Fake Cards, Real Stories
December 30, 2008 1:02 PM

Okay, so you're setting up a payment system and you need to punch in a fake credit card number. You can always go with the familiar standby, 4111111111111111, but the truth is any sequence of numbers will work so long as it conforms to the Luhn algorithm (occasionally also referred to as "Mod 10", since it involves modulo operations). If you don't want to work the algorithm out with a paper and pencil, you can just use Credit Card Generator [now available in JavaScript] developed by Graham King. How is any of this interesting? Well, he also provided a page of already generated credit card numbers with predictable, yet hilarious, results. In response, one person offered a foolproof method of getting your hands on a valid credit card number and a CVV2 code.
posted by Deathalicious (28 comments total) 20 users marked this as a favorite
 
Christmas is finally here. Thank you.
posted by gman at 1:07 PM on December 30, 2008


The Websense category "Illegal or Questionable" is filtered.
posted by desjardins at 1:14 PM on December 30, 2008


I LOVE YOUR SITE BUT I AM IN NEED OF CREDIT CARDS THAT I CAN USE IN BUYING THINGS AND POSSIBLY MAKE RETURN BY HELPING ORHPANAGE HOMES THE LESS PRIVILEGE.THE SUFFERING IS TOO MUCH LETS TRY TO HELP ONE ANOTHER PLEASE MAKE IT SNAPPY WITH LOVE .
posted by Potomac Avenue at 1:15 PM on December 30, 2008 [1 favorite]


The foolproof method is pretty clever, I had actually never thought to try that one myself. My preferred system is called the cat-burglar-PC-hack, which works most of the time, so I've been sticking with that.

(My team of trained house-cats breaks into your home, steals your wallet, takes your credit card, finds your PC, hacks their way through your password, gets online, and then emails me your CC number and CVV2. They also have a signature move where they poop in your shoe, but I feel that's just being ostentatiously self-congratulatory and I'm trying to discourage it.)
posted by quin at 1:30 PM on December 30, 2008 [18 favorites]


My first foray into programming was to implement the Luhn algorithm to generate 16 digit numbers. I believe I got the algorithm from Phrack magazine... Each language I played around with I'd implement the Luhn algorithm and then write a Guess That Number game. Java, C, Pascal, bash scripting. Ah the memories. I even had a Geocities page with an applet that generated random numbers. The fact that it never got taken down is probably a good testament to the fact that no one ever saw it.
posted by ChrisHartley at 1:32 PM on December 30, 2008


H15 13375P34|< 1Z D3F1[13N7Z0RZ.
posted by Xezlec at 1:32 PM on December 30, 2008


I even had a Geocities page with an applet that generated random numbers. The fact that it never got taken down is probably a good testament to the fact that no one ever saw it.

Why would it get taken down? Those numbers are useless without real accounts, and a lot of time the code is implemented as a quick check by lots and lots of processes.
posted by delmoi at 1:54 PM on December 30, 2008


˙ʇou sı :ɔǝןzǝx

Out of sheer curiosity, could such numbers be used to avoid opt-out systems?

It's a pet peeve, but every time I see the words "Sign up for a free ten-day trial! After which, you'll be subscribed for a year," I twitch a little. It just screams "we don't trust people to actually want our product, so we're hoping some people end up buying it accidentally."
posted by evidenceofabsence at 2:00 PM on December 30, 2008 [3 favorites]


During my script kiddie phase in '99, I had a CC generator program for DOS. I tried a number on a paid porn site just to test the program. Hilarious nostalgic find... thx 4 posting it.
posted by yoHighness at 2:04 PM on December 30, 2008


delmoi: You and I both know that, but did 1990s Geocities?
posted by ChrisHartley at 2:20 PM on December 30, 2008


The vapid, idiotic comments on the post featuring the Luhn algorithm make me nearly blind with stupidity-inspired rage.

if ne1 can tell me wat 2 do wit stupid rage plz just email it to me waiting your reply thx
posted by loquacious at 2:27 PM on December 30, 2008 [2 favorites]


I was laughing my ass off reading the "fool proof method" when suddenly the seriousness of its implications dawned on me. These people CAN get credit cards. These large credit institutions extended predatory forms of credit to these very people, and now, our country is imploding because of it.
posted by JimmyJames at 2:37 PM on December 30, 2008


From the first post of his blog: Hackers successfully install Linux on a potato
posted by qvantamon at 2:40 PM on December 30, 2008 [1 favorite]


JimmyJames, it also has unnecessary steps. For most people the steps are:

1) Check your mail
2) OMFG YOU GOTZ 10 FREE CREDIT CARDZ!
posted by qvantamon at 2:42 PM on December 30, 2008


Why would it get taken down? Those numbers are useless without real accounts, and a lot of time the code is implemented as a quick check by lots and lots of processes.

I've worked a bit in setting up eCommerce-type sites, and OSCommerce and ZenCart at least (and probably every other similar package) do a quick Luhn algorithm check just to make sure the user didn't mistype or transpose a number before sending it off to the third-party verification system. Probably every piece of software that handles credit cards does this (or should do it): retail point-of-sale systems, point-of-sale credit card verification packages, etc.
posted by DecemberBoy at 2:53 PM on December 30, 2008


Pshaw, I have a full proof way to generate PINs and make those in to debit cards - no signature or ID required. It will work at least as good as those credit card numbers, I assure you.

Or in the idiotic parlance of those comments: "i can haz ur banks pin verification key and decilmalization table pls? ok thx bai."
posted by SoFlo1 at 2:54 PM on December 30, 2008


Also, the numbers may be useless now, but they weren't always: there was an infamous application called CreditMaster that just used the algorithm to generate lists just like in this post, except at the time it was made (94-95 or so), the numbers would actually work in a lot of places, particularly early pay-porn sites. Going even further back (early-mid 70s), the old TAP/YIPL newsletter would publish the updated credit card number algorithm (before the Luhn algorithm was adopted) every year, and that was enough information to generate working numbers.
posted by DecemberBoy at 2:58 PM on December 30, 2008


This post is so 1986.

Lemme guess... you plan on following up this post with something on red boxes?
posted by Civil_Disobedient at 5:20 PM on December 30, 2008


the old TAP/YIPL newsletter

Somehow I had never heard of TAP/YIPL before, but here are all the issues as PDF. Cool!
posted by drstupid at 5:57 PM on December 30, 2008



This post is so 1986.

Lemme guess... you plan on following up this post with something on red boxes?


I don't think the algorithm was very widely known that long ago. Back then, it was all about going through the department store dumpster for discarded carbon slips, hacking TRW or social engineering random people. In any case, the post is more about the broken-English responses the guy got from various Nigerians than the actual credit card number generating algorithm.

Somehow I had never heard of TAP/YIPL before, but here are all the issues as PDF. Cool!

Yeah, they're really fun to read through. The Yippies had an ideological justification for sticking it to the phone companies (ITT's involvement in the Pinochet coup, Ma Bell funding pro-Vietnam War politicians, etc.) that was lost later on when it became all about being able to call long distance for free just because you can. TAP was the very first hacker newsletter, and later efforts like Phrack and 2600 were directly inspired by it. In fact, Phrack came about to fill the void created when TAP became only semi-active and then totally inactive, and the unsuccessful efforts to restart it are detailed in some of the early issues of Phrack.
posted by DecemberBoy at 6:16 PM on December 30, 2008


Lemme guess... you plan on following up this post with something on red boxes?

I'm thinking something on Blue Boxes would be more, I dunno, MeFi.
posted by MikeMc at 9:49 PM on December 30, 2008


Eh, I just have all teh tonez on my !P0Đ. Lazy is the new 1337
posted by filthy light thief at 10:12 PM on December 30, 2008 [1 favorite]


As others have said, this shit really won't work anymore. They have these things called computers now that will verify the card numbers actually mean something, that the names match, etc. Technology!
posted by chunking express at 11:15 PM on December 30, 2008


Out of sheer curiosity, could such numbers be used to avoid opt-out systems?


Possibly, but probably not. The credit card system is actually a 2-step process, where the first step is to reserve the money (called "getting authorization for the charge"), and the second step is to transfer the money. Generally when you place an order, the vendor authorizes (reserves) the funds. When the order's fulfilled, they collect the money.

Authorizations don't show up on your credit card bill. They expire after a certain amount of time, around 14 days or so. If this happens with a credit card, the only way you might notice it is that it reduces your available credit, and you might get the next authorization declined.

An opt-out system can make an authorization for something like $1, just to test if the card is valid. If it is, then they just let the authorization expire, and you won't know that they did it. If the card is not valid, they know immediately.

Also, with debit cards that work as credit cards, they still use the authorization system, with one big difference. With the debit card, your "available credit" is actually your balance, so on an authorization the bank actually does take money out of your account, and holds it in reserve. When the authorization expires, it puts the money back. This can be a problem if you go to the ATM. I remember there was some issue with gas stations doing this, when for instance you put in your card, it takes $50 out for a full tank, you pump $30 and they collect $30, but that remaining $20 is reserved by the bank for 2 weeks. What's going on is the authorization system, but most people aren't familiar with it.
posted by cotterpin at 12:49 AM on December 31, 2008 [1 favorite]


Greetings, Esteemed sir.

Your name has been forwarded to me from a trusted source as someone of class and descretion who can be trusted to handle a very delicate finanacial transactions discreetly.

I am son of deposed King of Nigeria. I have need to move the sum of FIFTY SEVN MILLION UNITED STATES DOLLAR out of escrow in the National Bank of Nigeria to US or european bank account. Unfortunate that Mugabe government will not allow me to do so.

I would like you to help me perform this financal transaction. For your trouble, you will be recompensated at 20%, or EELEVEN POINT 4 MILLION UNITED STATES DOLAR.

To begin transaction, plaese immediately forward your name, address, tel and fax nos, a credit card number with CCV2 no (merely to pay for minor incedentals) and complete bank account information (to recieve funds) in confidence.

I thasnk you much for your help. I think this will be rewarding for both of us.

PS - time is of the essences. we must work quickly before this monies are discvored and stolen by the current corrupt regime
posted by SteveTheRed at 5:31 AM on December 31, 2008


I put some simple scripts in place at a company I work with to detect outgoing CC#s in email, using a basic Luhn check. They then decided that free wasn't good enough and put in an expensive system to filter and block or encrypt email that might contain a CC#. Of course, this system uses the same Luhn test.

Then they had problems with attachments being blocked for unknown reasons. The commercial vendor wasn't much help, their device wouldn't log specifically which field in a giant spreadsheet was causing the hit. So I made a drag-and-drop perl script (using Business::CreditCard, I think) for the support guys; it'll basically run strings on a file and spit out a list of matches. Then they can search in the document for that exact string.

The biggest culprit, when the user swears there's no CC# in the document? It's either in the document's revision history or in an unused and hidden spreadsheet cell.
posted by These Premises Are Alarmed at 6:37 AM on December 31, 2008
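
An added example, not part of the thread and not the commenter's Perl script: a Python sketch of the Luhn-based scanner described in the comment above, which also shows the transposition-catching pre-check DecemberBoy mentions. Going beyond the comment, it also unpacks zip-based documents (an assumption about the file type), since a strings-style pass over compressed bytes misses numbers stored inside them; the sample file is constructed and uses the test number from the post.

```python
import io
import re
import zipfile

# 13-19 digits, allowing one space or hyphen between digits, not inside a longer run.
CANDIDATE = re.compile(rb"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn (mod 10) check: double every second digit counting from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def scan_bytes(blob: bytes, where: str = "raw") -> list:
    """Return one hit per Luhn-valid digit run, with the exact string to search for."""
    hits = []
    for m in CANDIDATE.finditer(blob):
        raw = m.group().decode("ascii")
        digits = re.sub(r"[ -]", "", raw)
        # All-identical runs (e.g. zeros) pass Luhn but are padding, not card numbers.
        if len(set(digits)) > 1 and luhn_ok(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            hits.append({"where": where, "offset": m.start(),
                         "match": raw, "masked": masked})
    return hits

def scan_container(blob: bytes) -> list:
    """Scan the raw bytes, then every part of a zip-based document if it is one."""
    hits = scan_bytes(blob)
    buf = io.BytesIO(blob)
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as archive:
            for name in archive.namelist():
                hits += scan_bytes(archive.read(name), name)
    return hits

def make_sample() -> bytes:
    """Constructed sample: a zip with one compressed part holding two numbers."""
    part = "<si><t>note 4111 1111 1111 1111</t> ref 4111111111111112</si>"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr("xl/sharedStrings.xml", part)
    return buf.getvalue()
```

Each hit names the part and byte offset and keeps the exact matched string so it can be searched for in the document; the masked form is the one to put in logs or tickets.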


Man, and I thought the real money was in NINJA HELOCs.
posted by dhartung at 8:54 AM on December 31, 2008


Yeah, that authorization system can really be a pain with debit cards. I recently had an issue with fraudulent transactions on my debit card. My bank's fraud department caught the anomalous transactions, contacted me to confirm and disabled the card, but I still had several hundred dollars tied up for two weeks as I awaited their expiry.
posted by Samizdata at 12:23 PM on December 31, 2008

