Blog Archives

Validate Credit Card Numbers with Regular Expressions

The expressions below account for the IINs (issuer identification numbers) on cards from most major US issuers, which includes validating the leading digits. They should be used in addition to a Luhn algorithm (mod 10) check.

These expressions can be used both client-side and in code-behind to notify your end users of an invalid entry without wasting resources on a failed/invalid post. See the snippet below. The expressions should technically be cross-platform.

Note: although these are very similar to those found on regular-expressions.info, there are some small differences: my examples do not account for the old standards, since those cards are no longer in circulation.

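(C#)

// Requires: using System; using System.Web.UI.WebControls;
// Each card pattern is fully anchored; the trailing "|" lets them be concatenated below.
string vs = @"(^4[0-9]{15}$)|";               // Visa: starts with 4, 16 digits
string mc = @"(^5[1-5][0-9]{14}$)|";          // MasterCard: starts with 51-55, 16 digits
string ax = @"(^3[47][0-9]{13}$)|";           // American Express: starts with 34 or 37, 15 digits
string ds = @"(^6(011|5[0-9]{2})[0-9]{12}$)"; // Discover: starts with 6011 or 65, 16 digits

string expirationmonth = @"^(0?[1-9]|1[0-2])$"; // 1-12, leading zero optional

string ordertotalamount = @"((^[0-9]{1,5}$)|(^[0-9]{1,5}\.[0-9]{1,2}$))"; // does not account for currency symbols

System.Text.StringBuilder sbexp = new System.Text.StringBuilder();
for (int i = 0; i <= 20; i++) // create list of years from now to now+20, the same range Amazon uses for cards
{
    sbexp.Append("(^" + (DateTime.Now.Year + i).ToString() + "$)");
    if (i < 20) // don't append "|" after the last year
    {
        sbexp.Append("|");
    }
}

// On the expiration-year validator:
((RegularExpressionValidator)validator).ValidationExpression = sbexp.ToString();

// On the card-number validator:
((RegularExpressionValidator)validator).ValidationExpression = vs + mc + ax + ds;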
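
The post recommends pairing these expressions with a Luhn mod 10 check; the following is an added example, not the author's code, that combines the two on the server side. The class and method names are hypothetical, American Express is taken as 15 digits, and stripping spaces and hyphens before matching is an assumption.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example: IIN/length pattern check followed by a Luhn mod 10 check.
public static class CardNumberCheck // hypothetical name
{
    // Same prefix and length rules as the expressions above, as one anchored alternation.
    private static readonly Regex Brand = new Regex(
        @"^(4[0-9]{15}|5[1-5][0-9]{14}|3[47][0-9]{13}|6(011|5[0-9]{2})[0-9]{12})$");

    // Luhn: walking from the rightmost digit, double every second digit,
    // subtract 9 when the doubled value exceeds 9, and require sum % 10 == 0.
    public static bool PassesLuhn(string digits)
    {
        if (string.IsNullOrEmpty(digits)) return false;
        int sum = 0;
        bool doubleIt = false;
        for (int i = digits.Length - 1; i >= 0; i--)
        {
            char c = digits[i];
            if (c < '0' || c > '9') return false; // ASCII digits only
            int d = c - '0';
            if (doubleIt) { d *= 2; if (d > 9) d -= 9; }
            sum += d;
            doubleIt = !doubleIt;
        }
        return sum % 10 == 0;
    }

    public static bool IsPlausibleCardNumber(string input)
    {
        if (input == null) return false;
        // Assumption: users may type separators, so remove them before matching.
        string digits = input.Replace(" ", "").Replace("-", "");
        return Brand.IsMatch(digits) && PassesLuhn(digits);
    }

    public static void Main()
    {
        // Publicly documented test card numbers, not real accounts.
        Console.WriteLine(IsPlausibleCardNumber("4111 1111 1111 1111")); // Visa test number
        Console.WriteLine(IsPlausibleCardNumber("4111111111111112"));    // same number, check digit altered
        Console.WriteLine(IsPlausibleCardNumber("378282246310005"));     // American Express test number
    }
}
```

A pass here only means the number is well-formed; it says nothing about whether the account exists or is authorized.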

References
Wikipedia (IIN numbers), http://en.wikipedia.org/wiki/Bank_card_number
Wikipedia (Luhn Algorithm), http://en.wikipedia.org/wiki/Luhn_algorithm
RegularExpressions.info, http://www.regular-expressions.info/creditcard.html

Aldi Stores Credit Card Fraud

A recent article I came across from my Security Focus newsletter inspired my latest post regarding the recent Aldi Credit Card fraud that occurred across 31 states. (See entire article below)

To quote the article’s author:

“It looks like this was the work of a network of criminals who went into stores and somehow distracted store personnel long enough to take out PIN pads and swap them out with retrofitted devices…rogue PIN pads allowed the attackers to capture payment card data wirelessly from within the store itself or from a nearby location…tampering likely occurred over a period of several months…driving the trend is the easy and growing availability of sophisticated counterfeit payment terminal kits…rings of fraudsters, largely from Eastern Europe…same types of fraudsters are organized to attack multiple stores in multiple states simultaneously…”

These kinds of high-level crimes set a dangerous precedent if they increase in popularity. Our current civil authorities, simply put, do not have the level of sophistication required to stop these types of criminals.

A common police protocol in this type of situation might be to review the video tapes for individual stores for the last 6 months; however, most stores do not keep footage for this long, and unless the devices themselves can be traced back to original manufacturing, not many leads could be extracted without the resources of federal investigative units.

This emphasizes the importance of security corporations and organizations assisting these government agencies in any way possible. Federal units are currently highly diversified, and with increased focus on countering violent terrorists, these other acts that are non-violent may get overlooked.

Even with federal and state-wide corporate assistance, there may still be a need for political resources. Groups which organize crimes such as the Aldi Stores fraud may have established rings outside of the country, and fly in trained professionals, either consultants or direct employees, most likely with fake identities, to commit the crimes and then fly back out, etc.

Stopping this kind of international crime will require treaties and the help of many government and corporate agencies, as this clearly indicates the need for international policy to combat all forms of terrorism, even these non-violent actions.

The defense and security of individual nations can only be realized with international cooperation.

I’m sure these realizations and concerns are not mine alone, and I can only hope this same thought is shared among the right people to truly make a difference.

References:
Jaikumar Vijayan. “Aldi data breach shows payment terminal holes”. Computerworld. http://www.computerworld.com/s/article/9189982

October Newsletter. Securityfocus. http://www.securityfocus.com/
