Checksums

By Charles Miller

A few weeks back, I received a phone call from a gang of fraudsters pretending to be Amazon.com when they called me to confirm my credit card number, expiration date, and CVC. I knew immediately that a scam was in the offing, so I toyed with the caller intending to waste as much of his time as I possibly could. Over and over again, I gave the crook the wrong credit card numbers. The exchange went something like this:

Me: “The number is four seven five…”

Scammer: “Wait. There’s no letters. You said B. Is that B really an eight?”

Me: “No, it’s B as in Bunko.”

Even then, the dimwit crook persisted in trying to get a credit card number, and I continued frustrating him for almost a half hour before he hung up on me.

Something about that call that annoyed me was the way the crook was able to instantly tell when I had given him a wrong credit card number. I had hoped to waste more of his time with a fake credit card number, but no. The reason for this is something called a “checksum.”

In computer-speak, a checksum is a value embedded within a set of data to give a quick way to determine whether errors have been introduced into that data set during storage or transmission. For example, if a data set is “1236,” the data could be “123” and the checksum 6 (1+2+3). Credit cards contain a single-digit checksum that allows a computer, or anyone familiar with the formula involved, to read the 16 digits and instantly determine with a high degree of accuracy if the number is valid.

One simple way to generate a checksum is the following:

Step 1: Double the value of alternate digits of the account number beginning with the second digit from the right.

Step 2: Add the individual digits comprising the products obtained in Step 1 to each of the unaffected digits in the original number. The total obtained in Step 2 must be a number ending in zero (30, 40, 50, etc.).

Credit card issuers use a more complex mathematical formula called the Luhn algorithm, the real purpose of which is to protect against accidental errors, not malicious attacks. This is why when you use your credit card online, you might have noticed that if you accidentally enter a wrong digit, the computer tells you instantly that the number is not valid. When you do enter the credit card number correctly, it takes longer as you wait for the computer to connect to your bank to verify your account standing, credit limit, name, address, etc. Then, after all that, it returns you to the web page where you are making your purchase. The checksum saves both you and the bank the time that would have been wasted looking up a mistyped account number.
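The two steps above, written out as an added example that is not part of the original article. It goes a little further than the text by counting which typing mistakes the check catches. The function names and both sample numbers are constructed for illustration and are not real accounts.

```python
def normalize(number: str) -> str:
    """Drop the spaces and hyphens people use when reading a number aloud."""
    return number.replace(" ", "").replace("-", "")

def step_total(digits: str) -> int:
    """Step 1 and Step 2 of the article, returning the Step 2 total."""
    total = 0
    for pos, ch in enumerate(reversed(digits)):
        d = int(ch)
        if pos % 2 == 1:      # second, fourth, ... digit from the right
            d *= 2            # Step 1: double it
            if d > 9:
                d -= 9        # digits of the product: 16 -> 1 + 6 = 7
        total += d            # Step 2: add everything up
    return total

def is_valid(number: str) -> bool:
    """True when the total ends in zero; letters fail outright."""
    s = normalize(number)
    if len(s) < 2 or not (s.isascii() and s.isdigit()):
        return False
    return step_total(s) % 10 == 0

def undetected_single_digit_errors(number: str) -> int:
    """Count one-digit typos that would still pass the check."""
    s = normalize(number)
    return sum(
        is_valid(s[:i] + wrong + s[i + 1:])
        for i, right in enumerate(s)
        for wrong in "0123456789" if wrong != right
    )

def undetected_adjacent_swaps(number: str) -> list:
    """Positions i where swapping digits i and i+1 still passes."""
    s = normalize(number)
    return [
        i for i in range(len(s) - 1)
        if s[i] != s[i + 1]
        and is_valid(s[:i] + s[i + 1] + s[i] + s[i + 2:])
    ]

# Constructed sample numbers, not real accounts.
SAMPLE = "7992 7398 713"
SAMPLE_09 = "120907"       # contains an adjacent 0 and 9

if __name__ == "__main__":
    print(is_valid(SAMPLE), is_valid("7992 7398 710"), is_valid("4B5"))
    print(undetected_single_digit_errors(SAMPLE))
    print(undetected_adjacent_swaps(SAMPLE), undetected_adjacent_swaps(SAMPLE_09))
```

Every single mistyped digit fails the check, and so does swapping two neighbouring digits unless the pair is a 0 and a 9. Passing only means the digits are consistent with each other; whether the account exists is still settled by the bank lookup described above.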

In my case, I wanted to waste as much of the scammer’s time as possible, but the checksum kept warning the crook I was not giving him the correct number. I had to fall back on pretending to be a bumbling idiot: “Wait, I think that number I just read was my Public Library card number. Hold on while I look around here for a magnifying glass.”

Charles Miller is a freelance computer consultant, a frequent visitor to San Miguel since 1981, and now practically a full-time resident. He may be contacted at 415 101 8528 or email FAQ8@SMAguru.com.