Saturday, April 30, 2011

Hacking Credit Card Numbers


Typical credit card anatomy
Before we understand how credit card numbers are generated, here is a brief explanation of what a typical credit card number means.

§ Out of the 16 digits on a typical credit card, the first 6 digits are known as the issuer identifier number and the last digit is known as the “check digit”, which is generated in such a way as to satisfy a certain condition (the Luhn or Mod 10 check). The “Luhn check” is explained later in this post. The term sounds intimidating, but it’s really a very simple (and elegant) concept.
§ Taking away the 6 identifier digits and the 1 check digit leaves us with 9 digits in the middle that form the “account number”.
§ Now, there are 10 possible values (from 0 to 9) for each of these 9 places. This gives rise to 10^9 combinations, that is, 1 billion possible account numbers (per issuer identifier).
§ With each account number there is always a unique check digit associated (for a given issuer identifier and account number, there cannot be more than one correct check digit).
§ Amex issues credit cards with 15 digits. The account numbers in this case are 8 digits long.
What is the “Luhn” or “Mod 10” check?
In 1954, Hans Luhn of IBM proposed an algorithm to be used as a validity criterion for a given set of numbers. Almost all credit card numbers are generated following this validity criterion, also called the Luhn check or the Mod 10 check. It goes without saying that the Luhn check is also used to verify a given existing card number. If a credit card number does not satisfy this check, it is not a valid number. For a 16 digit credit card number, the Luhn check can be described as follows:
1. Starting with the check digit, double the value of every second digit (never double the check digit itself). For example, in a 16 digit credit card number, double the 15th, 13th, 11th, 9th … digits (the digits in odd places). In all, you will need to double eight digits.
2. If doubling a digit results in a two digit number, add up its digits to get a single digit number. This will result in eight single digit numbers.
3. Now, replace the digits in the odd places (in the original credit card number) with these new single digit numbers to get a new 16 digit number.
4. Add up all the digits in this new number. If the final total is perfectly divisible by 10, then the credit card number is valid (the Luhn check is satisfied); otherwise it is invalid.
When credit card numbers are generated, the same steps are followed with one minor change. First, the issuer identifier and account numbers are assigned (issuer numbers are fixed for a given financial institution, whereas the account numbers are randomly allocated - I think). Then, the check digit is assumed to be some variable, say X. After this, the above steps are followed, and during the last step, X is chosen in such a way that it satisfies the Luhn check.
This part is a bit confusing and takes some time to understand. However, don’t get stuck here…continue reading through the examples below and you will figure out what this is all about.
Credit card numbers valid or invalid?
Have you ever wondered if those numbers on the fake plastic or cardboard credit cards that come with the “preapproved” offers are real or imaginary? If they are not valid, how do you know it? Just apply the Luhn check and all those fake credit cards will invariably fail. Here is an example of a VISA credit card (look at the expiry date, 01/09; it’s still valid!).

Note that the credit card number starts with “4”, so it is indeed a VISA issued credit card (VISA cards start with “4” and MasterCard/Maestro cards start with “5”). Now, let us apply the Luhn algorithm to this card. To make it easier on you guys, I have created a schematic of the steps towards the Luhn check (below) for this card number 4552 7204 1234 5678:


§ In this case, when we sum up the total, it comes to 61, which is not perfectly divisible by 10, and hence this credit card number is invalid.
§ If such a credit card number is ever generated, the value of the check digit would be adjusted in such a way as to satisfy the Luhn condition. In this case, the only value of the check digit that will create a valid credit card number is 7. Choosing 7 as the check digit will bring the total to 60 (which is perfectly divisible by 10) and the Luhn condition will be satisfied. So the valid credit card number will be 4552 7204 1234 5677.
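The four steps above and the check-digit adjustment just shown for the VISA number, as an added Python example (this is not the post’s own code; the function names are mine). The last function demonstrates the property that makes Luhn worth running at the point of entry: any single mistyped digit in a valid number is always caught.

```python
# Added example (not the post's own code): the Luhn / Mod 10 check
# described above, as the input validation a payment form would run.

def luhn_sum(digits: str) -> int:
    """Luhn total of a full number, check digit included.

    Walking right to left, every second digit starting with the one
    left of the check digit is doubled; a two-digit result has its
    digits added together (which equals subtracting 9).
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:        # 2nd, 4th, ... from the right: double it
            d *= 2
            if d > 9:
                d -= 9        # 14 -> 5, same as 1 + 4
        total += d
    return total

def normalize(card: str) -> str:
    """Drop spaces and dashes; anything but digits is rejected."""
    s = card.replace(" ", "").replace("-", "")
    if not s.isdigit():
        raise ValueError("card number must contain only digits")
    return s

def luhn_valid(card: str) -> bool:
    """True when the number (with its check digit) passes Mod 10."""
    return luhn_sum(normalize(card)) % 10 == 0

def luhn_check_digit(partial: str) -> int:
    """Check digit an issuer appends to identifier + account number.

    A provisional 0 in the last place keeps every other digit in its
    final position; the check digit is whatever lifts the total to the
    next multiple of 10.
    """
    return (10 - luhn_sum(normalize(partial) + "0") % 10) % 10

def single_digit_errors_detected(card: str) -> bool:
    """Luhn is a typo detector, not a security control: altering any
    one digit of a valid number must always yield an invalid one."""
    s = normalize(card)
    return not any(
        luhn_valid(s[:i] + alt + s[i + 1:])
        for i, ch in enumerate(s) for alt in "0123456789" if alt != ch
    )
```

Running `luhn_sum("4552720412345678")` reproduces the total of 61 from the schematic, and `luhn_check_digit("4552 7204 1234 567")` returns the 7 that repairs it.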
Let’s try another example, this time with a MasterCard.

Again, performing the Luhn check on this credit card number, we have:

§ The total comes to 65, which is not perfectly divisible by 10. Hence this credit card number is invalid.
§ In this case, a valid credit card number will result only if the check digit is 8. This will bring the total to 70, which is perfectly divisible by 10. So the valid credit card number will be 5490 1234 5678 9128.
Closing remarks
If I still have your attention, here are some additional thoughts. In the context of this post, by the term “valid” I mean “mathematically valid”. A mathematically valid credit card number does not mean a “working” credit card. The Luhn formula validates only the credit card number; it does not validate the expiry date and/or the card security code (CVV, CVC). Plus, as discussed before, the 9 digit account number yields 1 billion combinations, so the chances of hitting a working credit card number are very remote. It should also be noted that this validation is usually employed at the transaction end, which means that numbers that do not satisfy the Luhn check are not forwarded to the card issuer and the transaction is terminated. If you have a fake credit card which satisfies the Luhn check, it will go through at the transaction end, but the card issuer will most likely catch the mischief. So don’t go about trying to use these numbers to buy stuff.
So you think you can separate out valid and invalid account numbers now? Here are a couple of trial numbers for you:
§ 5491 9469 1544 4923 - Valid or invalid? If invalid, what should have been the correct check digit to make it valid?
§ 4539 9920 4349 1562 - Valid or invalid? If invalid, what should have been the correct check digit to make it valid?
Sudoku fans will quickly figure out multiple valid combinations of the above numbers. By the way, the Luhn check is also valid for debit card numbers. I am still in the learning phase with this topic and trying to further understand how people use (or misuse (?)) such information. If you have some insight in this matter, please feel free to share it with me. If you liked what you read above, go ahead and subscribe to this blog to get more updates.