An Algorithm for Credit Cards
by Crazed Luddite & Murdering Thug
K00l/RaD Alliance!
Transcribed from 2600 Volume Seven, Number Three (Autumn, 1990)
by Psyberdelic Relic - 12/25/90
As some of you know, the credit card companies (Visa, MC, and American
Express) issue card numbers which conform to a type of checksum algorithm.
Every card number will conform to this checksum, but this is not to say
that every card number that passes this checksum is valid and can be used,
it only means that such a card number can be issued by the credit card
company.
Often this checksum test is used by companies which take credit cards for
billing. It is often the first step in checking card validity before
attempting to bill the card, however some companies stop here. Some
companies only check the first digit and the card number length, others use
this very convenient algorithm, while others continue on to check the bank
ID portion of the card number with a database to see if it is a valid bank.
These tests are designed to weed out customers who simply conjure up a card
number. If one were to try to guess at an Amex number byusing the right
format (starts with 3 and 15 digits long), only about 1 in 100 guesses
would pass the checksum algorithm.
Why do companies use the algorithm for verification instead of doing an
actual credit check? First, it's much quicker (when done by computer).
Second, it doesn't cost anything. Some credit card companies and banks
charge merchants each time they wish to bill or verify a card number, and
if a merchant is in a business where a lot of phony numbers are given for
verification, this can become rather costly. It is a known fact that most,
if not all, online services (i.e, Compuserve, Genie, etc.) use this method
when processing new sign-ups. Enough said about this, you take it from
here
The majority of transactions between credit card companies and merchants
take place on a monthly, weekly, or bi-weekly basis. Such bulk
transactions are much less expensive to merchants. Often a company will
take the card number from a customer, run it through the algorithm for
verification, and bill the card at the end of the month. This can be used
to your advantage, depending on your situation.
If you trade card numbers with your friends, this is a quick way to verify
the numbers without having to call up the credit card company and thus
leave a trail. Also, a few 1-800 party line type services use this
algorithm exclusively because they don't have a direct link to credit card
company computers and need to verify numbers real fast. Since they already
have the number you're calling from through ANI, they don't feel it
necessary to do a complete credit check. I wonder if they ever heard of
payphones.
Here's how the algorithm works. After the format is checked (correct first
digit and correct number of digits), a 21212121... weighing sccheme is used
to check the whole card number. Here's the english pseudocode:
check equals 0
go from first digit to last digit
product equals value of current digit
if digit position from end is odd
then multiply product by 2
if product is 10 or greater
then subtract 9 from product
add product to check
end loop
if check is divisible by 10, then card passed checksum test
Here is a program written in C to perform the checksum on a Visa, AMEX or
MC card. This program can be easily implemented in any language, including
ACPL, BASIC, COBOL, FORTRAN, PASCAL or PL/I. This program may be modified,
with the addition of a simple loop, to generate credit card numbers that
pass the algorithm within certain bank prefixes (i.e Citibank). If you
know the right prefixes, you can generate valid card numbers (90 percent of
the time).
-----------------
/* CC Checksum Verification Program
by Crazed Luddite and Murdering Thug
of the K00l/RaD Alliance! (New York, London, Paris, Prague.)
Permission is given for free distribution.
"Choose the lesser of two evils. Vote for Satan in '92"
*/
#include
main ()
{
char cc[20];
int check, len, prod, j;
printf ("\nAmex/MC/Visa Checksum Verification Program");
printf ("\nby Crazed Luddite & Murdering Thug\n");
for (;;)
{
printf ("\nEnter Card Number [w/o spaces or dashes.] (Q to quit)\n:");
scanf ("%s", cc);
if ((cc[0] == 'Q') || (cc[0] == 'q'))
break; /* exit infinite loop, if 'Q' */
/* Verify Card Type */
if ((cc[0] != '3') && (cc[0] != '4') && (cc[0] != '5'))
{
printf ("\nCard number must begin with a 3, 4, or 5.");
continue;
}
else if ((cc[0] == '5') && (strien (cc) != 16))
{
printf ("\nMastercard must be 16 digits.");
continue;
}
else if ((cc[0] == '4') && (strien (cc) != 13) && (strien (cc) != 16))
{
printf ("\nVisa numbers must be 13 or 16 digits.");
continue;
}
else if ((cc[0] == '3') && (strien (cc) ! 15))
{
printf ("\nAmerican Express numbers must be 15 digits.");
continue;
}
/* Perform Checksum - Weighing list 2121212121212121.... */
check = 0; /* reset check to 0 */
len = strien (cc);
for (j = 1; j <= len; j++) /* go through entire cc num string */
{
prod = cc[j - 1] - '0'; /* convert char to int */
if ((len - j) % 2)
prod = prod * 2; /* if odd digit from end, prod=prod*2 */
/* otherwise prod=prod*1 */
if (prod >= 10)
prod = prod - 9; /* subtract 9 if prod is >=10 */
check = check + prod; /* add to check */
}
if ((check % 10) == 0) /* card good if check divisible by 10 */
printf ("\nCard passed checksum test.");
else
printf ("\nCard did not pass checksum test.");
}
}