Are there ways to guess credit card details?
What's the chance of guessing valid credit card data that could be used to make a payment online? To me, it looks like it's not extremely hard to guess, but I'm not able to calculate the probability. I mean, it's not like it was designed to be as strong as 128-bit keys, which you know you can't really crack. So I wonder if any attacks are possible because of this lower entropy, and if not, why?
It's quite possible to guess credit card details. Choose a known BIN (first six), generate 9 random digits, and then append the appropriate check digit. That's only 1,000,000,000 combinations - high, but listing every single one is certainly doable even on a personal computer. Checking whether your guess is actually valid is harder. Almost every single website will ask for your expiration date and most will also ask for your CVV. Assuming that the card in question will expire within the next four years (standard lifetime of a card), that's still 12*4 possible valid expiration dates. And the CVV is another three digits you would need to guess. All told, that's 10^9*(12*4)*10^3=48,000,000,000,000 combinations - much less feasible.Additionally, you would need to spread your guesses around - throwing them all at a single merchant's website will likely get them shut down by their payment processor for permitting exactly this kind of attack.