Information Security
hash credit-card
Updated Fri, 12 Aug 2022 11:00:49 GMT

Safety of publishing last 4 credit card digits in age of fast computing?


How safe is it to make public the last four digits of a credit card?

Credit card numbers have a specific format. Digits tell you what type of institution issued the card, what bank issued the card, the account number, etc. The whole 16 digits must conform to the Luhn formula, a simple mod 10 checksum.

Attackers have lists of valid first four digit numbers (which can be narrowed down using other information often provided with last 4; e.g. country). Is it feasible for them to brute force matches to these first 4 and last 4 digits using Luhn and fast computers?




Solution

Creating Luhn-valid credit card numbers is not difficult; if you need them, they're available here amongst other places.

The trick for the criminal is tying up the credit card number to the rest of the data to create a fraudulent transaction (CVV, expiry, name, perhaps address).

Even if I have the customer's name, expiry date and last 4 digits, brute force shouldn't be a problem as it's an online brute-force, and if you start iterating through valid numbers with a credit card processor, I'd expect that you'll get blocked very quickly by fraud detection mechanisms.





Comments (3)

  • +1 – For that you need to assume that all merchants have solid fraud detection mechanisms, right? — Jun 20, 2013 at 15:39  
  • +1 – Well, I wouldn't say so much the merchants as the acquirers/issuers. For the fraudster to tell if the combination of card/cvv/expiry/name is valid it would need to do a look-up, so at that point I'd hope it would hit a system which can detect a series of combinations being tried in short order. — Jun 20, 2013 at 18:26  
  • +0 – There are multiple points in the processing chain that it hits, starting with the merchant, then the processor, then the issuer (Visa, Mastercard etc.) and then finally the bank. SOMEWHERE along the line, at least one of them will have some type of fraud detection. — Jul 25, 2018 at 13:54
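
The kind of check the answer and comments rely on, "a series of combinations being tried in short order", sketched as an added example that is not part of the original thread or any processor's actual system. The log format, the opaque card token, the field names and the window/threshold values are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorization log (not real data). Assumed fields:
# timestamp, merchant, first 4 digits, last 4 digits, opaque card token, result.
SAMPLE_LOG = """\
2013-06-20T15:00:01 m-shop 4000 1234 tok-a1 DECLINE
2013-06-20T15:00:04 m-shop 4000 1234 tok-a2 DECLINE
2013-06-20T15:00:05 m-cafe 4000 1234 tok-b1 DECLINE
2013-06-20T15:00:09 m-shop 4000 1234 tok-a3 DECLINE
2013-06-20T15:00:15 m-cafe 4000 1234 tok-b1 DECLINE
2013-06-20T15:00:21 m-shop 4000 1234 tok-a4 DECLINE
2013-06-20T15:00:30 m-shop 4000 1234 tok-a5 DECLINE
2013-06-20T15:00:31 m-cafe 4000 1234 tok-b1 APPROVE
2013-06-20T15:02:00 m-shop 5100 9876 tok-c1 DECLINE
2013-06-20T15:05:00 m-shop 5100 9876 tok-c2 DECLINE
2013-06-20T15:08:00 m-shop 5100 9876 tok-c3 DECLINE
2013-06-20T15:11:00 m-shop 5100 9876 tok-c4 DECLINE
2013-06-20T15:14:00 m-shop 5100 9876 tok-c5 DECLINE
"""


def detect_enumeration(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {(merchant, first4, last4): peak distinct declined tokens} for keys
    that reach `threshold` distinct declined card tokens inside one `window`."""
    recent = defaultdict(deque)  # key -> (timestamp, token) of recent declines
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, merchant, first4, last4, token, result = line.split()
        if result != "DECLINE":
            continue
        when = datetime.fromisoformat(ts)
        key = (merchant, first4, last4)
        q = recent[key]
        q.append((when, token))
        while when - q[0][0] > window:  # drop declines older than the window
            q.popleft()
        distinct = len({tok for _, tok in q})  # a retried card counts once
        if distinct >= threshold:
            flagged[key] = max(flagged.get(key, 0), distinct)
    return flagged


if __name__ == "__main__":
    for key, count in detect_enumeration(SAMPLE_LOG).items():
        print(key, "distinct declined cards in window:", count)
```

On the sample, only the burst of five different cards sharing the same first and last four digits at one merchant is flagged; the customer retrying one card and the declines spread over twelve minutes are not.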