How to Crack Credit Card Credentials in Four Seconds

July 19, 2017 Peter Zavlaris

When you learn about a credit card breach, the primary account number (PAN) and cardholder name are what is leaked. While some payment sites accept the PAN and cardholder name as sufficient verification, others require additional fields such as the CVV number, card expiration date, and cardholder address.

If you have some technical skills, know how to leverage automation, and have a basic understanding of the credit card verification ecosystem, then you’re a mere four seconds away from guessing the missing fields needed to perform card-not-present (CNP) fraud. Here is an infographic that illustrates the process:

The first step is to procure the PAN. Not only is it a required field, but it also provides data about the card brand, issuing bank, and card type. Once you have that information, all you need is a bot to guess the rest.

Guessing the expiration date may seem intensive, but credit cards are valid for a maximum of 60 months, so only 60 possible expiration dates exist per card. Since the CVV is a three-digit code, there are only 1,000 possible combinations. To obtain both the expiration date and the CVV, you need a bot to test combinations until a match is made.

Guessing a complete address may seem like a prohibitively daunting task for a bot. After all, an address is a combination of a street number and name, city, state/province, and postal/zip code. But verifying that much data is difficult for payment processors as well, so rather than require a complete address, payment processors only verify the zip/postal code.

If you can narrow down the area where the cardholder lives, you can combine that with the branch locations of the issuing bank (which is encoded in the PAN), lowering the number of possible zip/postal codes.

Your last hurdle is avoiding the guessing limits enforced by payment processors. However, those limits apply per site, so there are no guessing limits when the same card is tried on multiple payment sites. The final step is to program your bad bot to spread the guessing across multiple sites.

As it happens, a bad bot making guesses on 30 payment sites can match the CVV, expiration date, and address to the cardholder name and PAN in four seconds. Using such a system, a person can verify 21,600 stolen credit cards per day.
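The per-site limit never trips because each site sees only a guess or two, but whoever sees every merchant's authorization attempts for a card (the issuer, or a shared fraud signal) still sees them pile up under one PAN. The following is an added example of that cross-merchant velocity check, not code from the post or from any vendor; it assumes a tokenised-PAN attempt log in timestamp order and the threshold values are assumed tuning values.

```python
# Added example (not from the post): cross-merchant velocity check for the
# distributed guessing described above. Assumption: an issuer or shared fraud
# service sees every merchant's authorization attempts for a PAN, so guesses
# spread over many sites still pile up under one card. PANs are tokenised.
from collections import defaultdict, deque

WINDOW_SECONDS = 10   # sliding window (assumed tuning value)
MAX_DECLINES = 5      # declines per PAN inside the window before flagging
MIN_MERCHANTS = 3     # ...spread over at least this many distinct merchants

def parse_attempt(line):
    """Parse one constructed log line: '<ts> <pan_token> <merchant> <result>'."""
    ts, pan, merchant, result = line.split()
    return int(ts), pan, merchant, result

def find_distributed_guessing(lines, window=WINDOW_SECONDS,
                              max_declines=MAX_DECLINES,
                              min_merchants=MIN_MERCHANTS):
    """Return {pan_token: ts_first_flagged} for PANs whose declines within
    `window` seconds reach max_declines across >= min_merchants merchants."""
    recent = defaultdict(deque)   # pan -> deque of (ts, merchant) declines
    flagged = {}
    for line in lines:
        ts, pan, merchant, result = parse_attempt(line)
        if result != "DECLINED":
            continue                     # approvals don't count as guesses
        q = recent[pan]
        q.append((ts, merchant))
        while q and ts - q[0][0] > window:   # expire events outside window
            q.popleft()
        if len(q) >= max_declines and len({m for _, m in q}) >= min_merchants:
            flagged.setdefault(pan, ts)      # record first time it tripped
    return flagged

# Constructed sample: tok_A is guessed once per site across five sites
# (no single site sees more than one failure); tok_B is a shopper's typo.
SAMPLE_LOG = """\
1000 tok_A shop1 DECLINED
1001 tok_A shop2 DECLINED
1001 tok_B shop9 DECLINED
1002 tok_A shop3 DECLINED
1003 tok_A shop4 DECLINED
1004 tok_A shop5 DECLINED
1050 tok_A shop6 DECLINED
""".splitlines()

if __name__ == "__main__":
    print(find_distributed_guessing(SAMPLE_LOG))   # {'tok_A': 1004}
```

Each merchant in the sample saw a single decline and would never rate-limit, while the PAN-level view flags the card on the fifth attempt.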

This not only impacts the card theft victims and the issuing banks, but also the payment sites being exploited. The latter experience unexpected spikes in traffic that can degrade server performance, increased credit card fraud scores, chargeback fees, and lowered conversion rates.

The best way for payment sites to protect themselves is to use a solution that leverages device fingerprinting, machine learning and behavioral modeling, API security, and JavaScript injection to continuously challenge users—in a way that is imperceptible to humans—to sift out bad bots from legitimate traffic.

Our online fraud page has more information and a short YouTube video on card cracking. Card cracking is one of dozens of OWASP automated threats.


Source for data: Ali MA, Arief B, Emms M, van Moorsel A., "Does The Online Card Payment Landscape Unwittingly Facilitate Fraud?", Newcastle University, IEEE Security & Privacy, 2017. In press.




About the Author

Peter Zavlaris

Peter Zavlaris weighs in on various topics around bot mitigation and bot defense, sharing white papers, videos and other resources on the topic.
