Safety of publishing last 4 credit card digits in age of fast computing?

  • How safe is it to make public the last four digits of a credit card?

    Credit card numbers have a specific format. Digits tell you what type of institution issued the card, what bank issued the card, the account number, etc. The whole 16 digits must conform to the Luhn formula, a simple mod 10 checksum.

    Attackers have lists of valid first four digit numbers (which can be narrowed down using other information often provided with the last 4, e.g. country). Is it feasible for them to brute force matches to these first 4 and last 4 digits using Luhn and fast computers?

    It should be safe if attacker doesn't have the cardholder's name etc, but if it's just so the customer can tell which of their cards they've given you details of, wouldn't 3 digits, or even 2, be enough?

    Actually, the PCI-DSS allows the first 6 and last 4 digits of a credit card number to be stored or displayed, thereby only leaving the middle 6 digits obscured. As you said, it's trivial to brute force "valid" numbers that pass the checksum, but an attacker is unlikely to get to try a credit card transaction millions of times in order to find out which number really belongs to the customer he's attacking, so making his work 10,000 times harder by obscuring the last 4 digits isn't going to make much difference.
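To make the candidate-space argument in the question and comments concrete, here is an added example (not code from the question, its commenters, or any library): a Luhn implementation, a check-digit generator, and two ways of measuring how many Luhn-valid numbers remain once a prefix and suffix are known. The card numbers used are constructed test values, not real accounts.

```python
"""Luhn validation and the size of the search space left once some digits of a
card number are public.  Added example, not from the original question; the
card numbers used are constructed test values, not real accounts."""


def luhn_checksum(number: str) -> int:
    """Luhn mod-10 sum: walking from the right, double every second digit
    (subtracting 9 if the doubled digit exceeds 9) and add everything up."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # position 0 is the check digit; positions 1, 3, 5, ... are doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10


def luhn_valid(number: str) -> bool:
    """A card number passes the Luhn check when its checksum is 0 mod 10."""
    return number.isdigit() and len(number) >= 2 and luhn_checksum(number) == 0


def luhn_complete(partial: str) -> str:
    """Append the check digit that makes `partial` Luhn-valid.  Appending a
    placeholder 0 first puts every existing digit in its final doubled/undoubled
    position, so the missing digit is whatever brings the sum back to 0 mod 10."""
    return partial + str((10 - luhn_checksum(partial + "0")) % 10)


def matching_pans(prefix: str, suffix: str, length: int = 16):
    """Yield every Luhn-valid `length`-digit number with the given first and
    last digits, i.e. the candidates an attacker who knows both would have to test."""
    unknown = length - len(prefix) - len(suffix)
    if unknown < 1:
        raise ValueError("prefix and suffix leave no unknown digits")
    for middle in range(10 ** unknown):
        pan = f"{prefix}{middle:0{unknown}d}{suffix}"
        if luhn_valid(pan):
            yield pan


def count_matching(prefix: str, suffix: str, length: int = 16) -> int:
    """Brute-force count of Luhn-valid candidates (fine for a few unknown digits)."""
    return sum(1 for _ in matching_pans(prefix, suffix, length))


def expected_matching(prefix: str, suffix: str, length: int = 16) -> int:
    """Closed form: for any fixed choice of the other unknown digits, running the
    last unknown digit over 0..9 produces all ten residues mod 10 (doubled or not),
    so exactly one value in ten passes.  Luhn therefore removes one digit of entropy:
    10**(unknown - 1) candidates remain."""
    unknown = length - len(prefix) - len(suffix)
    return 10 ** (unknown - 1)


if __name__ == "__main__":
    print(luhn_valid("4111111111111111"), luhn_valid("4111111111111112"))  # True False
    print(luhn_complete("411111111111111"))  # 4111111111111111
    # Brute force and closed form agree when 4 middle digits are unknown: 1000 each.
    print(count_matching("41111111", "1111"), expected_matching("41111111", "1111"))
    # PCI DSS masking (first 6 and last 4 shown, 6 hidden): 10**5 candidates.
    print(expected_matching("411111", "1111"))
    # First 4 and last 4 known: 10**7 candidates; hiding the last 4 as well
    # multiplies that by 10**4, which is the factor the comment above refers to.
    print(expected_matching("4111", "1111"))
```

The closed form is the useful part: Luhn only ever costs the attacker one decimal digit of work, so the masking decision is about how many digits are hidden, not about the checksum. Every candidate the enumerator produces still has to be confirmed online, which is the point the answer below makes.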

  • Rory McCune, correct answer, 8 years ago

    Creating Luhn valid credit card numbers is not difficult, if you need them they're available here amongst other places.

    The trick for the criminal is tying up the credit card number to the rest of the data to create a fraudulent transaction (CVV, expiry, name, perhaps address).

    Even if I have the customer's name, expiry date and last 4 digits, brute force shouldn't be a problem as it's an online brute-force and if you start iterating through valid numbers with a credit card processor, I'd expect that you'll get blocked very quickly by fraud detection mechanisms.

    For that you need to assume that all merchants have solid fraud detection mechanisms, right?

    Well, I wouldn't say so much the merchants as the acquirers/issuers. For the fraudster to tell if the combination of card/cvv/expiry/name is valid it would need to do a look-up, so at that point I'd *hope* it would hit a system which can detect a series of combinations being tried in short order.

    There are multiple points in the processing chain that it hits, starting with the merchant, then the processor, then the issuer (Visa, Mastercard, etc.) and then finally the bank. SOMEWHERE along the line, at least one of them will have some type of fraud detection.
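The answer and its comments rest on the claim that someone iterating through Luhn-valid numbers against a processor gets spotted quickly. Here is an added example (not code from the answer, its commenters, or any real processor) of what that detection can look like at one hop in the chain: a sliding-window rule over authorization logs that alerts when a single source tries several different card numbers sharing the same BIN, last 4 and expiry. The log format, field names, addresses and hash values are all constructed for this illustration.

```python
"""Detecting card-number enumeration ("card testing") in authorization logs.
Added example, not from the original answer.  The log format, field names,
addresses and hashes are all constructed for this illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format: one authorization attempt per line.  A processor would
# log a token or hash of the full PAN rather than the PAN itself.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) bin=(?P<bin>\d{6}) last4=(?P<last4>\d{4}) "
    r"exp=(?P<exp>\d{2}/\d{2}) pan_hash=(?P<pan_hash>[0-9a-f]+) result=(?P<result>\w+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


class EnumerationDetector:
    """Alert when one source tries more than `max_distinct` different PANs that
    share a BIN, last-4 and expiry inside a sliding `window`.  Counting distinct
    PANs rather than declines keeps a legitimate customer retrying the same card
    from tripping the rule."""

    def __init__(self, window=timedelta(minutes=5), max_distinct=5):
        self.window = window
        self.max_distinct = max_distinct
        self.recent = defaultdict(deque)  # key -> deque of (timestamp, pan_hash)
        self.alerted = set()

    def feed(self, rec):
        key = (rec["src"], rec["bin"], rec["last4"], rec["exp"])
        q = self.recent[key]
        q.append((rec["ts"], rec["pan_hash"]))
        while q and rec["ts"] - q[0][0] > self.window:  # drop attempts outside the window
            q.popleft()
        distinct = {h for _, h in q}
        if len(distinct) > self.max_distinct and key not in self.alerted:
            self.alerted.add(key)  # one alert per key; the caller blocks from here on
            return {"key": key, "distinct_pans": len(distinct), "at": rec["ts"]}
        return None


def scan(lines, **detector_kwargs):
    """Run the detector over an iterable of log lines and return the alerts raised."""
    det = EnumerationDetector(**detector_kwargs)
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        alert = det.feed(rec)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed sample: a real customer retrying one card, then an attacker walking
# through Luhn-valid numbers that share the leaked first 6 / last 4 and expiry.
SAMPLE_LOG = [
    "2021-03-01T10:00:01Z src=198.51.100.20 bin=411111 last4=1111 exp=12/23 pan_hash=aa01 result=DECLINED",
    "2021-03-01T10:00:40Z src=198.51.100.20 bin=411111 last4=1111 exp=12/23 pan_hash=aa01 result=APPROVED",
    "this line is not an authorization record and is skipped",
] + [
    f"2021-03-01T10:05:{i:02d}Z src=203.0.113.7 bin=411111 last4=1111 exp=12/23 pan_hash=e00{i} result=DECLINED"
    for i in range(1, 8)
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

On the sample, the customer's retry of one declined card raises nothing, while the attacker is flagged on the sixth distinct number tried, well inside the 10^5 candidates that first-6/last-4 masking leaves. Keying on the source address is the obvious weakness: an attacker spreading attempts across many addresses would need the same rule keyed on (bin, last4, exp) alone, which is where the acquirer or issuer, seeing traffic from every merchant, has the better vantage point.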

License under CC-BY-SA with attribution

Content dated before 7/24/2021 11:53 AM
