cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
dcontesti
Community Champion

Credit Cards/Phishing/etc.

Just thought I would share this, it popped up in my Linkedin feed.

 

We were talking about phishing attempts and credit cards.  I think this is a good explanation of how credit card numbers work and determining if the card is valid.

 

https://blog.paylane.com/cracking-the-credit-card-code/

 

Of course, I did check that my cards were valid (LOL).

 

Regards

 

d

 

8 Replies
Shannon
Community Champion

 

Well, I've never owned credit cards, so I just had debit cards to try this with. I made us of 2 valid ones, but both yielded numbers that weren't divisible by 10 --- so I assume this doesn't work with debit cards.

 

Anyway, the article talks about the gauging validity, but the technique --- assuming it works --- would only show whether a credit card number is genuine, since validity may be affected by the expiry date or the holder cancelling it. 

 

Here's another place they talked of the algorithm that's used.

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
TrickyDicky
Contributor II

Shannon I find it interesting that you prefer debit card over credit card.

I rarely use debit cards any more, and normally use credit cards for my everyday purchases. 

The reason that I take this approach is twofold, but primarily because the purchases that I make on credit isn't putting any of my money at risk. 

 

In the event of a dispute (e.g. merchant overcharging, where purchases are defective, delivery not received), it's the credit card issuers responsibility to recover the funds if the terms of sale have not been met. It's effectively their money. 

In the case of a debit card used for the same purchase, the money has already been taken from my account, and really it's my responsibility to take steps to recover it. The banks will help, but really they're not obliged to.

 

Debit card transaction also attract a small charge for me (or require that I hold a substantial float in the account), whereas credit card transaction do not. As long as I clear my credit card before month end, I attract no charge. 

rslade
Influencer II

> TrickyDicky (Newcomer II) posted a new reply in Tech Talk on 06-19-2019 05:15 AM

> Shannon I find it interesting that you prefer debit card over credit card.

I'm with @TrickyDicky on this, for all the reasons cited. In addition,
compromise of a debit card can drain your entire account, whereas credit card
fraud (in Canada) is limited to $50 liability, if any. (And the banks don't help,
much, on debit cards.)

However, this may vary, depending upon banking regulations (and fees) in
different countries ...

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
I once sent a dozen of my friends a telegram saying FLEE AT ONCE
- ALL IS DISCOVERED. They all left town immediately. - Mark Twain
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
Shannon
Community Champion

 


@TrickyDicky wrote:

Shannon I find it interesting that you prefer debit card over credit card.

I rarely use debit cards any more, and normally use credit cards for my everyday purchases. 

The reason that I take this approach is twofold, but primarily because the purchases that I make on credit isn't putting any of my money at risk. 


 

To be honest, the primary motivating / dissuading factor for me has been relatives & friends whining about the bills due at the end. (These are either be hidden costs, or merely charges levied because they didn't clear the amount at the due date.)

 

If it's a credit card that you must 'pre-charge' with the amount you want to spend, and has negligible / zero service charges, then it's probably worth it, otherwise, a credit has the potential to get you to spend more than what you have at hand --- essentially a loan from the bank. (I might be tempted to do that if I have the card.)

 

Anyways, to offset the risk factor, related to accountability, I tend to limit limit my transactions to specific accounts wherein I keep a low balance. Whenever I want to spend more, I transfer cash to those accounts from others.

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
JoePete
Advocate I


@TrickyDicky wrote:

In the event of a dispute (e.g. merchant overcharging, where purchases are defective, delivery not received), it's the credit card issuers responsibility to recover the funds if the terms of sale have not been met. It's effectively their money. 

In the case of a debit card used for the same purchase, the money has already been taken from my account, and really it's my responsibility to take steps to recover it.


Exactly. In the US, the law basically boils down to the fact that a cardholder is liable for a charge if it is under $50, but most of the law and the burden of proof favors the cardholder to the point where the liability really falls entirely on the issuer. In short, the next time a credit card company suggests it is doing something "for your security," you should correct them and explain, it is THEIR ass they are covering, not yours.

Steve-Wilme
Advocate II

Useful to understand how credit/debit card numbers are constructed, as it help specific DLP rules and do card holder data discovery on your internal network.

 

BIN codes are also published:

https://www.bincodes.com/bin-list/ 

 

-----------------------------------------------------------
Steve Wilme CISSP-ISSAP, ISSMP MCIIS
Frank_Mayer
Contributor I

Thank you for a very informative article.  I knew some of the parts of the numbering system but not the validation piece that seems pretty rudimentary.  My issue is that I believe in strong national governance to significantly reduce all types of fraud.  As you probably know the Internet came out of the US Government's development of the ARPA Net.  Therefore, I do not see special rights for the Internet or why it and all other e-commerce systems to include all credit card systems and all other financial instruments and institutions are not subject to nationally verified security controls to prevent fraud, waste and abuse.  Private entities are not accountable to the people.  Governments may not act like they are accountable at times but they are and there is much more scrutiny of governments then there is of the myriad of extra-governmental organizations to include corporations.    I grew up in a world where major infrastructure was regulated and controlled to provide a high assurance of reliability such as banks.  The controls FDR set up on banks was critical to America's confidence in our Banking system but now the trend is to constantly "liberate" the financial system from any controls.  The chips in credit cards is a good thing, however, Europe was doing this well before the USA.  We here in the US seem to apply the approach of muddling along as the correct approach.  Your post is  great because it proves that much of the security we have with this muddled approach is firmly based in "security by obscurity" and to me this is ridiculous.  yes, I know all about the PCI Security Standards Council, however, who do they answer to? Not the people.  The muddling approach always assumes that truly evil people are never going to be geniuses that can circumvent simple minded systems.   This link takes you to a good article on the PCI standard https://www.tripwire.com/state-of-security/regulatory-compliance/beginners-guide-pci-compliance/ and it correctly identifies that compliance is not security. Given that, the power of the national governments in cyberspace should be synchronized and leveraged to protect the people, to include the payment card industry.  Governments rightly provide robust safety controls on all other industries such as automotive and aviation but we  somehow refuse to apply that time tested approach to clamping down on the risk across eCommerce.  All the recent FBI reports highlight how our vulnerable senior citizens are the biggest target of cyber crimes.  It is not right to put all the onus for security on the individual but that is what we have with these weak approaches to cybersecurity.  

Respectfully,

Francis (Frank) Mayer, CISSP EMERITUS
rslade
Influencer II

> Frank_Mayer (Newcomer III) posted a new reply in Tech Talk on 07-09-2019 05:20

>   The chips in credit cards is
> a good thing, however, Europe was doing this well before the USA.

When I was teaching in the States I always had to carry a smart card so that
people could see what it was. In Europe people all had them.

====================== (quote inserted randomly by Pegasus Mailer)
rslade@vcn.bc.ca slade@victoria.tc.ca rslade@computercrime.org
Your time is limited, so don't waste it living someone else's
life. - Steve Jobs
victoria.tc.ca/techrev/rms.htm http://twitter.com/rslade
http://blogs.securiteam.com/index.php/archives/author/p1/
https://is.gd/RotlWB

............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468