
How Thieves Can Use Valid Card Numbers without Detection

Editor’s Note: This article was originally published by Web Marketing Today. Practical Ecommerce acquired Web Marketing Today in 2012. In 2016, we merged the two sites, leaving Practical Ecommerce as the successor.

It’s amazing that our credit card authorization system works as well as it does. Unfortunately, it’s full of holes that sophisticated cyber thieves can exploit, and there is little protection for the merchant when that happens. Understanding the “dark and devious” criminal mind and methodology is vital to keep you from losing money.

How the Credit Card Authorization System Works

When your customer enters her credit card number to make a purchase from you, this is what happens:

Transaction Transmission. The card number, expiration date, and perhaps ZIP code and street address fields are transmitted securely to the credit card processor your bank has contracted with. First Data Corp. handles about 70% of the credit card transactions in the US.

Checks Stolen List. When credit cards are reported stolen, their numbers are added to a list of stolen credit cards. If one of these is used, the system will reject it, and retail merchants are asked to attempt to retain the card, if possible. But if a card has not been reported stolen, it will not be on this list.

Checks Overdrawn List. The credit card processor does not check the actual credit card holder’s account. It only checks a list of accounts reported overdrawn, where the cardholder has charged more than the maximum credit limit available for that card. If the card doesn’t appear on this list, then additional charges can be made.

Reserving Credit. The credit card process has two steps: authorization and sale (which leads to funds settlement). At the first step, authorization, a notice of a charge for a certain amount is sent to the bank that issued the credit card, and that credit amount is held in reserve for several days or until the item is shipped.

Authorization Transmission. Once the above steps are initiated, if there are no problems with the card, the merchant receives an authorization number, and the transaction is allowed to be made on the website or at the cash register.

Sale and Settlement. When the shopper takes her package with her after purchasing it from a physical store, or items have been shipped following a cyber order, the transaction is marked as “sold.” Overnight, all merchandise that has been “sold” (shipped, information received online, etc.) is then “settled,” that is, the processor records the purchase and funds are transferred out of the cardholder’s bank into the merchant’s bank. (I’m oversimplifying a bit here.) If the product is out of stock or unavailable, the transaction is not settled, and eventually the cardholder’s credit amount that has been set aside is freed for other purchases.

I’ve explained the steps so you can see (1) that the check for stolen cards only covers those reported, and (2) that if you detect the fraud immediately you can prevent the transaction from being settled.

Generating Credit Card Numbers

Of course, stolen wallets yield credit cards, but these are usually reported stolen pretty quickly. Unscrupulous waiters, gas station attendants, etc. can steal credit card numbers from cards that are briefly in their possession, and then sell those numbers. These are not so easily reported stolen, since the cardholder isn’t aware of the fraud until weeks after the theft.

But I was not aware until recently that if a crook knows a single valid credit card number, he can generate from that a whole string of equally valid numbers of cards issued by the same bank.

So long as the hacker gets the first six numbers that identify an existing card-issuing bank correct, and finds a valid card, he can manipulate the last five or six digits of the number: the last four to compute correctly with the mod-10 algorithm, and the previous one or two to create a string of valid numbers. This is complex, but not at all difficult.

Merchants can detect bad credit card numbers, but getting an authorization number from the processor is no assurance that the number has not been generated by a hacker. Only more sophisticated fraud detection systems are likely to catch these numbers. Many banks that issue credit cards don’t provide for AVS (Address Verification Service) checking that tells the merchant whether the billing address on the transaction has the same numbers as the credit card billing address in the address and ZIP fields. Thus for many cards AVS checks yield no errors.

Why am I ruining your day telling you this? Because once merchants are aware of how easily hackers can produce real, valid credit card numbers that don’t turn up stolen, they get more serious about taking further steps to detect fraud.
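One such further step, shown as an added example that is not part of the original article: flag any client that submits many different cards from the same issuing bank (same first six digits) within a few minutes, regardless of whether each one was authorized. The function name, thresholds and log records below are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authorization attempts: (time, client IP, first six, last four).
# Only the truncated card number is logged; the prefix "400000" is a made-up value.
ATTEMPTS = [
    ("2024-01-01T10:00:00", "203.0.113.7", "400000", "1018"),
    ("2024-01-01T10:00:40", "203.0.113.7", "400000", "2250"),
    ("2024-01-01T10:01:15", "203.0.113.7", "400000", "3377"),
    ("2024-01-01T10:02:05", "203.0.113.7", "400000", "4901"),
    ("2024-01-01T10:03:30", "203.0.113.7", "400000", "5563"),
    # One shopper retrying the same card: a single distinct card.
    ("2024-01-01T10:05:00", "198.51.100.20", "400000", "4242"),
    ("2024-01-01T10:06:10", "198.51.100.20", "400000", "4242"),
    # Several cards from one address, but spread across the day.
    ("2024-01-01T08:00:00", "192.0.2.55", "400000", "7001"),
    ("2024-01-01T09:00:00", "192.0.2.55", "400000", "7002"),
    ("2024-01-01T11:00:00", "192.0.2.55", "400000", "7003"),
    ("2024-01-01T12:00:00", "192.0.2.55", "400000", "7004"),
]


def flag_bin_runs(attempts, window=timedelta(minutes=10), max_cards=3):
    """Return {(ip, first_six): peak distinct cards} for every client that
    tried more than max_cards different cards of one issuer inside window."""
    by_key = defaultdict(list)
    for ts, ip, first_six, last_four in attempts:
        by_key[(ip, first_six)].append((datetime.fromisoformat(ts), last_four))

    flagged = {}
    for key, events in by_key.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            # First six + last four approximates card identity in truncated logs.
            cards = {last_four for _, last_four in events[start:end + 1]}
            if len(cards) > max_cards:
                flagged[key] = max(flagged.get(key, 0), len(cards))
    return flagged


if __name__ == "__main__":
    for (ip, first_six), count in flag_bin_runs(ATTEMPTS).items():
        print(f"review: {ip} tried {count} cards with prefix {first_six}")
```

Orders from a flagged client can be held for review before they are marked as sold, so they are never settled.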



Dr. Ralph F. Wilson
