Numbers Blog: They’re Called Hackers, Not Guessers, For a Reason
When I was under that magical age of 12, I actually experimented with stealing credit card numbers, by punching in random 16-digit numbers during an automated, over-the-phone purchase—for some trashy toy or other from the back pages of a Boy Scout magazine. I suspect a lot of bored children try this, and it simply never works this way. It certainly didn’t for me, and not only because the odds of correctly guessing a single, unknown CC# and its expiration date are psychotically high. If only Gonzalez and Scott had been as clueless as I was then, they’d be as free as I am today.
The main reason I’m not writing this from a medium-security detention center somewhere is that major credit card providers build a pattern into their card numbers, one invented in 1960 by a German IBM man named Hans Luhn (pronounced loon), who was something of an informatics virtuoso: he’d already invented, among other things, a thread-counting gauge for textile-makers, and a punch-card index of compounds for chemists. The pattern permits credit card numbers to be verified quickly and efficiently, and it weeds out fakes in a heartbeat.
It’s based on pretty simple math, and you can do it with your own credit card in seconds. It’s called the Luhn algorithm. Here’s how it works.
Most major credit card companies issue cards with anywhere between 13 and 16 digits—16 here, for the sake of illustration. The leftmost digit, or sometimes the first few, identifies the card issuer: e.g. American Express cards begin with 3, VISAs with 4, MasterCards with 5, and Discover with 6. The digits that follow refer to the individual account. The Luhn algorithm verifies that this 16-digit number could be a valid credit card. Not that it is, only that it could be: this calculation is the first of several gateways a credit card transaction passes through before being okayed.
So, to begin: start with any credit card number. For example, my debit number is
2718 2818 2845 9045
Beginning with the first (or leftmost) digit, multiply every other digit by 2.
(4)7(2)8 (4)8(2)8 (4)8(8)5 (18)0(8)5
Now, add all these newly-gotten digits together. (Digits, not numbers—e.g. forget that the product of 9 and 2 is 18; for this step, it is just a 1 and an 8).
4+7+2+8+4+8+2+8+4+8+8+5+1+8+0+8+6 = 90
What they add up to is called a “checksum.” Is it divisible by 10? If so, you have just verified that this might be a valid credit card. If not, it isn’t. The checksum is the equivalent of a simple password, given merely to qualify to give a longer, much more complicated one.
Try it on scratch paper with your own credit card number. It really works; you will get a multiple of 10 as your checksum. (When you’re done, eat the paper.)
That’s the algorithm, basic and pure. It ensures that 9/10ths of randomly made-up CC #s are immediately invalid, thereby preventing feckless children from being able to randomly guess the one in your wallet. It also allows credit card advertisements to simulate reality. If you’ve ever wondered why every so often, in ads, a credit card number appears to be real—instead of an obvious placeholder like J. SMITH #0000 0000 0000 0000—now you know why it’s invalid. It’s been made to fail the algorithm. For example:
3141 5926 5358 9793
(6)1(8)1 (10)9(4)6 (10)3(10)8 (18)7(18)3
6+1+8+1+1+0+9+4+6+1+0+3+1+0+8+1+8+7+1+8+3 = 77
77/10 = 7 remainder 7
As an added bonus, Luhn’s operation naturally prevents transcription errors. If a CC # gets garbled during a transaction, or if you write it down incorrectly—say you switch two digits or write one out wrong—the algorithm’s output is unlikely to still add up to a multiple of 10, preventing most transcription errors from ever going through. A similar algorithm exists to validate ISBNs, the 10- or 13-digit bar-coded numbers on the back of a book’s cover (and now also in the URL of its Amazon.com item page). It also verifies potential authenticity, and weeds out most transcription errors. This kind of math—dividing a sum by a given factor, and then checking for a remainder—is call modular math. You use it every day, whether you know it or not.
Take a second to calculate what time it will be 50 hours from now. Or estimate—it doesn’t really matter.
Now, whatever your answer, odds are it isn’t something like “61:30” or “57 pm.” Those look bizarre, or should anyway, and modular math is the reason why. When you calculate a time, your brain automatically divides by key factors—12 or 24—and takes the remainder. If you don’t do that exactly, you use the mathematical equivalent, e.g. subtracting 12 from 50 as many full times as possible (four), determining what’s left over (two), and then adding that remainder to the current time. For this reason, modular math can be thought of as clock math: a circular number line that only goes so far, and then starts over.
It has more uses than you might suspect. Thwarting larcenous children is just one.
Note to potential card thieves: neither credit card number used in the article is real, and currently they never could be. Book of Odds apologizes. Both numbers do come from specific sources, though; a quick internet search should tell you what those sources are.
Zachary Turpin is a former librarian and English/math teacher from Austin, TX. He has also lived in New York, London, Charleston, New Zealand, and now Boston. In 2007, he received a Masters in English from the College of Charleston and the Citadel. While teaching mathematics to unwilling sixth graders, he confiscated Rubik’s Cubes from them and has been obsessed with twisty puzzles ever since. He hopes one day to get a dog, and is looking for suggestions.
From The BookOfOdds.com
- A Few More ID Theft Tips (financialplan.about.com)
- Officials: Teen put $500 of pizza on stolen cards (seattletimes.nwsource.com)
- Officials: Teen put $500 of pizza on stolen cards (sfgate.com)
- How to Quickly Clear Your Credit Cards (helpwithdebtnow.com)
- Jail For Government Credit Card Misuse (order-order.com)
- Credit Card Bonus Initial Offers (pinkbananaworld.com)
- Credit card fraud without a computer (seattletimes.nwsource.com)
- Even Boring Form Data Can Be Interesting (For A Developer) (skorks.com)
- Here’s Your Halloween Costume: Miss Charge It Credit Card (slog.thestranger.com)