Are credit card numbers predictable?

[unixronin]

I pay attention to numbers.  It's one of those Aspie traits.  In particular, something has struck me about credit and debit card numbers.

You see, those numbers are all 16-digit numbers that appear on the card in groups of four.  Some of those digits are coded; for instance, the first digit is always 5 for a Mastercard, 4 for a VISA.  In general, the first four digits identify the card issuer and the type of card, as I understand it.  But one would then expect a high degree of randomness in the remaining 12 digits, or at least a lack of visible correlation between the remaining 12 digits and the identity of the cardholder.

This does not, in fact, appear to be the case.  I have observed over a period of quite a few years now that there is a strong tendency for a comparatively small number of groups to appear again and again in the numbers of cards issued to the same individual, even from different issuers.  There also appears to be some tendency for CVV numbers to repeat.

This makes me wonder whether it might in fact be possible to predict, with a reasonable success rate, the numbers of cards issued to a particular individual, if you know the numbers of cards issued to that individual in the past.  If so, and if you can do this for a number of different cardholders, I further wonder whether it might be possible to take the identifying information for an arbitrary individual and predict (again, with a reasonable success rate) the numbers and CVVs of cards likely to have been issued to that individual.

Comments

[ithildae]

The first eight, and possibly ten, digits identify the banking institution. (Depending on the size of the bank, the typical credit union has very few numbers to work with.) I was out of that aspect of IT when the CCV numbers came about, so I don't know about them.

[tww1fa]

When we were given new cards recently, the first ten digits of the card number were identical to the ones on the previous card. Only the last six digits (and the expiration date and CVV) changed.

[randwolf.livejournal.com]

Oh, probably. But why would any criminal bother, when it's so easy just to steal them?

[unix-jedi.livejournal.com]

To an individual? Possibly, but not really worth the time.

Now, the _likely_ numbers in circulation? Easily. There's a lot of "duplicates" as well. The big distinction is the Expiration Date.

You and I might both have 1234 5678 9012 3456 but we'll have different expiration dates - which is why those are so significant. The CVV is much newer, and the backend stuff mostly doesn't worry about those - that's for POS systems.

So you have to factor in the Exp dates to the "account number" as well - and that introduces a lot more randomness.

[wyrdling.livejournal.com]

yeah, i jus got a new card in the mail. apparently a merchant (unnamed) feared my number was compromised, and so i got a whole new card... same number, different cvv and expiration date...

i'd wondered about the patterns in them. there have been some, but i haven't looked at them to clearly... kind of a number-ey amusement... thought it was mostly random/me drawing connections. maybe not.

[vetpsychwars.livejournal.com]

Yes, it's entirely predictable.

The first four digits are the Bank Identification Number. The next four may or may not be relevant as "prefix extension".

The last digit is a check digit as MOD10 is used to verify that a card number isn't just some random string.

As for duplicate numbers... nope. Ain't possible. The issuing platform (cough) checks for that. Once they're used up, they're used up, and a new prefix is used.

A bank may choose to issue numbers in sequence, but the facility exists to issue them randomly and most now do.