Please don’t post pictures of your credit cards online.

Etienne Martin
Aug 26, 2017 · 5 min read
Simone Starita thinks it’s cool to show off his credit cards on Instagram.

The story

Last week I came across this article by Michal Špaček about why you shouldn’t post your boarding pass on Facebook. He explains how easy it is to hijack a person’s account with just a barcode. He also shows us how to quickly find boarding pass pictures simply by searching for the hashtag #boardingPass on Instagram.

Inspired by this, I wanted to know if people were actually stupid enough to publish other sensitive information on social networks.

I was not disappointed.

A simple search for #visaGold on Instagram returned dozens of credit card numbers.

#visaGold on Instagram

Screenshot from Instagram: https://www.instagram.com/explore/tags/visagold/

Jackpot. Intentionally or not, people are actually posting pictures of their credit cards online. I was surprised to see how popular the trend is. I didn’t even scroll the page and I could already see five credit cards.

Let’s see what we can find

Screenshot of Victoria’s card

Thanks to Victoria, we have a shiny close-up of her card. It looks promising at first glance but she took the time to hide the first digits. Clever… Well not really. As you may already know, the first sequence of numbers on your credit card is the same across all the cards issued by your bank.

Let’s zoom in a little bit.

Upon closer inspection, we can see that the card recently expired. Bummer. But don’t be discouraged. When an expired card is renewed, most of the time only the expiry date changes.

Another problem is that we’re missing the CVC code on the back of the card. Some people call that the “security code”. I learned a couple of things about credit card processing by developing payment solutions for my clients. One of those things is that merchants who process credit cards online are not required to check the validity of CVC codes when accepting payments. In fact, it is totally optional. The code doesn’t really protect the card holder. It’s mostly there to protect the merchants from fraudulent payments.

The only information needed in order to charge a credit card is the number and the expiration date. You don’t even need the card holder’s name or their zip code.

Finding the missing digits

Here’s the number we have so far:

Looks like a 4 to me.

The spacing pattern for Visa cards is xxxx–xxxx–xxxx–xxxx so we know for sure that we’re only missing the first four digits, also known as the issuer ID.

As I said before, the first sequence of numbers on a credit card is the same for all cards issued by a given bank. In this case the bank is сбербанк, a Russian bank. It is spelled Sberbank in Latin characters.

A quick Google search

Let’s ask Google about credit card issuer id.

The first search result links to the following site:
http://stevemorse.org/ssn/List_of_Bank_Identification_Numbers.html

Bingo. We now have a list of issuer IDs along with the associated banks. A little ⌘+F and we get this:

The card is a Visa Gold so we can guess that the issuer ID is 4279.

So far so good, we now have a complete card number. The only missing piece of the puzzle is the expiration date.

Finding the card’s expiry date

This one is a little bit trickier. We need a way to verify the expiration date against the credit card network without actually charging the card. One way to do that is by adding the card as a payment method on an online website. No payments involved.

Let’s create a burner account on amazon.com with a fictional email address. Amazon is one of those merchants who don’t ask for the CVC when adding a new payment method. Great.

Amazon’s payment method form

All set. We already have the card holder’s name and the number. Let’s start guessing the expiration date.

Banks generally renew the expiration date in chunks of 3 to 5 years. That gives us about 60 valid expiration dates possible (12 months × 5 years into the future). We just need to brute-force it.

The expiry date on the card is 05/17. We’ll increase the year by 3.

2017 + 3 years = 2020

Drum roll… And it worked, we made it.

Our new payment method, courtesy of Victoria.

I stopped at this point and removed the card from the account. I wasn’t there to cause trouble to anyone. I called Visa and informed them of the issue. The man on the line let out a long sigh. I smiled.
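Seen from the merchant's side, the guessing described above shows up as one card number submitted with several different expiry dates in a short time. The following is an added example, not part of the original post, of flagging that pattern in "add payment method" logs; the event fields, token names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from a hypothetical "add payment method" endpoint.
# Fields: time, account id, tokenized card number (never the raw PAN),
# expiry date entered, outcome.
EVENTS = [
    ("2017-08-20T10:00:05", "acct-17", "tok_a1", "05/18", "declined"),
    ("2017-08-20T10:00:31", "acct-17", "tok_a1", "05/19", "declined"),
    ("2017-08-20T10:01:02", "acct-18", "tok_a1", "05/20", "accepted"),
    ("2017-08-20T10:03:00", "acct-42", "tok_b7", "11/19", "declined"),
    ("2017-08-20T10:03:40", "acct-42", "tok_b7", "11/19", "accepted"),
    ("2017-08-20T09:00:00", "acct-99", "tok_c3", "01/18", "declined"),
    ("2017-08-20T13:30:00", "acct-99", "tok_c3", "01/19", "accepted"),
]

def find_expiry_guessing(events, max_distinct=2, window=timedelta(minutes=10)):
    """Return {card_token: expiry dates tried} for every card that was
    submitted with more than max_distinct different expiry dates inside
    one sliding time window."""
    # Group by card token, not by account, so that guesses spread over
    # several throwaway accounts are still counted together.
    by_card = defaultdict(list)
    for ts, _account, token, expiry, _outcome in events:
        by_card[token].append((datetime.fromisoformat(ts), expiry))

    flagged = {}
    for token, attempts in by_card.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Drop attempts that have fallen out of the window.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = {expiry for _, expiry in attempts[start:end + 1]}
            if len(distinct) > max_distinct:
                flagged[token] = sorted(distinct)
                break
    return flagged

if __name__ == "__main__":
    for token, tried in find_expiry_guessing(EVENTS).items():
        print(f"{token}: {len(tried)} different expiry dates tried: {tried}")
```

A retried submission with the same expiry date (tok_b7) and a correction made hours later (tok_c3) are not flagged with the default thresholds.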

In conclusion

It’s surprising how easy it was to find the missing pieces with information lying around on the internet while I lay comfortably on the couch. The sad thing is that most of the time you don’t even need to work for it. It’s just all there for you to see. Overall, it took me about five minutes and I had a completely valid credit card ready to use.

I doubt that Victoria posted her card number intentionally. I also doubt that the trend is going to slow down with the growing influx of users bragging online these days.

With that said, be careful about what you post on the internet. And again, please don’t post pictures of your credit cards online.


Written by Etienne Martin, freelance full stack developer & web designer.
