Messing with Credit Card Scammers

Yesterday, we had a scammer call into the office from “Visa” offering to lower our credit card interest rates. It was actually a pretty decent scam, because he was able to pull publicly available information about his target (name and address), give the phone number. Since it was a slow afternoon, we decided to mess with him a little.

His objective was to get credit card information out of us – our objective was to keep him busy as long as possible so that he couldn’t try and scam someone that would actually fall for it. Our guy was on the phone beside me, and after the introductory spiel was asked for his card’s issuing bank , and what type of card it was (ie. Standard/Gold/Platinum/Infinite), as well as the last 12 digits of the card number – for “verification purposes,”of course.

This is pretty clever, actually. The first 6 digits of a credit card are considered well known and identify the issuing bank and type of card. So, given the bank, type and last 12 digits, he can use a service like BinDB or even the Wikipedia page to figure out the full 16 digit number while saying say that he doesn’t have to ask for it.

Our guy started out by just making up a credit card number. That, unfortunately, didn’t fly. The scammer’s system performed at least a basic validation on the credit card number using the Luhn Algorithm, and it came up as invalid, so he asked us for the full 16 digit number.

Fortunately, it is very easy to generate a credit card number that will pass the validity check, but is not useful in any other way. We used www.getcreditcardnumbers.com, cross-referenced against the Wikipedia page to produce a different credit card number, and gave that to him, saying “try this one instead”. It validated against his system, so he asked us for the expiry date and CVV. Fortunately for our purposes, these don’t matter unless they try to run a transaction against the card, so we made some up. At this point, satisfied, he tried to get us to give him another card, but we were done wasting his time.

In the end we strung him out for about 25 minutes before we got bored of it and ended the call. If you get the chance, you should do the same. Try checking out the tools that I’ve mentioned here and have some fun of your own.