Please don’t post pictures of your credit cards online.

The story
Last week I came across this article by Michal Špaček about why you shouldn’t post your boarding pass on Facebook. He explains how easy it is to hijack a person’s account with just a barcode. He also shows us how to quickly find boarding pass pictures simply by searching for the hashtag #boardingPass on Instagram.
Inspired by this, I wanted to know if people were actually stupid enough to publish other sensitive information on social networks.
I was not disappointed.
A simple search for #visaGold on Instagram returned dozens of credit card numbers.
#visaGold on Instagram

Jackpot. Intentionally or not, people are actually posting pictures of their credit cards online. I was surprised to see how popular the trend is. I didn’t even scroll the page and I could already see five credit cards.
Let’s see what we can find

Thanks to Victoria, we have a shiny close-up of her card. It looks promising at first glance but she took the time to hide the first digits. Clever… Well not really. As you may already know, the first sequence of numbers on your credit card is the same across all the cards issued by your bank.
Let’s zoom in a little bit.

Upon closer inspection, we can see that the card recently expired. Bummer. But don’t be discouraged. When an expired card is renewed, most of the time only the expiry date changes.
Another problem is that we’re missing the CVC code on the back of the card. Some people call that the “security code”. I learned a couple of things about credit card processing by developing payment solutions for my clients. One of those things is that merchants who process credit cards online are not required to check the validity of CVC codes when accepting payments. In fact, it is totally optional. The code doesn’t really protect the card holder. It’s mostly there to protect the merchants from fraudulent payments.
The only information needed in order to charge a credit card is the number and the expiration date. You don’t even need the card holder’s name or their zip code.
Finding the missing digits
Here’s the number we have so far:

The spacing pattern for Visa cards is xxxx–xxxx–xxxx–xxxx so we know for sure that we’re only missing the first four digits, also known as the issuer ID.
As I said before, the first sequence of numbers on a credit card is the same for all cards issued by a given bank. In this case the bank is сбербанк, a Russian bank. It is spelled Sberbank in Latin characters.
A quick Google search
Let’s ask Google about credit card issuer id.
The first search result links to the following site:
http://stevemorse.org/ssn/List_of_Bank_Identification_Numbers.html
Bingo. We now have a list of issuer IDs along with the associated banks. A little ⌘+F and we get this:

The card is a Visa Gold so we can guess that the issuer ID is 4279.
So far so good, we now have a complete card number. The only missing piece of the puzzle is the expiration date.
Finding the card’s expiry date
This one is a little bit trickier. We need a way to verify the expiration date against the credit card network without actually charging the card. One way to do that is by adding the card as a payment method on an online website. No payments involved.
Let’s create a burner account on amazon.com with a fictional email address. Amazon is one of those merchants who don’t ask for the CVC when adding a new payment method. Great.

All set. We already have the card holder’s name and the number. Let’s start guessing the expiration date.
Banks generally renew the expiration date in chunks of 3 to 5 years. That gives us about 60 possible expiration dates (12 months × 5 years into the future). We just need to brute-force it.
The expiry date on the card is 05/17. We’ll increase the year by 3.
2017 + 3 years = 2020
Drum roll… And it worked, we made it.

I stopped at this point and removed the card from the account. I wasn’t there to cause trouble to anyone. I called Visa and informed them of the issue. The man on the line let out a long sigh. I smiled.
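From the merchant's side, the guessing described above shows up as one card number submitted with several different expiry dates, possibly spread across burner accounts, so a check has to key on the card rather than on the account. The Python sketch below is an added example, not code from the original post or from any merchant. The thresholds, the key and the event layout are assumptions, and the card number is a public test number.

```python
import hashlib
import hmac
from collections import defaultdict, deque

# Assumed policy values (not from the article): tune to your own traffic.
WINDOW_SECONDS = 3600
MAX_DISTINCT_EXPIRIES = 3
PAN_KEY = b"constructed-demo-key"  # placeholder; a real key belongs in a KMS/HSM


def pan_fingerprint(pan: str) -> str:
    """Keyed hash so the tracker never stores the raw card number."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    return hmac.new(PAN_KEY, digits.encode(), hashlib.sha256).hexdigest()


class ExpiryGuessDetector:
    """Flags a card number submitted with many different expiry dates."""
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_DISTINCT_EXPIRIES):
        self.window = window
        self.limit = limit
        self.seen = defaultdict(deque)  # fingerprint -> deque of (ts, expiry)

    def observe(self, ts: float, pan: str, expiry: str) -> bool:
        """Record one add-card attempt; return True if it should be blocked."""
        attempts = self.seen[pan_fingerprint(pan)]
        while attempts and ts - attempts[0][0] > self.window:
            attempts.popleft()  # forget attempts older than the window
        attempts.append((ts, expiry))
        # Retyping the same date is harmless; only distinct dates count.
        return len({exp for _, exp in attempts}) > self.limit


def replay(events):
    """Run (ts, account, pan, expiry) events; return the blocked ones."""
    detector = ExpiryGuessDetector()
    return [e for e in events if detector.observe(e[0], e[2], e[3])]


# Constructed sample: 4111111111111111 is a public test number, not a real card.
SAMPLE_EVENTS = [
    (0, "acct-a", "4111 1111 1111 1111", "05/18"),
    (20, "acct-a", "4111 1111 1111 1111", "05/19"),
    (40, "acct-b", "4111-1111-1111-1111", "05/20"),  # new account, same card
    (60, "acct-b", "4111111111111111", "05/21"),     # 4th distinct date: blocked
    (5000, "acct-a", "4111111111111111", "05/18"),   # window expired: allowed
]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

Because the counter follows the card fingerprint, switching accounts between guesses does not reset it.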
In conclusion
It’s surprising how easy it was to find the missing pieces with information lying around on the internet while I lay comfortably on the couch. The sad thing is that most of the time you don’t even need to work for it. It’s just all there for you to see. Overall, it took me about five minutes and I had a completely valid credit card ready to use.
I doubt that Victoria posted her card number intentionally. I also doubt that the trend is going to slow down with the growing influx of users bragging online these days.
With that said, be careful about what you post on the internet. And again, please don’t post pictures of your credit cards online.
