An Algorithm for Credit Cards
by Crazed Luddite & Murdering Thug
K00l/RaD Alliance!

Transcribed from 2600 Volume Seven, Number Three (Autumn, 1990)
by Psyberdelic Relic - 12/25/90

As some of you know, the credit card companies (Visa, MC, and American Express) issue card numbers which conform to a type of checksum algorithm. Every card number will conform to this checksum, but this is not to say that every card number that passes this checksum is valid and can be used; it only means that such a card number can be issued by the credit card company.

Often this checksum test is used by companies which take credit cards for billing. It is often the first step in checking card validity before attempting to bill the card; however, some companies stop here. Some companies only check the first digit and the card number length, others use this very convenient algorithm, while others continue on to check the bank ID portion of the card number with a database to see if it is a valid bank. These tests are designed to weed out customers who simply conjure up a card number. If one were to try to guess at an Amex number by using the right format (starts with 3 and 15 digits long), only about 1 in 100 guesses would pass the checksum algorithm.

Why do companies use the algorithm for verification instead of doing an actual credit check? First, it's much quicker (when done by computer). Second, it doesn't cost anything. Some credit card companies and banks charge merchants each time they wish to bill or verify a card number, and if a merchant is in a business where a lot of phony numbers are given for verification, this can become rather costly. It is a known fact that most, if not all, online services (i.e., Compuserve, Genie, etc.) use this method when processing new sign-ups. Enough said about this, you take it from here.

The majority of transactions between credit card companies and merchants take place on a monthly, weekly, or bi-weekly basis.
Such bulk transactions are much less expensive to merchants. Often a company will take the card number from a customer, run it through the algorithm for verification, and bill the card at the end of the month. This can be used to your advantage, depending on your situation.

If you trade card numbers with your friends, this is a quick way to verify the numbers without having to call up the credit card company and thus leave a trail. Also, a few 1-800 party line type services use this algorithm exclusively because they don't have a direct link to credit card company computers and need to verify numbers real fast. Since they already have the number you're calling from through ANI, they don't feel it necessary to do a complete credit check. I wonder if they ever heard of payphones.

Here's how the algorithm works. After the format is checked (correct first digit and correct number of digits), a 21212121... weighting scheme is used to check the whole card number. Here's the English pseudocode:

    check equals 0
    go from first digit to last digit
        product equals value of current digit
        if digit position from end is odd then multiply product by 2
        if product is 10 or greater then subtract 9 from product
        add product to check
    end loop
    if check is divisible by 10, then card passed checksum test

Here is a program written in C to perform the checksum on a Visa, AMEX or MC card. This program can be easily implemented in any language, including ACPL, BASIC, COBOL, FORTRAN, PASCAL or PL/I. This program may be modified, with the addition of a simple loop, to generate credit card numbers that pass the algorithm within certain bank prefixes (i.e., Citibank). If you know the right prefixes, you can generate valid card numbers (90 percent of the time).

-----------------
/* CC Checksum Verification Program
   by Crazed Luddite and Murdering Thug
   of the K00l/RaD Alliance! (New York, London, Paris, Prague.)

   Permission is given for free distribution.

   "Choose the lesser of two evils. Vote for Satan in '92" */

#include <stdio.h>
#include <string.h>

int main (void)
{
    char cc[20];
    int check, len, prod, j;

    printf ("\nAmex/MC/Visa Checksum Verification Program");
    printf ("\nby Crazed Luddite & Murdering Thug\n");

    for (;;)
    {
        printf ("\nEnter Card Number [w/o spaces or dashes.] (Q to quit)\n:");
        if (scanf ("%19s", cc) != 1)     /* bounded read; stop on end of input */
            break;

        if ((cc[0] == 'Q') || (cc[0] == 'q'))
            break;                       /* exit infinite loop, if 'Q' */

        /* Verify Card Type */
        if ((cc[0] != '3') && (cc[0] != '4') && (cc[0] != '5'))
        {
            printf ("\nCard number must begin with a 3, 4, or 5.");
            continue;
        }
        else if ((cc[0] == '5') && (strlen (cc) != 16))
        {
            printf ("\nMastercard must be 16 digits.");
            continue;
        }
        else if ((cc[0] == '4') && (strlen (cc) != 13) && (strlen (cc) != 16))
        {
            printf ("\nVisa numbers must be 13 or 16 digits.");
            continue;
        }
        else if ((cc[0] == '3') && (strlen (cc) != 15))
        {
            printf ("\nAmerican Express numbers must be 15 digits.");
            continue;
        }

        /* Perform Checksum - Weighting list 2121212121212121.... */
        check = 0;                       /* reset check to 0 */
        len = (int) strlen (cc);
        for (j = 1; j <= len; j++)       /* go through entire cc num string */
        {
            prod = cc[j - 1] - '0';      /* convert char to int */
            if ((len - j) % 2)
                prod = prod * 2;         /* if odd digit from end, prod=prod*2 */
                                         /* otherwise prod=prod*1 */
            if (prod >= 10)
                prod = prod - 9;         /* subtract 9 if prod is >=10 */
            check = check + prod;        /* add to check */
        }

        if ((check % 10) == 0)           /* card good if check divisible by 10 */
            printf ("\nCard passed checksum test.");
        else
            printf ("\nCard did not pass checksum test.");
    }

    return 0;
}
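
Added example (not part of the original article or its program): the same 2121... checksum written as a function that tolerates spaces and dashes and rejects other characters, plus an exhaustive count of which typing errors it lets through on one number. The names luhn_check and missed_errors and the sample string are constructed for this illustration; the sample is not a card number.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* 1 = passes, 0 = fails, -1 = malformed. Spaces and dashes are skipped. */
int luhn_check(const char *s)
{
    int sum = 0, ndigits = 0;
    for (size_t i = strlen(s); i-- > 0; ) {      /* walk from the last digit */
        unsigned char c = (unsigned char)s[i];
        if (c == ' ' || c == '-') continue;
        if (!isdigit(c)) return -1;
        int prod = c - '0';
        if (ndigits++ % 2 == 1) prod *= 2;       /* 2121... weights from the end */
        if (prod >= 10) prod -= 9;
        sum += prod;
    }
    return ndigits == 0 ? -1 : sum % 10 == 0;
}

/* Count corruptions of a passing, digits-only string that still pass:
   swap=0 tries every single-digit substitution, swap=1 every exchange of
   two adjacent, different digits. */
int missed_errors(const char *good, int swap)
{
    char buf[32];
    int missed = 0;
    if (strlen(good) >= sizeof buf) return -1;
    strcpy(buf, good);
    for (size_t i = 0; good[i]; i++) {
        if (swap && good[i + 1] && good[i] != good[i + 1]) {
            buf[i] = good[i + 1]; buf[i + 1] = good[i];
            missed += luhn_check(buf) == 1;
            buf[i + 1] = good[i + 1];
        }
        for (char d = '0'; !swap && d <= '9'; d++)
            if (d != good[i]) { buf[i] = d; missed += luhn_check(buf) == 1; }
        buf[i] = good[i];                        /* restore before next position */
    }
    return missed;
}

int main(void)
{
    const char *sample = "12345678093";  /* constructed, not a card number */
    printf("check=%d missed_subs=%d missed_swaps=%d\n", luhn_check(sample),
           missed_errors(sample, 0), missed_errors(sample, 1));
    return 0;
}
```

For the sample, every single-digit substitution fails the check and the only adjacent swap that still passes is 09 exchanged for 90. The checksum is a typo filter; passing it says nothing about whether a number was ever issued, which is why a merchant that stops at this step has verified nothing about the card.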