First four vs. last four
Last week, I heard something interesting about credit card numbers. Someone that I was talking to claimed that a recent study showed that over 95 percent of people can be tricked into thinking an email is actually from their bank if the email includes the first four digits of their credit card number. We're used to seeing the last four digits being used this way, and that makes some sense, but the first four digits really aren't suitable for being used this way.
In a 16-digit credit card number, the first six digits form the issuer identification number (IIN) that identifies the bank that issued the card. The next nine digits are the account number, and the last digit is a checksum that's calculated from the previous 15 digits. In most cases, it's fairly easy to guess the IIN. There's a list of known prefixes to IINs here, and some of these are very easy to guess. In some cases, the first four digits are actually the same for fairly broad categories of cards.
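The layout described above can be made concrete with a short script. This is an added example, not code from the original post: it assumes the checksum is the standard Luhn check digit, and the IIN and account numbers are constructed sample values, not real cards.

```python
def luhn_check_digit(first15: str) -> int:
    """Return the digit that makes first15 + digit pass the Luhn test."""
    total = 0
    # Walk right to left; the rightmost of the 15 digits is doubled first.
    for i, ch in enumerate(reversed(first15)):
        d = int(ch)
        if i % 2 == 0:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return (10 - total % 10) % 10


def split_pan(pan: str) -> dict:
    """Split a 16-digit card number into the fields the text describes."""
    if len(pan) != 16 or not pan.isdigit():
        raise ValueError("expected exactly 16 digits")
    return {
        "iin": pan[:6],        # issuer identification number
        "account": pan[6:15],  # nine-digit account number
        "check": pan[15],      # checksum over the previous 15 digits
        "luhn_ok": luhn_check_digit(pan[:15]) == int(pan[15]),
    }


def make_pan(iin: str, account: str) -> str:
    """Build a syntactically valid number from an IIN and account number."""
    body = iin + account
    return body + str(luhn_check_digit(body))


# Constructed sample data: one made-up IIN, three made-up account numbers.
SAMPLE_IIN = "400000"
CARDS = [make_pan(SAMPLE_IIN, a) for a in ("123456789", "987654321", "555000111")]


def first_four_values(cards):
    """Distinct first-four prefixes; one per issuer prefix, not per customer."""
    return {c[:4] for c in cards}


def last_four_values(cards):
    """Distinct last-four suffixes; these vary with the account number."""
    return {c[-4:] for c in cards}


if __name__ == "__main__":
    for card in CARDS:
        print(split_pan(card))
    print("distinct first four:", len(first_four_values(CARDS)))
    print("distinct last four: ", len(last_four_values(CARDS)))
```

Every card from the same issuer prefix shares its first four digits, so a message quoting them shows knowledge of the issuer, not of the customer's account.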
I haven't been able to find the paper that this discussion was based on, but I wouldn't be surprised if it does exist. People in the payments industry know the structure of card numbers and know that the first four digits of a card number aren't a good way to authenticate someone. The average guy on the street probably doesn't know that, but that might need to change. Apparently, it's becoming necessary for people to learn more about payments processing than they really want to know.




