Can a crook get your entire credit card # by just knowing the last 3-4 digits?

John DiFool

10-01-2008, 07:32 PM

Something that my friend mentioned sparked this question. He said that he saw some program somewhere where some identity thieves were able to discern the entire credit card number by just knowing the last 4 digits. I was skeptical of his claim because it would be almost a total crapshoot trying to guess one of the trillion combinations for the first twelve digits (not to mention the expiration date and the 3 digit security code on the back). Yeah IIRC each bank has a unique combination for the first 4 digits, but after that I will plead total ignorance.

So am I risking ID theft if I don't burn/shred any receipt containing the last 4 digits, or is this something I really shouldn't worry about?

treis

10-01-2008, 07:43 PM

It's obviously impossible unless there are no more than 9999 credit cards in the world.

Santo Rugger

10-01-2008, 07:48 PM

It's obviously impossible unless there are no more than 9999 credit cards in the world.

Care to show your work?

treis

10-01-2008, 07:58 PM

Sure. Here's how I count them:

(1) XXXX-XXXX-XXXX-0000

(2) XXXX-XXXX-XXXX-0001

(3) XXXX-XXXX-XXXX-0002

(4) XXXX-XXXX-XXXX-0003

(5) XXXX-XXXX-XXXX-0004

.......

(100) XXXX-XXXX-XXXX-0099

(101) XXXX-XXXX-XXXX-0100

(102) XXXX-XXXX-XXXX-0101

(103) XXXX-XXXX-XXXX-0102

(104) XXXX-XXXX-XXXX-0103

Same all the way to:

(10000) XXXX-XXXX-XXXX-9999

(I originally said 9999, but I forgot to account for 0000)

Basically, there are only 10,000 combinations for the last 4 digits. In order to be able to figure out the full 16 digits from the last 4 digits, there can be only one number for each combination of the last 4 digits. For example, if you have:

1234-5678-9101-2434

4234-4234-2234-2434

Then if you were given just 2434, there would be no way to know if the full number is the first or second one. Thus since there are only 10,000 unique last 4 digit combinations, there could only be 10,000 unique full number combinations if you could determine the full CC number from the last 4 digits.

ultrafilter

10-01-2008, 08:15 PM

Credit card numbers aren't just random blocks of 16 digits, though--there are some mathematical relationships that hold between them. So if a crook knows the last four digits and those relationships, that narrows their search space considerably.

Superfluous Parentheses

10-01-2008, 08:16 PM

It's obviously impossible unless there are no more than 9999 credit cards in the world.

this. also: IIRC most credit card numbers end with a CRC checksum digit, which means that the total of possible numbers would be 10 times lower; so about 999. And we know that's not true.

edit: that's not to mean that you can't come up with a "valid" cc number; it just means that it's not likely you can guess the right cc number for any given customer, given only the last 4 digits.

Telemark

10-01-2008, 08:41 PM

http://insiderguidetocreditrepair.com/blog/2007/11/how-to-decode-your-credit-card-number/

Here's what your CC numbers mean. You can't figure out the rest of the digits from the last 4.

Indistinguishable

10-01-2008, 09:16 PM

this. also: IIRC most credit card numbers end with a CRC checksum digit, which means that the total of possible numbers would be 10 times lower; so about 999. And we know that's not true.

The checksum is on the whole string of digits. It doesn't narrow down the number of possible 4 digits endings, just what can come before each of them. But, yes, there are only 10,000 possible last strings, so the claim is silly right off the bat.

Generally, if you know all of the digits of a credit card except for one, you can calculate the last one easily. But that's not terribly useful for committing fraud...

CookingWithGas

10-01-2008, 09:27 PM

I used to manage a billing and payment system for a large online merchant and worked closely with our merchant acquirer, so I learned a lot about credit cards. I agree that it is not practically possible to determine a credit card number from the last 4 digits. Actually, I sometimes did searches based on the last 4 digits and frequently got multiple hits, and we had only about 8-10 million card numbers in our database.

There is a check digit that is calculated by a simple series of calculations but you can't go backwards--the check digit will not allow you to determine any of the digits even if you know the last 4. After all, it's only one digit so for each check digit value there are roughly a gazillion possible credit card numbers.

Credit card numbers aren't just random blocks of 16 digits, though--there are some mathematical relationships that hold between them. So if a crook knows the last four digits and those relationships, that narrows their search space considerably.

But there still cannot be more than 10,000 possible combinations from a given set of 4 numbers.

So since there are far more than 10,000 credit cards out there, then you can't just know a mathematical relationship and get the other 12 numbers.

Chronos

10-01-2008, 10:09 PM

On the other hand: A few years back, there was some sort of breach of security at Visa, and they had to issue a bunch of people (including me) new card numbers. The old, presumed-compromised, card, and the new, secure one differed only in their last four digits. So a determined crook could have gotten the first twelve digits from the stolen hard drive or whatever it was, and the last four from a discarded receipt or the like, and assembled my entire card number.

The fact that the first twelve digits all matched also suggests the possibility that there's some further pattern, which a crook might conceivably be able to determine from additional information (date when the card was applied for, or the person's name, or whatever).

Gary T

10-01-2008, 10:57 PM

Many (most? all?) credit card receipts show the last four digits of the card (the first 12 being represented by X's) and have done so for years. If there were a way to use those digits profitably, you can be sure it would have been done long ago.

Santo Rugger

10-01-2008, 11:17 PM

Care to show your work?

That was pretty dumb. I guess I need coffee in the early evening, too!

slaphead

10-02-2008, 10:49 AM

It's worth bearing in mind that some of the stuff at the front end will be fixed. The first two identify the network (37 for Amex, 45 and 49 for Visa, 54 and probably at least one more for MC, and so on), and then the next few digits identify the bank, then there's the account number, then some issue identifiers (to let them tell if this is your current card or the one you lost last year) and at the end there's a check digit.

If they know e.g. that it's an MBNA Visa card, and the last four digits, and the algorithm which checks the number is valid then it's relatively easy to work out the possible 'valid' card numbers, at least one of which will be your card number. They only have to figure out half a dozen or so digits, and can discard 50% of the possibilities. Some info from wiki (http://en.wikipedia.org/wiki/Credit_card_numbers)

Can they get the card number from the last digits? No.

Does it help them take an educated guess at what your number is? Yes.

Is it an easier way of getting cardnumbers than dumpster diving, restaurant skimming, phishing, hacking servers etc? No.

Many (most? all?) credit card receipts show the last four digits of the card (the first 12 being represented by X's) and have done so for years. If there were a way to use those digits profitably, you can be sure it would have been done long ago.

Never underestimate the stupidity of organizations. Take our local library system. They used to print a patron's whole ID number on the slips put in the books for the on-hold shelves. (A lot of people do this at our branch. Mrs. FtG in particular.) So it made it trivial to walk by the on-hold shelves and pick up hundreds of valid patron IDs. (Which can be used to check out books with no intention of returning them or use the library computers and Do Bad Things on them.)

So they went to the last several digits on the slip. But the prefix is standardized, there's a check digit, etc. So all one needs to guess is a single digit. And you can sit at a library computer and run thru those and have the system tell you when you hit a correct one.

As with several other security issues I have uncovered at the library, the staff is completely uninterested in helping me find someone that would actually care who I could report this to.

control-z

10-02-2008, 03:36 PM

The last digit of a standard 16-digit credit card number is a check digit. The check digit is generated from adding the rest of the 15 numbers together and doing some simple math on the sum which reduces the sum down to a number 0 through 9, which becomes the last digit.

So according to my calculations if you know the last 4 digits you could rule out 90% of the 999,999,999,999 combinations that don't add up properly. That's still a hundred million card numbers. If you knew whether it was Visa, Mastercard, or Discover, then you would know the first digit was a 4, 5, or 6. That would narrow it to 10% of 99,999,999,999 combinations, so ten million possibilities.

That's all the advantage I could see from the last 4 digits.

CookingWithGas

10-02-2008, 03:50 PM

...a determined crook could have gotten the first twelve digits from the stolen hard drive or whatever it was, and the last four from a discarded receipt or the like, and assembled my entire card number.

That may be true for that very specific scenario, but in general, if you have the last 4 digits but have no other information about the cardholder and the card, you can't reconstruct the entire number.

jharvey963

10-03-2008, 11:58 AM

I once heard someone say that with the "authorization number" on the credit card slip and the last 4 digits of your card, you could "look up" the transaction or credit card number.

Does anyone know if this is true?

J.

p.s., to slaphead: All visa cards do not start with 45 or 49. Mine starts with 44.

Chronos

10-03-2008, 04:09 PM

That may be true for that very specific scenario, but in general, if you have the last 4 digits but have no other information about the cardholder and the card, you can't reconstruct the entire number.

With no other information, of course not. The relevant question, though, is how much they can reconstruct with easily-obtainable information.

The last digit of a standard 16-digit credit card number is a check digit. The check digit is generated from adding the rest of the 15 numbers together and doing some simple math on the sum which reduces the sum down to a number 0 through 9, which becomes the last digit.

This is a common mistake. The position may matter in the few milliseconds it takes to first create the whole number, but from then on any digit can be treated as the checksum digit. E.g., give me all but the 7th digit and I can generate the whole number. Hence, the last digit is no more nor less significant than any other. So thinking of the last 4 digits, for example, as 3 "real digits" and a checksum digit would be pointless.

Also, the bank prefix is quite easily guessed in many situations. So while the number of possible valid matching numbers that go with the last 4 digits is a good size number, it is not nearly as large as doing simple 10^11 (16-4-1 not 12) calculations would lead you to believe.

Jane D'oh!

10-03-2008, 04:32 PM

I once heard someone say that with the "authorization number" on the credit card slip and the last 4 digits of your card, you could "look up" the transaction or credit card number.

Does anyone know if this is true?

J.

p.s., to slaphead: All visa cards do not start with 45 or 49. Mine starts with 44.

You might be able to use some social engineering to get the full number if you have an authorization code, but it would take some work.

Really Not All That Bright

10-03-2008, 05:07 PM

The first two identify the network (37 for Amex, 45 and 49 for Visa, 54 and probably at least one more for MC, and so on)

My BofA Visa starts with 43XX-.

KneadToKnow

10-03-2008, 05:16 PM

Never underestimate the stupidity of organizations. Take our local library system. They used to print a patron's whole ID number on the slips put in the books for the on-hold shelves. (A lot of people do this at our branch. Mrs. FtG in particular.) So it made it trivial to walk by the on-hold shelves and pick up hundreds of valid patron IDs. (Which can be used to check out books with no intention of returning them or use the library computers and Do Bad Things on them.)

So they went to the last several digits on the slip. But the prefix is standardized, there's a check digit, etc. So all one needs to guess is a single digit. And you can sit at a library computer and run thru those and have the system tell you when you hit a correct one.

As with several other security issues I have uncovered at the library, the staff is completely uninterested in helping me find someone that would actually care who I could report this to.

Our library system requires a PIN number to self-checkout or log on to use a computer. Of course, our self-serve hold slips only show the last four digits of a library card number which has 8 significant digits for most people.

As to who you should report the security holes in your system's ... system to, start at the Director's Office.

DesertDog

10-03-2008, 10:03 PM

http://insiderguidetocreditrepair.com/blog/2007/11/how-to-decode-your-credit-card-number/

Here's what your CC numbers mean. You can't figure out the rest of the digits from the last 4.

Nifty site, but there is one inaccuracy -- or rather, an update needed. Visa no longer has 13 digit account numbers; all are 16. About eighteen months ago all of our terminals' software was updated to accept only 16 digit Visa card numbers. This was not considered vital enough to call out and make sure everyone got updated, but if someone calls in, and we notice that they have the old version in their terminal, we are to encourage them to update. Master Card and Discover are 16 digits, AmEx is 15.

The check digit uses the Luhn algorithm. Here (http://en.wikipedia.org/wiki/Luhn_algorithm) is Wiki on the subject. It's quick and easy to calculate, and will catch any single-digit error, and all two-digit transpositions but 09/90.

I once heard someone say that with the "authorization number" on the credit card slip and the last 4 digits of your card, you could "look up" the transaction or credit card number.

Does anyone know if this is true?

I don't see how. The authorization number is six digits (sometimes a letter or two will get into the mix). With the hundreds of millions of transactions every day, those authorization numbers are going to be repeated many times a day at the same bank, never mind at more than one bank. As people have pointed out, if it was a worry, the authorization number would not be printed on the same receipt as the truncated credit card number. That would be as dumb as writing your PIN on the back of your debit card.
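The error-detection claims in the post above, and the thread's point that the check digit only thins the candidates tenfold, can be checked directly. This is an added example, not part of any poster's message; it uses a widely published test number and constructed digit strings, and the function names are illustrative.

```python
from itertools import product

DIGITS = "0123456789"
TEST_PAN = "4111111111111111"  # widely published test number, not a live card


def luhn_sum(number: str) -> int:
    """Luhn sum: every second digit from the right is doubled (minus 9 if > 9)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_sum(number) % 10 == 0


def check_digit(body: str) -> str:
    """Digit to append to `body` so that the whole number passes."""
    return str((10 - luhn_sum(body + "0") % 10) % 10)


def single_digit_errors_missed(number: str) -> list:
    """Every one-digit substitution that still passes (expected: none)."""
    return [(pos, r) for pos, ch in enumerate(number) for r in DIGITS
            if r != ch and luhn_valid(number[:pos] + r + number[pos + 1:])]


def transpositions_missed() -> set:
    """Adjacent pairs 'ab' whose swap to 'ba' still passes the check."""
    missed = set()
    for a, b in product(DIGITS, repeat=2):
        if a == b:
            continue
        body = "400000" + a + b + "0000000"      # constructed 15-digit body
        good = body + check_digit(body)
        swapped = good[:6] + b + a + good[8:]
        if luhn_valid(swapped):
            missed.add(a + b)
    return missed


def count_passing(template: str) -> int:
    """How many fillings of the '?' positions in `template` pass the check."""
    holes = template.count("?")
    passing = 0
    for fill in product(DIGITS, repeat=holes):
        it = iter(fill)
        passing += luhn_valid("".join(next(it) if c == "?" else c for c in template))
    return passing


if __name__ == "__main__":
    print(luhn_valid(TEST_PAN), single_digit_errors_missed(TEST_PAN))
    print(sorted(transpositions_missed()))
    print(count_passing("4111111???111111"), "of 1000 fillings pass")
```

With k unknown positions, exactly 10^(k-1) fillings pass, so the check is an error detector and not a secret: it never does better than a factor of ten, wherever the unknown digits sit.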

amarone

10-03-2008, 10:26 PM

You might be able to use some social engineering to get the full number if you have an authorization code, but it would take some work.

Nope - the authorization number has no relationship to the credit card number.

slaphead

10-06-2008, 08:46 AM

p.s., to slaphead: All visa cards do not start with 45 or 49. Mine starts with 44.

Doh! That'll teach me to oversimplify - they've obviously expanded usage over the last few years, and I had a brain-fart about the debit ranges. At any rate, if you know the acquirer brand and the issuing institution you can have a good go at figuring out the prefix of the cardnumber, and the more digits you can pin down, the easier it is to guess the whole cardnumber.

But at the end of the day, the risk of someone going to all this trouble is essentially irrelevant - phishing, skimming, videoing ATMs/POS terminals, dumpster diving and hacking are generally the way people get cardnumbers. Why spend hours cracking one card number when you can get thousands for less effort, and often the PINs/addresses to boot?

Derleth

10-06-2008, 11:30 AM

Anyone who worries about the last four digits is high-hanging fruit that doesn't know how much really low-hanging fruit there is in the world.

slaphead

10-06-2008, 04:18 PM

Anyone who worries about the last four digits is high-hanging fruit that doesn't know how much really low-hanging fruit there is in the world.

So the OP's friend is a high-altitude fruit? :D

ming the merciless

10-06-2008, 04:54 PM

I cannot throw much light on the OP, but as a recent victim of credit card fraud I would like to add a couple of things.

I'm one of those people who uses their card infrequently and always pays the balance at the end of the month, so I tend not to keep a close eye on what's happening with the card.

To cut a long story short, I was defrauded for quite a bit of cash; panic ensued and it all got sorted, but here's the thing: the fraudsters had been in touch with my bank pretending to be me and changed my address to another city.

When I asked the fraud investigator how they had managed this, as surely they would have to answer some security questions, this is what he said: if your card has had its details stolen then they know your name and address; from that they can look at the electoral register and find out your age etc. The most common security question is... what is your mother's maiden name. Given that they have your name, address and age, it's then quite easy to pay a small fee to get a replacement birth certificate, and then they have your mother's maiden name.

The advice I was given was to have the security question as "what is your mother's maiden name" but then to use something completely different, a favourite pet's name or so; that way they will never be able to alter your details to commit fraud.

fritzzz25

10-06-2008, 11:35 PM

As a law enforcement member, and a person trained in credit card fraud detection, there are a number of ways people can get your numbers. The biggest way is dumpster divers retrieving discarded receipts. Make sure that when you sign your receipt, you totally scratch out the credit card number on it. Don't worry, the merchant already has it in their electronic log, and they have been paid. Destroy any part of the number, expiry date, and your name. This is one of the easiest ways to prevent being a victim of fraud.

See below for more info.

http://en.wikipedia.org/wiki/List_of_Bank_Identification_Numbers

The above shows the first digits of the credit card numbers, and what bank they belong to. There are credit card number generators, as well as CVV generators available (do a search). It basically would come down to nailing the expiry date then.

It isn't very hard.

Now you know why the interest rates are so high, so that they can "make up" for the losses they write off to fraud.

amarone

10-07-2008, 07:24 AM

Make sure that when you sign your receipt, that you totally scratch out the credit card number on it.

Which shouldn't be on there in the first place or it is a violation of the PCI Data Security Standard. (https://pcisecuritystandards.org/)
