Looking over the files, I saw chargebacks had put lots of these folks out of business and into bankruptcy. I suppose I'm too much of a sentimentalist, but I couldn't be a part of that. They kept calling for months but I wouldn't even talk to them. Effin' vampires if you ask me. Nowhere in business will you find a more wretched hive of scum and villainy, not even in insurance or banking.
