Text File | 1996-05-19 | 16KB | 283 lines
===============================================================================
Basic Information About Credit Cards
===============================================================================
There are at least three types of security devices on credit cards that
you aren't supposed to know about. They are the account number, the signature
panel, and the magnetic strip.
The Account Number
------------------
A Social Security card has nine digits. So do two-part Zip codes.
A domestic phone number, including area code, has ten digits. Yet a
complete MasterCard number has twenty digits. Why so many?
It is not mathematically necessary for any credit-card account number
to have more than eight digits. Each cardholder must, of course, have a
unique number. Visa and MasterCard are estimated to have about sixty-five
million cardholders each. Thus their numbering systems must have at least
sixty-five million available numbers.
There are one hundred million possible combinations of eight digits--
00000000, 00000001, 00000002, 00000003, all the way up to 99999999. So
eight digits would be enough. To allow for future growth, an issuer the
size of Visa or MasterCard could opt for nine digits--enough for a billion
different numbers.
In fact, a Visa card has thirteen digits and sometimes more. An
American Express card has fifteen digits. Diners Club cards have fourteen.
Carte Blanche has ten. Obviously, the card issuers are not projecting
that they will have billions and billions of cardholders and need those
digits to ensure a different number for each. The extra digits are actually
a security device.
Say your Visa number is 4211 503 417 268. Each purchase must be
entered into a computer from a sales slip. The account number tags the
purchase to your account. The persons who enter account numbers into
computers get bored and sometimes make mistakes. They might enter
4211 503 471 268 or 4211 703 417 268 instead.
The advantage of the thirteen-digit numbering system is that it is
unlikely any Visa cardholder has 4211 503 471 268 or 4211 703 417 268
for an account number. There are 10 trillion possible thirteen-digit
Visa numbers (0000 000 000 000; 0000 000 000 001; ... 9999 999 999 999).
Only about sixty-five million of those numbers are numbers of actual
active accounts. The odds that an incorrectly entered number would
correspond to a real number are something like sixty-five million in
ten trillion, or about one in one hundred and fifty thousand.
Those are slim odds. You could fill up a book the size of this one
{note, book is 228 pgs long} with random thirteen-digit numbers such as
these:
3901 160 943 791
1090 734 231 410
1783 205 995 561
9542 425 195 969
2358 862 307 845
9940 880 814 778
8421 456 1)0 662
9910 441 036 483
3167 186 869 267
6081 132 670 781
1228 190 300 3)0
4563 351 105 207
Still you would not duplicate a Visa account number. Whenever an account
number is entered incorrectly, it will almost certainly fail to match up
with any of the other account numbers in the computer's memory. The
computer can then request that the number be entered again.
Other card-numbering systems are even more secure. Of the quadrillion
possible fifteen-digit American Express card numbers, only about 11 million
are assigned. The chance of a random number happening to correspond to an
existing account number is about one in ninety million. Taking into account
all twenty digits on a MasterCard, there are one hundred quintillion
(100,000,000,000,000,000,000) possible numbers for sixty-five million
cardholders. The chance of a random string of digits matching a real
MasterCard number is about one in one and a half trillion.
Among other things, this makes possible those television ads inviting
holders of credit cards to phone in to order merchandise. The operators
who take the calls never see the callers' cards nor their signatures.
How can they be sure the callers even have credit cards?
They base their confidence on the security of the credit-card numbering
systems. If someone calls in and makes up a credit-card number--even being
careful to get the right number of digits--the number surely will not be
an existing real credit-card number. The deception can be spotted instantly
by plugging into the credit-card company's computers. For all practical
purposes, the only way to come up with a genuine credit-card number is to
read it off a credit card. The number, not the piece of plastic, is
enough.
Neiman-Marcus' Garbage Can
--------------------
The converse of this is the fact that anyone who knows someone else's card
number can charge to that person's account. Police sources say this is a
major problem, but card issuers, by and large, do their best to keep these
crimes a secret. The fear is that publicizing the crimes may tempt more
people to commit them. Worse yet, there is almost nothing the average
person can do to prevent being victimized {muhaha} -- short of giving up
credit cards entirely.
