Great idea.. I could definitely see myself using this in e-commerce testing.
However, some of the wording seems a little vague to me. It says "they are completely fake" and calls them "fake credit card numbers," but I do not see any mention of (what seems to me) the inevitable possibility that the algorithm might pop out a legitimate number. I have no idea what are the odds of that happening (possibly very low), but if it's possible, can you really call them "fake"?
Even if an in-use credit card number is generated, you would still need the name, expiration date and cvv2 to complete most online purchases. Depending on the vendor, you may also require the billing address of the cardholder.
It's somewhat unlikely that this tool will generate many "real" account numbers, as the Bank Identification Number field is being randomly generated as well. These account numbers only satisfy the Luhn check for validity.
You might find these links interesting, they explain credit card data in depth:
Hey there, I made this. I'm not good with words, I'll definitely give you that. What I tried to say on the page is that you can't/shouldn't (someone has since told me there could be a shady website that might try to charge a card with only a number - this seems unlikely because anyone can generate these as the algorithm is in the public domain but yeah) use these for anything because you just have a random number which happens to validate. You will need more in order to buy anything. I've learnt that the expiration date together with the number can be sufficient, but you usually need a 3 or 4 digit sequence as a confirmation code as well.
As stated there (although as you said, poorly worded), the other use case by "normals" is for things like finding out how much it would cost to ship something from amazon before you actually want to buy etc.
Thanks, I know you need other information to process a number, and you made that very clear. I'm also not really sure how to word it better. I was mainly just thinking of the chance (probably extremely low) of someone seeing their real number on there and thinking, 'hey, they have my real number in there', and getting really angry/upset...
Worse than that, I can imagine a testing scenario where someone actually tries to authorize transactions against these numbers, expecting failure. If at some point a number succeeds, then you have just committed fraud.
If it were that easy to abuse a credit card number on its own, then credit card fraud would be much, much higher than it is.
That's because the format of the credit card number is well known[1] and conforms to an ISO standard[2]. Numbers generated using publicly known issuer identifiers can then (usually) be checked for potential validity by running it through a standard checksum called the Luhn algorithm.[3] The Wikipedia article for the algorithm even helpfully provides a working Python script to do the work for you.
This is all well known stuff, and I seem to recall there being a joke file of "hacked" credit card numbers in the late 90s which I believe was just a list of numbers generated this way.
If the code on darkcoding helped you build your project (we have the exact same card issuers), could you give attribution?
It would also be very cool if you open-sourced that site. The code on darkcoding is GPL, not AGPL, so you're not required to. Would still be cool of you :-)
I'll clean it up and open-source it when I have a bit of time! I used your prefixes and based my code on yours for what I did, I've already put you in the footer, but heroku's git server is acting up, as soon as I can it'll be online with a link back to you!
"If you've ever found yourself trying to try a product online which required a credit card, even when you just want to take a look, you know why we made this. "
Could I get an example? Off the top of my head I can't think of any sites that require a credit card, but don't authorize or charge it.
If you're not american, this can also come in handy when you want to register a new App Store account and are tired of having to trick the UI every time because of stupid country limitations.
If the App Store requires a valid credit card, I'm surprised they don't try to do a preauth for $1.00 or something similar to validate your information. (I'm unfamiliar if this is actually the case as I don't generally use OS X / iOS.)
http://www.tech-faq.com/test-credit-card-numbers.html