Thanks for visiting FatWallet.com. Join for free to remove this ad.

rated:
I suspect that it's not guessing so much, but connecting the dots through data in emails.

For example, one online receipt shows the last 4 digits, another set of emails shows you have a checking account with X bank, and other emails show that a new card is being issued.

From that data, you know the first 6 and the last 4 digits, also, the last digit is a checksum, so that limits the middle 6 digits to certain combinations that would be required to validate the checksum. If you had some valid card numbers, you might even be able to limit some of those middle 6 since you know they haven't gotten that high yet.

From there, you can probably get to within a few months for the expiration date from emails about new cards being issued, and get the exact expiration year knowing the bank's practices for issuing new cards.

From there, now you're on to the CVV -- which in a perfect world is a random 1:1000 shot, but I have the feeling that it's not so random.

Also, you can probably beat AVS verification by simply having your billing address in one email.

rated:
This is what I don't understand

Hacker generates credit card number but doesn't know the real cardholder's name and address

How do the online shopping websites allow a transaction when the name, address, card number and expiration date do not match?

rated:
fleetwoodmac said:   This is what I don't understand

Hacker generates credit card number but doesn't know the real cardholder's name and address

How do the online shopping websites allow a transaction when the name, address, card number and expiration date do not match?

  Depending on the merchant, an incorrect CVV does not necessarily result in a failed transaction. It is flagged as incorrect in the backend, but if the merchant has allowed incorrect CVVs the transaction will still process. I believe the same could also happen with AVS matching.

Source: Purchased item from Best Buy a while back, entered incorrect CVV, transaction went through anyway.

rated:
Incorrect CCV results in a higher interest rate as well as an easier path for Chargeback.
It puts an extra burden on the merchant when you accept an invalid CCV.

rated:
stanolshefski said:   
From there, now you're on to the CVV -- which in a perfect world is a random 1:1000 shot, but I have the feeling that it's not so random.

 

  this is true, I bought two prepaid visas in the same batch and they had same CVV

rated:
AVS sometimes costs extra so some merchants don't use it.

rated:
What seems odd to me is the rather flippant position from VISA about it. Aren't they on the hook for fraudulent charges or is it actually the merchants taking the loss in case of fraudulent transactions that went through via the method? I can imagine that if this type of fraud was more common, they'd be interested in plugging that vulnerability to match the performance of Mastercard network in detecting the guessing attempts quickly. After all, customers and merchants may turn to mastercard network cards if they know they're less at risk, in which case VISA is likely to lose market shares.

rated:
The merchant has a choice, accept it, or not. Some force it. Others need to do 'recurring charges' and those are not allowed to store CCV, hence a CCV less charge.

rated:
Merchant typically gets the short end of the stick and the chargeback and to top it off there are typically fees to the merchant for the chargeback as well.
 

rated:
forbin4040 said:   The merchant has a choice, accept it, or not. Some force it. Others need to do 'recurring charges' and those are not allowed to store CCV, hence a CCV less charge.
Since you seem to be mistyping it on purpose, the possible correct values are: CVV, CVC, CVD, CID, and CSC.

rated:
rufflesinc said:   
stanolshefski said:   
From there, now you're on to the CVV -- which in a perfect world is a random 1:1000 shot, but I have the feeling that it's not so random.

 

  this is true, I bought two prepaid visas in the same batch and they had same CVV

  
If they are truly random, that will happen on occasion.

rated:
scripta said:   
forbin4040 said:   The merchant has a choice, accept it, or not. Some force it. Others need to do 'recurring charges' and those are not allowed to store CCV, hence a CCV less charge.
Since you seem to be mistyping it on purpose, the possible correct values are: CVV, CVC, CVD, CID, and CSC.

  CCV is also an acceptable form.  
https://accounts.comodo.com/help/cvv_code

I learned the term a long time ago.

rated:
I wonder if this could possibly explain a situation I was in a few weeks ago. Checked emails early on a Friday morning and had several BofA alerts for CC use. None were mine but added up to $700ish. Called BofA they cancelled card and issued new one. Saturday morning I checked emails, you can guess it, had several declined charge attempts on NEW number (also few hundred $$ worth). A number I did not yet know because it was being sent overnight via UPS. I did know last 4 digits as my online account info showed this. I called back, cancelled, issued new card, etc. That seemed to stop the charges. Now I use the temp numbers I generate from my account online to use for each online purchase. I was all happy thinking I had figured out a way around the issue........foolish me I guess.

PS - I did have one random $1 test charge for Lyft.com but it was declined fortunately.

rated:
taxmantoo said:   
rufflesinc said:    this is true, I bought two prepaid visas in the same batch and they had same CVV
 

  
If they are truly random, that will happen on occasion.
 

A certain well-known prepaid company uses CVVs which are not random by any stretch of the imagination.  Or at least that's how it was with them ~8 years ago.  Just for kicks, "a friend of mine" did some poking around logging into the prepaid's www site with random (usually depleted) card numbers to test the hypothesis.  It worked, and we were absolutely shocked.  Interestingly, the #1 type of charge that showed up in the account history was poker rooms and other gaming sites.

rated:
From reading the article, it sounds like they're basically brute forcing the numbers but distributing the brute force across multiple websites that use Visa.

So if I try to buy something w/your name and a generated card # on Amazon.com, I get to try it say 10 times, then I use HomeDepot.com and try it 10 times, then WalMart.com 10 times, etc.

I would guess that Visa's clearing house or something has an API that lets you pass the transaction source and that's how they did it? Not sure.
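
The post above describes guesses spread across sites so that each site sees only a few failures. This is an added example, not from the thread or the article it discusses, of the card-level velocity check that catches this from the issuer or network side. The thresholds, field names and sample records are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed look-back window
PER_MERCHANT_LIMIT = 10       # the "10 tries per site" figure from the post
NETWORK_LIMIT = 15            # assumed cross-merchant failure threshold
MIN_MERCHANTS = 3             # assumed: failures spread over this many sites

def make_attempts():
    """Constructed sample rows: (time, card_token, merchant, failed_cvv_or_expiry)."""
    t0 = datetime(2016, 12, 5, 9, 0)
    rows = []
    # tok_A: 8 failed checks at each of 3 merchants, each under the per-site limit
    for m_i, merchant in enumerate(["shop-one.example", "shop-two.example",
                                    "shop-three.example"]):
        for i in range(8):
            rows.append((t0 + timedelta(minutes=m_i * 10 + i), "tok_A", merchant, True))
    # tok_B: a cardholder mistypes the CVV twice at one merchant, then succeeds
    rows.append((t0, "tok_B", "shop-one.example", True))
    rows.append((t0 + timedelta(minutes=1), "tok_B", "shop-one.example", True))
    rows.append((t0 + timedelta(minutes=2), "tok_B", "shop-one.example", False))
    return rows

def per_merchant_alerts(attempts):
    """What each merchant sees alone: failures per (card, merchant) pair."""
    counts = defaultdict(int)
    for _, card, merchant, failed in attempts:
        if failed:
            counts[(card, merchant)] += 1
    return {key for key, n in counts.items() if n > PER_MERCHANT_LIMIT}

def network_alerts(attempts):
    """Issuer/network view: failures per card across all merchants, sliding window."""
    by_card = defaultdict(list)
    for ts, card, merchant, failed in sorted(attempts):
        if failed:
            by_card[card].append((ts, merchant))
    flagged = set()
    for card, events in by_card.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1  # drop failures older than the window
            window = events[start:end + 1]
            if (len(window) >= NETWORK_LIMIT
                    and len({m for _, m in window}) >= MIN_MERCHANTS):
                flagged.add(card)
                break
    return flagged
```

No single merchant's counter trips on the sample data, while the aggregated view flags only the card whose failures are spread across sites.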

rated:
All 4 major card fraud departments actually fire off when you try something like this especially online.

rated:
forbin4040 said:   scripta said:   forbin4040 said:   The merchant has a choice, accept it, or not. Some force it. Others need to do 'recurring charges' and those are not allowed to store CCV, hence a CCV less charge.
Since you seem to be mistyping it on purpose, the possible correct values are: CVV, CVC, CVD, CID, and CSC.
CCV is also an acceptable form.  
https://accounts.comodo.com/help/cvv_code

I learned the term a long time ago.
The page you linked doesn't mention CCV...

rated:
Scripta, I don't want to be an ass, but did you even VISIT the page?

© 1999-2016