23 comments

[ 0.19 ms ] story [ 54.3 ms ] thread
A newspaper vendor from Buenos Aires, Argentina,has been captured for credit card fraud with thousands of them.

News and police claimed that he developed an algorithm, to calculate, by hand, valid credit cards numbers and codes.

Ps: his last name is Falsetti, false.. etti

Edit: I don't know where is the URL, I will add that here (in Spanish).

https://www.lanacion.com.ar/seguridad/falsetti-el-estafador-...

Autotranslation: https://www-lanacion-com-ar.translate.goog/seguridad/falsett...

I read it this morning and was very surprised. Is this just some congruence modulo a big number? Is this check well known and the police/newspaper is overhyping then discovery?

(If it's so secret and powerful, why are they publishing a photo of the method?)

It's been known since 90s for plain ccns, and, well, about two years after CVC got phased in they were also broken. Besides once you submit both somewhere, you're potentially toast. 2 factor auth without, or better with disposable CC numbers is the only solution.

It's just that AR only now caught up to the usual fraud level.

Originally CVCs were intended to prove that you had physical possession of the card (before chips and NFC). Now it is required everywhere for every purchase.
> Now it is required everywhere for every purchase.

That very much breaks the rules, and I can't say I've ever had to use it outside of customer-not-present purchases, in around 30 countries I've used cards in.

Where are you that this happens? Is this something that people are doing when processing magnetic stripe transactions in places where that's still supported?

It’s required for almost all online transactions in the United States. Amazon is one of the notable exceptions
Online, sure. That’s the whole point of it. The post I replied to implied it went further than that.
I suppose you are right now that i think about it more closely. If I’m present for the transaction and using the card, I’m using chip or NFC, so no one bothers to ask for the CVC. They know I have physical possession of the card and that it’s not a fake because NFC and chips are too hard to fake?
Basically yes, but I still find it unusual (having worked in the industry) if you were ever asked for it in a customer-present situation, because the whole point was that it was for not-present situations.

But then I find many things about payments unusual, like the longevity of mag-swipe in the US in the face of much better tech… I’m happy not to really be in that world any more :)

> the longevity of mag-swipe in the US

Yes, it was strange. My guess is it was simply related to cost: cost of replacing hundreds of millions of POS terminals and hundreds of millions of plastic cards by snail mail.

Perhaps it was easier in countries with a smaller population and/or fewer merchants because the scale was just smaller.

I did hear that way-back-when, and that the relative power of the retailers vs the banks and networks was fundamentally different in the US, so it couldn't easily be imposed.
i dont think it is super secret stuff. I was thinking about the luhn algorithm since i read the article today, but the real story is (could be) that the guy is just a newspaper vendor and he do that by hand. If that is true.., well, chapeau.., bad thing is that the guy was stealing, but is impresive if he never read about the algorithm.

the other funny part is his last name...

From my understanding CVV/CVCs are a function of the PAN, expiry, and some DES encryption. Does this mean that the target bank had a weak DES key or was some other vulnerability discovered?
My guess is that he discovered a method to break the Luhn check https://en.wikipedia.org/wiki/Luhn_algorithm that is not a strong check. It's only useful to avoid typos. That's probably enough to make the "send" button happy.

I guess he didn't discover how to break the secret code of the card, and the transactions were flagged by the server immediately. Some servers flag the card secretly, so credit card thieves have more problems to validate the stolen cards.

The press article claims it was something impressive, but my guess is that it's just a bad report by the police or by the journalists.

i was thinking about the same algorithm when i saw the 4 and 14 multiplications
I don't think it's like that? At least in the US, you can have literally the same card number, expiry, and name, with only the CVC being different.
The Apple Card has this feature. You can generate a new CVC at any time, but your card number stays the same (unless you report fraud, obviously).
There exists no algorithm to calculate CVV from card number. The article also does not claim this.

> In other notes, he had left a record of how he had managed to obtain the security codes of the credit cards

Generating card numbers that pass the mod10 (Luhn) check is easy. He figured out how to pass the 3 digit code check. Given that it’s only three or four digits, and that plenty of breached cards are available to hackers, it’s probably not super hard to crack.

I suspect that test cards we get from processors work on a lot of production systems, in case you’re interested in starting a career in criminality.

With a big enough training set of cards I wonder if an ML would have any luck with the CVV.

3 digit code check can not be cracked, with or without ML. You need other methods to verify if the code is working for a particular card number, most of which require trial(and error) payments.

Furthermore, it is plausible that a credit card fraudster keeps notes on, well..., credit cards. Guy could have been old school skimming the card numbers and CVV from purchases at his newspaper stand.

One interesting note is "The 8th and 9th digits change every 12 or 2 numbers"

A credit card number, typically 16 digits, starts with 6 digits (the BIN) identifying the issuer/bank and the last number is a check digit with a well known algorithm (Luhn).

This leaves 9 digits for all the customers of a bank (well, all that share a BIN, I assume a bank can be assigned multiple). With some patterns in those digits and millions of customers, it becomes relatively likely that you'll hit a valid number. If there is anything that lets scammers validate the CC number separately from validity and CVC2, the rest of the attack becomes doable.

Let's do some back of the envelope calculations. We are almost 50 millions in Argentina, and excluding the people that is too young or too old or has a job that avoid taxes, let's assume only 15 millions have a credit card. Most of us have only one or two credit card (Visa & Amex or Master so they have a disjoint BIN).

The biggest bank is the National Bank, that has like a 30% of the share of deposits https://es.wikipedia.org/wiki/Bancos_de_Argentina I couldn't find the number of clients of each bank, but let's assume a 5% of share for each of the big banks, that's like 1 million each.

The 9 free digits for each bank, i.e. 10^9 possibilities and only 1^6 clients, so only 1/1000 of the numbers are valid. I think he didn't change the check digit, but he increased some digits, so it's somewhat like sampling only in the subset of numbers with a correct check digit. If you don't ask your nearby mathematician that says that multiplying by 2 a number in a modulo 10 check, you can estimate that with his method he sampled numbers with 10x more probability and only 1/100 of the numbers were valid. It's in the bruteforce range, but perhaps too low for a manual data entry.

Assuming each bank use the first 2 digits of their 9 digits for the branch (one in each capital city of each province, but some provinces have many big enough cities, and some cities here are huge, perhaps I need 3 digits...). Anyway, there are 2 fixed digits for the branch and 7 for the number of client. If not all branches have the same number of clients, and some of them don't even exits (if they have like branches 97-98-99 that are reserved for future use), then it makes it easy to guess a number if he noticed that BIN+branch is fixed because he is looking at the card of the clients near his business. I'd estimate x5 or x10 easier, but my handwaving is not strong enough to give a good justification.

So, with a lot of estimations, in ¿1/10? of his attempts he got a real card number.

About the CVC2, my guess is that he used a random number, the server noticed something strange and reported it silently, but the article is very light in details.

If you start with known valid CC numbers, the rest is just brute force to crack the CVC. Scripted attacks for this are common. Find an e-commerce site with a really poor checkout process, no rate limiting, etc. Brute force account creation and card tasting, and hammer it until you get hits. I've seen it first hand.