How do websites know when you input a fake credit card number?


The very last digit of a card number is a checksum digit. Using the Luhn algorithm, the last digit should only have one single possible value for a given sequence before it. If that number doesn’t match what it should be, then there must have been some mistake entering the card number.

In a credit card number of any country, the first few digits are always a kind of identifier of the bank network, so the websites check those digits in their registry before requesting money from the respective bank. Then the request for an amount is sent to the bank, which verifies the presence of that particular account and whether money is available to be deducted or not. After this whole process, the transaction takes place.

There is some structure to the credit card number. The first digits are the issuer of the card. Notice how all Visa cards start with the digit 4, Mastercard used their 51-55 range but ran out so now their cards start with 2. So you can look up the first digits of the card in a big table and check if it is active and who the issuer is. It might be possible to then send a request to this issuer checking if the number is valid or not. But even if you cannot contact the issuer, most do include a check digit at the end. So you can calculate this digit and compare it to the one the user provided. This means that even if you copy the first 8 digits from an existing credit card you only have a 1/10 chance of getting the check digit right by random. Of course you can calculate the check digit yourself, so this is only a verification against typos and random numbers.
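The local checks described in the answers above (check digit plus issuer prefix), as an added example that is not part of any of the original answers. The function names are illustrative, and the 2221-2720 Mastercard range and the sample numbers (publicly documented test numbers) are not taken from the page.

```javascript
// Added example, not from the original answers. Sample inputs are test numbers.

// Strip spaces/dashes; accept only digit strings of plausible card length.
function normalize(input) {
  const digits = String(input).replace(/[\s-]/g, "");
  return /^\d{12,19}$/.test(digits) ? digits : null;
}

// Luhn sum, right to left, doubling every second digit (minus 9 if above 9).
// doubleFirst = true when the check digit has not been appended yet.
function luhnSum(digits, doubleFirst) {
  let sum = 0;
  for (let i = digits.length - 1, dbl = doubleFirst; i >= 0; i--, dbl = !dbl) {
    let d = Number(digits[i]);
    if (dbl) d = d * 2 > 9 ? d * 2 - 9 : d * 2;
    sum += d;
  }
  return sum;
}

// The one digit that makes payload + digit pass the check.
function checkDigitFor(payload) {
  return (10 - (luhnSum(payload, true) % 10)) % 10;
}

function luhnValid(input) {
  const digits = normalize(input);
  return digits !== null && luhnSum(digits, false) % 10 === 0;
}

// Prefix lookup for the two networks whose ranges the answers mention.
function networkOf(input) {
  const digits = normalize(input);
  if (digits === null) return "unknown";
  if (digits[0] === "4") return "visa";
  const p2 = Number(digits.slice(0, 2));
  const p4 = Number(digits.slice(0, 4));
  if ((p2 >= 51 && p2 <= 55) || (p4 >= 2221 && p4 <= 2720)) return "mastercard";
  return "unknown";
}

// Local pre-check only: a pass means "worth asking the issuer", nothing more.
function precheck(input, selectedNetwork) {
  if (normalize(input) === null) return "reject: not a card-length digit string";
  if (!luhnValid(input)) return "reject: check digit mismatch";
  if (networkOf(input) !== selectedNetwork) return "reject: prefix does not match selected network";
  return "pass: send to issuer for authorization";
}
console.log(precheck("4111 1111 1111 1111", "visa")); // correct check digit
console.log(precheck("4111 1111 1111 1112", "visa")); // last digit mistyped
```

The check digit catches every single-digit typo, but not every swap of two adjacent digits: 09 and 90 contribute the same amount to the sum. A pass says nothing about whether the account exists, which only the issuer's authorization response can answer.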

When you pay for something with a credit card, an electronic transaction occurs between the website and your credit card company. The site requests the charge and the company either accepts or declines the purchase. This takes a matter of seconds.

Now if you type a random set of numbers in, you’ll probably get rejected without the transaction even happening. Credit card numbers are not completely random. Different credit card companies follow different patterns of numbers, so if you type in random numbers, it won’t likely follow the algorithm and the site will automatically know it CAN’T be a real number.

Valid card numbers follow a set of rules.

Some of the numbers in certain positions are reserved for the different providers like Visa or Mastercard. If you say you have a Visa but type in certain numbers, it’ll “look like” a Mastercard thus it’s clear you made a mistake.

There is also a “checksum”. This means for valid credit card numbers, if you do certain math with the digits, the result should match the last digit. If you’re just guessing randomly, it’s likely this check fails.

But that stuff is widely known. People can write programs that generate valid credit card numbers. So how does a site know if you just guessed?

Well, you have to put in information about the cardholder like a name and address. Then the website connects to the card’s issuer and says, “Hey, I got this card number with this name and this address. Can I charge their card this much money?”

The issuer knows who they have given credit cards. If you manage to guess a number of one of their cardholders, they’ll note the name and address don’t match. “No, you can’t charge this card.”

If you manage to guess a number AND a name AND an address, well, lucky you. The problem now is that cardholder is going to report a fraudulent charge. So if you got the item shipped to your house… well, someone’s going to have a talk and it’s not going to be a good one.

Besides actually checking the vendor (there’re like 4 vendors for all cards: Visa, Mastercard, American Express, and Discover. Everyone else uses one of those, usually Visa or Mastercard), which would verify if the card is valid, most cards follow a certain numbering convention. You can read up more on it here:
https://en.wikipedia.org/wiki/Payment_card_number#:~:text=Payment%20card%20numbers%20are%20composed,the%20individual%20account%20identification%20number.

And when you add a card to a website (like Amazon or even an online game for microtransactions) they actually send a small test charge (usually one cent) which they will refund. All it’s doing is testing the route to make sure that it’s valid and there is money in the account. That said, sometimes banks twig out about it if it isn’t your usual thing and lock down your card until you confirm that it’s not someone stealing your card.