1. A Change of Season

    Form hackers use to steal credit card expiry date and cvv


    Let's say the hacker has access to 10000 credit card numbers.

    How do they test different expiry dates and CVVs on these?

    There should be a system to test different variations (year, month and cvv) fast.

    I understand I may not get a response but I am curious to know this.
  2. #2
  3. Code Monkey V. 0.9
    There are known formulas for how credit card numbers relate to expiry dates, so that one is a pretty simple thing to do and get it down to a few possible dates in the future. For CVV numbers, not every online billing system needs them (even though they really should), so you'd target one that doesn't need it. At worst they'd brute-force things from multiple hacked IP addresses so they don't get blocked out too quickly and just keep on running their tests on multiple platforms until one accepts what they've tried.

    Remember, hackers are not into making things more complicated than they need to be. They like to keep it simple and automate things to do as much as possible to keep their own costs down.
  4. #3
    some internet guy
    I worked at a place once where someone used our order form to wash a list of cards overnight. Woke up in the morning to thousands of automated orders, all credit card. As best as I could tell, he was checking which ones would authorize and which wouldn't. I don't recall if he was cycling through expiration dates or not (I doubt it because we required CVV and if he didn't have the date, he probably didn't have the CVV). We added a captcha, refunded any charges, and closed out the orders.

    In theory, if you have a number, you can narrow the expiry date to probably 48 options (the next 48 months). With the way Big-O complexity works, computationally there isn't a huge difference between 10,000 attempts and 48,000 attempts. And like the guy above me said, CVV isn't required on a lot of forms.
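
For a merchant on the receiving end of the overnight run described in the posts above, here is a detection sketch (an added example, not part of any post in the thread). It flags one source submitting many different cards and one card being tried with many expiry dates regardless of source address; the window, thresholds, field names and sample data are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_CARDS_PER_IP = 5             # assumed: distinct cards one source may try
MAX_EXPIRIES_PER_CARD = 3        # assumed: distinct expiry dates tried on one card

def distinct_in_window(history, ts, value):
    """Append (ts, value), drop entries older than WINDOW, return distinct count."""
    history.append((ts, value))
    while history and ts - history[0][0] > WINDOW:
        history.popleft()
    return len({v for _, v in history})

def detect_card_testing(attempts):
    """Return a sorted list of (rule, key) alerts for time-ordered attempts.

    Each attempt is (timestamp, source_ip, card_token, expiry); card_token is a
    keyed hash of the card number so the detector never stores the number itself.
    """
    by_ip = defaultdict(deque)
    by_card = defaultdict(deque)
    alerts = set()
    for ts, ip, card, expiry in attempts:
        if distinct_in_window(by_ip[ip], ts, card) > MAX_CARDS_PER_IP:
            alerts.add(("many_cards_from_one_source", ip))
        # Keyed on the card alone, so attempts spread over many IPs still add up.
        if distinct_in_window(by_card[card], ts, expiry) > MAX_EXPIRIES_PER_CARD:
            alerts.add(("expiry_cycling_on_one_card", card))
    return sorted(alerts)

def sample_attempts():
    """Constructed sample data: documentation IP ranges and made-up tokens."""
    t0 = datetime(2024, 1, 1, 2, 0, 0)
    rows = []
    # One source submitting eight different cards, ten seconds apart.
    for i in range(8):
        rows.append((t0 + timedelta(seconds=10 * i), "198.51.100.7", f"tok-a{i}", "2026-05"))
    # One card tried with five expiry dates, each from a different address.
    for i in range(5):
        rows.append((t0 + timedelta(seconds=15 * i + 5), f"203.0.113.{i + 1}", "tok-b", f"2026-{i + 1:02d}"))
    # A normal customer retrying once after mistyping the expiry date.
    rows.append((t0 + timedelta(minutes=1), "192.0.2.44", "tok-c", "2027-01"))
    rows.append((t0 + timedelta(minutes=2), "192.0.2.44", "tok-c", "2027-02"))
    return sorted(rows)

if __name__ == "__main__":
    for rule, key in detect_card_testing(sample_attempts()):
        print(rule, key)
```

An alert from either rule is a reason to throttle or challenge the checkout before further authorization requests go out, which is the role the CAPTCHA played in the incident described above.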
