Multiple Protocol Attacks

In 1997, I wrote about something called a chosen-protocol attack, where an attacker can use one protocol to break another. Here's an example of the same thing in the real world: two different parking garages that mask different digits of credit cards on their receipts. Find two from the same car, and you can reconstruct the entire number.

I have to admit this puzzles me, because I thought there was a standard for masking credit card numbers. I only ever see all digits except the final four masked.

Posted on December 20, 2011 at 6:24 AM • 37 Comments

Comments

wombat94 • December 20, 2011 7:03 AM

I believe according to the PCI spec, the garage masking ONLY the last 4 digits is in violation - there should not be that much of the PAN visible.

But PCI does allow for retailer implemented variations. Also, PCI really aims at large retailer, high volume environments. There are many exceptions for "low value" (my quotes) targets like mom-and-pop shops because the PCI requirements would be prohibitively expensive and the risk of loss is relatively low.

In the US, however, there IS a standard. Several financial regulation bills in the last 10 years have mandated that ONLY the last 4 digits of the PAN be visible (the rest need to be truncated or masked) AND the expiration date must be masked.

Anon • December 20, 2011 7:22 AM

The Visa memo shown on that page spells out the American standard (show no more than the last 5 digits, and none of the expiry date) with a link.

seph • December 20, 2011 7:29 AM

PCI DSS 2.0, Section 3.3: Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed). NOTE: [This does not supersede stricter requirements for POS receipts]

I don't have access to the full POS guidelines, but the overview I can find says the same thing.

Yeah, anything masking only the last four is going to be contractually violating something.

Ben • December 20, 2011 7:39 AM

Classic "thinko" - someone was told to "mask the last four digits" when what was meant was "mask all but the last four digits".

Dom De Vitto. • December 20, 2011 7:46 AM

Could be a 'thinko', or just someone doing the wrong job - trying to be a 'security guy', without good review.

The person probably thought "An attacker would need to try 5,000 combinations to have a 50% chance of hitting the full number! So it's really secure."

Smart/arrogant people tend to think they are security experts because they have antivirus and backup their computer twice a week.....

Brian • December 20, 2011 8:23 AM

I really don't think the poster hid enough digits, especially considering that we can take it for granted that his card passes the Luhn test, thus dropping the effective number of masked digits by one.

Abigail • December 20, 2011 8:50 AM

My guess is that someone made a mistake during the implementation of the standard. Be it a programming error (flipping a boolean test), an error when translating the credit card standard to a programming spec, or a misunderstanding of the VISA guidance. The latter may have been caused by a non-native English speaker mistranslating the VISA guidance.

What I wonder is, was this tested? And if it was, why did this pass the test? Could it be that the test was created by the same person who made the original mistake?

Happy Helper • December 20, 2011 9:26 AM

Yeah, worse still, I found a mid-sized regional chain of fast food printing full unmasked CC numbers on receipts. I reported it to the company HQ, Visa, and my bank. It was fixed within a week.

Jon • December 20, 2011 9:50 AM

I've seen my own slips with either the first 4 or the last 4 visible (the middle 8 are masked).

Typically, though, I only see the last 4.

I don't have a slip handy to see if the expiration is masked; I don't think that it is always, but I'll look at them more closely.

Freek • December 20, 2011 9:53 AM

The whole credit card business is one giant example of chosen-protocol attacks. And I'm not just talking about the Securecode of Mastercard, which is opt-in, in a lot of shops I can choose between PIN authentication or signature authentication, and online I only have some horribly outdated security-through-obscurity system of which this story is a prime example, even though I consider the XXX mostly security theatre -- any cashier can easily get their hands on a full credit card number, including expiration date and CCV code.

So the real question is: Why didn't credit cards adapt to the security level of debit cards (e.g. PIN code for real world transactions, and one-time-passwords for online transactions)? I presume some of the burden of credit card abuse lies with credit card companies, so the incentive should be there.

Natanael L • December 20, 2011 10:04 AM

There's an attack on pixelated text in images. I can't find it right now, but it's basically based on the mask not hiding enough detail about the characters.

So I guess that you can get the complete card number out of the picture in the link quite easily.

Jonathan • December 20, 2011 10:14 AM

Here in Israel, when you make a purchase with a CC at a shop, you are handed a piece of paper you're supposed to sign, and the vendor keeps it for some (unknown to me) reason. Recently I noticed such a receipt with the full 16 digits printed on it! When I told the cashier, he said "It's safe, no expiration date on it, see?"

But yes, since any waiter takes your card and disappears from your sight, he can easily write down the card number, date and CCV, and later make his own purchases. I wonder why that doesn't happen more frequently.

Philip Newton • December 20, 2011 10:27 AM

For bank account numbers in Germany, I see both "everything but the beginning" and "everything but the end".

The first is better, since I have a couple of sub-accounts and knowing the last couple of digits lets me identify which one this is, more than telling me it'll "charge my account with the number 1234xxxx", which could be any of them.

Jordan Brown • December 20, 2011 10:41 AM

The first few digits of credit card numbers aren't very good for identifying them. I think the leading 4 means "Visa", and after that it looks like it's an institution ID - my Bank of America Visa cards have all started with 4024 and my Chase Visa cards have all started with 4417.

Giving the card to the waiter usually works because most people are not thieves (gasp!) and because even those who are thieves realize that stealing a few thousand dollars and losing your job is a poor tradeoff.

ChoppedBroccoli • December 20, 2011 10:49 AM

Call me crazy but this is why I like to shred all my receipts when I'm done with them.

Chris • December 20, 2011 11:23 AM

I suspect there isn't more credit card theft because credit card companies concentrate more on spending patterns than actual signature/PIN verification. I've had large transactions held while I verify (from my registered phone number) that I'm the one placing them and I know people who've gotten calls within an hour of a pattern of fraudulent transactions verifying the transactions and shutting the account down.

askme233 • December 20, 2011 11:24 AM

So what happens to the billions on paper receipts that are signed? I can't possibly imagine they are "archived/imaged" by the gas stations and there are way too many to have any kind of access for verification or audit purposes.

Brent W • December 20, 2011 11:42 AM

Ten years ago, when I was in high school working at a fast food restaurant, our credit card machine printed receipts with the full name/number. Our owner and transaction processing vendor didn't seem to care - when customers told us about it we reported it up the chain and nothing happened. Of course we were instructed to check their ID so the company wouldn't be stuck with the tab in the event of fraud. This reminds me of the XKCD comic about profit/security incentives and nuclear launch codes.

Andy Dingley • December 20, 2011 11:50 AM

I've recently changed some code so that rather than showing the leading digits and the trailing digits on a receipt (permissible by the spec), it now only shows the trailing 4 (tighter than the spec).

The problem is that the leading digits are implicit in the card issuing authority (i.e. the bank). This is already being used as an attack vector for social engineering attacks. If you already know the bank, phone up the mark and convince them that you're genuine by "reading them" the first few digits of the card number. They'll probably find this convincing. Alternatively, knowing these first digits tells you which bank to pretend to be calling from.

Also my own cards have the CV2 scratched off the back. I already know what it is, I don't need it if I'm physically present to enter a PIN, but I _really_ don't want any card-handling waiters getting to know it too.

ike • December 20, 2011 1:42 PM

Jon said "I've seen my own slips with either the first 4 or the last 4 visible (the middle 8 are masked)."

Revealing only the first 4 is problematic. If you have two cards from the same issuer, there's a good chance that they have the same first digits, so it doesn't help you determine which card you used.

Carlo Milono • December 20, 2011 1:55 PM

LUHN model:
First Digit is a Major Industry 0 is ISO/TC 68, 1 & 2 are Airlines, 3 is Travel and Entertainment, 4 & 5 & 6 are Banking and Financial (Merchandizing), 7 is Petroleum, 8 is Telecommunications, and 9 is "National"

First six digits are the Issuer Identifier. 4XXXXX with a card length of 13 or 16 is Visa; 51XXXX-55XXXX with a length of 16 is MasterCard. 34XXXX and 37XXXX with a length of 15 is AmEx. etc.

Digits 7-onward represent the Account Number with the last digit a Check Digit (like a checksum).

With a few rules, you can tell a bad CC number without transmitting it.

Sam • December 20, 2011 4:35 PM

A very similar problem exists (or existed) in the credit reporting agencies. A few years ago I obtained my annual free credit report and two of the agencies requested and displayed the last 4 digits of my social security number and the other used and displayed the first 5 digits.

ChoppedBroccoli • December 20, 2011 5:36 PM

@ Andy Dingley

"""
Also my own cards have the CV2 scratched off the back. I already know what it is, I don't need it if I'm physically present to enter a PIN, but I _really_ don't want any card-handling waiters getting to know it too.
"""

Oooo I like this idea - how did you do this successfully? My CV2 digits aren't raised, they are 'imprinted'. I suppose if I scratch deeply all around this area and then sharpie it that would suffice :P

Brian Gilbert • December 20, 2011 7:14 PM

My mother runs a restaurant and isn't particularly tech savvy. When she finally added a credit-card machine to her business, it defaulted to printing the entire credit card number on both her receipt and the customer's receipt. She wanted it left that way; I had to step in and insist that it be changed to hide all but the last 4.

Nick P • December 20, 2011 8:53 PM

I know of a Fortune 500 company that used first five digits of a social for paychecks and last four for something else. I pointed out the obvious issue this created and they switched to sealed, named paycheck envelopes. Commendable!

Chris L • December 20, 2011 10:11 PM

This is not a thinko but an issue of international standards. In Japan, the JCCA (Japan Credit Card Agency), which is made up of the credit card companies, has determined that customer receipts mask all but the last 4; however, the store copy masks only the last 3. This is their national standard and is used by the handful of payment processors there. Even worse, until a few years ago, the masking standards were different for Eastern and Western Japan.

As Philip Newton mentioned above, it appears that Germany may also have a similar standard.

William • December 21, 2011 3:34 AM

Here in China, many ATMs print all but four digits of the card number on the transaction receipt. It has always struck me as incredibly stupid, especially in a country with so many fraudsters. I shred my receipts when I no longer need them.

RonK • December 21, 2011 4:51 AM

IIRC, Amazon has a patent on masking out all but the last N digits of a credit card number when reporting/returning feedback on a transaction made via the net. Uggh.

Steve Dispensa • December 21, 2011 3:01 PM

It always annoyed me that the standard is the last four digits, because that's where all the real randomness is. One top-50 bank I'm familiar with issues all their Visa cards with the same first six digits, and they're particularly common in my area (100's of branches in the city). So, if you get a receipt with the last four, plus you have the first six, you're really down to 6 digits. Not that that's nothing, but there are card number formatting rules that further restrict the number of possibilities, and that just assumes that the middle six digits really are as random as possible, which indeed they may not be for other reasons.
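The Luhn structure Carlo Milono lays out above and Steve Dispensa's count of the digits left to guess, worked through as an added example (my code, not anything from the post or its commenters): a Luhn check, a check that a receipt mask stays within the PCI DSS 3.3 limit seph quoted, the union of the masks one card appears under (the two-garage case from the post), and a count of the Luhn-valid PANs consistent with a mask. All card numbers are constructed test values and the `X` mask marker is an assumption.

```python
# Added example, not code from the original post or any commenter.
# Shows why a receipt-format audit must look at the union of all masks
# a card is printed under, and how much the Luhn check digit shrinks
# the candidate space. All PANs are constructed test values.

MASK = "X"  # hidden-position marker, an assumption for this example


def luhn_valid(pan: str) -> bool:
    """Luhn (mod-10) check over the digits of pan; spaces are ignored."""
    digits = [int(c) for c in pan if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pci_mask_ok(mask: str) -> bool:
    """PCI DSS 3.3 as quoted above: at most the first six and the last
    four digits may be visible; every other position must be masked."""
    n = len(mask)
    return all(c == MASK for i, c in enumerate(mask) if 6 <= i < n - 4)


def union_mask(masks: list[str]) -> str:
    """Merge several masked renderings of the same PAN. A position any
    rendering reveals becomes known; conflicting reveals are an error."""
    n = len(masks[0])
    if any(len(m) != n for m in masks):
        raise ValueError("masks describe PANs of different lengths")
    out = []
    for i in range(n):
        seen = {m[i] for m in masks} - {MASK}
        if len(seen) > 1:
            raise ValueError(f"conflicting digit at position {i}: {seen}")
        out.append(seen.pop() if seen else MASK)
    return "".join(out)


def luhn_candidates(mask: str) -> int:
    """Number of Luhn-valid PANs consistent with one masked rendering.
    With h hidden digits there are 10**h strings; since the doubled-digit
    map is a permutation mod 10, exactly one in ten of them passes Luhn,
    which is the 'one fewer masked digit' point Brian makes above."""
    hidden = mask.count(MASK)
    return 10 ** hidden // 10 if hidden else int(luhn_valid(mask))
```

Running `union_mask` over the two receipt formats from the post (all-but-last-four masked, and last-four-only masked) yields the complete PAN, and `luhn_candidates("411111XXXXXX1111")` gives the 100,000 possibilities left once a known six-digit issuer prefix is combined with a last-four receipt.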

Jon • December 21, 2011 5:13 PM

@ Jonathan et al.:

Yes, not only does the waiter disappear with the card, they disappear with the total amount, too.

My parents had, deliberately for lousy service, left a $1 tip on a c'card restaurant bill. Somewhere between the table and the cash register it became an $11 tip, and was charged to the c'card as such...

It's a loophole.

J.

ChoppedBroccoli • December 21, 2011 8:30 PM

@Jon

"""
My parents had, deliberately for lousy service, left a $1
tip on a c'card restaurant bill. Somewhere between the
table and the cash register it became an $11 tip, and
was charged to the c'card as such...
It's a loophole.
"""

Keep your customer copy of the transaction until the transaction actually gets charged to your account. If it's different than you agreed to, dispute the charge with your cc company and you'll have your copy to prove it.

Jon • December 22, 2011 1:43 AM

That's how Mum caught them.

But without verra careful record-keeping on the part of the cardholder, it's easy to get away with.

The exceptional thing here isn't that they did it - it's that they got caught at it.

J.
