
Why Are CC Numbers Still So Easy To Find?

Frequent Slashdot contributor Bennett Haselton gives the full-disclosure treatment to the widely known and surprisingly simple technique for finding treasure-troves of credit card numbers online. He points out how the credit-card companies could plug this hole at trivial expense, saving themselves untold millions in losses from bogus transactions, and saving their customers some serious hassles. Read on for Bennett's article.

Some "script kiddie" tricks still work after all: Take the first 8 digits of a standard 16-digit credit card number. Search for them on Google in "nnnn nnnn" form. Since the 8-digit prefix of a given card number is often shared with many other cards, about 1/4 of the credit card numbers in my random test turned up pages that included other credit card numbers, and about 1 in 10 turned up a "treasure trove" of card numbers that were exposed through someone's sloppily written Web app. If the numbers were displayed along with people's names and phone numbers, sometimes I would call the users to tell them that I'd found their cards on the Internet, and many of them said that the cards were still active and that this was the first they'd heard that the numbers had been compromised.

Now, before this gets a lot of people mad, let me say that at first I was planning on holding off writing about this for months if necessary, to give the credit card companies time to do something about it. In other words, I actually had the presumptuousness to think that I had been the first one to discover it, but only because the credit card numbers that I found were still active. (If the trick had been widely known, I reasoned, surely the credit card companies would have found any credit card numbers listed in Google before I did, and gotten them cancelled.) Then I found that the trick had been publicized about three years earlier in a C-Net article by Robert Lemos and was probably widely known even before that. (The article stops just short of describing the actual technique, but one reader posted the full details in a follow-up comment.) Another article from that year in CRM Daily describes an even more efficient trick: Googling for number ranges like 4060000000000000..4060999999999999 to find Visa card numbers beginning with "4060". Google has now blocked that trick, so that trying that as a Google search leads to an error page. But the basic technique of Googling for working credit card numbers apparently still works. In other words, credit card companies have apparently known about this technique for at least three years, probably longer, and presumably have hoped it would continue being swept under the rug.

At this point, I think the right thing to do is to shine a light on the problem and insist that they fix it as soon as possible. It may result in a short-term spike in people using this technique, but if it results in the problem being fixed, then the total number of fraud incidents will probably be less in the long run.

It would be simple for companies like Visa, MasterCard, and Discover to take a list of the most common 8-digit prefixes, query for them every day on Google, and de-activate any new credit card numbers that were found that way. (American Express cards are apparently not vulnerable to this trick, because when their 15-digit card numbers are written with spaces, they are usually written in the format "3xxx xxxxxx xxxxx", and Googling for the first 10 digits as "3xxx xxxxxx" didn't yield anything in my random test of ten AmEx numbers. But this is still their problem too, since the searches that turn up "treasure troves" of card numbers usually include AmEx numbers as well.) A Perl programmer could write a script in one afternoon that could run through all the known 8-digit prefixes, parse the search results, and pick out any URLs that weren't listed as matches the day before. From there, the search results would have to be reviewed by a human, in order to spot any situations where one credit card number was exposed at one URL, and a slight variation on the same URL (such as varying an order ID number) would expose other credit card numbers as well, which was the case with several of the hits that I found. Simple, but time-consuming with so many different 8-digit prefixes -- but every minute of effort expended on tracking down and canceling leaked credit card numbers would save time and grief later by preventing the numbers from being used by criminals. If it would save them time in the long run and help prevent fraud, then why don't they do this?
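The triage half of the daily job described above can be sketched as follows; this is an added example, not code from the original article, and it is written in Python rather than Perl. It performs no searching: it takes search results the issuer has already collected, keeps only URLs not seen the day before, Luhn-checks candidate numbers (both the 16-digit and the AmEx 15-digit layouts), masks them, and groups URLs that differ only in an ID so the human reviewer sees them together. All function names, the example.* hosts and the sample data are constructed; the card numbers are the publicly documented processor test numbers.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# 16 digits as "nnnn nnnn nnnn nnnn" or 15 digits in the AmEx "3xxx xxxxxx xxxxx"
# layout; separators (space or hyphen) are optional, longer digit runs are ignored.
CARD_RE = re.compile(
    r"(?<!\d)(?:(?:\d{4}[ -]?){3}\d{4}|\d{4}[ -]?\d{6}[ -]?\d{5})(?!\d)"
)

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep first six and last four digits so reports never hold a full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_card_numbers(text):
    """Masked, de-duplicated, Luhn-valid card numbers found in a text snippet."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits) and mask(digits) not in found:
            found.append(mask(digits))
    return found

def url_template(url):
    """Collapse numeric path parts and query values so sibling URLs group together."""
    p = urlsplit(url)
    path = re.sub(r"\d+", "{n}", p.path)
    keys = sorted(k for k, _ in parse_qsl(p.query, keep_blank_values=True))
    return p.netloc + path + ("?" + "&".join(keys) if keys else "")

def new_exposures(today_results, yesterday_urls):
    """Group today's new URLs that expose card numbers by URL template."""
    grouped = {}
    for url, snippet in today_results:
        if url in yesterday_urls:
            continue            # already reported on a previous run
        cards = find_card_numbers(snippet)
        if cards:
            grouped.setdefault(url_template(url), []).append((url, cards))
    return grouped

def templates_needing_review(grouped):
    """Templates hit by several URLs: likely one leaky page varying only an ID."""
    return [t for t, hits in grouped.items() if len(hits) > 1]

# Constructed sample input: (url, result snippet) pairs and yesterday's URL set.
YESTERDAY_URLS = {"https://shop.example/orders/view?id=1001"}
TODAY_RESULTS = [
    ("https://shop.example/orders/view?id=1001", "Card: 4111 1111 1111 1111"),
    ("https://shop.example/orders/view?id=1002", "Card: 5555 5555 5555 4444"),
    ("https://shop.example/orders/view?id=1003", "Card: 4012-8888-8888-1881"),
    ("https://forum.example/thread/77", "tracking no 4111 1111 1111 1112"),
    ("https://blog.example/post", "nothing sensitive here"),
]

if __name__ == "__main__":
    grouped = new_exposures(TODAY_RESULTS, YESTERDAY_URLS)
    for template, hits in grouped.items():
        print(template)
        for url, cards in hits:
            print("   ", url, cards)
    print("review first:", templates_needing_review(grouped))
```

The forum hit is dropped because its 16-digit string fails the Luhn check, which is what keeps tracking and order numbers out of the reviewer's queue.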

It's considered good etiquette among security researchers, when finding a new security hole, to give the affected companies a chance to fix the issue before publicizing it. When I first contacted the credit card companies and described exactly how the exploit worked and how to block it, after getting a polite "We can't comment" from each one, I figured I'd give them a few months to get a system in place that could find leaked cards on a daily basis and de-activate them before they could be used. But then I found the C-Net article from 2004, and figured that if the card companies hadn't taken action in three years, it was fair game to publicize the trick in order to increase the pressure on them to plug the gap. Of course, it's not the card companies' fault that these card numbers are leaked onto the Web; it's the fault of the merchants that allowed them to get leaked. But the credit card companies are the only ones who are in a position to do something about it.

I did try the "Good Samaritan" approach, calling the credit card companies when I found one of their customers' card numbers on the Web. For each of the four major card companies, I called their security departments and reported two of the cards that I had found compromised, and then a week later, called the cardholders themselves to see if the card companies had notified them. Surprisingly, of the four companies, American Express was the only one whose customers in this experiment, when I called them a week later, said that AmEx had contacted them and told them to change their numbers. But even if all four credit card companies were more proactive about acting on reports of leaked numbers, the problems with scaling this approach are that (a) I usually had to wait on hold for a few minutes with each company and then spell out each card number that I'd found, which doesn't scale for a large number of stolen card numbers, and (b) if lots of people started doing this, then the credit card companies would be inundated with duplicate reports about the "low-hanging fruit", card numbers with common prefixes that appear near the top of some Google search result. Both problems could be avoided if the card companies simply ran their own script that queried Google and brought up a list of any indexed card numbers, whereupon an employee could copy and paste the numbers into an interface that would flag the cards instantly.

Google does have a feature where you can request the removal of pages that contain credit card numbers and other personal data such as Social Security Numbers. Any pages that I found containing credit card data, I submitted for removal, and Google did handle each removal request within two days. But this doesn't guard against the possibility that someone might have found the credit card information before it was removed, and of course it doesn't mean that other search engines like Alta Vista (remember Alta Vista?) might not have indexed the same pages. Running a sample of 8-digit prefix searches on Alta Vista, I found about as many credit cards as I found through Google, including some pages that were not in the Google index (maybe Google never indexed them, or maybe they had removed them already). So removing a page from any engine's search results is more like covering up a symptom of a problem than fixing the problem itself, which is the fact that the card number was leaked to the Web in the first place.

If nothing else, this is another reminder of how terrible the security model is for credit card numbers as a token of payment -- one universal piece of information shared with every merchant, that can be used for unlimited unauthorized charges if it gets compromised, until someone notices. About the only desirable property of credit card numbers from a security point of view is that they can be changed, and most of your existing recurring billing relationships will carry over, but even that is a hassle. Several credit card companies do provide the ability to generate single-use credit card numbers, each one authorized only for a limited purchase amount. The problem with that is that as any security analyst will tell you, if it takes even one extra step, most people won't bother -- as long as all-purpose credit card numbers are the default, that's what most people will use. Perhaps incidents like this will push people towards more 21st-century-aware styles of payment (like PayPal, but without all the horror stories), where you can pay a bill through a system that debits your card or your bank account, without sharing all your information with the merchant.

But in the short term, as long as credit card numbers are still with us, the card companies should make more proactive efforts to find and deactivate the ones that have been leaked on the Internet. If the card numbers are found to be leaked by a clumsy Web interface on one company's site, then that company should be chastised by the card companies that issued them a merchant account. If the numbers are found together in a list posted on some third-party forum, then the companies can cross-reference the charge history against each card in the list, to narrow down which merchant may have been responsible for the leak. I'm sure the card companies do something like this already when they find a list of leaked cards; what they don't seem to be doing is acting aggressively enough to find the leaked numbers in the first place.

Maybe the real moral is not the insecurity of credit card numbers, but the value of transparency and online community relations. If MasterCard had been a hip company like Wikia, some volunteer probably would have discovered this attack very early, and another volunteer would have written an open-source tool to find and deactivate leaked MasterCard numbers automatically, and the problem would have been solved ten years ago. In fact many tech companies, if you report a security problem to them, will thank you and fix it immediately, and some of them will even offer you cash if you find any more, like Netscape used to do with their $1,000 Bugs Bounty program. We get so used to big companies having obvious holes in their security practices and answering every question about security with a flat "No comment", that we forget it doesn't have to be that way -- transparency is not just trendy, it works. After years of having bug hunters poke at the Netscape browser, the security may not have been perfect, but it didn't have any security holes that were as simple and obvious as to be analogous to finding credit card numbers on Google.

  • by LiquidCoooled ( 634315 ) on Thursday May 24, 2007 @09:15AM (#19251627) Homepage Journal
    What does it matter?

    How can a normal fraudster use a credit card number to his personal gain?
    Does he get goods delivered to his house?

    Anything purchased with it has an audit trail.
    It's not like you can turn up in a shop and swipe the printout or screenshot, and making up blank cards isn't yet in the hands of the common criminal.

    I will go out on a limb and say most credit card fraud occurs in the real owner's home town right about the time of alcohol consumption.

    Regret buying that 'funky' leopard skin jacket? "OMG I haz been haxx0red!!"
  • Re:Blame M$ (Score:3, Insightful)

    by FooAtWFU ( 699187 ) on Thursday May 24, 2007 @09:19AM (#19251675) Homepage
    I hate Microsoft as much as the next guy, but please! I'd hazard a bet that the majority of the leaks, especially the ones the article talks about, are fifty-cent web applications running on a LAMP stack on an ultracheap web host somewhere.
  • Because... (Score:5, Insightful)

    by NightWulf ( 672561 ) on Thursday May 24, 2007 @09:26AM (#19251769)
    It's easier for the credit card companies to just write it off as some fraud and not actually go out and do anything. Realistically most of their early warning systems probably limit their losses to under $1,000 to each card (i.e. the amount of money that someone can charge and get away with before the company discovers the card has been compromised). So figure if even ten people a day get their cards stolen by this method, that's 300 a month, or $300,000 in costs. They probably feel keeping the staff and the equipment to do this costs more than what they'll lose. That and they can always write off their fraud charges on their taxes as bad debts.

    According to a 2002 report Visa's commissions alone were over $455 million. If that entire $300,000/month fee was all on Visa, the 3.6 million a year is a drop in the bucket to them, less than 1% of their commission. Trust me, if it cost them less to set up the system than the money that's lost, it would be done.
  • by Anonymous Coward on Thursday May 24, 2007 @09:33AM (#19251887)
    How can a normal fraudster use a credit card number to his personal gain?
    Does he get goods delivered to his house?


    Are you kidding??? Not everything you can buy is physical and gets delivered. If it was as simple as that, there wouldn't be any card fraud at all.
  • by The Lurker King ( 171562 ) on Thursday May 24, 2007 @09:40AM (#19251995) Homepage
    The credit card companies don't care because they get their money either way.

    If someone places a fraudulent order and the merchant ships the product(s) even if they receive authorization from the credit card company, the credit card company will debit the merchant for the entire order, including the transaction fees.

    Not only did the credit card company not lose any money on the bad transaction, they will also charge the merchant a fee for the fraudulent order. So the merchant is out the cost of the goods that were shipped, plus shipping, plus a fee.

    The credit card company makes money on the fraudulent transaction.
  • by Anonymous Coward on Thursday May 24, 2007 @09:47AM (#19252079)
    The "audit trails" you are describing do nothing to deter serious criminals. I dated a girl that was charged with CC fraud. She simply ordered online and had the package delivered to a nice house in a nice neighborhood that was for sale, one where the owner had already moved out. You can find dozens or hundreds of such houses in any city by checking the real estate listings. UPS drops the package off on the porch, and the fraudster drops by in the late afternoon to pick up the loot. The neighbors see people coming and going all day (real estate agents and prospective buyers), so one more visitor with a package tucked under the arm is not noteworthy. It doesn't work 100% of the time, but it works pretty damn frequently.

    So as you can see, the fact that you think an "audit trail" prevents such crimes comes down to a lack of imagination on your part, and a very false sense of security. It is exactly that false sense of security and lack of imagination which explains why identity theft is rampant.
  • Re:Because... (Score:5, Insightful)

    by cyphercell ( 843398 ) on Thursday May 24, 2007 @09:50AM (#19252125) Homepage Journal
    Maybe the card companies are still turning a profit, but estimated losses are around 49 billion, that's twice M$'s annual revenue. It's worth going after.
  • by cpt.hugenstein ( 1025183 ) on Thursday May 24, 2007 @09:56AM (#19252259)
    I do a lot of online shopping and as a result I have remembered my cc number and associated information. I have had stores take my cc as a number alone without ID. I then asked if that is their standard policy and told them that I could have easily been using a stolen number. They are always surprised at my question but I give them my driver's licence and another piece of ID where they seem satisfied. It may be because I am in Canada and we have the presumption of honesty and innocence but it is not hard to find a store to take your number.
  • Not so clever? (Score:1, Insightful)

    by Anonymous Coward on Thursday May 24, 2007 @10:21AM (#19252785)
    Ok, Ok, that makes it one step more difficult for the police/FBI to track you down. But not much. Ok, so now the credit card orders point to the people who bought the stuff on Ebay. So, the person who received the goods then explains to the police that they bought it in an Ebay auction. The police go to Ebay and ask Ebay who the funds for those auctions were sent to, and *then* they go to the guy's house and arrest him. This adds one additional layer of obfuscation, but it doesn't seem like a very good scheme to me. You will still probably be caught.

    If it ended up in an article where you could read it, that probably indicates they *did* catch the guy. (Or at least have a good idea who it is - he might be on the run somewhere, so not yet in custody).
  • by LighterShadeOfBlack ( 1011407 ) on Thursday May 24, 2007 @10:32AM (#19253013) Homepage
    Discarding the ways to make a profit from credit card numbers, how about using police ignorance to screw people over. Only a month or so ago details were revealed about the massive flaws in police operations such as Operation Ore in which thousands of people in the UK were arrested in connection with paedophilic-related charges due to their credit card numbers being used to buy access to porn affiliate networks.

    Now, using the above methods may not allow you to target anyone specifically, but let's not kid ourselves into thinking that there aren't plenty of people who would happily take a whole load of these credit card numbers and use them to implicate complete strangers in this way. Just for the hell of it.

    Money lost on stolen credit cards can be reclaimed. Lives destroyed by false charges cannot.
  • by multipartmixed ( 163409 ) on Thursday May 24, 2007 @10:39AM (#19253185) Homepage
    First number fails the Luhn checksum.

    Second number isn't a credit card number at all. Maybe a calling card or something (telecom MII).

    Why don't you post your REAL VISA number?
  • by d3ac0n ( 715594 ) on Thursday May 24, 2007 @10:39AM (#19253197)
    Don't forget there are always direct funds transfers, and quick-cash. If you can make a good replica of a CC or bank card, and have the correct info, it's often easy to just use it for quick cash at ATMs. Just wear an appropriate disguise and hunch over a bit to cover your height. With enough cards you can clean up quick.

    Also, I have heard of instances where people will use a stolen CC to set up a fake bank account, and then perform many small wire transfers from other CCs into the fake account until it has a large amount in it. Then they just empty the bank account (or transfer the money away to an overseas account) and walk away quite a bit richer.
  • Re:Not so clever? (Score:4, Insightful)

    by EndlessNameless ( 673105 ) on Thursday May 24, 2007 @11:13AM (#19253871)
    Blargh.

    This is real life. If you add enough layers of obfuscation, you win.

    Suppose he set up a P.O. box with a fake ID for the payments, "borrowed" an unoccupied house, or just had the money sent to his neighbor's address?

    There are a lot of ways to get money orders cashed, or he could have set up a checking account using a fake identity.

    Obfuscation works because all the criminal needs is to have one trick in the works that makes the investigating officer throw up his hands and say, "I don't know where else to go with this."
  • by jrumney ( 197329 ) on Thursday May 24, 2007 @12:19PM (#19255059)
    When the credit card companies have clauses in their contracts expressly forbidding merchants from carrying out their own checks on the identity of the cardholder, is it still fair that fraudulent card use is treated the same as counterfeit money?
  • by beyondkaoru ( 1008447 ) on Thursday May 24, 2007 @01:08PM (#19255961) Homepage
    i think this demonstrates a fundamental flaw with credit cards; they're trying to do asymmetric crypto using a shared secret key.

    in order to pay with a credit card, you must give your number -- your secret key -- to the merchant. you must then trust the merchant to not do something evil with it. therein lies the problem; merchants can be evil or can be incompetent (usually incompetent/ignorant). they're just not trustworthy with security. but because credit card fraud is not generally worried about that much, people go on as usual.

    the real solution would be to use digital signatures -- specifically, you carry something around that has a computer on board (like a cell phone or blackberry or whatever) and when you need to pay for something, you create a message (we'd have to construct a standard for these) saying you are paying x amount to them and digitally sign that message and give the message (which would not contain your key, obviously) to the merchant.

    voila, merchant is no longer a problem. the credit card companies don't even have to store the secret key if the customer wants, just the public key. in that case, the credit card companies wouldn't even be hackable for the purposes of credit card fraud. (though they would be for the data, which is also valuable)
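The signed-payment idea in the comment above can be sketched as follows; this is an added example, not part of the original comment. The comment names no signature scheme or message format, so this uses Lamport one-time hash-based signatures (chosen because they need only the standard library) and a constructed JSON order; every name here is hypothetical. Because each Lamport key may sign only once, the issuer also rejects a second use of the same key.

```python
import hashlib
import json
import secrets

def H(data):
    return hashlib.sha256(data).digest()

def keygen():
    """Lamport one-time key pair: 256 pairs of secrets and their hashes."""
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]
    return sk, pk

def _bits(msg):
    digest = H(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg):
    """Reveal one secret per bit of the message hash."""
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg, sig):
    """Check each revealed secret against the public hash for that bit."""
    bits = _bits(msg)
    return len(sig) == 256 and all(
        H(sig[i]) == pk[i][bits[i]] for i in range(256)
    )

def make_order(account, key_id, merchant, amount_cents):
    """Canonical bytes of the payment order the customer's device signs."""
    order = {"account": account, "key_id": key_id,
             "merchant": merchant, "amount_cents": amount_cents}
    return json.dumps(order, sort_keys=True).encode()

class Issuer:
    """Card issuer side: stores public keys only, never the customer's secret."""

    def __init__(self):
        self.public_keys = {}   # (account, key_id) -> public key
        self.spent = set()      # keys that have already authorized a payment

    def register(self, account, key_id, pk):
        self.public_keys[(account, key_id)] = pk

    def authorize(self, order_bytes, sig):
        try:
            order = json.loads(order_bytes)
            ident = (order["account"], order["key_id"])
        except (ValueError, KeyError, TypeError):
            return "malformed order"
        pk = self.public_keys.get(ident)
        if pk is None:
            return "unknown key"
        if not verify(pk, order_bytes, sig):
            return "bad signature"
        if ident in self.spent:
            return "key already spent"
        self.spent.add(ident)
        return "approved"

if __name__ == "__main__":
    issuer = Issuer()
    sk, pk = keygen()                       # generated on the customer's device
    issuer.register("acct-1", "k1", pk)     # only the public half is shared
    order = make_order("acct-1", "k1", "shop.example", 1999)
    sig = sign(sk, order)                   # the merchant sees order + sig only
    print(issuer.authorize(order.replace(b"1999", b"9999"), sig))
    print(issuer.authorize(order, sig))
    print(issuer.authorize(order, sig))
```

What the merchant holds (the order and its signature) is useless for any other amount or payee and cannot be replayed.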
  • Re:Blame M$ (Score:5, Insightful)

    by encoderer ( 1060616 ) on Thursday May 24, 2007 @01:42PM (#19256575)
    Your post is entirely useless.

    A bug exposing credit card numbers is language agnostic. Even experienced programmers can create security bugs. Even EXPERT programmers can create security bugs. Your notion that there's a correlation between a language and a propensity for bugs is outrageously wrong. If that were the case, you'd never have a rich client app written in C or C++ crash on you.

    And your idea that "the ones smart enough to write proper code are generally smart enough to avoid scripting language" shows such an abject lack of understanding of the software development industry that I'm just stunned. The ones smart enough to write proper code are the ones smart enough to use the RIGHT TOOL FOR THE JOB. PERIOD.

    I'm sorry for being so harsh, but I'm not sure if you're trolling or if you actually believe that crap. Frankly, I'm not sure which would be worse.
  • by DerekLyons ( 302214 ) <fairwater@@@gmail...com> on Thursday May 24, 2007 @01:44PM (#19256601) Homepage

    4) Credit Card companies should have employees who Google for credit card numbers and de-activate any card whose number is found in the 'net.

    Right - and here I am in a city distant from my home (maybe even overseas), and all the sudden I have no credit card. Or, I'm one of those people who charges everything to their card and pays it all in one lump sum at the end of the month - all of the sudden my charges start bouncing. (And I have to spend many hours refilling out forms to send the charges to my new card - after waiting four to six weeks for it and hoping my utilities don't get shut down or my prescriptions run out, etc... etc...)
     
    I see a lot of Slashdotters, as is typical, advocating a simplistic and brute force solution - automagically cancelling all cards whose numbers are found on the net. What they seem to forget is that those numbers don't exist in isolation - those cards belong to real flesh and blood people, and automagic cancellation can mean anything from a minor inconvenience to serious problems. (Heck, I write checks so rarely - I just checked and found that even though I've lived in this house two years, I don't have any checks with my current address on them!)
  • by Anonymous Coward on Thursday May 24, 2007 @02:41PM (#19257511)
    The "identity theft" threat is not a few fraudulent purchases appearing on your credit card, that are easily taken care of with a phone call. The fear being marketed by the credit industry, is that you will suddenly discover a completely new, and unknown credit card was set up in your name with a different billing address -- usually that of an unoccupied apartment or a MailBoxes Etc type place. After that card is maxed out and not paid off, the card company sends to collections which tracks you down to your real address and demands money.

    You don't pay, but the item appears on your credit report and you have to write letters every few months to keep it off and keep it from re-appearing, or else you might not be able to get more credit cards or other types of loans.

    Worse, some time after that you may find that someone applied for a mortgage in your name, and purchased a house somewhere, and then defaulted on it. Perhaps they rented it for a time for cash, or the house was "purchased" for far above the market rate, to inflate local values, as part of a mortgage fraud scheme.

    If you depend upon cheap credit to buy nice cars, your house, and maybe every consumer item you get because you never use cash and always run a balance on your cards, that can be a very scary prospect.

    HOWEVER, not having credit does not mean you become homeless, if you have any economic resources at all. It simply means you can't live in that credit-based world. You are more likely to rent or even have roommates (it is hard to rent an apartment without a good credit score in some areas), and thus be forced to save up 20% or more of the price of your first house. It is not that you will simply have no credit and have to buy the house with cash, it is merely the case you will have to come up with more up front, and shop around more for a lender, and perhaps write some nasty certified letters. Over time it will add up to 10 to 20 hours more work, and perhaps a delayed closing, but you will still get what you want. In the long run, you will probably be financially better off in the later half of your life.

    So, why all the "identity theft crisis" hype ?

    The American credit industry profits immensely by throwing credit at anyone who walks in the door. They need to extend their product to a large portion of the population, and it is expensive to carefully check out each person, and carefully checking out each person introduces delays in the process that can cause someone to save up more money, not buy the product, or re-think their finances. If you walk into Sears, find the biggest refrigerator there is, and tell the salesman you want it only if you can sign up for a Sears card and put it on the card today, you are going to leave the store with that refrigerator. Checking you out carefully potentially costs them the sale, or causes you to buy the smaller model.

    Since the Credit Industry doesn't want to run their system securely, they have to pass on the cost of fraud. They could simply charge higher interest rates or fees. However, that might also drive away customers -- why do that if you can spread the cost out over the entire population, even those who are not your customers ? This tactic works well for credit card processing fees; the card issuers do not allow a retailer to charge the merchant fee to each credit card user, but force them to spread out that cost over the cash using customers as well.

    The credit industry has traditionally run the security-oriented aspects of their operations in a parasitic manner. They would rather leech onto the pre-existing social security number system, than track identities and coordinate among themselves. They would rather piggy back onto the driver's license system (the newest "innovation") so they don't even have to print plastic cards at 1/10 of a cent each.

    So it is natural that they would try to externalize the cost of fraud. For a while they were pushing the Republicans in Congress to "do something" for them about identity theft,
  • Re:Because... (Score:2, Insightful)

    by mindstrm ( 20013 ) on Thursday May 24, 2007 @05:50PM (#19260713)
    You would not be on the hook based on any card contract I've ever seen, in multiple countries.

    The merchant would be on the hook; the onus is on them to prove the transaction was legitimate and authorized by the cardholder. If they cannot do that (like, show your signature, or stuff shipped to your home address, etc) then THEY eat the charges. The merchants take the risk here, not you.

    In fact, one of the benefits of using a charge/credit card is that you are protected from fraud... if using a credit card meant I was at risk of owing tens of thousands of dollars I never authorized, I wouldn't have one, and neither would most people.
  • by Zombywuf ( 1064778 ) on Friday May 25, 2007 @05:03AM (#19267111)
    Well the MS ones are along the lines of: the default config is vulnerable (with one arbitrary code execution), and the Apache ones are more like: if the config is really weird and the moon is just right you might be able to DOS it.

    Also of course, fewer advisories doesn't mean less secure. Hell, one of the Apache vulnerabilities is that a local admin user can get information about the request headers sent to the server.
