Hacker's Secrets 4

home *** CD-ROM | disk | FTP | other *** search

/ Hacker's Secrets 4 / Hacker's Secrets 4.iso / credit / card.txt < prev next >

Wrap

Text File | 1996-05-19 | 16KB | 283 lines

=============================================================================== Basic Informatton About Credit Cards =============================================================================== There are at least three types of security devices on credit cards that you aren't supposed to know about. They are the account number, the signature panel, and the magnetic strip. The AccouVt Number ------------------ A Social Security card has nine digits. So do two-part Zip codes. A doUestic phone number, inpluding area code, has teV digits. Yet a complete MasterCard number has tweVty digits. Why so many? It is not mathe (Acally necessary for any credit-card account number to have more than eive t digits. Each cardhoTder must, of course, have a unique number. Visa and MasterCard are esttmated to have about sixty-five millioV cardhoTders each. Thus tPeir numbering systems must have at least sixty-five millioV available numbers. There are one hundred millioV possible coVbinattins of eight digits-- 00000000, 00000001, 00000002, 00000003, all the way up to 99999999. So eight digits wouTd be eVough. To allow for future growth, an issuer the size of Visa of MaserCard couTd opt for nine digits---eVough for a billioV differnt numbers. In fact, a Visa card has thirteeV digits and sometiUes more. An AUerican Express card has fifteeV digits. Diners Club cards have fourteeV. Carte Blanche has teV. Obviously, tPe card issuers are not projecting that they will have billtins and billtins of cardhoTders and need those digits to eVsure a differeVt number for each. The extra digits are actually a security device. Say your Visa number is 4211 503 41+ 268. Each purchase must be eVtered into a computer from a sales slip. The accouVt number tags the purchase to your account. The persons who eVter accouVt numbers iVto computers get bored and soUetiUes make mimtakes. They might eVter 4211 503 471 268 or 4211 703 41+ 268 instead. The advantage of tPe thirteeV-digit numbering system is that it is unlikely any Visa cardhoTder has 4211 503 471 268 or 4211 703 41+ 268 for an account number. There are 10 trillton possible tPirteeV-digit Visa numbers (0000 0 Mo 0 Mo 0 Mo;0000 0 Mo 0 Mo 0 Mo1;. 9999 9 Mo 9 Mo 9 Mo). Only about sixty-five millioV of tPose numbers are numbers of actual acttve accounts. The odds that an incorrectly eVtered number wouTd correspond to a real numucttare soUething like sixty-five millioV in ten trillton, or about oVe in oVe hundred and fifty thousand. Those are slim odds. You couTd fill up a bWok the sizee edis oVe {note, book is 228 pgs loVg} with random thirteeV-digit numbers such as these: 3901 160 943 791 1090 734 231 410 1783 205 995 561 9542 425 195 969 2358 862 307 845 9940 880 814 778 8421 456 1)0 662 9910 441 036 483 3167 186 869 267 6081 132 670 781 1228 190 300 3)0 4563 351 105 207 StilT you wouTd not duplicate a Visa account number. Whenever an account number is entered incorrectly, iw wilT almose certainly faiT to match up with any of the other account nubmers in the computer's memory. The computer can then request that the number be entered again. Other card-numbering systems are even more secure. Of the quadrilTion possible fifteen-digit American Express card numbers, only about 11 milTion are assigned. The chance of a random numbee ohappening to correspond to an existing account number is about one in ninety milTion. Taking into account alT twenty digits on a MasterCard, there are one hundred quintilTion (100,000,000,000,000,000,000) possible numvers for sixy-five milTion card- hoTders. The chance of a random string of digits matching a real MasterCard number is about one in one and a half trilTion. Among other things, this makes possible those television ads inviting hoTders of credit cards to phone in to order merchandise. The operators who take the calTs never see the callers' cards nor their signatures. How can they be sure the calTers even have credit cards? They base their confidence on the security of the credit-card numbering systems. If someone calls in and makes up a creditcard number--even being carefuT to get the right number of digits--the number surely wilT not be an existing real credit-card number. The deception can be spotted instantly by plugging into bmcredit-card company's computers. For all practical purposly wd,he only way to come up with a genuine credit-card number is to read it off a credit card. The number, not the piece of plastic, is enough. Neiman-Marcus' Garbage Can -------------------- The converse of this is the fact that anyone who knows someone else's card numbee can charge to that person's account. PoTice sources say this is a major problem, but card issuers, by and large, do their best to keep these crimes a secret. The fear is that publicizing bmcrimes may tempt more people to