To me it seems *extremely* unlikely that scammers not only guessed a card number, expiry date and cv code but then did it again within days of a new card being activated. Surely if it were so common that a new card gets hit within days we would all be having fraudulent payments constantly? Halifax appear a bit over keen to attribute this to random fraud and not actually investigate it at all. Amazed the Guardian are taking it at face value.
They could guess mine all day long, all they would find is a few quid within it.
> “The first thing to realise is that you are not guessing the full 16 numbers at random,” says Jake Moore, a global cybersecurity adviser at Eset. “The first six digits of a credit card number signify the card network and the issuing bank, while the final digit is the Luhn algorithm checksum.”
>
> That means they only have to guess seven numbers
Hard to take someone seriously when they take 6 and 1 away from 16 and get 7.
> it can also be used by criminals to verify a number could be real.
Sort of. A number which fails the Luhn check is definitely wrong, but passing it doesn’t mean it’s real.
> “There are websites out there that have Luhn verifiers which help find these numbers in little or no time at all, making the chances of locating a card in use relatively high,” Moore says.
Guff. There are websites which do a Luhn checksum, because it’s trivial. But if someone was generating CC numbers to guess at, they’d not be using some online service to check them first. They’d just be generating the last digit as part of the process.
> There are, however, many websites – often located outside the UK – that will accept card payments without any need for a three-digit CVV number or any other proof of identity,
Dominos is not one of these.
> Banks and card companies have sophisticated technologies in place to spot and prevent these sorts of attacks from happening in real time using certain characteristics of each transaction.
Yes, and someone throwing thousands of random CC numbers at a processor is a dead giveaway. They’d last 3 seconds before being locked out.
> In my case, Domino’s did request the CVV of the first card but that, too, was guessed
Rubbish. The odds of guessing, successfully, a credit card, matching expiry and matching CVV are vanishingly small. The odds of being allowed to process enough transactions to hit a match without being blocked first are as close to zero as it’s possible to guess. Criminals would have a better chance of getting a pizza by driving around with their windows open and hoping a pizza fell in their mouths.
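Added example, not part of the thread or the article: a sketch of the two checks the comment above touches on, a Luhn validator (a failing number is certainly invalid, a passing one is not necessarily a real card) and a velocity rule that flags a source trying many distinct card numbers with mostly declines. The event layout, thresholds, source addresses and sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW = 60          # seconds of history kept per source (assumed threshold)
MAX_DISTINCT = 5     # distinct card numbers tolerated per window (assumed)
MIN_DECLINE = 0.8    # decline ratio that makes the burst suspicious (assumed)

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: necessary for a valid card number, never sufficient."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def flag_card_testing(events):
    """events: (ts, source, pan, approved). Returns {source: ts first flagged}."""
    recent = defaultdict(deque)             # source -> attempts inside WINDOW
    flagged = {}
    for ts, source, pan, approved in sorted(events):
        q = recent[source]
        q.append((ts, pan, approved))
        while q[0][0] <= ts - WINDOW:       # drop attempts older than WINDOW
            q.popleft()
        distinct = {p for _, p, _ in q}
        declines = sum(1 for _, _, ok in q if not ok)
        if (source not in flagged and len(distinct) > MAX_DISTINCT
                and declines / len(q) >= MIN_DECLINE):
            flagged[source] = ts
    return flagged

# Constructed sample: one source cycling through card numbers, one ordinary retry.
SAMPLE = [(100 + i, "10.0.0.5", f"40000000000{i:05d}", False) for i in range(8)]
SAMPLE += [(101, "10.0.0.9", "4111111111111111", False),
           (130, "10.0.0.9", "4111111111111111", True)]

if __name__ == "__main__":
    print(flag_card_testing(SAMPLE))
    print(luhn_ok("4111111111111111"), luhn_ok("4111111111111112"))
```

The ordinary retry from the second source (same card, one decline then an approval) stays unflagged, while the burst is caught on its sixth distinct number.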