Charles Mills wrote: >I think much of the problem is with credit card numbers themselves. There are >only ~10**16 possible credit card numbers -- many fewer if you allow for the >fact that only certain combinations are valid. A credit card number is easier >to brute-force guess than its encryption key, format-preserving or not.
Not sure what “brute-force” means here. If you mean “create something that looks like a valid credit card number”, then sure, take the first six digits of your Visa, make up nine more, than calculate the Luhn checksum and stick that on the end. Done. But the bank won’t recognize it without a matching name (except as a CNP transaction), and so it’ll be of extremely limited use. So I’m not sure that the number of digits even matters: cards have to have some structure for routing, so extra digits don’t really help. EMV helps with card-present, but not at all for CNP. Note that PANs are going to 18 or 19 digits soon (and they used to be 13, which I hadn’t noticed until I saw it mentioned and realized that my old Visa, which I had for many years in the pre-breach era and still remember, was only 13!). …phsiii ---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
