Why Your Saved Credit Card Is Less Safe Than You Think
Key Takeaways
- PCI-DSS lets merchants display the BIN and the last 4 digits of a stored card number, and places no masking requirement at all on the cardholder name and expiration date
- For a 16-digit card number with a 6-digit BIN shown, only 6 digits stay hidden: 1 million combinations, which the Luhn checksum cuts to 100,000 before a single online attempt is made
- 3D Secure only helps where a merchant enforces it; attackers shop around for merchants that don't
The Attack That Shouldn't Work
Metin Ozyildirim thought his virtual credit card was safe. It had spending limits. 3D Secure was enabled. He only saved it to well-known European merchants. Then attackers compromised his account on one of those merchants, and within six hours, they had drained his available balance.
The sequence is instructive. First, an SMS arrived showing a purchase attempt from the site where his card was saved. Ozyildirim reacted fast. He changed passwords, checked for unauthorized purchases, and reduced his card limits. He didn't disable the card entirely because, logically, it shouldn't have been compromised. The attackers only saw what the merchant interface displayed: a masked card number.
Six hours later, 3D Secure authentication requests started arriving from merchants he'd never used. All failed. But the attackers weren't done. They found a merchant that didn't require 3D Secure and made multiple small payments that drained his remaining limit. The money went to an e-wallet that allowed cash withdrawals at physical stores.
What PCI-DSS Actually Allows
The Payment Card Industry Data Security Standard (PCI-DSS) version 4, in Requirement 3.4.1, sets the maximum a merchant may reveal when it displays a stored card number. The rules seem reasonable at first glance.
Merchants can display the BIN and the last 4 digits of the card number; the cardholder name and expiration date are not subject to masking at all. They cannot display the full card number, and they cannot display the CVV/CVC or PIN, because that is sensitive authentication data a merchant is not allowed to keep after authorization in the first place. One detail worth noting: the limit is worded as "BIN and last four". BINs were 6 digits when that wording was written, but issuers have been rolling out 8-digit BINs since 2022.
Here's the problem. A Visa or Mastercard number has 16 digits. If a merchant shows the first 6 and the last 4, only 6 digits remain hidden: 1 million combinations at most, and the Luhn checksum cuts that to 100,000. With an 8-digit BIN on display, only 4 digits are hidden and just 1,000 candidates survive. Enumerating either list offline takes well under a second; the only real cost to an attacker is the online step of trying candidates at a merchant.
The Math Behind the Vulnerability
Card numbers carry a Luhn (mod 10) check digit. For any setting of the other hidden digits, exactly one value of the remaining digit satisfies the checksum, so only one candidate in ten is a syntactically valid card number: 100,000 out of the million. An attacker who knows your BIN, last 4 digits, expiration date, and name therefore has most of what they need. The hidden digits are enumerated and Luhn-filtered offline, before any online attempt; the online attempts are where issuer velocity limits and 3D Secure are supposed to bite.
The CVV remains unknown. But not every merchant requires it, and whether a CVV mismatch leads to a decline is a merchant and issuer decision rather than a rule of the standard. The attackers in Ozyildirim's case found lax merchants through trial and error. And those failed 3D Secure attempts were not wasted: an issuer only sends a 3D Secure challenge for a card number it recognizes, so every challenge that reached his phone confirmed that the reconstructed number was correct, even though the purchase itself failed.
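As an added example (not code from the article or from any payment provider), the following Python enumerates the candidate space that a masked card number leaves open, which is the offline step described above. The BIN and last-4 values are constructed test inputs, and 4111 1111 1111 1111 is the standard Visa test number, not a real card. It goes slightly beyond the text by also covering the 8-digit BIN case.

```python
"""How much of a 16-digit PAN a PCI-DSS mask really hides.

Added example for this article, not code from the original or from any
payment vendor. The BIN, last-4 values and the sample PAN below are
constructed test inputs (4111 1111 1111 1111 is the standard Visa test
number), not real cards.
"""
from itertools import product
from typing import Iterator


def luhn_valid(pan: str) -> bool:
    """Return True when the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    # Walk right to left; every second digit (starting with the second
    # from the right) is doubled, and doubled values above 9 have 9
    # subtracted, which equals summing their two digits.
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def hidden_digits(bin_prefix: str, last4: str, length: int = 16) -> int:
    """Number of PAN digits the mask does not reveal."""
    hidden = length - len(bin_prefix) - len(last4)
    if hidden < 1:
        raise ValueError("mask reveals the whole PAN")
    return hidden


def candidates(bin_prefix: str, last4: str, length: int = 16) -> Iterator[str]:
    """Yield every PAN of the given length that fits the mask and passes Luhn.

    This is the offline step the article describes: nothing here touches a
    merchant or an issuer, it only narrows the list of numbers worth trying.
    """
    hidden = hidden_digits(bin_prefix, last4, length)
    for middle in product("0123456789", repeat=hidden):
        pan = bin_prefix + "".join(middle) + last4
        if luhn_valid(pan):
            yield pan


def search_space(bin_prefix: str, last4: str, length: int = 16) -> dict:
    """Raw and Luhn-filtered candidate counts for a masked PAN.

    Because the Luhn transform of a single digit is a permutation of 0-9,
    exactly one value of any one hidden digit fixes the checksum for each
    setting of the others, so the valid count is always 10**(hidden-1).
    The enumeration confirms that by brute force.
    """
    hidden = hidden_digits(bin_prefix, last4, length)
    enumerated = sum(1 for _ in candidates(bin_prefix, last4, length))
    return {
        "hidden_digits": hidden,
        "raw": 10 ** hidden,
        "luhn_valid": enumerated,
        "expected": 10 ** (hidden - 1),
    }


if __name__ == "__main__":
    # 6-digit BIN (the article's case) versus an 8-digit BIN:
    # same display rule, far smaller search space.
    for bin_prefix in ("411111", "41111111"):
        print(bin_prefix, search_space(bin_prefix, "1111"))
```

With a 6-digit BIN the enumeration yields 100,000 Luhn-valid candidates out of 1,000,000; with an 8-digit BIN it yields 1,000 out of 10,000. The enumeration is the cheap part. Each surviving candidate still needs an online authorization attempt at a merchant, and that is where issuer velocity checks and 3D Secure are supposed to stop the attack.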
Compliance Versus Security
Ozyildirim's account highlights a systemic issue. PCI-DSS sets minimum requirements. Companies implement exactly those minimums to pass certification. When researchers point out that these minimums enable attacks, companies resist changes because they've already passed the compliance audit.
The certification process itself creates perverse incentives. Each additional security measure means more testing, more documentation, more potential audit findings. So companies stop at the bare minimum the standard requires.
The result: consumers assume their saved cards are protected by serious security controls. In reality, the visible data provides enough information for a determined attacker to reconstruct the full card number and shop around for merchants with weak verification.
Logicity's Take
What Attackers Learn From a Failed Purchase
The initial breach gave attackers access to the saved card view. When they attempted a purchase and saw the 3D Secure page, they cancelled. But that single attempt confirmed several things: the card was active, the bank name (visible on the 3D Secure page), and that 3D Secure was enabled for that merchant.
Armed with this information, they could reconstruct the likely full card number and hunt for merchants that either don't implement 3D Secure or have it configured as optional. The European payments landscape is fragmented enough that finding such merchants takes time but remains entirely possible.
The Cash-Out Pipeline
Ozyildirim notes that the final withdrawal went to an e-wallet service that allows cash pickup at retail stores. This is a well-designed cash-out path. The fraudulent card payments top up the wallet, the wallet balance converts to cash at a counter, and the cash disappears. Each step adds distance between the stolen card and the thief.
He got his money back through a chargeback. Most consumers in similar situations would too. But the existence of the vulnerability remains. The next victim might not notice the SMS alerts. The next attacker might move faster.
What You Can Actually Do
- Use virtual cards with tight limits for online shopping. When compromised, the blast radius is smaller.
- Enable transaction notifications for every purchase, not just those over a threshold.
- Don't assume 3D Secure protects you everywhere. Some merchants opt out or configure it as optional.
- Check which merchants have your card saved. Remove it from sites you no longer use.
- Consider cards that generate unique numbers per merchant. Some banks and services offer this.
None of these are perfect. The underlying vulnerability exists at the standard level, not the consumer level. But reducing exposure limits damage when, not if, a saved card gets targeted.
The Broader Problem
Credit card security relies on secrecy of data that's increasingly hard to keep secret. The 16-digit number, printed on the physical card, is the primary credential. The CVV, also printed on the card, is the secondary check. The expiration date is visible. The cardholder name is public information.
Every time you hand your card to a waiter, every receipt with partial card numbers, every saved payment method on every merchant site adds to the attack surface. The system was designed for a world where transactions happened in person and card data stayed on paper slips locked in a drawer.
We no longer live in that world. The standards haven't caught up.
Frequently Asked Questions
Can attackers really brute force credit card numbers?
Yes, and the arithmetic is not the hard part. With 10 digits visible (first 6 and last 4), the 6 hidden digits give 1 million combinations, and the Luhn checksum leaves 100,000 syntactically valid candidates, which can be enumerated offline in well under a second. What limits the attack is the online step: each surviving candidate has to be tried at a real merchant, which is why attackers look for merchants with weak checks.
Does 3D Secure protect against this attack?
Only if every merchant enforces it. Attackers in this case specifically searched for merchants without 3D Secure requirements. The protection is only as strong as the weakest merchant in the payment network.
Are virtual credit cards safer than physical ones?
Somewhat. Virtual cards with low limits cap the maximum loss. Services that generate a unique card number per merchant go further: a number reconstructed from one merchant's saved-card view is useless anywhere else.
Is PCI-DSS compliance enough to protect my card data?
PCI-DSS sets minimums that protect merchants from liability. These minimums don't prevent the brute-force reconstruction attack described here. Compliance and security are not the same thing.
What should I do if I receive unexpected 3D Secure SMS codes?
Disable the card through your banking app immediately; reducing limits is not enough. An issuer only sends a 3D Secure challenge for a card number it recognizes, so unexpected codes mean someone already has your full number and is testing it at different merchants.
Source: Hacker News: Best
Manaal Khan
Tech & Innovation Writer