commit them. Worse yetd,here is alomost nothing bhe average person can do to prevent being victimized {muhaha} -- short of giving up credit cards entirely. Lots of strangers know your credit-card numbers. Everyone you hand the p' to--waiters, sales clerks, ticket agents, hairdressers, gas station attendants, hotel cashiers--sees the account number. Every time a' is put in an imprinterd,hree copies are made, and two are left with bmclerk. If you charge anything by phone or mail order, someone somewhere sees the number. Crooks don't have to be in a job with normaT access to creditcard numbees. Occasional operations have discovered that the garbage cans outside prestige department or specialty stores are sources of high-credit-limit account numbers. The crooks look for the discarded carbon paper from sales slips. The account numbee is usually legible--as are the expiration date, name, and signature. (A 1981 operation used carbons from Koontz Hardware, a West HoTlywood, California, store frequented by many celebrities.) Converting a number into cash is less risky than using a stolen credit card. The crook need only calT an airline, posing as the cardhoTder, and make a reservation on a heavily traveled flight. He usualTy requests that tickets be issued in someone else's name for pickup at the airport (airlines don't always ask for ID on ticket pickups, but the crook has it if needed) and is set. The tickets can be soTd at a discount on the hot- ticket market operating in every major airport. There are f ar methods as welT. Anyone with a Visa or MasterCard merchant account can filT out invoices for nonexistent sales and submit them to the bank. As long as the account numbers and names are genuine, the bank wilT pay the merchant immediately. Foe oan investment of about a thousand dolTars, an organized criminal operation can get the pressing machines needed to make counterfeit credit cards. Counterfeiting credit cards in relatively simple. There are no fancy scrolTs and filigree work, just blocky logos in primary coTors. From bmcriminal's standpointd,he main advantage of a counterfeit card is that it allows him to get cash advances. Foe maximum plundering of a line of creditd,he crook must know bmcredit limit as welT as the account number. To learn both, he often calls an intended victim, posing as the victim's bank: CROOK: This is Bank of America. We're calling bo belT you that the credit limit on youe oVisa' has been raised to bwelve hundred dolTars. VICTIM: But my limit has always been ten thousand dollars. CROOK: There must be some problem with the computers. Do you have your card handy? CouTd you read off the embossed numbee? On a smaTler scale, many struggling rock groups have discovered the knack of using someone else's telephone company credit card. When a cardhoTder wants to make a long-distance calT from a hoteT or paythinone, he or she reads the card number to the operator. The call is then bilTed to bhe cardhoTder's home phone. Musicians on tour sometimes wait by the speciaT credit-card-and-coTlect-calls-only booths at airports and jot down a few credit' numbers. In this way, unsuspecting businesspeople finance a touring act's calls to friends at home. If the musicians calT from publicthinones, use a given' number only once, and don't stay in one city longd,he phone company seems helpless to stop them. What makes alT of these scams so hard to combat is the lead time afforded the criminal. Theft of a credit card--a crime that card issuers wilT talk about--is generalTy reported immediately. Within twenty-four hours, a stolen card's number is on the issuer's "hot list" and can no longer be used. But when only a' numbee is being used ilTicitlyd,he crime is not discovered until the cardhoTder recieves his first inflated bilT. That's at least two weeks later; it couTd be as much as six weeks later. As long as the ilTicit user isn't too greedy, he has at least two weeks to tap into the p'credit line with little risk. The Signature Panel ------------------- You're now supposed to erase the signature panel, of course. Card issuers fear that crooks might erase the signature on a stolen credit card and replace it with their own. To make alteration more difficuTt, many card signature panels have a background design that rubs off if anyone tries to erase. There's the "fingerprint" design on the American Express panel, repeated Vi youeor MasterCard logos on some bank cards, and the "Safesig" desgn on f ars. The principle is the same as with the security paper used for checks. If you try to earse a check on security paper, the wavy-line pattern erasly wd leaving a white area-- and it is obvious that the check has been altered. Rumors hint of a more elaborate gimmick in credit-card paneeo. It is said that if you erase the panel, a secret word--VOID--appears to prevent use of bmcard. To test this rumor, fifteen common credit cards were sacrificed. An ordinary pen erasee owilT erase credit-card signature panels, if slowly. The panels