On 2012-11-28 11:18 PM, Juan Alberto Cirez wrote:

I was just playing with my android phone when I clicked on the movie play store. Just for kicks I selected a movie to rent to see what happened next: The "enter credit card info" box came on and I just dumped a random string of numbers a few times as I was debating whether to use my internet credit card or not...

The shocking part was not only did Google allow me to keep entering numbers over and over again...but it let me know when one of these combinations turned up a valid number and the card type!!!

I immediately closed the app, of course. Granted it asked for other pieces of information as well; but the fact that it confirms that the string of numbers is valid is just a frightening thought...WOW!!

Is this a potential flaw...?

No. The last digit of a credit card number is a check digit, which is used to ensure that the number is entered correctly before it's submitted to a payment processor to validate. This is used to catch common mistakes like digit swap errors before going out and checking it. Once you enter valid information, the data you enter would still be validated by the payment processor and banks before the transaction is permitted.

http://en.wikipedia.org/wiki/Luhn_algorithm has a description of the algorithm.

Card numbers are actually a well defined format too. http://i.stack.imgur.com/Cu7PG.jpg has more details, but some common card number formats are (there are others too of course):
MC: 16 digits, starts with 51 to 55
Visa: 13 or 16 digits, starts with a 4
American Express: 15 digits, starts with 34 or 37

Think of it this way - the check digit is to catch the more obvious mistakes we make when entering the number, but the payment processor still needs to check that the card is valid, not stolen, cancelled, has money remaining on it, etc. All those other things happen in addition to the simpler client-side check that's done to catch a simple mistype without having to make you wait seconds to minutes for the validation to complete. A lot of sites don't do the client side check and rely only on the payment processor, but this is something that can be done to give a better user experience.

Jamie

--
Jamie Furtner [email protected]
"I aim to misbehave"
- Malcolm Reynolds (Serenity movie)
"It's not safe...
"For them."
- River Tam (Serenity movie)
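The client-side check Jamie describes, as an added example that is not part of the thread: a Luhn validator plus a classifier using the prefix/length rules quoted above, run over constructed test-style numbers (not real accounts). It also shows why a random string "validating" tells an attacker almost nothing: for any 15-digit prefix exactly one check digit passes, so about one in ten random strings does.

```python
"""Luhn check-digit validation and card-format classification (added example)."""
from typing import Optional

# Constructed sample numbers for demonstration only; their sole property is
# that they satisfy the Luhn check, like the test numbers processors publish.
SAMPLE_VISA = "4111111111111111"
SAMPLE_MC = "5500000000000004"
SAMPLE_AMEX = "378282246310005"


def luhn_valid(number: str) -> bool:
    """True if `number` (digits only) passes the Luhn check.
    Working right to left, every second digit is doubled (minus 9 if the
    result exceeds 9); the number is valid when the total ends in 0."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def card_type(number: str) -> Optional[str]:
    """Classify by the prefix/length rules quoted in the message.
    A match says the string is card-shaped, not that a live account exists."""
    if not number.isdigit():
        return None
    n = len(number)
    if number.startswith("4") and n in (13, 16):
        return "Visa"
    if 51 <= int(number[:2]) <= 55 and n == 16:
        return "MasterCard"
    if number[:2] in ("34", "37") and n == 15:
        return "American Express"
    return None


def transpose(number: str, i: int) -> str:
    """Swap the digits at positions i and i+1: the typing slip Luhn catches."""
    s = list(number)
    s[i], s[i + 1] = s[i + 1], s[i]
    return "".join(s)


def valid_check_digits(prefix: str) -> list:
    """All single digits d for which prefix + d passes Luhn (always one)."""
    return [str(d) for d in range(10) if luhn_valid(prefix + str(d))]
```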


_______________________________________________
clug-talk mailing list
[email protected]
http://clug.ca/mailman/listinfo/clug-talk_clug.ca
Mailing List Guidelines (http://clug.ca/ml_guidelines.php)