Can You Check This for Me?

Recently, during her vacation to visit me, my sister forgot her cell phone and had to use her credit card in a pay phone to call me. Later that day, she tried to use the same credit card to check into her hotel and it was declined. After calling the credit card company, the man on the phone informed her that criminals often test stolen credit cards in pay phones to verify if it is still valid. Credit card companies know this and instantly put a hold on the card when this occurs.

Of course, this doesn't bode well for the criminal. They have checked if the card works and by doing so, it has been flagged and possibly deactivated. What is a criminal to do? What other methods can they use to verify the validity of the card but yet, still be able to buy that limited edition R2D2 DVD projector after the process? In a previous blog, it was observed that some criminals use the stolen credit card to donate a small amount to a major charity. If the transaction was successful, then they know the card is valid.

In the underground economy servers that Symantec monitors, I noticed that criminals are now offering "background check" services for credit cards. Not only are criminals concerned about the validity of the cards they purchase (the often use "fresh" in their ads to indicate that they are still valid), but they are also concerned about the validity of the numbers they are given and that all parts, such as the expiry date and CVV2 number, match up. (The "card verification value" is a three-digit number on the back of credit cards used for not-in-person transactions.) For example, one vendor offered checking services for expiration dates, CVV2 numbers, and dumps (information stored on the magnetic strip). For $10, the vendor will check 1000 CVV2 numbers against the corresponding credit card numbers. Quelle bargain!

Now, verifying a credit card number is pretty simple, since the major credit card companies use the Luhn algorithm for error checking. The Luhn algorithm can detect single-digit errors and transpositions in the card number, and is only used to validate credit card numbers. What about CVV2 and expiration dates?

If you don’t want to pay (or if you don't trust) someone else to check your numbers, you can buy a CVV2 checker online for 50€ ($78 USD). Not only will you be able to check an unlimited number of cards, you get the bonus of being able to generate your own CVV2 numbers. There are also expiration date validation scripts available for download, too. The one I found was free as long as you didn't change any of the comments in the source file. This type of criminal activity just underlines the importance that companies should be moving towards stronger multi-factor authentication and not just relying on "secret" numbers on a plastic card.

Message Edited by SR Blog Moderator on 06-23-2008 12:38 PM