Two holiday seasons in a row, I worked in retail. One year I sold jewelry at a shopping mall retailer. The second year I sold clothing at an outlet in a strip mall.

Neither was a particularly glamorous position, but they both taught me a great deal. I learned how to visually gauge the quality of diamonds. I learned how to flip sales pitches around from features to benefits and experiences. I learned how to better deal with disgruntled customers frantic for that perfect holiday gift.

I also learned the inherent danger in using debit cards.

## Security

Believe it or not, but debit cards are *incredibly* insecure.

We look at debit cards as part of a 2-factor authorization scheme for spending. The first factor is the debit card number, the second is your unique PIN. Unfortunately, most debit cards can be run as credit instead, meaning you swipe the card and defer authorization to a signature (that may or may not be required/verified by a merchant).

So our only defense against fraud is the 16-digit number used for our unique cards. A 16-digit number has possible combinations, ^{1} which feels like it should be somewhat secure. That is, provides 53 bits of entropy, ^{2} meaning the ability of an attacker to guess *your* specific card number (i.e. to make a purchase with your name and card number for validation) is very unlikely. ^{3}

Unfortunately, debit cards aren’t really this secure.

I noticed a trend while working retail: people who banked with the same institutions tended to have the same first 8 digits on their Visa cards. ^{4} In hindsight, *every card I’ve ever had* from my own bank (where I hold several, independent accounts) has had the same first 8 digits. I actually shocked someone who called in an order once and read their card number over the phone by asking how they liked banking with their specific credit union.

“How’d you know I bank there?”

“Well, I do too, and my card starts with the same 8 numbers.”

With this in mind, it means an attacker who *already knows where you bank* is looking to crack a debit card number with only possible combinations. In probabilistic terms, this means our debit card numbers *really* have only 27 bits of entropy. For a determined attacker (read: card thief) that’s much more approachable. ^{5}

Worse yet, most of those receipts printed out at the cash register contain the last four digits of your card number to help you identify which card you used. Helpful to you, also extremely helpful to anyone trying to steal your money.

Given knowledge of your banking institution *and* a discarded receipt from your Black Friday shopping frenzy, an attacker now only has *four numbers left to guess* to empty your accounts. That’s only possible combinations. Just 13 bits of entopy. ^{6}

Given also that the *last* number on your card is a checksum – used to algorithmically determine whether or not the rest of the number is valid – a determined attacker can whittle these possibilities down in no time at all. The checksum reduces the number of valid card numbers with the already-determined digits by a factor of 10 – **given your banking institution and last 4 card digits, there are only 1000 valid card numbers available.**

The likelihood that someone with the above information could correctly guess and exploit your account becomes astronomical. ^{7}

## Remediation

The easiest way to prevent someone from attacking you in such a way is prevention. Keep an eye on your account statements for fraudulent charges. Ask your institution to re-issue you a card (with a new number) if you think someone has gotten a hold of your information without your knowledge. Use credit cards instead of debit and bank cards as they have stronger consumer protections (i.e. laws and legal processes) against fraud.

Always keep your copy of the store receipt, otherwise it often just ends up in a public trash bin – with your name and last 4 digits proudly emblazoned upon it. Keep track of where the receipts you take end up, too.

And *never* ask an ATM for a receipt and just leave it in the trash next to your bank. Knowing your institution *and* last 4 digits is a major security risk. Don’t make it easier for thieves to steal your data.

Notes:

- Actually, this will be a bit less since card numbers with leading 0s aren’t necessarily valid, but for the sake of argument let’s leave thos in place for now. ↩
- To calculate bits of entropy given a set number of possibilities, calculate . In this case, you’d be looking at . ↩
- Specifically, if an attacker could guess (and validate) 1000 card numbers per second, it would take them
*over 300,000 years*to guess your card number. ↩ - The card format is such that the first digit is an industry identifier, the next 5 digits are an institution identifier, the following 6 identify an account, and the final digit is a checksum for ensuring validity. However many institutions pad their account numbers with the same padding digits, leading the first 8 digits to be identical for all of their card-holders. ↩
- Guessing (and validation) 1000 card numbers per second would take only a day to guess your card number. ↩
- A 1000 guesses per second system would be able to generate your card number in just 10 seconds. ↩
- I built a proof-of-concept cracker and tested it against my own account. Given the information above, it was able to correctly guess my card numbers in an average of just 15 attempts. No, I will not open source or publish that code. Ever. I ran the experiment to prove a point: if your information is public, it’s ridiculously easy for someone to abuse it. They don’t even need to wait for a Target/Home Depot/whoever database hack to surface. ↩