****** Card Validation



SyntaXmasteR
09-14-2007, 06:20 PM
Here are some ****** card validation scripts I wrote. It first validates the ****** card, then returns the type of card based on the ****** card number provided. It works on ******card, ****, Discover, American Express.


<?php

/* CREDIT CARD VALIDATION FUNCTIONS */
//////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////

// RETURNS 1 FOR VALID
// RETURNS 0 FOR INVALID

function validate_creditcard($card_number){
    // Strip spaces BEFORE the length check so spaced input is measured correctly
    $card_number=str_replace(' ', '', $card_number);
    if(strlen($card_number)<17 && strlen($card_number)>12){
        if(ctype_digit($card_number)){

            // Luhn (mod 10) check: double every second digit, counting from the right
            if( (strlen($card_number)%2)==0){ $i=0; } else{ $i=1; }
            $odd=get_odd_sum($card_number,$i);

            // The remaining digits are taken as they are
            if( (strlen($card_number)%2)==0){ $i=1; } else{ $i=0; }
            $even=get_even_sum($card_number,$i);

            // Concatenate both strings, then add up the single digits (18 counts as 1+8)
            $combined_odd_even=$odd . $even;
            $final=add_numbers($combined_odd_even);

            if($final%10==0){ return(1); } else{ return(0); }
        } else { return(0); }
    } else { return(0); }
}

// Returns the doubled digits, concatenated as one string
function get_odd_sum($card_number,$i){
    $odd_sum='';
    while(isset($card_number[$i]))
    {
        $odd_sum .= ((int)$card_number[$i]*2);
        $i=$i+2;
    }
    return($odd_sum);
}

// Returns the undoubled digits, concatenated as one string
function get_even_sum($card_number,$i){
    $even_sum='';
    while(isset($card_number[$i]))
    {
        $even_sum .= $card_number[$i];
        $i=$i+2;
    }
    return($even_sum);
}

// Adds up every digit of the combined string
function add_numbers($combined_odd_even){
    $i=0;$final=0;
    while(isset($combined_odd_even[$i])){
        $final=$final+(int)$combined_odd_even[$i];
        $i++;
    }
    return($final);
}

//////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////



/* CREDIT CARD TYPE */
//////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////

// CHECKS FOR MASTERCARD, VISA, DISCOVER, & AMERICAN EXPRESS
// RETURNS Unknown IF NO MATCH IS FOUND
// EXPECTS THE NUMBER WITH SPACES ALREADY REMOVED

function get_card_type($card_number){
    // REFERENCE
    if(strlen($card_number)==16){
        if($card_number[0].$card_number[1]>=51 && $card_number[0].$card_number[1]<=55){
            return("Mastercard");
        }else if($card_number[0]==4){
            return("Visa");
        }else if($card_number[0].$card_number[1].$card_number[2].$card_number[3]==6011){
            return("Discover");
        }
    }else if(strlen($card_number)==13){
        if($card_number[0]==4){
            return("Visa");
        }
    }else if(strlen($card_number)==15){
        if($card_number[0].$card_number[1]==34 || $card_number[0].$card_number[1]==37){
            return("American Express");
        }
    }

    return("Unknown");
}
//////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////
//////////////////////////////////////////////////////////



/*
THIS IS THE START OF THE SCRIPT
*/
// is_string() rejects array input such as ?card[]=...
if(isset($_GET['card']) && is_string($_GET['card'])){
    // Normalise once so validation and type detection see the same digits
    $card=str_replace(' ', '', $_GET['card']);
    if(validate_creditcard($card)){
        echo "VALID CARD - TYPE: " . get_card_type($card);
    }else{
        echo "INVALID CARD";
    }
}

Ezekiel
09-15-2007, 06:15 AM
You'd need to check the numbers against algorithms for each type (e.g. ****) -- I believe these are publicly available.

However, algorithms won't ensure that a ****** card number is real; just that it conforms to the algorithm and possibly could be genuine.

What you'd need to do is check the ***2 codes in addition to the above, and I don't think the algorithms for those are in the public domain.

(This is where my knowledge gets sketchy.)

***2 codes are generated by the card manufacturers using a proprietary, hidden algorithm that takes into account the ****** card number and several other factors before producing the end result of a *-4 digit number [usually] on the back of the card.

As far as I know, only they can generate this number and only they can verify it. Totally different to validating ****** card numbers according to a publicly-known algorithm.

If a website only checks user-submitted ****** card numbers against the public algorithm, they are wide open to fraud. There are many ****** card number generators that simply use the algorithm to produce the number. I heard that this sort of fraud was incredibly easy 5-*0 years ago.

If a site requires ***2 codes, they can theoretically prevent fraud. As far as I know, they query the card-issuer (****) with both these numbers and they'll respond with whether they both conform to their algorithms or not.

Some of that is probably wrong, but you get the idea.

Now, something that has been on my mind recently has been the shortness of the ***2 code. On my card, it is three digits.

Think about it; if you generate a ****** card number, there are only *** possible ***2 combinations, and one of them is correct.

Now think how long it would take to perform a brute-force attack ranging from 000 to ***.

They probably lock the card or something after a certain amount of failed attempts, but this could be done slowly (perhaps five attempts per day) until the correct combination was reached.

If an attacker ran these brute-force attempts simultaneously on many different ****** card numbers and many different websites, they could discover valid combinations regularly.

I don't take part in ****** card fraud, but it's an interesting (yet dangerous) idea nonetheless.
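
A detection-side view of the slow, spread-out guessing described in the post above, as an added example that is not part of the original thread: counting security-code declines per card over a long window catches activity that stays under a per-day lockout. It assumes the party running it (a processor or issuer) sees declines from several merchants; the field names, thresholds, key and sample events are all constructed for illustration.

```php
<?php
const WINDOW_SECONDS = 30 * 86400; // assumed look-back: 30 days, not one day
const MAX_MISMATCHES = 10;         // assumed per-card threshold within the window

// Keyed hash so the decline log never holds the card number itself.
function card_token(string $pan, string $key): string
{
    return hash_hmac('sha256', $pan, $key);
}

// Returns card token => ['mismatches' => n, 'merchants' => m] for cards over the threshold.
function find_slow_guessing(array $events, int $now): array
{
    $count = [];
    $merchants = [];
    foreach ($events as $e) {
        if ($e['result'] !== 'code_mismatch' || $e['ts'] < $now - WINDOW_SECONDS) {
            continue; // only security-code declines inside the window count
        }
        $count[$e['card']] = ($count[$e['card']] ?? 0) + 1;
        $merchants[$e['card']][$e['merchant']] = true;
    }
    $flagged = [];
    foreach ($count as $card => $n) {
        if ($n > MAX_MISMATCHES) {
            $flagged[$card] = ['mismatches' => $n, 'merchants' => count($merchants[$card])];
        }
    }
    return $flagged;
}

// Constructed sample data (placeholder card identifiers, hypothetical merchants).
$key = 'demo-key-not-for-production';
$now = 1190000000;
$a = card_token('CARD-A-PLACEHOLDER', $key);
$b = card_token('CARD-B-PLACEHOLDER', $key);
$events = [];
for ($day = 0; $day < 6; $day++) {
    foreach (['shop-1', 'shop-2', 'shop-3'] as $m) { // 3 declines a day, under a daily limit of 5
        $events[] = ['ts' => $now - $day * 86400, 'card' => $a, 'merchant' => $m, 'result' => 'code_mismatch'];
    }
}
// Card B: one mistyped code followed by a successful payment.
$events[] = ['ts' => $now - 3600, 'card' => $b, 'merchant' => 'shop-1', 'result' => 'code_mismatch'];
$events[] = ['ts' => $now - 3500, 'card' => $b, 'merchant' => 'shop-1', 'result' => 'approved'];

foreach (find_slow_guessing($events, $now) as $card => $info) {
    printf("%s... %d mismatches across %d merchants\n",
        substr($card, 0, 12), $info['mismatches'], $info['merchants']);
}
```

Only card A is flagged here; a single merchant running the same check would see just its own third of the declines, which is why the aggregation point matters.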

SyntaXmasteR
09-15-2007, 11:23 AM
You will never be able to determine if the actual card is active and real until you process it through a ****** card processing company, of course. This is already known by everyone.

The script does validate the ****** card numbers based on the checksum base*0 and the flagged numbers from each company. It is impossible to determine if a card is "Real" until you actually send it off for processing.

Then, the person behind the computer might have stolen the card. You can never be sure of that either.

But that's not what the script does. It validates ****** card numbers based on each company's standards. If a card does not fit into these standards, you DON'T allow the visitor to complete their checkout.

blanchard
10-27-2007, 04:52 AM
Hello, my name is blanchard and I would like to be in contact with you. My email is louis.pascal @ yahoo.fr. Add me to your messenger if you have

Moonbat
10-27-2007, 10:19 PM
SyntaX isn't really active here now, he recently stopped coming here so he could work on his supercomputer project.

Ezekiel
10-28-2007, 03:25 AM
Yeah, and I stopped coming here recently to work on my life. Look how that turned out.

I think we'll be seeing Syntax sooner than you think.

NAKOTOFURY
11-01-2007, 09:23 PM
so fucking useful thanks dude ;)