Authorities Warn Consumers About Rise in Credit Card “Guess Attacks”

Scammers can steal your credit card information before you even have a chance to use the card. A new scheme allows thieves to guess credit card numbers while attempting to purchase items online. Eventually, one of these guesses lands on a valid card number, and false charges end up on an unsuspecting person’s credit card.

If you’re thinking that a credit card number is too long and complicated to guess with any chance of success, you’re sadly mistaken. “The first thing to realize is that you are not guessing the full 16 numbers at random,” cybersecurity adviser Jake Moore tells reporters. “The first six digits of a credit card number signify the card network and the issuing bank, while the final digit is the Luhn algorithm checksum.”

How It Works

Most online retail sites don’t require a scammer to know everything about a cardholder. The only information they need is the cardholder’s name and the expiration date and number on the card. Once they have that information, they just need to guess at the three-digit security code and try every combination until they crack the right sequence. 

Most thieves who employ this strategy don’t guess these digits by hand, either. They use automated scripts to brute-force their guesses. Eventually, the program will land on the correct sequence and the thieves will have everything they need to commit credit card fraud.
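
On the retailer's side, scripted guessing of this kind shows up as a burst of failed security-code checks against a single card, sometimes ending in one success. The Python below is an added example, not part of the original article: it scans a constructed authorization log and flags that pattern. The log format, the `tok_*` card tokens and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def build_sample_log():
    """Constructed sample log, one event per line: '<ISO time> <card token> <result>'."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    rows = []
    # tok_A: six failed security-code checks 20 s apart, then a success
    rows += [(base + timedelta(seconds=20 * i), "tok_A", "cvv_fail") for i in range(6)]
    rows.append((base + timedelta(seconds=120), "tok_A", "ok"))
    # tok_B: an ordinary customer mistypes the code once, then succeeds
    rows.append((base + timedelta(seconds=5), "tok_B", "cvv_fail"))
    rows.append((base + timedelta(seconds=40), "tok_B", "ok"))
    # tok_C: five failures spread one hour apart (never inside one window)
    rows += [(base + timedelta(hours=i), "tok_C", "cvv_fail") for i in range(5)]
    return "\n".join(f"{ts.isoformat()} {tok} {res}" for ts, tok, res in rows)

def parse(log_text):
    """Turn log lines into time-ordered (timestamp, token, result) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, token, result = line.split()
        events.append((datetime.fromisoformat(ts), token, result))
    return sorted(events)

def flag_guessing(events, max_failures=5, window=timedelta(minutes=10)):
    """Flag card tokens with max_failures failed checks inside one sliding window."""
    recent = defaultdict(list)   # token -> timestamps of recent failures
    alerts = {}
    for ts, token, result in events:
        if result == "ok":
            # A success after an alert means the guess probably landed.
            if token in alerts:
                alerts[token]["guess_succeeded"] = True
            continue
        fails = recent[token]
        fails.append(ts)
        while ts - fails[0] > window:   # drop failures older than the window
            fails.pop(0)
        if len(fails) >= max_failures and token not in alerts:
            alerts[token] = {"alerted_at": ts, "failures": len(fails),
                             "guess_succeeded": False}
    return alerts

if __name__ == "__main__":
    for token, info in flag_guessing(parse(build_sample_log())).items():
        print(token, info)
```

A flagged token is a signal to lock out further attempts on that card; a flagged token with `guess_succeeded` set is a card that should be treated as compromised.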

Insidious Tactics

This type of attack is particularly insidious because guessing the card information correctly through a retailer’s site also confirms several things for the thief. For one, they learn that the card is valid and they can use it on any other transaction they want to force through before the victim notices the false charges.

For another thing, it tells the scammer that the person they’ve stolen from will likely challenge the charges and cancel the stolen card right away. Then, it’s easier to guess information like the replacement card’s expiration date. Moore explains that the Luhn algorithm checksum is key in these guessing attacks.

“There are websites out there that have Luhn verifiers which help find these numbers in little or no time at all, making the chances of locating a card in use relatively high,” Moore continues.

If you notice bizarre activity on your bank statements, talk to your card issuer and cancel the card. It’s frustrating to fall victim to fraud through no fault of your own. The best thing you can do to prevent this is to stay vigilant and dispute all charges that you don’t authorize.