Luhn Checksum Explained

GovernmentSecurity.org > The Archives > Exploit Articles

what

Aug 3 2004, 12:10 AM

Now, I realize that this is a computer information security site, and that the relevance of this may be questioned, but through different pursuits in the computer hacking world, we come across many different areas. This may be a little "off topic", but the information is what I think is important, and hopefully will help and at the same time be harmless.

If you're coming into this to figure out how to create credit card numbers for profit and general anarchy, its time you leave, because this tutorial is not here to teach you how, nor will it teach you to steal.

The Luhn Checksum is an algorithem (if you could even really call it that) which is used to generate and validate credit card numbers. The main concept in a sentence is "you take the first number, multiply by two, if greater than ten, subtract nine, and at the end and a number that would make the sum of the entire string equal to fifty." Got that? Well, if not, lets break it down a little further.

We start with this valid credit card number: 4461317377382017. You can try to use it all you want, it won't work. You need a name, telephone number, and it this case since it is a visa platinum card number, you need a four digit security code on the back of it. Now, say we want to validate this as a credit card number.

4(2)=8| 4 |6(2)=12-9| 1 |3(2)=6| 1 |7(2)=14-9| 3 |7(2)=14-9| 7 |3(2)=6| 8 |2(2)=4| 0 |1(2)=2| 7 |

Now take a look at the equation above. We multiply every other number by two. If that number is greater than ten, we subtract nine. Lets take a look at the number after all of that has been completed.

8+4+3+1+6+1+5+3+5+7+6+8+4+0+2+7

In this case, the seven on the end is our checksum. It is used to make sure that the credit card number is equal to fifty. For the example number that we are using here, it is equal to seventy, which still meets the Luhn checksum rules, but not the credit card company's.

Anyways, the reason this is so easy to do is because a mass amount of numbers had to be able to be created, and making a too far advanced algorithem would take too much time. So security was loosened for profit, and now identity theft is costing credit card companies millions, if not billions of dollars a year. I wrote some POC code below that can generate REAL credit card numbers (visa only). Just showing that an eighteen year old kid with enough time and effort can figure out way too much.

CODE

Private Sub Command1_Click()
Dim CCnumber As Integer
Dim Validate As Variant
Dim CC2 As Integer
Dim CC3 As Integer
Dim CC4 As Integer
Dim CC5 As Integer
Dim CC6 As Integer
Dim CC7 As Integer
Dim CC8 As Integer
Dim CC9 As Integer
Dim CC10 As Integer
Dim CC11 As Integer
Dim CC12 As Integer
Dim CC13 As Integer
Dim CC14 As Integer
Dim CC15 As Integer
Dim CC16 As Integer
Dim Checksum As Variant
Dim Finalnumber As Variant
Again:
'Visa, length 16
'Mastercard, length 16
'Discover, length 16
'Amex, length 15
'DinersClub, length 14
If Mastercard.Value = True Then CCnumber = Random(51, 55)
If Discover.Value = True Then CCnumber = 6011
If Amex.Value = True Then CCnumber = Random(34, 37) 'Different, 15
If DinerClub.Value = True Then CCnumber = Random(300, 305) 'Different, 14
If Visa.Value = True Then CCnumber = 4
CC2 = 0
CC3 = 0
CC4 = 0
CC5 = 0
CC6 = 0
CC7 = 0
CC8 = 0
CC9 = 0
CC10 = 0
CC11 = 0
CC12 = 0
CC13 = 0
CC14 = 0
CC15 = 0
Finalnumber = 0
Checksum = 0
Validate = 0
CC2 = Random(0, 9)
CC3 = Random(0, 9)
CC4 = Random(0, 9)
CC5 = Random(0, 9)
CC6 = Random(0, 9)
CC7 = Random(0, 9)
CC8 = Random(0, 9)
CC9 = Random(0, 9)
CC10 = Random(0, 9)
CC11 = Random(0, 9)
CC12 = Random(0, 9)
CC13 = Random(0, 9)
CC14 = Random(0, 9)
CC15 = Random(0, 9)
CC16 = Random(0, 9)
Finalnumber = 0
Finalnumber = CCnumber & CC2 & CC3 & CC4 & CC5 & CC6 & CC7 & CC8 & CC9 & CC10 & CC11 & CC12 & CC13 & CC14 & CC15
CCnumber = CCnumber * 2
CC3 = CC3 * 2
CC5 = CC5 * 2
CC7 = CC7 * 2
CC9 = CC9 * 2
CC11 = CC11 * 2
CC13 = CC13 * 2
CC15 = CC15 * 2
Checksum = 0
If CC3 >= 10 Then CC3 = CC3 - 9
If CCnumber >= 10 Then CCnumber = CCnumber - 9
If CC5 >= 10 Then CC5 = CC5 - 9
If CC7 >= 10 Then CC7 = CC7 - 9
If CC9 >= 10 Then CC9 = CC9 - 9
If CC11 >= 10 Then CC11 = CC11 - 9
If CC13 >= 10 Then CC13 = CC13 - 9
If CC15 >= 10 Then CC15 = CC15 - 9
Validate = 0
Validate = CCnumber + CC2 + CC3 + CC4 + CC5 + CC6 + CC7 + CC8 + CC9 + CC10 + CC11 + CC12 + CC13 + CC14 + CC15
If Validate > 50 Then GoTo Again
If Validate = 50 Then GoTo Done
If Validate < 50 Then GoTo Try
If Validate > 50 Then GoTo Try2
Do
Checksum = Checksum + 1
Validate = Validate + 1
Loop While Validate <> 50
Finalnumber = Finalnumber & Checksum
GoTo Done
Try:
Do
Checksum = Checksum + 1
Validate = Validate + 1
Loop While Validate <> 50
GoTo Done
Try2:
Do
Checksum = Checksum - 1
Validate = Validate - 1
Loop While Validate <> 50
Done:
Finalnumber = Finalnumber & Checksum
If IsValid(Finalnumber) = True Then CredCard.BackColor = vbGreen
If IsValid(Finalnumber) = False Then CredCard.BackColor = vbRed
If IsValid(Finalnumber) = True Then CredCard.Text = Finalnumber
End Sub

Yes I know it's written in VB, yes I know its the worse language EVER, but for educational reasons, it is probably the best code to read and actually understand. It is only incomplete because of a few missing commands in the Form_Load area, but if you're smart you can figure it out. No, I will not post a compiled version. I actually turned this code into an mIRC bot, guess I just became bored and had way too much time on my hands. Anyways, this is more of a "just if you were wondering" tutorial, instead of the hyped up "how to hack into every computer" tutorial. I like ideas such as this, and getting them down to a process (as in a program) is always a challenge I like. Again, I hope this helps some people, and don't be STUPID and try to use it. You will get caught, and I hope you do.

This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.