The Bankwatch

Tracking the consumer evolution of financial services

Credit cards are still very vulnerable online

This post amazed me, and when I followed some of the suggestions, I was successful.

It is essential that banks and credit card companies follow through with enhancements such as “Verified by Visa”.

More importantly, this article points to the need for ongoing vigilance for card numbers that are exposed online. This will prompt the usual argument of ‘is it Visa’s job or [the Bank’s] job’, but the need is so clear that surely it can be sorted out.

It would be simple for companies like Visa, MasterCard, and Discover to take a list of the most common 8-digit prefixes, query for them every day on Google, and de-activate any new credit card numbers that were found that way. (American Express cards are apparently not vulnerable to this trick, because when their 15-digit card numbers are written with spaces, they are usually written in the format “3xxx xxxxxx xxxxx”, and Googling for the first 10 digits as “3xxx xxxxxx” didn’t yield anything in my random test of ten AmEx numbers. But this is still their problem too, since the searches that turn up “treasure troves” of card numbers usually include AmEx numbers as well.) A Perl programmer could write a script in one afternoon that could run through all the known 8-digit prefixes, parse the search results, and pick out any URLs that weren’t listed as matches the day before. From there, the search results would have to be reviewed by a human, in order to spot any situations where one credit card number was exposed at one URL, and a slight variation on the same URL (such as varying an order ID number) would expose other credit card numbers as well, which was the case with several of the hits that I found.

Simple, but time-consuming with so many different 8-digit prefixes — but every minute of effort expended on tracking down and canceling leaked credit card numbers would save time and grief later by preventing the numbers from being used by criminals. If it would save them time in the long run and help prevent fraud, then why don’t they do this?
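As an added illustration (not code from this post or from the article it quotes), here is the defender-side core of the script the quoted author describes: scan fetched page text for card-shaped numbers, keep only Luhn-valid ones that start with a watched prefix, mask them for the report, and list only URLs that were not already on yesterday's hit list. The search-engine querying and fetching are left out; the sample pages, URLs, watched prefixes and "yesterday" set are constructed for the example.

```python
import re
from typing import Dict, List, Set, Tuple

# Card-shaped tokens: 13 to 16 digits, optionally grouped with spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str, prefixes: Tuple[str, ...]) -> List[str]:
    """Luhn-valid card-like numbers in text whose digits start with a watched prefix."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits) and digits.startswith(prefixes):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Keep issuer prefix and last four so the report itself does not leak the number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def new_exposures(today: Dict[str, str], seen_yesterday: Set[str],
                  prefixes: Tuple[str, ...]) -> Dict[str, List[str]]:
    """URLs not on yesterday's list that now expose a watched, Luhn-valid number (masked)."""
    report: Dict[str, List[str]] = {}
    for url, body in today.items():
        hits = find_pans(body, prefixes)
        if hits and url not in seen_yesterday:
            report[url] = [mask(p) for p in hits]
    return report


# Constructed sample content using well-known test card numbers, not real pages or cards.
SAMPLE_PAGES = {
    "https://example.test/order?id=1001": "Order 1001 paid with card 4111 1111 1111 1111 exp 05/09",
    "https://example.test/order?id=1002": "Order 1002 paid with card 5555-5555-5555-4444",
    "https://example.test/order?id=1003": "Order 1003 paid with card 4111 1111 1111 1112",  # fails Luhn
    "https://example.test/about": "Call us on 0800 123 456 7890 for support",
}
SEEN_YESTERDAY = {"https://example.test/order?id=1001"}  # constructed: already reviewed
WATCHED_PREFIXES = ("4111", "5555", "6011")  # constructed watchlist of issuer prefixes
```

Running `new_exposures(SAMPLE_PAGES, SEEN_YESTERDAY, WATCHED_PREFIXES)` reports only the order 1002 URL: order 1001 was already on yesterday's list, order 1003 fails the Luhn check, and the phone number matches neither the prefix list nor Luhn.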

Written by Colin Henderson

May 24, 2007 at 17:59

Posted in Chip Cards
