Vulnerable Credit Card Applications
I went to an OWASP meeting last year where I heard someone in passing mention testing credit card applications with the credit card company’s default cards. After doing quite a bit of research I uncovered a pretty thorough list of all possible test credit card numbers and test check numbers used for testing purposes. Why is this interesting? Well thanks to shoddy programming, often the default credit card numbers are left in the system for quality assurance testing. In most cases tests less than $1000 USD will go through if they are still enabled.
Some companies, like Cybersource remove this option once the site goes live. However, developers, in their ingenious know-how, often code the loopholes in manually so they can continue development on the platform after the site has gone live. Here is the most complete list of test credit card numbers and test check numbers on the net (at the time of writing):
Possible test credit cards:
- Visa: 4111111111111111 (16) Characters
- Visa: 4012888888881881 (16) Characters
- Visa: 4007000000027 (13) Characters
- Visa: 4222222222222 (13) Characters
- MasterCard: 5431111111111111 (16) Characters
- MasterCard: 5424000000000015 (16) Characters
- MasterCard: 5105105105105100 (16) Characters
- MasterCard: 5555555555554444 (16) Characters
- MasterCard: 5500000000000004 (16) Characters
- MasterCard: 5276440065421319 (16) Characters
- American Express: 370000000000002 (15) Characters
- American Express: 340000000000009 (15) Characters
- American Express: 341111111111111 (15) Characters
- American Express: 378282246310005 (15) Characters
- American Express: 371449635398431 (15) Characters
- American Express: 372425119311008 (15) Characters
- American Express Corporate: 378734493671000 (15) Characters
- Discover: 6011000000000012 (16) Characters
- Discover: 6011000000000004 (16) Characters
- Discover: 6011601160116611 (16) Characters
- Discover: 6011111111111117 (16) Characters
- Discover: 6011000990139424 (16) Characters
- Diners Club: 38520000023237 (14) Characters
- Diners Club: 30569309025904 (14) Characters
- Diners CLub: 30000000000004 (14) Characters
- Carte Blanche: 30000000000004 (14) Characters
- JCB: 3530111333300000 (16) Characters
- JCB: 3566002020360505 (16) Characters
- JCB: 3088000000000008 (16) Characters
- JCB: 3566111111111113 (16) Characters
- EnRoute: 201400000000009 (15) Characters
- Australian BankCard: 5610591081018250 (16) Characters
Possible test checks:
- Possible test Check Numbers (MICR)
- Check# 1001 Routing# 12345678 Account# 0439085000
- Check# 1001 Routing# 12345678 Account# 0439085001
- Check# 1001 Routing# 12345678 Account# 0439085002
- Check# 1001 Routing# 12345678 Account# 0439085003
- Check# 1001 Routing# 121000358 Account# 2222222222
- Check# 1001 Routing# 121042882 Account# 4100
- Check# 1001 Routing# 121107882 Account# 4101
- Check# 1001 Routing# 071923284 Account# 4102
- Check# 1001 Routing# 122101191 Account# 4103
- Check# 123 Routing# 12345678 Account# 0123456789
- Check# 123 Routing# 12345678 Account# 067890
Happy Auditing!
April 12th, 2007 at 8:22 am
pls can i know the procedure that i can use to get other peoples credit card information online since they have been doing same to mine?
thanks
May 19th, 2008 at 8:55 am
Please i really want to know how to get other peoples’ bank and credit card informations, i will make good use of them. I am an old man with alot of money, i do not know what to do with this money, i have done so much in africa, and now i want to give the money out through credit cards, that it what my mind tells me.
May 19th, 2008 at 10:24 am
@Charles - well since you are doing a Nigerian 419 scam, I would assume the best possible way to “give money” to an unsuspecting person is to get them to get someone to give you a bunch of credit information. But seriously, you can rip people off elsewhere. This isn’t the right place for that. Hence our post to the same: http://www.fthe.net/blog/?p=3
June 13th, 2008 at 12:23 pm
Nice if hacking