[PLUG-TALK] Card Fraud

Richard Powell plug at hackhawk.net
Sat Jul 2 11:07:23 PDT 2016


On 7/1/2016 8:50 PM, John Jason Jordan wrote:
> In the past six months I have been the victim of three different
> credit card fraud events, the most recent starting yesterday.

This thread is very interesting to me, and I hope you won't mind if I
steer it in another somewhat related direction.  :-)   As an online
business owner, I've been the target of a good amount of fraudulent
transactions in the past year.  The rate has increased dramatically
recently, where just two weeks ago I spent about $40 in a couple of
hours just in the $0.30 transaction/auth fees alone for fraudulent
signup attempts.  All of the attempts to purchase failed, but of course
I'm still on the hook for the $0.30 Auth and AVS fees.  It's been really
frustrating.  I think the reason they continued trying, even with all
the failures was because my billing system wasn't smart enough to tell
them we ONLY accept cards that support AVS.  That precludes most
internationally issued cards.  And Authorize.net is happy to reject the
transaction because of AVS, but the merchant bank will still charge the
auth fees (grrrr).  Thankfully, I think I've finally put a stop to it
with some GeoIP comparison checks against the issuing bank card and the
billing address provided.  But it really got me thinking about the minds
of the bad guys.  What lengths will they go to?  I think they were only
using my system to test the cards' validity.  They weren't actually
caring to steal anything from me.

This may be a little off topic of the original question, because it's
going off in a different type of fraudulent scenario that I've been
contemplating.  Which is, how difficult is it these days to just guess
what card numbers the banks are issuing?   Here are my initial thoughts.

The first 6 digits of any credit card is the IIN (Issuer Identification
Number) to identify the bank.  The last digit is the checksum.  So, for
any given credit card, there are only 9 digits in the middle that will
vary if you know the issuing bank.  Consider a fraudster targeting a
neighborhood where a good number of people are using the same bank(s),
and where the IINs are limited in scope.  Consider, if a fraudster was
able to intercept the letters containing the initial PIN for
customers.   Probably in those snail mails is also listed, the last 4
digits of the card number.  This would leave only 6 unknown numbers, as
the fraudster would have the first 6 and the last 4.  Also, the number
of possible valid numbers that would need to be guessed is further
limited, because the last digit is the checksum; one could run a program
to reduce the number of possible combinations.  I'm guessing it's
somewhere around 100,000 (or less) combinations.  Though I'm not the
greatest at math.  Perhaps someone can correct me on this point if I'm
wrong.  And with an expiration date, best guess would be 12, 24, or 36
months from time of intercepting the letter.  So, let's say 300,000
possible guesses at the full number and expiration date.

Now, considering my situation as a merchant, where I've had a single Ass
Hat attempting roughly 100 transactions in just two hours with 10 fake
accounts.  Imagine, creating a script to auto signup at various online
merchants to test against these fake/guessed numbers.  The bad guys
would need to create roughly 30,000 online accounts where credit cards
are accepted online.  This may seem like a lot of work to find just one
valid credit card number.   But I'm thinking, if one stolen card can net
$1,000 in stolen funds, it actually may be a workable scenario for some
of these larger fraud networks out there.  I don't believe it would be
too difficult to find online merchants to test against.  In my industry
alone (web hosting), there are tens of thousands of businesses using the
same billing system as I am.  That's just ONE industry, easily
detectable online through Google for who's using this particular billing
system.

In the process of blocking the fraud on my network, they even had
throw-away SMS text numbers where they were able to receive a one-time
PIN from me to get around my initial attempts to filter them out.   One
single fraud network used 10 different SMS numbers to get around my
initial filter.  3 of those 10 numbers were T-Mobile, while most of the
others were free online services.

Why am I posting this here?  I don't know.  Just feeling a need to talk
about it.  To get it out there, whether it interests anyone else or
not.  This past year has been quite frustrating with how determined the
fraudsters are.  It seems that few things deter them in any meaningful way.

Richard
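The post describes two things a merchant's billing system could do before paying the $0.30 auth/AVS fee: reject numbers that cannot be valid (the last digit is a checksum) and notice card-testing bursts like the "100 transactions in two hours from 10 accounts". The following is an added example of such a pre-gateway screen, not code from the original post or from any billing product; the IIN allow-list, the attempt limits and the card numbers are assumed placeholder values.

```python
from collections import defaultdict, deque

# Assumption: the merchant only accepts these issuer prefixes (placeholder
# values for illustration, not real issuer ranges).
ACCEPTED_IINS = {"411111", "555555"}
MAX_ATTEMPTS = 5            # attempts allowed per account inside the window
WINDOW_SECONDS = 2 * 3600   # the "two hours" timescale from the post


def luhn_valid(number: str) -> bool:
    """ISO/IEC 7812 check digit: the last digit makes the weighted digit
    sum a multiple of 10.  Rejects typos and random guesses locally, so
    no authorization request (and no fee) is ever generated for them."""
    if not number.isdigit() or not 12 <= len(number) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9          # same as summing the two digits of the product
        total += d
    return total % 10 == 0


class PreAuthScreen:
    """Applies the cheap checks first and tracks attempts per account, so a
    card-testing burst is blocked before it reaches the payment gateway."""

    def __init__(self):
        self.attempts = defaultdict(deque)   # account -> attempt timestamps

    def check(self, account: str, card: str, now: float) -> str:
        q = self.attempts[account]
        while q and now - q[0] > WINDOW_SECONDS:   # drop attempts outside window
            q.popleft()
        q.append(now)
        if len(q) > MAX_ATTEMPTS:
            return "blocked: velocity"             # looks like card testing
        if not luhn_valid(card):
            return "rejected: checksum"            # never sent to the gateway
        if card[:6] not in ACCEPTED_IINS:
            return "rejected: issuer not accepted"
        return "forward to gateway"
```

The velocity limit is deliberately checked before the checksum so that an attacker cannot learn anything about which guesses were well-formed once an account is over its limit.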