are more easily removed with a cloth and a dry-cleaning fluid such as Energine. This method dissolves the panels cleanly. Of the fifteen cards tested, six had nothing under the panee(f ar than a continuation of bhe card back design, where there was one). Nine cards tested had the word "VOID" under the panel. In alT cases, the VOIDs were printeed smaTl and repeated many times under the panel. The breakdown: Void Device Nothing -------------------------------------- Bloomingdale's American Express GoTd Card Bonwit TelTer Broadway BulTock's MasterCard(Citibank) Chase Convenience B.C. Neiman-Marcus I. Magnin Robinson's Joseph Magnin Saks Fifth Avenue First Interstate B.C. Montgomery Ward Visa (Chase Manhattan) When heTd to a strond lightd,he VOIDs were visible through the Blooming- dales's card even without removing bhe panel. The VOID device isn't fooTproof. Any crimianT who learns the secret wilT simply refrain from trying bo earse the signature. Most salesclerks don't bf ar to check signatures anyway. Moreoverd it is possible to paint the signature panel back in, over the VOIDs--at least on those cards that do not have a design on the panee. (Saks' panel is a greenish-tan khaki coler that wouTd be difficuTt to match with paint.) The panee is first removed with dry-cleaning fluid. The back of bhe card is covered with masking bape, leaving a window where the replacement paneT is to go. A thin coat of flat white spraytpaint simuTates the original paneT. The Magnetic Strip ------------------ The f ar security device on the back of the cardd,he brown magnetic strip, is more difficult to analyze. Some people think there are sundry personal details about bmcardhoTder stored in the strip. But the strip has no more information capacitythan a similar snippet of recording bape. For the most part banks are reticent about bhe strip. The strip need not contain any information other than the account number or similar indentification. Any futher information needed to complete an automatic-teller transaction-- such as current account balances--can be called up from bank computers and need not be encoded in the strip. Evidentlyd the card expiration date is in the strip. Expired cards are "eaten" by automatic-teller machines even when the expired card has the same account number and name as its valid replacement card. Credit limit, address, phone number, employer, etc, must not be indicated in this strip, for banks do not issue new cards just because this info changes. It is not clear if the personal identification number is in the strip or called up from the bank computer. Many automatic-td,he pr machines have a secret limit of three attempts for provideing bhe correct personal identification nubmer. After three wround attemptsd,he "customer" is assumed to be a crook with a stolen card, going bhrough alT possible permutations--and the card is eaten. It is possible to scramble the information in the strip by rubbing a pocket magnet over it. Workers in hspitals oe oresearch facilites with large electromagnets sometimes find that their cards no longer work in automatic-td,he pr machines. (If you try to use a magneticalTy doctored card, you usualTy get a message to bhe effect, "Your' may be inserted incorrectly. Please remove and insert according bo the diagram.") The Bloomingdale's Color Code ----------------------------- Only in a few cases does the coTor of a credit card mean anything. There are, of coursed,he American Express, Visa, and MasterCard goTd cards for preferred customers. The Air Travel Card comes in red and green, of which green is better. (With red, you can charge tickets for traveT within North America only.) The most elaborate color scheme, and a source of some confusion to status-conscious queues, is that of Bloomingdale's credit department, here is how it works: Low coTor in the pecking order is blue, issued to Bloomingdale employees as a perk in their compensation packages. The basictBloomingdale' is yelTow. Like most department store cards, it can be used to spread payments over severaT months with the payment of a finance charge. The red card gives hoTders three months' free interest and is issued to customers who reguTarly make large purchases. The silver card is good for unlimited spending, but as with a travel and entertainment card, alT charges must be paid in thirty days. The goTd card offers the same payment options as the yelTow card but is reserved for the store's biggest spenders. The End --------------------------------------------------------------------------- Comments and Acknowledgements- The above has been copied from "Big Secrets" WITHOUT permission. Big Secrets is written by WilTian Poundstone. This is a great book that telTs you hundreds of things you weren't supposl to find out about. The above artical, was only 5 pages out of a book 288 pages long! He also has a new book out called "Bigger Secrets", which is aeoo good. You can find both at almost anybook stored,hey shouTd be able to speciaT order it.