<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Tim Nash &#34;stuff&#34; Blog &#187; Security</title>
	<atom:link href="http://www.timnash.co.uk/category/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.timnash.co.uk</link>
	<description>The Stuff Consultant</description>
	<lastBuildDate>Wed, 01 Sep 2010 17:17:38 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>What your credit card says about you</title>
		<link>http://www.timnash.co.uk/09/2010/what-your-credit-card-says-about-you/</link>
		<comments>http://www.timnash.co.uk/09/2010/what-your-credit-card-says-about-you/#comments</comments>
		<pubDate>Wed, 01 Sep 2010 17:17:38 +0000</pubDate>
		<dc:creator>Tim Nash</dc:creator>
				<category><![CDATA[Behaviour modelling]]></category>
		<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.timnash.co.uk/?p=652</guid>
		<description><![CDATA[Tim takes a look at the plastic in your wallet and sees what data he can get from your credit card number: from whether you are worth fleecing, to fraud prevention, to where you opened your bank account and what it says about you.]]></description>
			<content:encoded><![CDATA[<p>Most people have shopped online with a credit or debit card, and these days we barely think before using the plastic. But the card details we type in don't just make purchases: they can also tell a merchant a lot about the banking habits of the user, such as town of origin and even fraud risk.</p>
<h2>Anatomy Of a Credit Card Number</h2>
<p><em>(Note: this goes for most modern debit cards as well)</em></p>
<p><img class="alignnone size-full wp-image-655" title="Credit Card" src="http://www.timnash.co.uk/wp-content/uploads/2010/09/cards.jpg" alt="Credit Card Anatomy" width="550" height="413" /></p>
<h3>MII – Major Industry Identifier</h3>
<p>The very first digit of the long number on your card is the Major Industry Identifier; it tells you which industry the issuer belongs to:</p>
<ul>
<li>0  ISO/TC 68 and other industry assignments</li>
<li>1  Airlines</li>
<li>2  Airlines and other industry assignments</li>
<li>3 Travel and entertainment</li>
<li>4 Banking and financial</li>
<li>5 Banking and financial</li>
<li>6 Merchandising and banking</li>
<li>7 Petroleum</li>
<li>8 Telecommunications and other industry assignments</li>
<li>9 National assignment</li>
</ul>
<p>Some cards may not appear where you expect, but are there for historical reasons. For example, American Express sits under Travel and Entertainment rather than Banking.</p>
<p>Another slightly odd one out is the Best Buy credit card in the United States, which starts with a 7 (I have no idea why Best Buy thinks it’s in the petroleum industry, but I suspect that as it’s an HSBC white-labelled card, HSBC owned a company that used to issue under these numbers).<br />
Just from the first digit we can tell:</p>
<ul>
<li>If the card is a Visa card (they all start with 4)</li>
<li>If it is a specialist or industry card (0, 1, 7, 8, 9)</li>
<li>If it is a second-tier card under MII 6 (in the UK normally a debit card)</li>
</ul>
<h3>BIN – Bank Identification Number</h3>
<p>Sometimes called the IIN (Issuer Identification Number), this is the first six digits of the card, including the MII at the front (older lists often only record the first four). With this number you can identify the issuing party, normally a bank. For example, 4047 83 is the NatWest Private Banking Visa Credit Card.</p>
<p>Think it is restricted to credit and debit cards? Think again: 6034 50 is the Starbucks Card (for Starbucks Europe).</p>
<p>The complete BIN list is kept a closely guarded secret. While the reason normally cited for keeping it secret is security by obscurity, it is more likely simply to protect the revenue of the ISO registry and the American Bankers Association, who publish the list: the bottom line.</p>
<p>There are, however, numerous attempts to compile it. A short list can be found on <a href="http://en.wikipedia.org/wiki/List_of_Bank_Identification_Numbers" >Wikipedia</a> and a larger, user-contributed <a href="http://www.bindatabase.net" >BINDatabase</a> is also available. As you would expect, much like postcode data here in the UK, there are people selling copies of the data, but these lists may or may not be genuine, so buyer beware. The same caveat applies to anything built on them: treat a BIN match as a hint about the issuer, not a verified fact.</p>
<h3>Checksum</h3>
<p>The last digit of the long number is a check digit, which provides a quick way to validate the card number. While not useful in profiling the user, it’s worth noting that all modern credit and debit cards (including Laser cards, contrary to what Wikipedia said at the time) use the mod 10, or Luhn, algorithm. It is an error-detection code, not a security control: it catches a mistyped digit and most transposed pairs, but anyone can generate numbers that pass it, so a Luhn-valid number says nothing about whether the card exists.</p>
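<p>As an added example (not code from the original post), the following Python parses a card number the way the three sections above describe: it reads the MII from the first digit, matches the longest known IIN/BIN prefix, and runs the Luhn mod 10 check. The MII table and the issuer prefixes are the ones quoted in this post; the tiny issuer table, the constructed card numbers and the masking format are this example's assumptions.</p>

```python
"""Parse a card number: MII (first digit), IIN/BIN prefix, Luhn check digit.

Added example. The MII table and the issuer prefixes are the ones quoted in
the post; the card numbers used below are constructed, not real cards.
"""

# Major Industry Identifier: first digit -> industry (table from the post).
MII_INDUSTRY = {
    "0": "ISO/TC 68 and other industry assignments",
    "1": "Airlines",
    "2": "Airlines and other industry assignments",
    "3": "Travel and entertainment",
    "4": "Banking and financial",
    "5": "Banking and financial",
    "6": "Merchandising and banking",
    "7": "Petroleum",
    "8": "Telecommunications and other industry assignments",
    "9": "National assignment",
}

# IIN/BIN prefixes quoted in the post. A real deployment would load a full
# BIN list; the longest-prefix matching below works for any prefix length.
ISSUERS = {
    "404783": "NatWest Private Banking Visa Credit Card",
    "603450": "Starbucks Card (Starbucks Europe)",
    "3713": "American Express Platinum",
    "374288": "Black Card (UK)",
    "450003": "Infinite Aerogold",
    "4": "Visa (issuer not in table)",   # every card starting with 4 is Visa
}


def normalise(pan: str) -> str:
    """Strip the spaces/dashes people type and insist on 12 to 19 digits."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or not 12 <= len(digits) <= 19:
        raise ValueError("card number must be 12 to 19 digits")
    return digits


def luhn_valid(pan: str) -> bool:
    """Luhn / mod 10: walking from the right, double every second digit
    (the check digit itself is not doubled), subtract 9 from any doubled
    value over 9, and require the total to be divisible by 10."""
    total = 0
    for i, ch in enumerate(reversed(normalise(pan))):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def luhn_check_digit(partial: str) -> str:
    """Return the digit that makes `partial` Luhn-valid once appended."""
    for d in "0123456789":
        if luhn_valid(partial + d):
            return d
    raise RuntimeError("unreachable: exactly one digit satisfies mod 10")


def issuer_for(digits: str) -> str:
    """Longest-prefix match against the BIN table (IIN is 4 to 6 digits)."""
    for length in range(6, 0, -1):
        issuer = ISSUERS.get(digits[:length])
        if issuer:
            return issuer
    return "unknown issuer"


def describe(pan: str) -> dict:
    """Everything the post says a merchant can read off the number alone."""
    digits = normalise(pan)
    return {
        "mii": digits[0],
        "industry": MII_INDUSTRY[digits[0]],
        "iin": digits[:6],
        "issuer": issuer_for(digits),
        "luhn_ok": luhn_valid(digits),
        # First six and last four is the most PCI DSS permits to be displayed;
        # never log or store the full number alongside this summary.
        "masked": digits[:6] + "*" * (len(digits) - 10) + digits[-4:],
    }


if __name__ == "__main__":
    # Constructed numbers with correct check digits, not real cards.
    for pan in ("4047 8300 0000 0007", "3713 000000 00005", "6034 5000 0000 0006"):
        print(describe(pan))
```

<p>Note that <code>luhn_check_digit</code> makes the point in the paragraph above concrete: the check digit is trivial to compute, so passing Luhn is evidence of a typing error's absence and nothing more.</p>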
<h3>Expiry Date and Sort Code/Issue Number</h3>
<p>All credit cards have an expiry date and some also include a start date. The two dates, together with the current date, can feed a risk assessment of the card. Newer cards carry a greater risk of chargebacks and disputes; older cards are more likely to be hitting their credit limits and be maxed out.<br />
Some debit cards have a 6-digit sort code (mainly in the UK). The first two digits indicate the issuer, much like the BIN. The last four digits are for the bank's internal use, but are essentially branch and handling-office identifiers. So, for example, 52-41-19 is NatWest, Woolpack Ely branch.</p>
<p>Getting hold of a list is not easy, as there is no centralised database, but with this data you know where the cardholder was when they opened their bank account. People move; their sort codes normally don't.</p>
<p>The issue number, again mainly on debit cards, shows how many cards of that type the holder has had. For example, if a user had a Solo card and was then given a Switch/Maestro card, the issue number on the Switch card would be 1. An issue number could potentially be a way of validating a long-term, stable credit history, but is probably unreliable for that.</p>
<h2>Potential Uses For Credit Card Data?</h2>
<h3>Identifying High Value Customers</h3>
<p>Let’s face it: we don’t all have platinum cards in our pockets (well, if your card starts 3713 then you do), but just as in a shop, the colour of your card often affects your experience. In the online world it can be the same.</p>
<p>Ecommerce data miners looking for high-value customers can identify the more premium cards such as the Platinum American Express (3713), the UK Black Card (3742 88) or Infinite Aerogold (4500 03). There are plenty of others; just remember that all that glitters is not gold. There are plenty of gold and platinum cards out there with low limits, and anyone can max out their card!</p>
<h3>Identifying Fraud Risk/Spending Profiling</h3>
<p>Some banks are going to have a higher rate of chargebacks than others. In the UK, store cards, most of which are credit cards rather than loyalty cards, have a higher risk of chargeback against them. This can be put down to:</p>
<ul>
<li>Targeting people with bad or low credit score</li>
<li>Lots of pressure from sales staff to push the cards</li>
</ul>
<p>Likewise, certain banks are likely to take a different approach to risk assessment when offering credit. While it would be unfair to assume that all transactions from these providers will be fraudulent, the issuer can be one input to a risk calculation, and card type can be used within profiling in the same way. None of these signals is a reason to decline on its own; they belong in a score alongside address, device and velocity checks.</p>
<p>One example is something I’m working on now, which is a donation system where users may select how much they want to pay. When we see a high value platinum card making a $1 donation, it is deemed far more suspicious than if they were making a $50 or $1000 donation. Likewise, if a solo card made a $1000 donation, we would consider that outside of the normal profiling.</p>
<h3>Just Being Nosy</h3>
<p>When you combine this information with other buyer mining, you can build a fairly comprehensive overview of a user. Their choice of card and their postcode, along with demographic data such as the ACORN database (for those in the UK), is enough to make a rough judgment about an individual.</p>
<p>So, next time you use a credit card, ask yourself how much does your card say about you?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timnash.co.uk/09/2010/what-your-credit-card-says-about-you/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Password Protection round x</title>
		<link>http://www.timnash.co.uk/02/2010/password-protection-round-x/</link>
		<comments>http://www.timnash.co.uk/02/2010/password-protection-round-x/#comments</comments>
		<pubDate>Wed, 03 Feb 2010 08:13:01 +0000</pubDate>
		<dc:creator>Tim Nash</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.timnash.co.uk/?p=496</guid>
		<description><![CDATA[Tim takes yet another look at password security and delves into his blog archives to remind people of the dangers of using the same password everywhere and then giving it away to everyone.]]></description>
			<content:encoded><![CDATA[<p>My friend <a href="http://www.angiescopywriting.com/" >Angie</a> pointed me to this latest <a href="http://status.twitter.com/post/367671822/reason-4132-for-changing-your-password" >Twitter status update</a> and I thought it was worth sharing.</p>
<blockquote><p>
It appears that for a number of years, a person has been creating torrent sites that require a login and password as well as creating forums set up for torrent site usage and then selling these purportedly well-crafted sites and forums to other people innocently looking to start a download site of their very own.  <em>However, these sites came with a little extra — security exploits and backdoors throughout the system.</em>  This person then waited for the forums and sites to get popular and then used those exploits to get access to the <strong>username, email address, and password of every person who had signed up</strong>. - <em>http://status.twitter.com/post/367671822/reason-4132-for-changing-your-password</em></p></blockquote>
<p>So let's recap: someone creates turnkey websites with a backdoor that grabs all usernames, emails and passwords, then tries those email/password and username/password combinations on numerous other sites. You can read the Daily Mail-style <a href="http://www.techcrunch.com/2010/02/02/hidden-backdoors-on-torrent-sites-led-to-the-latest-twitter-attack/" >TechCrunch</a> reaction.</p>
<p>Now remember...</p>
<blockquote><p>
A scary 92% of people use the same password across all websites including their email accounts.
</p></blockquote>
<p>That was based on Venture Skills research we presented last year; you may remember the post, imaginatively entitled <a href="http://www.timnash.co.uk/10/2009/please-stop-using-the-same-passwords/" >please stop using the same passwords</a>. Um, it would appear people didn't!</p>
<p>While the latest scam hit a big site's user base, literally thousands of sites could be running scripts with backdoors, or deliberately storing usernames and passwords in the clear for reuse in later attacks. What's more, with "invite your friends" scripts still doing the rounds, people are literally giving away the keys to their Gmail and Yahoo accounts.</p>
<p><img src="http://www.timnash.co.uk/wp-content/uploads/2008/06/cashmachine.jpg" alt="cashmachine sql" /><br />
Back in 2008 I wrote a post on how easy it was to <a href="http://www.timnash.co.uk/06/2008/give-me-your-money/" >manipulate the invite-your-friends scripts with just one line of code</a>, turning them from a benign tool into a way to drain you dry.</p>
<h3>Solving Password problems</h3>
<p>While in a perfect world every site would have a unique password, this is not going to happen. Therefore you need to organise yourself into a series of passwords, with the higher-risk accounts getting ones that are both unique and unrelated to the others. Here are some handy hints...</p>
<ul>
<li>Never use the same password for email and bank details (including PayPal).</li>
<li>If you struggle with alphanumeric passwords or are made to change passwords monthly, resist the temptation to just append the month or date: a predictable suffix is the first thing a cracker tries, so the change adds little. A longer passphrase you can actually remember is the better fix.</li>
<li>If you are required to include a capital letter, don't put it at the start of the password <img src='http://www.timnash.co.uk/wp-includes/images/smilies/icon_wink.gif' alt=';)' class='wp-smiley' /> </li>
<li>Passphrases tend to be much harder to crack while being easier to remember.</li>
<li><strong>Never use an inviter script that asks for the password to your email account.</strong></li>
<li>Don't use the same password on that torrent site as on your Twitter account.</li>
</ul>
<p>Remember: if someone gets into your primary email account, what information can they get about you? </p>
]]></content:encoded>
			<wfw:commentRss>http://www.timnash.co.uk/02/2010/password-protection-round-x/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Password Searching as a service</title>
		<link>http://www.timnash.co.uk/10/2009/password-searching-as-a-service/</link>
		<comments>http://www.timnash.co.uk/10/2009/password-searching-as-a-service/#comments</comments>
		<pubDate>Tue, 06 Oct 2009 18:11:39 +0000</pubDate>
		<dc:creator>Tim Nash</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.timnash.co.uk/?p=405</guid>
		<description><![CDATA[Tim has a cunning service idea to help people see if their free email account was one of the ones published, but would it be legal?]]></description>
			<content:encoded><![CDATA[<p>While eating my dinner and watching the news I was struck by how the recent phishing attack against major email providers was a major news story. I was not struck because I thought it shouldn't be major news, far from it; I was struck because the media normally never gets this stuff right!</p>
<p>Last week I released some of the statistics from a project we worked on earlier in the year, which revealed that <a href="http://www.timnash.co.uk/10/2009/please-stop-using-the-same-passwords/" >92% of people use the same password</a> for their email as they do for other sites. One of the more interesting stats was actually from the follow-up survey, where almost a third of <a href="http://www.timnash.co.uk/10/2009/please-stop-using-the-same-passwords/" >Hotmail users believed their accounts</a> had in the past been hacked.</p>
<p>Over the weekend many of them were, along with Yahoo and Gmail accounts, and the emails and passwords were published. They are easy to find on the internet with a few well-chosen Google searches. </p>
<p>This led me to a great way to promote my message: change your password.</p>
<h3>Password Searching Service</h3>
<p>My idea is to create a small app that lets people search to see if their email has been compromised. The application asks for their email and, for security (and as a double opt-in for possible future mailings), requires them to confirm their email address by clicking a link. The system then runs a couple of Google searches for possible passwords, retrieves any it thinks are passwords associated with the user, and displays these along with some randomly generated passwords on the screen. </p>
<p>The system will never know if it got the password right (the biggest issue with it), but it would give the user extra confidence. Regardless, the page would also leave a message telling them to change their password. If the system returns no results it tells them so, but suggests changing the password to be on the safe side.</p>
<p>The question is: would such a system be legal? </p>
<p><strong>Expanded:</strong> the reason I ask is that while the passwords are floating around on the web, to extract a user's potential password the system would have to access and parse content which is "stolen". Of course the quick way to do this would be to store the lot, but that's a quick way to a cell, I would think.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timnash.co.uk/10/2009/password-searching-as-a-service/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
		<item>
		<title>Please stop using the same passwords!!!</title>
		<link>http://www.timnash.co.uk/10/2009/please-stop-using-the-same-passwords/</link>
		<comments>http://www.timnash.co.uk/10/2009/please-stop-using-the-same-passwords/#comments</comments>
		<pubDate>Fri, 02 Oct 2009 10:05:16 +0000</pubDate>
		<dc:creator>Tim Nash</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.timnash.co.uk/?p=390</guid>
		<description><![CDATA[Is your password safe and secure? But are you using the same password over and over again? Tim shows you why this is a terrible idea!]]></description>
			<content:encoded><![CDATA[<p>A scary 92% of people use the same password across all websites, including their email accounts. This is the finding of a short research project we did for a client recently. </p>
<h3>92% is a scary statistic: here's how we got it</h3>
<p>Over the last six months we have been working with two clients on their authentication methods. Our first task was to find out what the issues were; one of the questions asked was whether people use the same passwords across multiple sites.</p>
<p>So we set up a very simple test using several websites' registration processes. We identified users whose email addresses were at Yahoo, Gmail, Hotmail and a few of the smaller free email providers. Next we added a special terms-and-conditions box (in addition to the normal terms and conditions) which they needed to opt into, but which was neither ticked by default nor a requirement. We tried very hard to make sure what we were going to do was utterly transparent; to our surprise the opt-in rate was nearly 70%. We can only assume people were blind clicking.</p>
<p>Why do we think they were blind clicking? Because they just agreed to:</p>
<blockquote><p>
Give xxxxxx permission to attempt to log in to your mail account using the details you provided. No mail or contact details will be collected and no personally identifiable information will be stored about this attempt. Please be aware that allowing this action may be in breach of the terms of service for your email provider and could cause discontinuation of your service. xxxxxx will not be held liable in such cases.</p></blockquote>
<p>We then provided a link with more explicit information on what we were planning to do and all the legal arse-covering bits. Now, we had just over 2000 "volunteers"; that link was clicked just twice, and one of those two then went and agreed to it! Sadly, as the data is dissociated from the account, we have no way of knowing whether that person did it because they knew it would be a failed login.</p>
<p>Once we had their permission we used a simple bot to attempt to log in, storing successful logins in a database identifiable only by an ID and the mail server. We never stored whose email it was, which is just as well, as it would have been a privacy nightmare.</p>
<p>Our registration pages were split into two types: one that required at minimum a weak password, and one that required an alphanumeric password of more than 8 characters.</p>
<p>Finally, we surveyed 1 in 10 about their email and password habits.</p>
<h3>Gmail users the worst at password protection</h3>
<p>With a little over 93% of the passwords working with their Gmail accounts, it would appear Gmail users are the laziest of those we tested, though the figure dropped to 89% when a stronger password was required.</p>
<h3>Yahoo Mail users have shocking memories</h3>
<p>That's the conclusion we reached, as they were the only user group where the secure-password sites had a higher percentage of successful logins than the weak ones, 91% vs 90%, which is strange because it is only recently that Yahoo Mail has had any decent password-strength requirement.</p>
<h3>Hotmail passwords most secure, surely not!</h3>
<p>It's true, Hotmail users came out best, but we are pretty sure we know why: in the follow-up survey almost a third of Hotmail users claimed they believed their account had been hacked.</p>
<h2>Oh and users lie about their password habits</h2>
<p>We all know that security, regularly changing passwords and using different passwords are important, which is probably why only 42% of people asked admitted to using the same password on both their email and the site they registered on.</p>
<p>So, a couple of take-away points: people really, really do not read terms and conditions, and for god's sake use a different password for your email from the one you use to register at free sites!</p>
<p>Go change it now...</p>
<p><strong>Update:</strong> as if to reinforce the point, news of thousands of <a href="http://news.bbc.co.uk/1/hi/technology/8291268.stm" >Hotmail passwords</a> being posted online has been announced.</p>
<p>Passwords were in the news again in 2010, when a heap of Twitter accounts were attacked and then used to grab Gmail accounts. See <a href="http://www.timnash.co.uk/02/2010/password-protection-round-x/" >Password Protection Round X</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timnash.co.uk/10/2009/please-stop-using-the-same-passwords/feed/</wfw:commentRss>
		<slash:comments>12</slash:comments>
		</item>
		<item>
		<title>You Could Be My ATM With One Line Of Code</title>
		<link>http://www.timnash.co.uk/06/2008/give-me-your-money/</link>
		<comments>http://www.timnash.co.uk/06/2008/give-me-your-money/#comments</comments>
		<pubDate>Fri, 06 Jun 2008 07:51:51 +0000</pubDate>
		<dc:creator>Tim Nash</dc:creator>
				<category><![CDATA[Security]]></category>

		<guid isPermaLink="false">http://www.timnash.co.uk/?p=155</guid>
		<description><![CDATA[
How many of us have thought it would be great to have our own cash machine sitting in our living room? Well, today potentially we all can. The "spam all your friends" scripts are still doing the rounds, much to my horror, and so I wanted to show you just how easy it is for [...]]]></description>
			<content:encoded><![CDATA[<p><img src="http://www.timnash.co.uk/wp-content/uploads/2008/06/cashmachine.jpg" alt="you could be the next cashmachine" /><br />
How many of us have thought it would be great to have our own cash machine sitting in our living room? Well, today potentially we all can. The "spam all your friends" scripts are still doing the rounds, much to my horror, and so I wanted to show you just how easy it is for unscrupulous marketers, or indeed developers, to capture the username and password for your email account. </p>
<h3>Your World Ruined with one line of code</h3>
<p>Just think about it for a moment: what private details are in your account? A PayPal account perhaps? Hmm, what about your bank details...</p>
<p>In this day and age your email is the effective way into your life, so <strong>never give your password away</strong>. Even your administrators will never ask for your password: if they are indeed your email admin, they already have back-end access.</p>
<p>I really want to drive home how potentially dangerous these scripts could be, but I think Andy has done a good job with <a href="http://andybeard.eu/2008/06/how-to-screw-up-your-internet-business.html#comments" >How to Screw Up Your Business</a>, a must-read for all marketers thinking of using such features.</p>
<h3>So how would a marketer or developer screw your business?</h3>
<pre>
// Added to a "friends adder" script: the form fields the user fills in,
// including the password to their own email account.
$name = $_POST['importername'];
$email = $_POST['email'];
$password = $_POST['password'];
$description = $_POST['description'];

// Quietly keep a copy of the credentials for later. The values are dropped
// straight into the query unescaped, exactly as the original did.
$SQL = " INSERT INTO cashmachine ";
$SQL = $SQL . " (name, email, password) VALUES ";
$SQL = $SQL . " ('$name', '$email', '$password') ";
$result = mysql_db_query($db, "$SQL");
</pre>
<p>Those simple lines of code, added to the friends-adder script by the marketer or even the developer, will happily store your details in a database for their pleasure...<br />
Are people doing this right now? Someone will be. It might not be the marketer who asked for your password, though: many PHP scripts are delivered encrypted, so what is lurking in there? A call to another server, perhaps?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.timnash.co.uk/06/2008/give-me-your-money/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
	</channel>
</rss>