Lots of strangers know your credit-card numbers. Everyone you hand the
card to--waiters, sales clerks, ticket agents, hairdressers, gas station
attendants, hotel cashiers--sees the account number. Every time a card is
put in an imprinter, three copies are made, and two are left with the clerk.
If you charge anything by phone or mail order, someone somewhere sees the
number.
Crooks don't have to be in a job with normal access to credit-card numbers.
Occasional operations have discovered that the garbage cans outside prestige
department or specialty stores are sources of high-credit-limit account
numbers. The crooks look for the discarded carbon paper from sales slips.
The account number is usually legible--as are the expiration date, name,
and signature. (A 1981 operation used carbons from Koontz Hardware, a
West Hollywood, California, store frequented by many celebrities.)
Converting a number into cash is less risky than using a stolen
credit card. The crook need only call an airline, posing as the cardholder,
and make a reservation on a heavily traveled flight. He usually requests
that tickets be issued in someone else's name for pickup at the airport
(airlines don't always ask for ID on ticket pickups, but the crook has it
if needed) and is set. The tickets can be sold at a discount on the
hot-ticket market operating in every major airport.
There are other methods as well. Anyone with a Visa or MasterCard
merchant account can fill out invoices for nonexistent sales and submit
them to the bank. As long as the account numbers and names are genuine,
the bank will pay the merchant immediately.
For an investment of about a thousand dollars, an organized criminal
operation can get the pressing machines needed to make counterfeit credit
cards. Counterfeiting credit cards is relatively simple. There are no
fancy scrolls and filigree work, just blocky logos in primary colors.
From the criminal's standpoint, the main advantage of a counterfeit card
is that it allows him to get cash advances. For maximum plundering of a
line of credit, the crook must know the credit limit as well as the account
number. To learn both, he often calls an intended victim, posing as the
victim's bank:
CROOK:  This is Bank of America. We're calling to tell you that the
        credit limit on your Visa card has been raised to twelve
        hundred dollars.
VICTIM: But my limit has always been ten thousand dollars.
CROOK:  There must be some problem with the computers. Do you have
        your card handy? Could you read off the embossed number?
On a smaller scale, many struggling rock groups have discovered the
knack of using someone else's telephone company credit card. When a
cardholder wants to make a long-distance call from a hotel or pay phone,
he or she reads the card number to the operator. The call is then billed
to the cardholder's home phone. Musicians on tour sometimes wait by the
special credit-card-and-collect-calls-only booths at airports and jot
down a few credit card numbers. In this way, unsuspecting businesspeople
finance a touring act's calls to friends at home. If the musicians call
from public phones, use a given card number only once, and don't stay
in one city long, the phone company seems helpless to stop them.
What makes all of these scams so hard to combat is the lead
time afforded the criminal. Theft of a credit card--a crime that
card issuers will talk about--is generally reported immediately.
Within twenty-four hours, a stolen card's number is on the issuer's
"hot list" and can no longer be used. But when only a card number is
being used illicitly, the crime is not discovered until the
cardholder receives his first inflated bill. That's at least two
weeks later; it could be as much as six weeks later. As long as the
illicit user isn't too greedy, he has at least two weeks to tap into the
card's credit line with little risk.
The Signature Panel
-------------------
You're not supposed to erase the signature panel, of course. Card
issuers fear that crooks might erase the signature on a stolen credit
card and replace it with their own. To make alteration more difficult,
many card signature panels have a background design that rubs off if
anyone tries to erase. There's the "fingerprint" design on the American
Express panel, repeated Visa or MasterCard logos on some bank cards, and the
"Safesig" design on others. The principle is the same as with the security
paper used for checks. If you try to erase a check on security paper, the
wavy-line pattern erases, leaving a white area--and it is obvious that the
check has been altered.
Rumors hint of a more elaborate gimmick in credit-card panels.
It is said that if you erase the panel, a secret word--VOID--appears
to prevent use of the card. To test this rumor, fifteen common credit
cards were sacrificed.
