Why Are CC Numbers Still So Easy To Find?

Posted by kdawson
from the years'-old-hole dept.
Frequent Slashdot contributor Bennett Haselton gives the full-disclosure treatment to the widely known and surprisingly simple technique for finding treasure-troves of credit card numbers online. He points out how the credit-card companies could plug this hole at trivial expense, saving themselves untold millions in losses from bogus transactions, and saving their customers some serious hassles. Read on for Bennett's article.

Some "script kiddie" tricks still work after all: Take the first 8 digits of a standard 16-digit credit card number. Search for them on Google in "nnnn nnnn" form. Since the 8-digit prefix of a given card number is often shared with many other cards, about 1/4 of credit card numbers in my random test turned up pages that included other credit card numbers, and about 1 in 10 turned up a "treasure trove" of card numbers that were exposed through someone's sloppily written Web app. If the numbers were displayed along with people's names and phone numbers, sometimes I would call the users to tell them that I'd found their cards on the Internet, and many of them said that the cards were still active and that this was the first they'd heard that the numbers had been compromised.

Now, before this gets a lot of people mad, let me say that at first I was planning on holding off writing about this for months if necessary, to give the credit card companies time to do something about it. In other words, I actually had the presumptuousness to think that I had been the first one to discover it, but only because the credit card numbers that I found were still active. (If the trick had been widely known, I reasoned, surely the credit card companies would have found any credit card numbers listed in Google before I did, and gotten them cancelled.) Then I found that the trick had been publicized about three years earlier in a C-Net article by Robert Lemos and was probably widely known even before that. (The article stops just short of describing the actual technique, but one reader posted the full details in a follow-up comment.) Another article from that year in CRM Daily describes an even more efficient trick: Googling for number ranges like 4060000000000000..4060999999999999 to find Visa card numbers beginning with "4060". Google has now blocked that trick, so that trying that as a Google search leads to an error page. But the basic technique of Googling for working credit card numbers apparently still works. In other words, credit card companies have apparently known about this technique for at least three years, probably longer, and presumably have hoped it would continue being swept under the rug.

At this point, I think the right thing to do is to shine a light on the problem and insist that they fix it as soon as possible. It may result in a short-term spike in people using this technique, but if it results in the problem being fixed, then the total number of fraud incidents will probably be less in the long run.

It would be simple for companies like Visa, MasterCard, and Discover to take a list of the most common 8-digit prefixes, query for them every day on Google, and de-activate any new credit card numbers that were found that way. (American Express cards are apparently not vulnerable to this trick, because when their 15-digit card numbers are written with spaces, they are usually written in the format "3xxx xxxxxx xxxxx", and Googling for the first 10 digits as "3xxx xxxxxx" didn't yield anything in my random test of ten AmEx numbers. But this is still their problem too, since the searches that turn up "treasure troves" of card numbers usually include AmEx numbers as well.) A Perl programmer could write a script in one afternoon that could run through all the known 8-digit prefixes, parse the search results, and pick out any URLs that weren't listed as matches the day before. From there, the search results would have to be reviewed by a human, in order to spot any situations where one credit card number was exposed at one URL, and a slight variation on the same URL (such as varying an order ID number) would expose other credit card numbers as well, which was the case with several of the hits that I found. Simple, but time-consuming with so many different 8-digit prefixes -- but every minute of effort expended on tracking down and canceling leaked credit card numbers would save time and grief later by preventing the numbers from being used by criminals. If it would save them time in the long run and help prevent fraud, then why don't they do this?

It's considered good etiquette among security researchers, when finding a new security hole, to give the affected companies a chance to fix the issue before publicizing it. When I first contacted the credit card companies and described exactly how the exploit worked and how to block it, after getting a polite "We can't comment" from each one, I figured I'd give them a few months to get a system in place that could find leaked cards on a daily basis and de-activate them before they could be used. But then I found the C-Net article from 2004, and figured that if the card companies hadn't taken action in three years, it was fair game to publicize the trick in order to increase the pressure on them to plug the gap. Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it.

I did try the "Good Samaritan" approach, calling the credit card companies when I found one of their customers' card numbers on the Web. For each of the four major card companies, I called their security departments and reported two of the cards that I had found compromised, and then a week later, called the cardholders themselves to see if the card companies had notified them. Surprisingly, of the four companies, American Express was the only one whose customers in this experiment, when I called them a week later, said that AmEx had contacted them and told them to change their numbers. But even if all four credit card companies were more proactive about acting on reports of leaked numbers, the problems with scaling this approach are that (a) I usually had to wait on hold for a few minutes with each company and then spell out each card number that I'd found, which doesn't scale for a large number of stolen card numbers, and (b) if lots of people started doing this, then the credit card companies would be inundated with duplicate reports about the "low-hanging fruit", card numbers with common prefixes that appear near the top of some Google search result. Both problems could be avoided if the card companies simply ran their own script that queried Google and brought up a list of any indexed card numbers, whereupon an employee could copy and paste the numbers into an interface that would flag the cards instantly.

Google does have a feature where you can request the removal of pages that contain credit card numbers and other personal data such as Social Security Numbers. Any pages that I found containing credit card data, I submitted for removal, and Google did handle each removal request within two days. But this doesn't guard against the possibility that someone might have found the credit card information before it was removed, and of course it doesn't mean that other search engines like Alta Vista (remember Alta Vista?) might not have indexed the same pages. Running a sample of 8-digit prefix searches on Alta Vista, I found about as many credit cards as I found through Google, including some pages that were not in the Google index (maybe Google never indexed them, or maybe they had removed them already). So removing a page from any engine's search results is more like covering up a symptom of a problem than fixing the problem itself, which is the fact that the card number was leaked to the Web in the first place.

If nothing else, this is another reminder of how terrible the security model is for credit card numbers as a token of payment -- one universal piece of information shared with every merchant, that can be used for unlimited unauthorized charges if it gets compromised, until someone notices. About the only desirable property of credit card numbers from a security point of view is that they can be changed, and most of your existing recurring billing relationships will carry over, but even that is a hassle. Several credit card companies do provide the ability to generate single-use credit card numbers, each one authorized only for a limited purchase amount. The problem with that is that as any security analyst will tell you, if it takes even one extra step, most people won't bother -- as long as all-purpose credit card numbers are the default, that's what most people will use. Perhaps incidents like this will push people towards more 21st-century-aware styles of payment (like PayPal, but without all the horror stories), where you can pay a bill through a system that debits your card or your bank account, without sharing all your information with the merchant.

But in the short term, as long as credit card numbers are still with us, the card companies should make more proactive efforts to find and deactivate the ones that have been leaked on the Internet. If the card numbers are found to be leaked by a clumsy Web interface on one company's site, then that company should be chastised by the card companies that issued them a merchant account. If the numbers are found together in a list posted on some third-party forum, then the companies can cross-reference the charge history against each card in the list, to narrow down which merchant may have been responsible for the leak. I'm sure the card companies do something like this already when they find a list of leaked cards; what they don't seem to be doing is acting aggressively enough to find the leaked numbers in the first place.

Maybe the real moral is not the insecurity of credit card numbers, but the value of transparency and online community relations. If MasterCard had been a hip company like Wikia, some volunteer probably would have discovered this attack very early, and another volunteer would have written an open-source tool to find and deactivate leaked MasterCard numbers automatically, and the problem would have been solved ten years ago. In fact many tech companies, if you report a security problem to them, will thank you and fix it immediately, and some of them will even offer you cash if you find any more, like Netscape used to do with their $1,000 Bugs Bounty program. We get so used to big companies having obvious holes in their security practices and answering every question about security with a flat "No comment", that we forget it doesn't have to be that way -- transparency is not just trendy, it works. After years of having bug hunters poke at the Netscape browser, the security may not have been perfect, but it didn't have any security holes that were as simple and obvious as to be analogous to finding credit card numbers on Google.
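
The daily review the article asks for (spot exposed numbers in page text, report only what was not seen the day before), sketched as an added example that is not Haselton's script or anyone's production code. It works on page text the operator already holds, such as a merchant's own rendered pages, and leaves fetching out; the URLs, key and sample text are constructed, and the card numbers are published processor test numbers.

```python
import hashlib
import hmac
import re

# Layouts named in the article: 16 digits in groups of four, and 15-digit
# AmEx numbers written "3xxx xxxxxx xxxxx". Space, hyphen or no separator.
CANDIDATE = re.compile(
    r"(?<!\d)(?:\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}"
    r"|3\d{3}[ -]?\d{6}[ -]?\d{5})(?!\d)"
)


def luhn_ok(digits):
    """Luhn checksum: filters out order IDs, tracking numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits so a report never carries a full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def fingerprint(digits, key):
    """Keyed hash that recognises the same card across runs without storing it."""
    return hmac.new(key, digits.encode(), hashlib.sha256).hexdigest()[:16]


def scan_text(text, key):
    """Return {fingerprint: masked number} for every Luhn-valid candidate in text."""
    found = {}
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):
            found[fingerprint(digits, key)] = mask(digits)
    return found


def scan_pages(pages, key):
    """Scan {url: page text}; keep only URLs with at least one finding."""
    results = {}
    for url, text in pages.items():
        hits = scan_text(text, key)
        if hits:
            results[url] = hits
    return results


def new_since(today, yesterday):
    """(url, masked) pairs found today that were not reported the day before."""
    fresh = []
    for url, hits in today.items():
        seen = yesterday.get(url, {})
        fresh += [(url, masked) for fp, masked in hits.items() if fp not in seen]
    return sorted(fresh)


# Constructed sample input (hypothetical site, test card numbers only).
KEY = b"constructed-demo-key"  # placeholder; a real key belongs in a secrets store
DAY1 = {
    "https://shop.example.com/receipts/a.html":
        "Paid with 4111 1111 1111 1111, phone 555 0100",
}
DAY2 = {
    "https://shop.example.com/receipts/a.html":
        "Paid with 4111 1111 1111 1111, phone 555 0100",
    "https://shop.example.com/export/orders.txt":
        "Card 3782 822463 10005 charged; tracking no. 1234 5678 9012 3456",
    "https://shop.example.com/about": "Call us on 0800 1234 5678",
}

if __name__ == "__main__":
    for url, masked in new_since(scan_pages(DAY2, KEY), scan_pages(DAY1, KEY)):
        print("new exposure:", url, masked)
```

Only the masked form and the keyed fingerprint are kept between runs, so the findings store does not itself become a list of card numbers.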

Comments:
  • by Himring (646324) on Thursday May 24, 2007 @09:19AM (#19251673) Homepage Journal
    But how do you know that they haven't already done this?

    At the top of TFA:

    "I would call the users to tell them that I'd found their cards on the Internet, and many of them said that the cards were still active and that this was the first they'd heard that the numbers had been compromised."

  • by stackdump (553408) on Thursday May 24, 2007 @09:21AM (#19251703)
    I would think the best thing to do would be to learn how to make a bogus credit card. That way you could visit a store out of the way w/ no surveillance and could spend money while signing with some bogus scribble.
  • by Anonymous Coward on Thursday May 24, 2007 @09:21AM (#19251709)
    Something like this would work...
  • by Anonymous Coward on Thursday May 24, 2007 @09:22AM (#19251717)
    Your presumption that credit card numbers share the first eight digits is flawed. The first six digits of the card reference the referring bank. The next eight digits are the account number. The final two digits are the identifier of the card. If you and your wife both have cards for the same account, yours may end in an 03 while hers ends in a 19.
  • by Average_Joe_Sixpack (534373) on Thursday May 24, 2007 @09:31AM (#19251871)
    Dateline NBC exposed the workings of these frauds a few months back Part 1.
  • Retailers (Score:4, Informative)

    by cyphercell (843398) on Thursday May 24, 2007 @09:33AM (#19251891) Homepage Journal
    This has very little to do with the credit card companies and a lot to do with the merchants that process credit cards. The current standard is PCI-DSS (Payment Card Industry - Data Security Standards), discussed here. My job is working to upgrade software that is not compliant with these standards, so I know the credit card companies are doing something. The problem rests with merchants that are largely clueless about the necessary security precautions that need to be taken when working with computers. They want to be in business, process credit cards, have a website, a network, and they want to pay their nephew $5/hr to set everything up. The bottom line is, that having data compromised from your business, when you haven't met these standards, will leave you liable for the loss, possibly incurring fees of up to $500,000 and potentially losing your privilege of processing credit cards permanently. Bottom line is the vast majority of business owners are not adequately computer literate and they are too cheap to pay an expert to deal with their network properly.
  • by SrJsignal (753163) on Thursday May 24, 2007 @09:34AM (#19251909)
    Actually, you must not have ever had this happen. There's no "fraud police report" or whatever the heck you're talking about there. Here's what happens:
    1. Call CC company tell them there are unauthorized charges
    2. Person on the line marks said charges and gets you a new CC # in the pipeline
    3. Bank mails you an affidavit that you must highlight fraudulent charges on, and sign stating that you're not lying about it.
    4. CC company issues you credit with the note that *credit is not final until investigation is complete.
    5. 1-2 months later you get a note saying "Credit is final"
    That's it, there's very little burden of proof on the consumer.
  • by rueger (210566) on Thursday May 24, 2007 @09:38AM (#19251959) Homepage
    I'll save you 11,000 characters:

    1) Take the first 8 digits of a standard 16-digit credit card number. Search for them on Google in "nnnn nnnn" form.

    2) You'll find lots of credit card numbers

    3) Profit

    4) Credit Card companies should have employees who Google for credit card numbers and de-activate any card whose number is found on the 'net. Thank you.
  • by wowbagger (69688) on Thursday May 24, 2007 @09:40AM (#19251985) Homepage Journal
    Why are credit card numbers so easy to find? Or put another way, why is credit card fraud so easy?

    Because it does not cost the credit card companies.

    When fraud is reported, the credit card company charges back to the merchants. As such, the credit card company is out relatively little money (it is the merchants who get screwed).

    Adding meaningful security to credit cards would cost the credit card companies money. It would also make people less likely to use their cards, costing the credit card companies more money.

    Also, the credit card companies can use fraud to justify higher interest rates, annual fees, and as a marketing gimmick to sell their card over others.

    So, to recap: fraud costs the card companies little, preventing fraud would cost them much.

    Has this helped identify why credit card fraud is so easy?

    Datum: A friend of mine was involved with a large e-commerce site. He detected an on-going fraud ring trying to buy large amounts of goods from the site with stolen cards. He reported it to the card companies - "Here are the cards. Here's where they are trying to send the goods. Do you want to nail these guys?"

    The response: "Thanks, but no, it's not worth our time. Just don't send them anything."

  • by Anonymous Coward on Thursday May 24, 2007 @09:40AM (#19251999)

    The first six digits of the card reference the referring bank.

    Credit card numbers are often written in groups of four digits separated by spaces. Most search engines use spaces as separators between "words" and usually allow you to search for whole words only. Therefore you search for two blocks of four digits = eight digits.

  • by ronadams (987516) on Thursday May 24, 2007 @09:41AM (#19252015) Homepage
    Sorry, doesn't work that way. I'm not sure where you're getting the "7 years" from (perhaps bankruptcy laws in your state), but I can tell you from personal experience on both sides of the fence (that is, being frauded and working for a company that handled a fraud case) that the process is not as you describe it. Here's what actually happens:
    1. You get hax00rred.
    2. 1337 H4X00R spends money at a few dozen online stores.
    3. Profit!!! ...sorry, couldn't resist.
    4. You find a gigantor balance on your card, and call the financial institution who issued the card.
    5. They transfer you to the fraud department, where you sit on hold for 15 minutes and get to listen to choice cuts from Phil Collins: The Early Years
    6. Someone picks up, you tell them there's been some purchases on your card that aren't yours. They record the information, and fax you a form to fill out.
    7. You fill out the form and fax it back, after plugging in the fax machine you only keep around to fill out credit card fraud reports.
    8. 5-10 business days (called this because businesses use these terms when 13-15 days sounds too long) later, the balance is restored on your account, the institution eats the costs and files it with the IRS as lost profits to get a little of that alleviated.
    9. Your account number is changed and a new card is rushed to you (because every minute you're without a card, they are without your ever-increasing interest money).
    10. A notation is put on the account, just in case you claim another dozen or two of these cases in the future, sometime after your bar tabs run a little high...

    Companies that issue credits and/or debits see a lot of these cases, so the process is pretty well oiled.

  • by Slashdot Parent (995749) on Thursday May 24, 2007 @09:42AM (#19252023)
    Credit card companies aren't doing anything because credit card companies don't care about fraud. They don't care, because it doesn't cost them any money.

    When someone uses someone else's credit card fraudulently, it's not like the credit card company eats the loss. They just do a chargeback against the merchant who accepted the fraudulent transaction and they have to eat the cost. In fact, the CC company charges the merchant a hefty fee for the privilege of eating the cost.

    Of course, that cost just gets passed on to you, the customer, in the form of higher prices.

    Ain't credit cards grand?
  • by Anonymous Coward on Thursday May 24, 2007 @09:53AM (#19252173)
    Gas stations are always a good way to skim money off stolen credit cards ... criminals will routinely recruit bored/underpaid gas bar attendants to run a few dozen cards for several hundred dollars each, make up the difference with cash out of the till, and split the proceeds by some agreed-upon percentage.

    Several years ago when one of my credit cards was compromised, I saw a whole bunch of bogus charges made at gas stations all over southern California.
  • by antifoidulus (807088) on Thursday May 24, 2007 @09:55AM (#19252219) Homepage Journal
    Did you read TFA? The author states that often he found other pieces of info besides the card, such as names and telephone numbers (he called some of the owners of cards he found).

    Sheesh, if you are going to be pompous at least be correct
  • by plover (150551) * on Thursday May 24, 2007 @10:00AM (#19252339) Homepage Journal
    I'm not sure if you're trolling or not, but it's not too difficult at all for a thief to turn a credit card number into products or cash. There are various laundering procedures that some people go through (Dateline's "To Catch An I.D. Thief" exposed an elaborate one) but the sad reality is that most one-off fraudulent purchases aren't even followed up on by the banks, not until the dollars pile up. (They will be tabulated, of course, and people who try using a dozen stolen cards and have the merchandise shipped to the same address do get picked up.)

    Card data can also be turned into products in most stores. The stolen info can be burned on to an expired card, and the thief anonymously walks out of a store with an HDTV. More clever thieves will go to a store that's out of their norm, one that doesn't see as much fraud -- perhaps a craft store or a furniture store -- and buy a bunch of merchandise, and resell it on the streets or at flea markets. There are sophisticated organized theft rings that will purchase certain kinds of stolen merchandise and pose as legitimate wholesalers that resell it to small merchants.

    The underground economy revolving around stolen merchandise and credit cards is rapidly approaching a hundred billion dollars annually in America alone (last figure I saw a year or two ago put the estimate over 60 billion, not counting the MAFIAA.) It's obviously pretty easy to do, if you think like a criminal.

  • by Grax (529699) on Thursday May 24, 2007 @10:04AM (#19252429) Homepage
    Ways to personal gain from a CC number

    1. Long distance calling cards
    2. Online delivery of movies, software products, porn, or anything else with instant gratification.
    3. Print Fake Credit Cards with the numbers on them and go shopping (Yes. This is in the hands of the common criminal)

    My wife's card number was stolen and used to purchase hundreds of dollars of items at a mall over 1000 miles from our home. We did get the charges reversed but it took a number of phone calls (even though their fraud department proactively discovered the fraud on the day it happened and called us right away)

  • by jizziknight (976750) on Thursday May 24, 2007 @10:09AM (#19252525)
    As others have said, this is not the case. I had fraudulent charges on my Chase card about a year ago; a few <$50 charges, and a couple >$1000 charges, enough to go over the limit. So I called them up, the lady on the line (who was very nice) looked at the transaction history, and immediately noticed that there were charges to places far outside of my normal buying area, some even in India. She marked and canceled the charges, ran through the rest of the charges that were on my current statement, canceled the card, and issued me a new one. I got the new card in three days, a statement that I had to sign and return a few days later, and heard nothing more of it. As far as I can tell, my credit has not taken any sort of hit (I was later able to get another card with another bank at a similar limit and APR).

    The way I understand it, the CC companies take no liability for fraudulent charges. They make the merchant that processed them pay for it. I see this as a good thing. If the merchant bears all financial liability for fraudulent charges, it gives them a reason to make sure that the person buying the product/service is who they say they are.

    As a side note... can we get a -1 Idiot or -1 Wrong moderation? It would have been really useful here.
  • by Macthorpe (960048) on Thursday May 24, 2007 @02:49PM (#19257655) Journal
    IIS 6 has had only 3 vulnerabilities found since its release in 2003: Look here.

    Apache 2.0.x has had 31 vulnerabilities in the same time period: Here.

    What were you saying again?
  • by Peil (549875) on Thursday May 24, 2007 @03:46PM (#19258623) Homepage
    That's 493 cautioned - no big deal - these people accepted a police caution (We don't have enough to take you all the way to court but we will lean on you like hell so you voluntarily accept a criminal record), with the attendant registration on a Sex Offenders register. Given that people caught up in the whole sorry debacle have come out since and said they accepted a caution to try and stop their families being dragged through the press - then find they cannot have access to their own children - no big deal may shed some light on what the whole bloody mess was about. Remember the UK police have in the past week admitted that they are chasing conviction targets - so much so that one 14 year old who raised money for a charity event and didn't hand the money over didn't get cautioned for one offence of fraud, he ended up getting cautioned for over 400!
  • by Frank T. Lofaro Jr. (142215) on Thursday May 24, 2007 @05:44PM (#19260599) Homepage
    In at least one jurisdiction (Nevada - NRS 193.330) any attempt to commit a crime is still a crime. There doesn't need to be any damages for a crime (just for civil), else how could they prosecute for drug possession and other victimless crimes where there are no damages.

  • by MikePlacid (512819) on Thursday May 24, 2007 @06:00PM (#19260897)
    Getting your own mailbox requires just showing your ID (or have a copy notarized if a MB is in another city). I've just got one in Nevada for my company. I doubt that anyone checks them afterwards, unless some fraud triggers investigation.

    But mailboxes are not actually required to cash your credit card number. Here are my 2 real-life examples, that my card was used by fraudsters.

    1. Retail store. We made a purchase, forgot to take a slip (newbies). The card was charged an hour later the second time to buy a box of wine bottles. Most probably it was a cashier - who else? We noticed immediately - those $200 were our last money - were scared like hell and offered full cooperation to the bank and the store. No one was interested. A shift manager gave us money back and that was it (yes, we were stupid enough to make a trip to the store to settle things - their attitude was: why are you bothering us?).

    2. $9.95 charge. There was a charge in this amount on my monthly bill. And there was a website url conveniently next to the amount. I went to website to remind myself what I had bought there. 3 products, all of them - electronic ones (like e-books), all of them of no interest to me. And next to the products was the link - press here if charged by mistake... The owner was easily located - he answered cell phone listed in domain registration info (yes, I've talked to him - this time I was just curious). His pitch - if we charged you wrongly we will reverse the charge in a second.

    So. The first fraudster needs no PO Box - he got his wine and doesn't care if he gets caught or not. No one cares to catch him too. The second fraudster is probably an end-point of some massive cashing operation. But no one will go after him, since 80% of people charged $9.95 would not ever notice, and 80% of those who notice will just reverse the charge and that would be it. The website was alive half a year after I've notified my bank...
  • by KKlaus (1012919) on Thursday May 24, 2007 @10:32PM (#19264285)
    Because if you go read the visa-merchant agreement you see that Visa does not allow merchants to make showing ID a condition of sale, i.e. merchants are SOL when it comes to stopping fraud. I guess that's the golden rule for you, along the "he who has the gold makes the rules" line.