A place where knowing one must not mean knowing ten

'Mun-il-ji-sip'.

Hear one thing, and you know ten.

It's a skill everyone wants.

How efficient it would be to learn ten things from a single one.



But there is a place where this phrase should never apply.

It is the 'world of security'.

The key to security is that the information I already hold must not let anyone infer additional information.

For example, I know someone's Facebook ID, and out of curiosity I type the same string in as the password.

Sure enough, I'm logged in.

In that case we would say the user chose a 'weakly secured' ID and password.

That is why some sites recommend against reusing the same characters as much as possible, so that others cannot easily guess them.


A card number anyone could guess?

In short, the lifeblood of security is that one thing must not be inferable from another.

However, I received a report that a financial company was ignoring this obvious rule.

It was Shinhan Card, the No. 1 credit card company.

The content of the report was not trivial.

The key point was that the numbers of a specific card issued by Shinhan Card were arranged so simply that anyone could guess them.



A 16-digit card number is divided into three parts.

The first 6 digits are the BIN (Bank Identification Number), which encodes the card brand (Visa, MasterCard and so on), the card type and the card grade.

For the same card product, the first 6 digits are always the same.

Digits 7 through 15 are the customer's unique number. Because it identifies the customer, it is normally assigned at random, or by a rule designed so that it cannot be guessed.

The last, 16th digit is the check digit.

It verifies whether the card number is well-formed; it is derived by multiplying and adding digits 1 through 15.
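The following is an added illustration of the structure just described; it is not code from the article or from any card company. It splits a 16-digit number into the three parts named above and validates the check digit with the Luhn algorithm (ISO/IEC 7812), which is the "multiply and add digits 1 to 15" rule. The sample number is a widely published test number, not a real card.

```python
# Added illustration (not from the article): the three parts of a 16-digit
# card number and the check-digit test the article describes. The check digit
# is computed with the Luhn algorithm (ISO/IEC 7812).


def split_pan(pan: str) -> dict:
    """Split a 16-digit card number into BIN, account number and check digit."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) != 16:
        raise ValueError("expected a 16-digit card number")
    return {
        "bin": digits[:6],        # digits 1-6: brand, type, grade; fixed per product
        "account": digits[6:15],  # digits 7-15: customer's unique number
        "check": digits[15],      # digit 16: check digit
    }


def luhn_valid(pan: str) -> bool:
    """True if the check digit is consistent with the other 15 digits."""
    digits = [int(ch) for ch in pan if ch.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:           # a two-digit product is reduced by 9 (2*7=14 -> 5)
                d -= 9
        total += d
    return total % 10 == 0


if __name__ == "__main__":
    # "4111 1111 1111 1111" is a widely published test number, not a real card.
    sample = "4111 1111 1111 1111"
    print(split_pan(sample))    # {'bin': '411111', 'account': '111111111', 'check': '1'}
    print(luhn_valid(sample))   # True
    print(luhn_valid("4111 1111 1111 1112"))  # False: one digit changed
```

The point for a defender is that the check digit is derived from the other digits and is therefore not a secret: it catches typing mistakes, and nothing else. All of the unpredictability in a card number has to come from digits 7 through 15.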





Hackers focus on the BIN.

Because the BIN is fixed for a given card product, an attacker runs a program that tries combinations for the remaining digits and picks out the ones that belong to real cards.

This is called a 'BIN attack'.

The leak of 2,000 card numbers from KB Kookmin Card in 2019 was also a BIN attack.



However, the whistleblower's point was more serious.

It said, "You can do it easily without even running a program."

Mindful of the risk of copycat crimes, the method in outline is this:

As mentioned earlier, the customer's unique number is, literally, the number that identifies a customer, so it should be randomized to make it hard to guess.

However, the informant claimed that the cards in question were simply numbered in order of issuance: 1, 2, 3, 4 and so on.

That is, the first card issued is 000000001, the second is 000000002, the 500th is 000000500, and so on.



If this were true, it was a big deal.

This is because cards issued at the same time share the same expiry date.

For example, Mr. A was issued a card on April 17, 2022, and Mr. B was issued the same card on the same day.

If so, both cards expire in 04/27, five years later.

In other words, from a single physical card you can infer the number and expiry date of another person's card.



'Does it matter if you only know the card number and expiry date?'

You may have your doubts.

Domestic online shopping malls usually require a CVC code and a password in addition to the card number and expiry date.

Double and triple identity verification.

But what about abroad?

'Amazon', the largest online shopping mall in the US, lets you pay without a CVC or password.

That is why hackers make fraudulent payments through the Amazon site every day.

Amazon insists on a simple payment system.



There was a need to check whether the whistleblower's statement was true.

Frankly, skepticism prevailed: 'Could a large credit card company really be assigning card numbers so carelessly?'

But the informant was right.

Using a phone payment system, we tested by increasing the card number by one while keeping the expiry date the same, and the number was confirmed as a valid card.

Where it was blocked, moving the expiry date forward by one month brought it back to the payment stage.

Of course, I did not actually pay, because the card numbers I checked were in other people's names.


FDS to catch fraudulent payments

Asked by a reporter, "Is it true that the cards were simply numbered in the order of issuance?", Shinhan Card said, "We cannot confirm the card numbering system because of the possibility of criminal abuse."

A trade secret, in other words.

It then said, "We are working to prevent fraudulent payments through FDS."

The Financial Supervisory Service also said that fraudulent card use is left to each card company's abnormal financial transaction detection system (FDS).

In effect it was saying that FDS was working well, and it was not even looking into the card numbering system.





That much is true.

FDS, the abnormal financial transaction detection system, filters out suspicious transactions and transactions whose pattern differs from the usual one.

Every financial company has an FDS and operates it 24 hours a day.

In fact, losses from card information theft have trended downward: 670 million won in 2018, 230 million won in 2019, 360 million won in 2020 and 20 million won in 2021.

As FDS is strengthened every year, the rate at which fraudulent payments are blocked is also rising.

In the KB Kookmin Card case in 2019, 9,300 fraudulent payments were attempted, but FDS blocked them all, so no actual loss occurred.
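As an added illustration of the kind of rule an FDS can apply to the numbering pattern the informant described, here is a velocity check that flags a merchant submitting many card numbers that share a BIN and expiry date and whose account numbers are consecutive. It is not the article's code and not any card company's actual FDS logic; the log rows, the merchant names and the BIN 999999 are constructed for the example, and the check digits are not validated.

```python
# Added illustration (not from the article, not any card company's FDS rule):
# flag one merchant whose authorization attempts, within a short window, use
# card numbers with the same BIN and expiry and consecutive account numbers,
# the pattern that sequential issuance would produce. All rows are
# constructed; BIN 999999 is not assigned to any issuer.
from collections import defaultdict
from datetime import datetime, timedelta

# (timestamp, merchant, card number, expiry, authorization result)
ATTEMPTS = [
    ("2022-05-01T09:00:00", "shop-A", "9999990000012345", "04/27", "approved"),
    ("2022-05-01T09:05:00", "shop-A", "9999990000098765", "09/26", "approved"),
    ("2022-05-01T11:00:00", "shop-B", "9999990000005002", "04/27", "declined"),
    ("2022-05-01T11:00:30", "shop-B", "9999990000005012", "04/27", "declined"),
    ("2022-05-01T11:01:00", "shop-B", "9999990000005022", "04/27", "declined"),
    ("2022-05-01T11:01:30", "shop-B", "9999990000005032", "04/27", "approved"),
    ("2022-05-01T11:02:00", "shop-B", "9999990000005042", "04/27", "declined"),
    ("2022-05-01T11:02:30", "shop-B", "9999990000005052", "05/27", "declined"),
]


def longest_consecutive_run(values) -> int:
    """Length of the longest run of consecutive integers in `values`."""
    ordered = sorted(set(values))
    if not ordered:
        return 0
    best = run = 1
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_sequential_probing(attempts, window_minutes=10, min_run=3):
    """One alert per (merchant, BIN, expiry) group whose attempts inside some
    `window_minutes` window contain at least `min_run` consecutive account
    numbers. Approved and declined attempts both count: a guess that happens
    to be right is still a guess."""
    groups = defaultdict(list)
    for ts, merchant, pan, expiry, _result in attempts:
        bin_, account = pan[:6], int(pan[6:15])   # digits 1-6 and 7-15
        groups[(merchant, bin_, expiry)].append((datetime.fromisoformat(ts), account))

    window = timedelta(minutes=window_minutes)
    alerts = []
    for (merchant, bin_, expiry), rows in groups.items():
        rows.sort()                                # by timestamp
        for i, (start, _) in enumerate(rows):
            in_window = [acct for t, acct in rows[i:] if t - start <= window]
            run = longest_consecutive_run(in_window)
            if run >= min_run:
                alerts.append({"merchant": merchant, "bin": bin_, "expiry": expiry,
                               "consecutive_pans": run})
                break                              # one alert per group is enough
    return alerts


if __name__ == "__main__":
    for alert in flag_sequential_probing(ATTEMPTS):
        print(alert)   # shop-B, BIN 999999, expiry 04/27: 5 consecutive account numbers
```

A real FDS combines many more signals (amount, device, geography, merchant history), and this rule only catches the attacker after several attempts. That is the article's argument in miniature: detection after the fact is necessary, but a numbering scheme in which every valid card sits next to another valid card leaves the detection system doing all the work.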


'Pre-risk' deserves closer attention

Nevertheless, we must keep looking at 'pre-risk', the risk that exists before any damage has occurred.

As technology advances, the capabilities of hackers grow with it.

BIN attacks happen every day, and hackers now create gaps where none existed.

If you find a hole, you need to fill it quickly to limit the damage.

However, when asked whether it planned any countermeasures, Shinhan Card said, "The card number is decided by each company in its own way, and we cannot talk about countermeasures because there has been no damage."

We should not wait to mend the barn after the cow is gone.

Card information is both financial information and personal information.

This means the damage that can come back on individuals, beyond financial loss, is limitless.



When interviewed, the Financial Supervisory Service admitted that the card numbering system was vulnerable to information theft and fraudulent use.

Shinhan Card also said, "We have identified a problem with the assignment system and will come up with ways to improve it."

An expert in the security industry pointed out, "There have already been problems with serial numbering systems in the past." He added, "Although it may be easier to manage from the credit card company's point of view, it is highly likely to be exposed to crime."

Kim Hyung-joong, a special professor at Korea University's Graduate School of Information Security, also said, "Security is always a human problem, and the problem is the weak links." "The problem is that we tried to make things easier."



Of course, not all cards issued by Shinhan Card are like this.

Many cards are already handled properly.

However, an official from the card industry said, "I know, but there are many problems that are hidden."

Behind this lie cost and policy issues.

Every financial company has complicated internal circumstances.

However, I think more attention should be paid to the attitude of taking precautions before problems break out, especially at financial companies that hold sensitive information.



(Statistics source: Office of Rep. Yoo Eui-dong, People Power Party)