# Chance of guessing any valid credit card data

Information Security Asked by reed on August 8, 2020

What’s the chance of guessing valid credit card data that could be used to make a payment online? To me, it looks like it’s not extremely hard to guess, but I’m not able to calculate the probability. I mean, it’s not like it was designed to be as strong as 128-bit keys, which you know you can’t really crack. So I wonder if any attacks are possible because of this lower entropy, and if not, why.

Ok, there are 16 digits. That alone would provide a bit more than 50 bits of entropy, if all the digits were random. But they are not: some are fixed and define the card issuer, and there should also be some redundancy for a checksum. Also, there are a lot of valid numbers, because a lot of people have credit/debit/prepaid cards today, I guess millions of people. You just need to guess one valid code. Ok, sometimes you have to provide other data for payment as well, for example the expiration date or the CVV. Yet those don’t provide a lot of entropy. There might also be additional checks (like the owner’s name or address), but I’m not sure those are always enforced.

I’m not saying it’s easy to buy something with a specific person’s credit card in a specific online store. I’m just wondering if it’s not that hard, given a large botnet, to try to guess any valid credit card data by testing it (or even actually making a purchase) on random e-commerce websites.

Guessing a valid credit card number is feasible. Choose a known BIN (first six), generate 9 random digits, and then append the appropriate check digit. That's only 1,000,000,000 combinations - high, but listing every single one is certainly doable even on a personal computer.

Checking whether your guess is actually valid is harder. Almost every single website will ask for your expiration date and most will also ask for your CVV. Assuming that the card in question will expire within the next four years (standard lifetime of a card), that's still 12*4 possible valid expiration dates. And the CVV is another three digits you would need to guess. All told, that's 10^9*(12*4)*10^3=48,000,000,000,000 combinations - much less feasible.

Additionally, you would need to spread your guesses around - throwing them all at a single merchant's website will likely get them shut down by their payment processor for permitting exactly this kind of attack.

Answered by Bobson on August 8, 2020
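The answer above rests on two points: the last digit of a card number is a Luhn check digit (so it carries no entropy), and the remaining fields multiply the search space as 10^9 * (12*4) * 10^3. The following Python, written for this page and not part of the question or Bobson's answer, implements the Luhn check digit, shows why it is an error-detection code rather than a security control (it catches every single-digit typo but passes one in ten random strings), reproduces the answer's search-space arithmetic, and masks a PAN the way a merchant should before logging it. The sample number 4111111111111111 is a widely used Luhn-valid test number, not a real account; the parameter defaults are the answer's assumptions.

```python
"""Luhn check digit, its (lack of) security value, and the search-space figures from the answer."""
from typing import Tuple


def luhn_check_digit(payload: str) -> int:
    """Return the Luhn check digit for a digit string that does not yet include it."""
    total = 0
    # Walk from the rightmost payload digit; that digit (adjacent to the check digit) is doubled.
    for i, ch in enumerate(reversed(payload)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9  # same as summing the two digits of the doubled value
        total += d
    return (10 - total % 10) % 10


def luhn_valid(number: str) -> bool:
    """True if the digit string (spaces/dashes ignored) ends in the correct Luhn check digit."""
    digits = "".join(c for c in number if c.isdigit())
    if len(digits) < 2:
        return False
    return luhn_check_digit(digits[:-1]) == int(digits[-1])


def single_digit_errors_detected(number: str) -> bool:
    """True if every single-digit substitution in a valid number fails the Luhn check.

    This is what Luhn was designed for: catching a mistyped digit at the checkout
    form, not resisting guessing. An attacker who generates candidates with the
    correct check digit loses nothing to it.
    """
    if not luhn_valid(number):
        return False
    for pos in range(len(number)):
        for replacement in "0123456789":
            if replacement == number[pos]:
                continue
            altered = number[:pos] + replacement + number[pos + 1:]
            if luhn_valid(altered):
                return False
    return True


def random_guess_pass_rate(digits: int = 16) -> float:
    """Fraction of uniformly random digit strings of the given length that pass Luhn.

    Exactly one of the ten possible final digits satisfies the checksum for any
    prefix, so the rate is 1/10 regardless of length; computed exhaustively over
    the last digit here rather than estimated by sampling.
    """
    prefix = "0" * (digits - 1)
    passing = sum(luhn_valid(prefix + str(d)) for d in range(10))
    return passing / 10


def guess_space(random_digits: int = 9, years: int = 4, cvv_digits: int = 3) -> Tuple[int, int]:
    """(candidate PANs for one BIN, candidate PAN+expiry+CVV tuples), per the answer's assumptions.

    The BIN is fixed and the check digit is derived, so only `random_digits` positions are free;
    expiry is one of 12 months over `years` years; the CVV adds `cvv_digits` free digits.
    """
    pans = 10 ** random_digits
    full = pans * (12 * years) * 10 ** cvv_digits
    return pans, full


def mask_pan(number: str) -> str:
    """Keep first six (BIN) and last four, mask the rest; the usual form for logs and receipts."""
    digits = "".join(c for c in number if c.isdigit())
    if len(digits) <= 10:
        return "*" * len(digits)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


if __name__ == "__main__":
    TEST_PAN = "4111111111111111"  # well-known Luhn-valid test number, not a real account
    print("valid:", luhn_valid(TEST_PAN))
    print("all single-digit typos caught:", single_digit_errors_detected(TEST_PAN))
    print("random strings passing Luhn:", random_guess_pass_rate())
    pans, full = guess_space()
    print(f"PANs per BIN: {pans:,}; with expiry and CVV: {full:,}")
    print("masked for logging:", mask_pan(TEST_PAN))
```

`guess_space()` returns the answer's 1,000,000,000 and 48,000,000,000,000; `random_guess_pass_rate()` makes the point that the check digit only trims a guesser's space by a factor of ten, which is why the real controls are the extra fields, velocity limits at the processor and the merchant's own rate limiting rather than the checksum.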