Wednesday, June 14, 2006

The last five digits attack

Yesterday I was out at NetSec doing the last speaking engagement I currently have scheduled for this year. I sat in on the presentation by Jonathan Rusch of the DoJ on phishing.

Jonathan showed a phish in which the target was presented with a form where the first six digits of the credit card number were already filled in: 1234-56**-****-****.

The point is that the first six digits are the Bank Identification Number (BIN). They are public, so filling them in costs the phisher nothing and lends the form credibility. The perpetrator asks the victim to fill in the rest.

This got me thinking about the security of receipts, which print the last four digits of the card number and the cardholder name. In many cases the issuing bank, and hence the BIN, can be guessed from the location where the card is used. So all the perpetrator needs to guess is the remaining six digits.

The last digit on the card is a checksum (the Luhn check digit) that depends on all the other digits, and it is one of the four digits printed on the receipt. The check works in both directions: if you know the check digit and any 14 other digits, you can calculate the one that is missing. So of the six hidden digits only five are free, and all the perpetrator needs to do is guess those five: 100,000 possibilities rather than a million.

For many small banks guessing the remaining five digits is easy: they are 00000, 00001, 00002, or for a larger, longer-established bank, 00003.

There are two possible fixes for this problem: long and short. The long-term solution has to be to get rid of the reliance on static account numbers for security entirely. Strong authentication such as Chip and PIN in Europe, or OATH one-time passwords, which in effect give an account number that changes every time it is used, is the way to go.

In the short term, banks must make sure that their account numbers have enough randomness to be unguessable even when four digits are revealed. Instead of putting the account number itself on the card, put a value derived from the account number and a secret key in a cryptographically secure fashion, so that knowing one card's digits says nothing about the next card issued.
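As an added worked example, not code from the original post: the script below carries the arithmetic of the two preceding paragraphs through. It recovers the Luhn check digit, enumerates every 16-digit card number consistent with a known BIN and the last four digits from a receipt (showing the space is 10^5, not 10^6, and that a sequentially numbered account falls at the very start of the enumeration), and then shows one shape the short-term fix could take: a surrogate number derived from the internal account id with HMAC under an issuer key and Luhn-completed. The BIN 123456, the account ids and the key are constructed placeholders, and the surrogate scheme is a hypothetical illustration, not any issuer's actual method.

```python
"""
Added worked example; not code from the original post. It shows the
arithmetic behind the "last five digits" attack and a keyed surrogate
number of the kind proposed as the short-term fix. The BIN 123456, the
account ids and the key are constructed placeholders, not real issuer data.
"""
import hashlib
import hmac
from itertools import product
from typing import Iterator

DIGITS = "0123456789"


def luhn_sum(number: str) -> int:
    """Luhn weighted sum of a complete number, check digit included.
    Every second digit from the right (starting with the digit left of
    the check digit) is doubled, with 10..18 folded to 1..9."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total


def luhn_valid(number: str) -> bool:
    return number.isdigit() and luhn_sum(number) % 10 == 0


def luhn_check_digit(body: str) -> str:
    """The digit that makes body + digit Luhn-valid."""
    return str(-luhn_sum(body + "0") % 10)


# Inverse of the doubling step: Luhn contribution -> digit that produced it.
_UNDOUBLE = {0: 0, 2: 1, 4: 2, 6: 3, 8: 4, 1: 5, 3: 6, 5: 7, 7: 8, 9: 9}


def solve_missing_digit(template: str, pos: int) -> str:
    """Given every digit except the one at index pos, return the unique
    digit there that makes the whole number Luhn-valid. It is unique
    because a single position's contribution is a bijection on 0..9."""
    need = -luhn_sum(template[:pos] + "0" + template[pos + 1:]) % 10
    doubled = (len(template) - 1 - pos) % 2 == 1
    return str(_UNDOUBLE[need] if doubled else need)


def candidate_pans(bin6: str, last4: str) -> Iterator[str]:
    """Every 16-digit PAN consistent with a known BIN and the last four
    digits printed on a receipt. The last four include the check digit,
    so of the six hidden digits only five are free: 10**5 candidates,
    not 10**6. Enumeration order 00000, 00001, ... is deliberate: it is
    the order a sequentially numbering issuer handed them out."""
    assert len(bin6) == 6 and len(last4) == 4
    for free in product(DIGITS, repeat=5):
        template = bin6 + "".join(free) + "?" + last4
        yield template.replace("?", solve_missing_digit(template, 11))


def guesses_needed(real_pan: str) -> int:
    """1-based position of real_pan in the attacker's enumeration."""
    for n, cand in enumerate(candidate_pans(real_pan[:6], real_pan[-4:]), 1):
        if cand == real_pan:
            return n
    raise ValueError("not a Luhn-valid 16-digit PAN")


def surrogate_pan(bin6: str, account_id: str, key: bytes) -> str:
    """Hypothetical illustration of the short-term fix: the nine account
    digits on the card are HMAC-SHA256 of the issuer's internal account
    id under a secret key, reduced to nine decimal digits and
    Luhn-completed. The issuer keeps the table from surrogate back to
    account; without the key, one card's digits say nothing about the
    next card issued. A real deployment must also detect and re-issue
    on the rare collision in the 10**9 space."""
    mac = hmac.new(key, account_id.encode(), hashlib.sha256).digest()
    body = bin6 + f"{int.from_bytes(mac, 'big') % 10**9:09d}"
    return body + luhn_check_digit(body)


if __name__ == "__main__":
    # Sequential issuer: account 000000001 under placeholder BIN 123456.
    pan = "1234560000000017"
    print(pan, luhn_valid(pan), "guesses needed:", guesses_needed(pan))
    # The same account behind a keyed surrogate number.
    print(surrogate_pan("123456", "000000001", b"issuer-secret-key"))
```

Run as a script it reports that the sequentially numbered card is the attacker's first guess, then prints a surrogate number that still carries the BIN and passes the Luhn check but cannot be extrapolated from a neighbouring card.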

(This has been edited since posting)
