Attempted fraud on Bank of Ireland credit card

Sunny · 22 Mar 2022

Peanuts20 said:
It's actually very easy to guess the 16 digits

the first 6 digits signify the bank and the card issuer. You can look those up online in about 5 seconds for each bank

the last digit is a checksum digit

so therefore you need only guess 9

The 16 digits adhere to an alogrythm called a Luhn alogrythm so with a competent number generator hooked up to a Luhn algorythm, it would be easy to work out card numbers. If you actually understand how the algorythm works (and it's not rocket science and after all, this is a fraudsters livelihood) you could probably work it out by hand or on excel in a few minutes. I used to work in a bank and if we got a damaged cheque, sometimes we'd have to work out account number by hand if you were missing a few digits. It's not hard (although in the case of a cheque it is only 14 digits, 6 digit sort code, 8 digit account, so easier)

the harder thing to guess is the expiry date (one chance in 36) and the CVV number (one chance in 999) but again, bots can try things automatically. Hence the growing complexity of captcha's and MFA.

I'm not encouraging fraud here by the way!!

I know that but the chances of guessing the correct card number together with the correct expiry date together with the correct CVV numbers would require billions of attempts. Add in the the fact that one couple using 4 different cards were targeted 4 times in three months makes this statistically impossible. Add in the fact that no payment processor will allow brute force attacks like that. The card details are being compromised in some way. Or else someone really wants a spotify account and doesn't want to admit it to the other person....

Peanuts20 · 22 Mar 2022

Sunny said:
I know that but the chances of guessing the correct card number together with the correct expiry date together with the correct CVV numbers would require billions of attempts. Add in the the fact that one couple using 4 different cards were targeted 4 times in three months makes this statistically impossible. Add in the fact that no payment processor will allow brute force attacks like that. The card details are being compromised in some way. Or else someone really wants a spotify account and doesn't want to admit it to the other person....

there is almost certainly at least one retailer that the OP does business with leaking details, whether that retailer are even aware of it is another question. That might not even be an online retailer, plenty of example out there of card details being harvested as POS terminals.

In most cases, the full details of an online transaction should be masked. My point is that it is a doddle for a competent fraudster to work out the 16 digits if they only have partial details and the rest are not that difficult either, especially if you throw a bit of computer power at it. It's no different to the robot calls from Amazon we are probably all plagued with these days. Fraudsters know 99.9% of their efforts fail, they make their living on the fraction that gets through.

Lucius Lamb · 22 Mar 2022

circle said:
If you have the card registered to apple pay / wallet, you benefit from getting the new card available to use on your phone immediately, with no waiting for a card to be sent out, which is great here, invaluable if you were travelling. Not sure if similar is available via google pay or other banks?

Thanks Circle. Didn't realise that replacement card could appear on my Google Pay before the physical card arrives in the post. I haven't tried to use the new G-Pay card yet but looks like it's there if I need it. For now I've reverted to cash.

Lucius Lamb · 22 Mar 2022

Peanuts20 said:
there is almost certainly at least one retailer that the OP does business with leaking details, whether that retailer are even aware of it is another question. That might not even be an online retailer, plenty of example out there of card details being harvested as POS terminals.

In most cases, the full details of an online transaction should be masked. My point is that it is a doddle for a competent fraudster to work out the 16 digits if they only have partial details and the rest are not that difficult either, especially if you throw a bit of computer power at it. It's no different to the robot calls from Amazon we are probably all plagued with these days. Fraudsters know 99.9% of their efforts fail, they make their living on the fraction that gets through.

The odd thing is that my spouse's card has been compromised the most. It's inactive, hasn't been used online, offline or anywhere else for year, so there's no data trail for fraudsters to get their hands on. This suggests it's just pot luck and random number generation, which was BoI's explanation.

NoRegretsCoyote · 22 Mar 2022

Lucius Lamb said:
It's inactive, hasn't been used online, offline or anywhere else for year, so there's no data trail for fraudsters to get their hands on.

Has it literally never been used? If it was used years ago the data could have been stored and recently compromised.

Peanuts20 · 22 Mar 2022

Lucius Lamb said:
The odd thing is that my spouse's card has been compromised the most. It's inactive, hasn't been used online, offline or anywhere else for year, so there's no data trail for fraudsters to get their hands on. This suggests it's just pot luck and random number generation, which was BoI's explanation.

Bear in mind that the breech could have occurred over a year ago and the details have just recently been sold on the dark web as part of a broader cache of numbers

Cervelo · 22 Mar 2022

Lucius Lamb said:
The odd thing is that my spouse's card has been compromised the most. It's inactive, hasn't been used online, offline or anywhere else for year, so there's no data trail for fraudsters to get their hands on. This suggests it's just pot luck and random number generation, which was BoI's explanation.

I think for this to happen that many times in such a short period of time seems a bit odd to say the least
My thinking would be where is the CC during the day, is it always on or with your spouse??

Sunny · 22 Mar 2022

Lucius Lamb said:
The odd thing is that my spouse's card has been compromised the most. It's inactive, hasn't been used online, offline or anywhere else for year, so there's no data trail for fraudsters to get their hands on. This suggests it's just pot luck and random number generation, which was BoI's explanation.

Have either of you ever held a Spotify account?

Lucius Lamb · 22 Mar 2022

NoRegretsCoyote said:
Has it literally never been used? If it was used years ago the data could have been stored and recently compromised.

At a guess, I'd say the card hasn't been used in the past 10 years and certainly not in the past five years.

Lucius Lamb · 22 Mar 2022

Cervelo said:
I think for this to happen that many times in such a short period of time seems a bit odd to say the least
My thinking would be where is the CC during the day, is it always on or with your spouse??

Card is buried somewhere in spouse's purse, which thankfully hasn't been robbed or interfered with to our knowledge.

Lucius Lamb · 22 Mar 2022

Sunny said:
Have either of you ever held a Spotify account?

Neither of us have Spotify accounts

Attempted fraud on Bank of Ireland credit card

Sunny

Registered User

Peanuts20

Registered User

Lucius Lamb

Registered User

Lucius Lamb

Registered User

NoRegretsCoyote

Registered User

Peanuts20

Registered User

Cervelo

Registered User

Sunny

Registered User

Lucius Lamb

Registered User

Lucius Lamb

Registered User

Lucius Lamb

Registered User

Attempted fraud on Bank of Ireland credit card

Registered User

Registered User

Registered User

Registered User

Registered User

Registered User

Registered User

Registered User

Registered User

Registered User

Registered User

Privacy & Transparency

Privacy & Transparency