Hacker News

janpeuker, yesterday at 9:12 PM (2 replies)

Payment processors don't allow just brute forcing all card numbers, a.k.a. card enumeration or card testing [1][2], and card schemes penalise merchants and payment processors heavily if they don't take measures against it [3].

1) https://stripe.com/newsroom/news/card-testing-surge

2) https://stripe.com/blog/the-ml-flywheel-how-we-continually-i...

3) https://docs.stripe.com/disputes/monitoring-programs#enumera...


Replies

kodbraker, yesterday at 9:23 PM

The rate they try becomes very infrequent when they use multiple card validation APIs. I'm not sure how it can be related when it's different PAN numbers, different source IPs, etc.

Enumerating CVC2 with a single PAN is a different story.

opengrass, yesterday at 9:50 PM

Until 6 years ago Stripe didn't obfuscate card numbers in API logs at all.
