I want to confirm that this understanding is correct:

A card has 16 digits plus a CV2

The first 6 digits are an issuer identification number

The last digit of the 16 is a Luhn mod 10 check digit.

This leaves 9 digits in the middle. Are these 9 digits random, as in, unguessable?

The last 3 digits, the CV2, are these random also?

Cris

2 Answers

The first six digits are the Bank Identification Number (BIN). The last four digits are commonly found on receipts, and are not required by US law to be kept secret. Assuming you know (or guess) the bank, and have the receipt with the last four digits, you know 10 of the 16 digits. The Luhn algorithm can be used to reconstruct any missing digit, not just the last digit. That means only 5 unknown digits remain.

Given all of the above information, if you are spinning through a hash algorithm trying to test "found" hashes, you would need to execute only 100,000 tests to brute force a card number. That doesn't even take a graphics card accelerator to accomplish in a second or less.

The CVV2 number printed on the reverse side of the card is derived from data not present on the card, and cannot be guessed or determined solely from the information on the card or the mag stripe.

John Deters
  • Excellent, thank you. Would you say that 5 of the card digits plus the 3 CV2 digits could be used to construct an encryption key (if one desires only 100 million entropy)? Would they have sufficient entropy, or are they further structured? – Cris Mar 06 '14 at 22:46
  • Certain banks structure more digits than just the BIN. Some banks use digits 7-9 to designate health account information. Many banks issue cards in batches of sequential numbers, so if you know card #1 and #2, you can guess card #3 pretty easily. (And technically US law exempts the last 5 digits, not the last 4, but most retailers display only 4.) Would I trust what's left to create an un-bruteforceable key? Probably not. – John Deters Mar 06 '14 at 23:16
  • Just an anecdote: in South Korea you will see the first 8 digits on many receipts, and on some the first 8 and last 4. That only leaves 3 digits to brute force (1 can be calculated with Luhn). – domen Mar 07 '14 at 10:23
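The search described in the answer above, worked through as an added example (not code from the original post or either answer): the pattern carries the known BIN and last four, every unknown digit but one is enumerated, and the Luhn check fixes the remaining one, so six unknown digits cost 10^5 candidates. It generalises the answer's remark slightly by solving for a single missing digit at any position, not only the last. Assumptions: the PAN 4111111111111111 (the well-known Visa test number) as constructed input, and unsalted SHA-256 standing in for whatever hash the numbers were stored under.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// LuhnValid reports whether a digit string passes the Luhn mod-10 check.
func LuhnValid(pan string) bool {
	sum := 0
	double := false
	for i := len(pan) - 1; i >= 0; i-- {
		d := int(pan[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// Candidates returns every PAN matching pattern, where '?' marks an unknown
// digit. All unknowns but the last are enumerated; the last is fixed by the
// Luhn check, so k unknowns cost 10^(k-1) candidates whatever their positions.
func Candidates(pattern string) []string {
	var unknown []int
	for i := 0; i < len(pattern); i++ {
		if pattern[i] == '?' {
			unknown = append(unknown, i)
		}
	}
	if len(unknown) == 0 {
		if LuhnValid(pattern) {
			return []string{pattern}
		}
		return nil
	}
	free, solved := unknown[:len(unknown)-1], unknown[len(unknown)-1]
	total := 1
	for range free {
		total *= 10
	}
	buf := []byte(pattern)
	out := make([]string, 0, total)
	for n := 0; n < total; n++ {
		v := n
		for _, pos := range free {
			buf[pos] = byte('0' + v%10)
			v /= 10
		}
		// Exactly one digit at the solved position satisfies the check:
		// the per-position Luhn contribution is a bijection on 0..9.
		for d := byte('0'); d <= '9'; d++ {
			buf[solved] = d
			if LuhnValid(string(buf)) {
				out = append(out, string(buf))
				break
			}
		}
	}
	return out
}

// Sha256Hex stands in for the unsalted hash the card numbers were stored under (assumption).
func Sha256Hex(s string) string {
	sum := sha256.Sum256([]byte(s))
	return hex.EncodeToString(sum[:])
}

// RecoverPAN brute-forces the pattern against a leaked hash and returns the
// matching PAN ("" if none) and the number of hashes computed.
func RecoverPAN(pattern, targetHex string) (string, int) {
	tried := 0
	for _, c := range Candidates(pattern) {
		tried++
		if Sha256Hex(c) == targetHex {
			return c, tried
		}
	}
	return "", tried
}

func main() {
	// Constructed scenario: the Visa test number, hashed unsalted.
	const pan = "4111111111111111"
	leaked := Sha256Hex(pan)
	// Known: the BIN (first 6) and the last four from a receipt; six '?' remain.
	pattern := "411111??????1111"
	fmt.Printf("candidates for %s: %d\n", pattern, len(Candidates(pattern)))
	got, tried := RecoverPAN(pattern, leaked)
	fmt.Printf("recovered %s after %d hashes\n", got, tried)
	// Luhn fixes a single missing digit anywhere, not only the last one.
	fmt.Println(Candidates("4111?11111111111"))
}
```

The 100,000 candidates hash in well under a second on one core; a salted, slow hash would not change the candidate count, only the cost per candidate, which is why tokenisation or encryption under a key the attacker lacks is what actually protects stored PANs.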
Yes, the first 6 are an issuer ID

Those middle 9 digits are unguessable in the sense that should you try to brute force them with a payment processor they'll catch you.

If somehow you had a hash of the complete CCN (or an encrypted version and the public key) you should only need a maximum of 10^8 (100,000,000) attempts to figure it out, as Luhn's decreases the complexity by one order of magnitude.

To calculate a 3-digit CVV, the CVV algorithm requires a Primary Account Number (PAN), a 4-digit Expiration Date, a 3-digit Service Code, and a pair of DES keys (CVKs). source

David Murdoch
  • Thank you. Are you sure about Luhn? I thought it added a single check digit, the 10th digit, and imposed no restraint on the previous 9? In any case brute force usually takes key space/2 on average, right? – Cris Mar 06 '14 at 22:33
  • So would we agree the entropy of a CC number is roughly 27bits: 2^27 ~ 134,217,728 ~ 100,000,000 – AaronLS Nov 07 '19 at 16:00
  • This answer is missing something very important: the number of issued cards. What I want to know is: what is the probability that if I type in a random number into those 9 digits it will be somebody, anybody's valid credit card number? – Ring Mar 17 '22 at 15:28
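The CVV derivation that the second answer describes, as an added example (not code from the answer or its linked source): it implements the widely documented Visa CVV method, in which the PAN, YYMM expiry and 3-digit service code are zero-padded to 128 bits, the first half is DES-encrypted under CVK-A, XORed with the second half, passed through 3DES under (CVK-A, CVK-B, CVK-A) and decimalised, the first three digits being the CVV. The two CVKs here are made-up test values; real ones never leave the issuer's HSM, which is the point of the answer: nothing printed on the card or encoded on the stripe lets you compute the value.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
	"strings"
)

// Made-up CVKs for demonstration only (assumption); real CVKs live in the issuer's HSM.
var (
	CVKA = mustHex("0123456789ABCDEF")
	CVKB = mustHex("FEDCBA9876543210")
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// Decimalize maps a 16-character upper-case hex string to decimal digits the
// way the CVV derivation does: decimal digits first, in order, then A-F as 0-5.
func Decimalize(hexUpper string) string {
	var sb strings.Builder
	for _, c := range hexUpper {
		if c >= '0' && c <= '9' {
			sb.WriteRune(c)
		}
	}
	for _, c := range hexUpper {
		if c >= 'A' && c <= 'F' {
			sb.WriteByte('0' + byte(c-'A'))
		}
	}
	return sb.String()
}

// CVV derives the 3-digit value from PAN, expiry (YYMM), service code and the
// CVK pair: DES(A) over the first 64-bit block, XOR with the second block,
// 3DES (A,B,A) over the result, then decimalise and keep the first three digits.
func CVV(cvkA, cvkB []byte, pan, expiryYYMM, serviceCode string) (string, error) {
	if len(cvkA) != 8 || len(cvkB) != 8 {
		return "", fmt.Errorf("CVKs must be 8-byte single-DES keys")
	}
	if len(expiryYYMM) != 4 || len(serviceCode) != 3 {
		return "", fmt.Errorf("expiry must be YYMM and service code 3 digits")
	}
	data := pan + expiryYYMM + serviceCode
	if len(data) > 32 {
		return "", fmt.Errorf("PAN too long")
	}
	for _, c := range data {
		if c < '0' || c > '9' {
			return "", fmt.Errorf("non-digit in input")
		}
	}
	data += strings.Repeat("0", 32-len(data)) // zero-pad to 128 bits
	blockA, _ := hex.DecodeString(data[:16])
	blockB, _ := hex.DecodeString(data[16:])

	single, err := des.NewCipher(cvkA)
	if err != nil {
		return "", err
	}
	tdesKey := append(append(append([]byte{}, cvkA...), cvkB...), cvkA...)
	triple, err := des.NewTripleDESCipher(tdesKey) // EDE: E(A), D(B), E(A)
	if err != nil {
		return "", err
	}
	tmp := make([]byte, 8)
	single.Encrypt(tmp, blockA)
	for i := range tmp {
		tmp[i] ^= blockB[i]
	}
	out := make([]byte, 8)
	triple.Encrypt(out, tmp)
	return Decimalize(strings.ToUpper(hex.EncodeToString(out)))[:3], nil
}

func main() {
	const pan, expiry, svc = "4111111111111111", "2512", "101"
	v, err := CVV(CVKA, CVKB, pan, expiry, svc)
	fmt.Println("CVV under issuer keys:", v, err)
	// Swapping the keys yields an unrelated value: the card carries nothing that tells you which.
	w, _ := CVV(CVKB, CVKA, pan, expiry, svc)
	fmt.Println("CVV under wrong keys: ", w)
}
```

Because the value is a keyed function of PAN, expiry and service code, an attacker holding every field printed on the card is left with a 1-in-1000 guess per attempt, which is why issuers rate-limit and decline after a few CVV failures rather than relying on the three digits alone.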