Here’s How The Last 4 Digits Of Your Credit Card Can Be Used To Commit Fraud

Posted in Commentary on June 8, 2020 by itnerd

Following up on this story from last week where Bank Of Montreal or BMO was sending marketing material to customers using the last 4 digits of their credit card, I got a few people who emailed me asking what a miscreant can do with four digits of a credit card number.

Actually, quite a bit. The fact is that credit card numbers aren’t just random blocks of 16 digits. There are some mathematical relationships that hold between them. So if a miscreant knows the last four digits and those relationships, that narrows the attack surface considerably. Let me give you an example. If you know the last four digits up front, here’s what a miscreant can do:

  • All Visa cards start with 4 and all MasterCards start with 5, that’s one digit right there.
  • If you know the bank or the card issuer, that’s a few more digits.
  • The type of card, gold or whatever, can give you a couple more digits.

That leaves a miscreant with a handful of digits to figure out. Now, I will admit that this is still not a trivial exercise. But from my research on the dark web, this approach is successful way more often than you think. Which to be frank is quite scary. Sure, they still have to figure out the expiry date and the CVV number on the back of the card. But it is doable.
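The "mathematical relationship" the post alludes to is the Luhn (mod 10) check digit that every standard card number carries (ISO/IEC 7812). The following is an added example, not code from the post or from BMO: a Luhn validator plus a function that quantifies, from a defender's point of view, how many numbers remain consistent with a given amount of exposed data. The 4111 1111 1111 1111 value is the well-known Visa test number, not a real account; the 6-digit issuer prefix length is the conventional BIN length and is an assumption for the arithmetic.

```python
"""Luhn check and candidate-space estimate for partially exposed card numbers.

Added example (not from the original post). Shows why a few exposed digits
are sensitive: the Luhn check digit removes a factor of 10 from whatever
search space is left, so every leaked or inferable digit matters.
"""


def luhn_valid(pan: str) -> bool:
    """Return True if `pan` (digits only) passes the Luhn mod-10 check."""
    if not pan or not pan.isdigit():
        return False
    total = 0
    # Walk from the rightmost digit; double every second digit and
    # subtract 9 when the doubled value has two digits.
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the single digit that makes `partial` + digit Luhn-valid.

    Exactly one digit works: each position's contribution to the sum is a
    permutation of 0..9, so the check digit is determined by the rest.
    """
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise ValueError("partial must be a non-empty digit string")


def candidate_space(known_prefix_len: int, known_suffix_len: int,
                    pan_len: int = 16) -> int:
    """Number of Luhn-valid PANs consistent with the known digits.

    Computed analytically (no enumeration): of the unknown positions, the
    Luhn rule fixes one, so 10 ** (unknown - 1) combinations remain.
    """
    unknown = pan_len - known_prefix_len - known_suffix_len
    if unknown < 0:
        raise ValueError("known digits exceed PAN length")
    if unknown == 0:
        return 1  # everything known; the number is either valid or not
    return 10 ** (unknown - 1)


def exposure_report(last_four_known: bool = True) -> dict:
    """Summarise how the candidate space shrinks as more digits are inferable.

    Assumption: a 6-digit issuer prefix (BIN) is public knowledge once the
    issuer is known; the last-four exposure is what the post discusses.
    """
    suffix = 4 if last_four_known else 0
    return {
        "network digit only (1 known)": candidate_space(1, suffix),
        "issuer BIN known (6 known)": candidate_space(6, suffix),
        "BIN plus product range (8 known)": candidate_space(8, suffix),
    }


if __name__ == "__main__":
    test_pan = "4111111111111111"  # published test number, not an account
    print(test_pan, "Luhn valid:", luhn_valid(test_pan))
    for label, n in exposure_report().items():
        print(f"{label}: {n:,} candidates remain")
```

Running it shows the point the post makes numerically: with only the network digit and the last four known, ten billion Luhn-valid numbers remain; once the issuer's six-digit prefix is known, that falls to one hundred thousand, which is why displaying the last four alongside other identifying details is more revealing than it looks.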

The fact is that a small amount of personal information can be used to perpetrate some sort of fraud, because it lets an attacker link together information that was acquired separately. If there’s a large breach of social security numbers (for example, the Equifax hack) and another of credit card numbers (like some online store hack), you could link those together to perpetrate some sort of fraud. Which is why I put out the story on BMO’s use of the last 4 digits of customers’ credit cards in their marketing. It’s an attack vector. One that, while not easy to take advantage of, is exploitable. Thus you need to make sure that you’re on the right side of this so that you don’t become the next victim.

On a related note, I have yet to hear back from BMO on my questions related to this topic. That’s a shame and I think it says something about how BMO views this situation.