Credit Card Validation



April 29, 2013

The Luhn Algorithm is a simple checksum used for credit card validation. Many small companies use it to validate credit card numbers as they are submitted for transaction processing. Small companies that use this checksum as their only form of credit card validation are open to abuse, and in turn to theft of service or product.

Abuse using the Luhn Algorithm

Credit Card Validation and Abuse

Preface

If you are reading this to gain knowledge of abusing credit card systems all over the world and getting free stuff, unfortunately this is not for you. This is not a how-to tutorial, nor will this technique work in very many places. Most companies use multiple forms of validation, even checking with the carrier that the card is indeed valid, is not over its limit, and so on. The algorithm we will delve into is meant for quick validation of a card number, to ensure that no digits have been transposed. The information I am going to share with you is by no means legal to use in practice for malicious credit card activity. With that, I take no responsibility for what you do with this information. This is for information purposes only and under no circumstances is it to be used in any manner whatsoever. Because of this, the technique will seldom work; if you go to an online web page and try it, it will likely raise red flags, and the next thing you know the police will be knocking at your door for attempted fraud. As I said before, and I will say it again, do not try this. Now, let's begin.

Credit Cards

Issuer Identification Number (IIN)

This is where we start to get into a legal grey area. IINs are registered with the American National Standards Institute. The information on IINs is private and is not supposed to be released to the public.
Although some of this information is now public domain, using it skirts the line of legality. There are thousands of IIN combinations, specific to each company that issues credit cards. The International Organization for Standardization (ISO) is the body responsible for this regulation: IINs are defined by ISO/IEC 7812, which specifies this numbering system for banking institutions to use. Although IIN information is not supposed to be in the public domain, many users have self-submitted the IIN of their own card, effectively crowd-sourcing the information the banking institutions have declined to disclose.

Carrier-specific card information

Go ahead and pull out your credit card; I will wait. Take a look at the leading digits of your card. If the leading digit is 4, you have a Visa card in your hand. 6011 must be a Discover card; 34 or 37, American Express; 5, MasterCard. I know this because every credit card company is assigned a specific Issuer Identification Number (IIN), which is specific to the card you are holding and the company that issued it. The IIN is not only carrier-specific but also category-specific. The following table outlines the first leading digit and the category assigned to it. Some corporations are large enough to "own" entire categories on their own, like Visa, Discover, and MasterCard.

Leading Digit    Category
0                ISO/TC
1                Airlines
2                Airlines and future assignments
3                Travel, entertainment, and banking
4                Banking (Visa)
5                Banking (MasterCard)
6                Merchandising, banking, and financial (Discover)
7                Petroleum and future assignments
8                Healthcare, telecom, and future assignments
9                National standards bodies

With just a glance at a credit card you are able to tell which company issued it. The typical bank card consists of 16 digits. The first 6 digits correspond to the issuer.
The next nine digits are assigned by that issuer, and the final digit is a checksum that can be calculated with the Luhn Algorithm.

The Luhn Algorithm

The Luhn Algorithm is a mod 10 algorithm. It was not, and is not, designed as a secure hashing formula; it was designed to catch accidental errors and digit transposition. Most companies use the Luhn algorithm to distinguish valid numbers from a collection of random digits entered as input. Take a look at your credit card and note the last digit. That last digit is the one the algorithm checks to ensure that the card number is legitimate. If your card number is 1234 5678 9123 4567, the validation would be computed over 1234 5678 9123 456 and compared against the last digit, which is 7. Here is how the Luhn Algorithm works to calculate whether a card number is valid:

1. Take each digit as a separate number.
2. Starting from the leftmost digit, double every second digit.
3. Subtract 9 from each number that is greater than 9.
4. Add all of the numbers together.
5. If the result is divisible by 10, it is a valid bank card number.

Luhn Algorithm implementation in C#

The following code is a C# implementation that calculates whether a credit card number is valid. Although the code is laid out slightly differently from the pseudo-code above, it is essentially the same method. It uses a command line interface where you can enter as many credit card numbers as you like, separated by spaces, and it reports whether each one is legitimate.

```csharp
using System;

namespace luhnAlg
{
    class Program
    {
        static void Main(string[] args)
        {
            for (int i = 0; i < args.Length; i++)
            {
                Console.WriteLine("Credit Card Number: {0}", args[i]);
                // Each argument is checked on its own (the original code
                // mistakenly validated args[0] for every argument).
                Console.WriteLine("Valid? " + IsValidNumber(args[i]) + "\n");
            }
        }

        private static bool IsValidNumber(string input)
        {
            // Correction applied when a digit is doubled: the difference between
            // the digit and its doubled value (minus 9 when the double exceeds 9).
            int[] DELTAS = new int[] { 0, 1, 2, 3, 4, -4, -3, -2, -1, 0 };
            int checksum = 0;
            char[] ccNumber = input.ToCharArray();
            int j = 0;

            // An empty string would otherwise sum to 0 and pass the mod 10 test.
            if (ccNumber.Length == 0) return false;

            // Iterate backwards through the card number
            for (int i = ccNumber.Length - 1; i > -1; i--)
            {
                // Convert from char to int
                j = ccNumber[i] - 48;
                // If it's not a digit, the number is invalid
                if (j < 0 || j > 9) return false;
                // Add the digit to the checksum
                checksum += j;
                // Every second digit counted from the right (never the check
                // digit itself) is doubled: add the doubling correction
                if (((i - ccNumber.Length) % 2) == 0)
                    checksum += DELTAS[j];
            }
            // The card number is valid if the checksum mod 10 is 0
            return ((checksum % 10) == 0);
        }
    }
}
```

This is where you should be able to tell where the validation problem lies. Just because a credit card number validates, that does not mean it is a real credit card. Unfortunately, people who implement checksums for credit cards on web pages sometimes do not realize this. This realization is what we will use to attempt to "hack" a credit card system.

"Hacking" Credit Card Validation Systems

It was stated earlier, and I will state it once more for clarity: this is not legal to perform on systems, and it likely will not work. It is most likely against the terms of service of the company you would be purchasing from, and if it did work, it would be fraud. Not something you would want on your hands. As online transaction processing is extremely popular, it is unlikely you will find a site where this would work, but it is definitely a possibility. The ideal site would be one that checks that your information is all in the proper format and validates it with Luhn, or does not validate at all.
It would then let you finish checking out before the information has been processed by the payment gateway that is in charge of charging you. If this happens, for all the site knows your payment was valid. When the site sends it to the payment gateway, it would come back as not legitimate, but as this step is usually automated, the failure would be written to a log or simply not noticed. Finally, the item or service you purchased would be in the queue to complete the purchase and be sent to the user. You should already be familiar enough with the way this algorithm works to use it to "hack" a validation service. You should have noticed that I am putting hack in quotes, because this is not really a hack; it is more a security vulnerability that could be present. The way you could potentially use this would be to find a random string of digits that validates, then attempt to use it on the system you are trying to exploit. There are many ways to go about this; one would be to choose a string of 15 digits, then run the Luhn algorithm in reverse to calculate what the check digit should be. That would give you the 16-digit number you need. To calculate the check digit, take your 15-digit string, append a 0 to the end, and calculate the Luhn checksum. If it validates as is, your 15-digit string is a valid number with a 0 at the end. If it does not validate, the check digit is the amount that would bring that checksum up to the next multiple of 10.

Prevention

The easiest way to prevent this "hack" is to send the information to the processing gateway for an immediate transaction. If the transaction fails, send the user back to correct the information.
You can save time and help users before they even submit by validating the card number's format with Luhn and regular expressions. By doing this simple check with the transaction company, you will prevent your business from being stuck with the bill when a user exploits your system. An ounce of prevention is worth a pound of cure: if you process credit cards and do not process payments this way, your system will be exploited and you will have to foot the bill. With this information, I hope you have learned something about how credit cards are validated, how someone could attempt to bypass validation by providing a pre-validated, false card number, and, if you process credit card information for transactions, what you can do to prevent this from happening to your systems.
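As an added example (not the post's own C# code), here is a Python version of the post's validator together with the reverse check-digit calculation from the previous section and the format pre-check suggested under Prevention. The brand patterns and card lengths are this example's assumptions; the post only gives the leading digits and says a typical bank card has 16 digits.

```python
import re

# Brand patterns from the post's leading-digit table (4 Visa, 5 MasterCard, 6011
# Discover, 34/37 American Express); the lengths are this example's assumptions.
BRANDS = [
    ("Visa", re.compile(r"4[0-9]{15}")),
    ("MasterCard", re.compile(r"5[0-9]{15}")),
    ("Discover", re.compile(r"6011[0-9]{12}")),
    ("American Express", re.compile(r"3[47][0-9]{13}")),
]

def luhn_sum(digits: str) -> int:
    """The post's steps: double every second digit (counted from the right,
    so the check digit is never doubled), subtract 9 from doubled values
    above 9, and add everything together. Expects ASCII digits only."""
    total = 0
    for idx, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if not 0 <= d <= 9:
            raise ValueError(f"non-digit in card number: {ch!r}")
        if idx % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total

def luhn_valid(digits: str) -> bool:
    """A number passes Luhn when the sum is divisible by 10."""
    return len(digits) > 0 and luhn_sum(digits) % 10 == 0

def luhn_check_digit(partial: str) -> str:
    """The post's reverse calculation: append a 0, take the sum, and the
    check digit is whatever lifts that sum to the next multiple of 10."""
    return str((10 - luhn_sum(partial + "0") % 10) % 10)

def classify(submitted: str):
    """Pre-submit check as the post recommends: strip separators, match a brand
    pattern, run Luhn. Returns the brand or None; a brand means only 'well-formed'."""
    digits = re.sub(r"[ -]", "", submitted)
    if not re.fullmatch(r"[0-9]{15,16}", digits):
        return None
    for brand, pattern in BRANDS:
        if pattern.fullmatch(digits):
            return brand if luhn_valid(digits) else None
    return None

if __name__ == "__main__":
    # Constructed value: 15 arbitrary digits plus the computed check digit. It passes
    # every local check; only the payment gateway's answer says the card is real.
    fabricated = "400000000000000" + luhn_check_digit("400000000000000")
    print(fabricated, classify(fabricated))  # 4000000000000002 Visa
```

A brand name from classify is a usability hint for the checkout form, not an authorization result; the gateway response remains the only source of truth.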