Don’t Post Images of Your Credit Card Online
Yes, people actually do that and an account I’ve been following @NeedADebitCard aggregates credit card photos on Twitter. Not all images are relevant but many are. Credit card fraud is a serious issue as is, with all our connectivity to the World Wide Web and technology that allows us to be “social” that makes many people act irresponsibly, aggravates this.
And some people actually think there’s nothing bad in posting parts of the card. Yet, the same people have no understanding of which parts are safe to display and which are not. General rule – don’t show your credit card at all, especially online for the general public to view. I have wiped out the critical information in my version of the image as to stop the propagation of this nonsense. The cardholder pasted the image in the clear. Size is taken from the original.
This was a recent image shared via Instagram and Twitter. The person’s peers left 20+ “aww”-type comments, and nobody pointed out that it might have been a bad idea. A sane person on Twitter did so, and the cardholder responded with confidence that it was not a problem since not all the information is available. Now, see, what you get when you don’t understand the technology you use every day?
The cardholder’s screenname contained her name, so the missing name on the left side is not missing any more. The first four digits are a BIN, a Bank Identification Number (or IIN, Issuer Identification Number). We know the issuer – Capital One, it’s a MasterCard Platinum. Quick search through the many BIN lists available online yielded the first 6 digits of the card – 517805, with the last two digits to confirm a match, plus upon closer inspection you can see digits two and three of the BIN in black under the silver numbers, a 7 and an 8 (look under the finger on the left).
After pointing out the bits of “concealed” information that I’ve managed to find out in under 5 minutes, the cardholder took down the image.
Quite excellent. Even if say the last 4 digits were somehow concealed, Luhn’s Algorithm would decrease the search space quite a bit, leaving a handful of valid numbers (probably, whoever does the math gets some kudos). We’re missing the CVV, but we have the rest – issue and expiry date, photo of the card, photo of the person, and a whole bunch of other photos of the person online (identity fraud anyone?). And the CVV part is not an issue in many CNP (card-not-present) points of sale.
Is posting images of your credit card online bad? Without doubt. And teach your children to be highly responsible when using modern technology, and think twice, no matter how confident they are.
Be safe.
The Luhn algorithm decreases the keyspace by 1/10. So if 3 random digits are missing (not the BIN), there are 100 possible valid numbers. If 4 digits are obscured, 1000 possibilities.
You won’t believe this, but I was just running tests for this in Python (I’m not too good at math)! Another person posted an image of their card and blotted out 4 numbers, ran a test and came back with only 1000 numbers to try. Thanks for your input; what a coincidence!
yeah, I was curious a few days ago and wrote a script myself in perl using Algorithm::LUHN that does the same thing.
my friend posted his visa credit card online with the last four digits covered by his thumb, im been trying to find a way to figure out what they are but i cant find anything. Is there anyway you could help me?
Like the above states there are 1000 possible valid numbers, without actually trying to charge the card (which is certainly illegal) there’s no way to find out.
I cant believe that people actually post their credit card images online.
These people should know that they will get in serious trouble if the police find out about this. I suppose they already have. There are children out there who feel like it’s ‘okay’ to use someone’s credit card just because they posted it online. Also, if you use someone’s credit card, police can use date and time to track you down so… be warned!
Hi, I have a question related to this topic: I bought some clothes from an online site. I had to pay with my credit card, so the site asked me for some information like: cardholder’s name, issue and expiry date and CVV. The weird thing is that, after giving them the information required they sent me an e-mail telling me to send them a picture with my last 4 digits(on the back of the card) and another one like the picture which was posted on twitter. Is it that normal? It never happened me again and I have no idea what to do about it.
Alexandra, some merchants do have a high percentage of fraud and will make customers go through additional verification steps. Some might ask you to send a photo of your ID even. But this is very rare, and had they had the intent of stealing your card details the information you put in the site would be enough, the photo of the card is not needed. This would make me think that they’re indeed just scared that you’re using stolen details without having the actual card on hand and just want to check.
You should use PayPal or virtual debit cards issued by your bank for online purchases to stay safe. Let me know if you have any more questions or concerns.
My son posted a pic of my card on Facebook I’ve taken it down and cancelled the card, can you suggest any. Further steps I should take?
Sorry to hear this, Sarah. You did the right thing by cancelling right away. Pretty sure you talked to your son about how secret credit cards should be, so you should be fine 🙂