Skip to content

Ashley Madison : The Danger of The Last 4 Numbers

K

I am sure that everyone has heard that the popular dating website that specialized in marriage infidelity was hacked a few weeks ago. The brazen hackers have essentially open-sourced the entire AshleyMadison.com website and released several massive database dumps containing customer profiles, customer details (name, address, email address, phone number) and a limited amount of payment information including the last 4 digits of the credit card number. Several people I have spoken to in person do not see this as a threat as you would need the entire card number (and CVV2) before you can use the card for fraud. I have to disagree as it is fairly trivial to turn the last 4 digits of the credit card number into the entire credit card number using nothing more then a phone and a bit of charisma.

Before I begin I need to add a small disclaimer. This post will NOT contain any data from the real AshleyMadison Database, we will be using a completely fictitious customer with fake details. I will not tell anyone where to obtain this dump and do not advise anyone actually try to download this dump as there are a lot of fake dumps that contain malware. This post is also for educational purposes only, actually doing any of the actions I use in this demonstration is a federal crime. There is a lesson that I hope everyone learns by the end of this post as I will also include information you can use to protect yourself against this form of social engineering.

Turning the last 4 digits of a credit card number into the entire credit card number is actually very simple and it starts with obtaining a very small amount ofpersonal information about your victim. Fortunately we can obtain everything we need from the Ashley Madison Database Dump.

Entry NameEntry Value
First NameRonald
Last NameLump
Address Ln11234 Anywhere Street
Address Ln2Apt 201
Zip Code99929
StateVA
Phone Number(111)-867-5309
Last 4 Digits of Card8874
Card TypeVISA
Exp Date11/2022

With the information above, we have almost everything we need to go on a spending spree. Ideally you would want to choose a local victim as it will take longer to set off any red-alarms at the bank. If you spend $500 at an out of state electronics store, it will set off some red flags but if you take that same $500 and spend it at a local store to the victim, it will likely go through unnoticed. We only need the full credit card number and the remaining credit card digits so we only need to pick up a phone and nicely ask … the victim… to provide the missing information. This may sound insane and hard but if you read this script, you will see exactly how easy it is to do.

Hello, This is Roger Irobya from the Visa Card Services Fraud Prevention Service. We are calling you this afternoon to let you know that we have reason to suspect that your credit card ending in 8874 may have been compromised and I would like to take a moment to read back a few charges that were done recently to ensure that they were made my you. Before I can discuss any further details with you, I do need to verify that I am indeed speaking to Mr Ronald Lump by asking you a few security questions. Do you currently have your Visa Card ending in 8874 in your possession?

Would you please provide me the card number so I can verify that I am indeed speaking to Mr Lump?

Thank You and for your security, would you please turn your card around and provide me with the 3 digit code you see on the back.

Thank you, I have verified your identity. We noticed and blocked an attempted charge for $1,833.23 to purchase a BMX mountain bike in Mexico City, Mexico as it looked suspicious. Can you advise if this purchase was attempted from you?

Great, we have already declined this transaction and no funds were charged to your account. We will be sending you a new card in the next several days to be on the safe side. We will also continue to monitor your card to keep an eye out for anything abnormal while your new card is being sent. Feel free to continue using your card and activate the replacement once it comes in the mail.

No, thank you very much Mr Lump.

It is that simple, you can essentially read the script above and most people will willingly provide you with all of the information you need to go on a shopping spree on their dime thanks to the perception that you are calling from their bank. They let their guard down as they feel that you are looking out for their best interest. The key is to sound confident, like you have been making these calls for years. This is a very effective strategy for Social Engineering and like magic, it has the power to transform the last 4 digits of a credit card number into the entire number and CVV2. Fortunately with a small amount of education, you do not have to fall victim to this.

Remediation

This section will cover three simple tipsthat will greatly minimize your risk from being a victim in these types of attacks.

  1. Keep Up to date with the news to learn about websites and stores that may have had their member database compromised. The frequency of these attacks are only increasing. If you have used your credit card at any of these places, you should call your bank and have your card re-issued. Most banks will willingly do this as it also limits their risk as well, just make sure that you have other cards that you can use or cash. Aside from AshleyMadison.com, many other brick and mortar sites have also been compromised including HomeDepot and Target.
  2. Watch your bank statements and report any suspicious charges immediately
  3. Beware of calls from your bank that ask you for a large amount of personal information. When the bank calls you, they already have your account details on the screen so they will not need to ask you for your entire card number and you will NEVER be asked for the 3 digits on the back or your ATM PIN. At most, they will ask you to verify the last 4 of your social and your mailing address. Most banks will also have some sort of a security question as well. You will also never be asked for your online banking username or password. Your bank will also never call from a Blocked Number. Another red flag is to look out for overly generic terms like “VISA Fraud Services” or “Mastercard Fraud Services”, your bank will always use their name “Bank of America Fraud Prevention Services”. When you are in doubt, pretend you are having phone issues and call the bank back ONLY on the number listed on the back of your card, never a number given over the phone. When you call your bank, describe the call you got and they will advise you if it was indeed from them, if it was not ask for your card to be re-issued.