An ordinary pen eraser will erase credit-card signature panels, if
slowly. The panels are more easily removed with a cloth and a dry-cleaning
fluid such as Energine. This method dissolves the panels cleanly. Of the
fifteen cards tested, six had nothing under the panel (other than a
continuation of the card back design, where there was one). Nine cards
tested had the word "VOID" under the panel. In all cases, the VOIDs
were printed small and repeated many times under the panel. The breakdown:
Void Device                 Nothing
------------------------------------------------------
Bloomingdale's              American Express Gold Card
Bonwit Teller               Broadway
Bullock's                   MasterCard (Citibank)
Chase Convenience B.C.      Neiman-Marcus
I. Magnin                   Robinson's
Joseph Magnin               Saks Fifth Avenue
First Interstate B.C.
Montgomery Ward
Visa (Chase Manhattan)
When held to a strong light, the VOIDs were visible through the
Bloomingdale's card even without removing the panel.
The VOID device isn't foolproof. Any criminal who learns the secret
will simply refrain from trying to erase the signature. Most salesclerks
don't bother to check signatures anyway.
Moreover, it is possible to paint the signature panel back in, over
the VOIDs--at least on those cards that do not have a design on the
panel. (Saks' panel is a greenish-tan khaki color that would be difficult
to match with paint.) The panel is first removed with dry-cleaning fluid.
The back of the card is covered with masking tape, leaving a window where
the replacement panel is to go. A thin coat of flat white spray paint
simulates the original panel.
The Magnetic Strip
------------------
The other security device on the back of the card, the brown magnetic
strip, is more difficult to analyze. Some people think there are sundry
personal details about the cardholder stored in the strip. But the
strip has no more information capacity than a similar snippet of recording tape.
For the most part banks are reticent about the strip.
The strip need not contain any information other than the account
number or similar identification. Any further information needed to
complete an automatic-teller transaction--such as current account
balances--can be called up from bank computers and need not be encoded
in the strip.
Evidently, the card expiration date is in the strip. Expired cards
are "eaten" by automatic-teller machines even when the expired card has
the same account number and name as its valid replacement card. Credit
limit, address, phone number, employer, etc., must not be indicated in
this strip, for banks do not issue new cards just because this info changes.
It is not clear if the personal identification number is in the strip
or called up from the bank computer. Many automatic-teller machines have
a secret limit of three attempts for providing the correct personal
identification number. After three wrong attempts, the "customer" is
assumed to be a crook with a stolen card, going through all possible
permutations--and the card is eaten.
It is possible to scramble the information in the strip by rubbing
a pocket magnet over it. Workers in hospitals or research facilities with
large electromagnets sometimes find that their cards no longer work in
automatic-teller machines. (If you try to use a magnetically doctored
card, you usually get a message to the effect, "Your card may be inserted
incorrectly. Please remove and insert according to the diagram.")
The Bloomingdale's Color Code
-----------------------------
Only in a few cases does the color of a credit card mean anything.
There are, of course, the American Express, Visa, and MasterCard gold
cards for preferred customers. The Air Travel Card comes in red and green, of
which green is better. (With red, you can charge tickets for travel within
North America only.) The most elaborate color scheme, and a source of some
confusion to status-conscious queues, is that of Bloomingdale's credit
department. Here is how it works: Low color in the pecking order is blue,
issued to Bloomingdale employees as a perk in their compensation packages. The
basic Bloomingdale card is yellow. Like most department store cards, it can be
used to spread payments over several months with the payment of a finance
charge. The red card gives holders three months' free interest and is issued
to customers who regularly make large purchases. The silver card is good for
unlimited spending, but as with a travel and entertainment card, all charges
must be paid in thirty days. The gold card offers the same payment options as
the yellow card but is reserved for the store's biggest spenders.
The End
---------------------------------------------------------------------------
Comments and Acknowledgements-
The above has been copied from "Big Secrets" WITHOUT permission.
Big Secrets is written by William Poundstone. This is a great
book that tells you hundreds of things you weren't supposed to
find out about. The above article was only 5 pages out of
a book 288 pages long! He also has a new book out called
"Bigger Secrets", which is also good. You can find both at
almost any book store, they should be able to special order it.