Posted on 5 Comments

Luhn algorithm (credit card number check)

Andrew Dashin wrote about this. Basically, the function verifies whether a credit card number could be valid, using the number’s internal checksum algorithm.

I had the C code from long ago, and I think I even converted it to PHP at some point. It’s out there and it’s no secret (try googling for the Luhn algorithm). But I don’t use it any more. Or, to rephrase: you really don’t want to do this check.

From discussions with credit card experts a few years ago, I have learnt that they prefer you to feed pretty much any entered number to them, and then just act on what result they send back. This allows the banks and credit card gateways to better track fraud attempts.

This may sound odd, but it does make sense. It’s not so hard to generate numbers that pass the Luhn test. But if someone does an attack using a list of random or pre-generated numbers, the gateways can do better analysis and track the attempt if they get all the attempts, rather than just the ones that pass the check. If they don’t see all the attempts, they may not realise it’s an attempt at all.

I know, it’s a fine line here between user friendliness (turnaround time to tell the user they’ve made a typo) and security. But this is credit cards we’re talking about: the less fraud the better. Please consider.
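To make the trade-off concrete, here is an added example (not code from the original post) that puts the Luhn mod-10 checksum next to the minimal "N digits" sanity check the post recommends. The idea is that a site keeps the Luhn result for its own fraud monitoring but never uses it to decide what gets forwarded to the gateway; the length bounds and the sample numbers are assumptions chosen for illustration.

```python
# Added example: Luhn (mod 10) checksum beside the post's "N digits only" check.
# The length bounds (13..19) are an assumption, not a rule from the post.

def digits_only(raw: str) -> str:
    """Strip spaces, dashes and anything else that is not a decimal digit."""
    return "".join(c for c in raw if c.isdigit())


def luhn_valid(raw: str) -> bool:
    """Return True if the digits of `raw` satisfy the Luhn mod-10 checksum.

    Walking from the rightmost digit, every second digit is doubled; a doubled
    value above 9 has 9 subtracted. The number passes if the sum is 0 mod 10.
    """
    digits = [int(c) for c in digits_only(raw)]
    if len(digits) < 2:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # second, fourth, ... digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def basic_sanity(raw: str, min_len: int = 13, max_len: int = 19) -> bool:
    """The only client-side check the post keeps: is it N digits at all?"""
    n = len(digits_only(raw))
    return min_len <= n <= max_len


def prepare_for_gateway(raw: str) -> dict:
    """Decide what to do with an entered number, following the post's advice.

    Everything that is plausibly a card number (right digit count) is
    forwarded to the gateway unchanged, so the gateway sees every attempt.
    The Luhn result is recorded only as a local signal for fraud analysis.
    """
    number = digits_only(raw)
    return {
        "number": number,
        "forward": basic_sanity(number),   # never gated on the Luhn result
        "luhn_ok": luhn_valid(number),     # kept for your own monitoring only
    }


if __name__ == "__main__":
    # Constructed inputs; the first two are widely used test values.
    for sample in ("4111 1111 1111 1111", "79927398713", "79927398710", "1234"):
        print(sample, prepare_for_gateway(sample))
```

Running the block shows that "79927398710" (a one-digit typo of a Luhn-valid value) is still forwarded: the site logs `luhn_ok: False` for its own analysis, but the gateway, not the site, makes the rejection decision.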


5 thoughts on “Luhn algorithm (credit card number check)”

  1. You know, you’re right, particularly.
    It is not hard to generate a valid CC number. So this check just validates whether the current number is a CC number or not, and not more.

  2. I know. Still, like I said, this is specifically something the credit card gateways don’t want you to filter, either.
    So I don’t go beyond checking that I have N digits.

  3. It’s practical to both provide immediate negative response to an end user and feed the invalid entry to the CC gateway.

    Sites should be wary of assuming that they will see successive attempts if random numbers are used, even if the numbers pass a Luhn check and are rejected by the CC processor. It’s not that hard to try 1,000 different numbers at 1,000 sites so each site sees just a single passing number. Hence one reason for the interest of CC payment processors in invalid numbers: only the site seeing the combined data can get the true picture.

    Gateways which are serious about this won’t charge per verification attempted, since doing so penalises vendors who do pass on unfiltered data.

  4. Well, it’s about two different purposes…

    Of course, the credit card company should not use this check to inform a web client to please retype their credit card number, and you should rely on a Luhn verification to be a valid credit card number.

    However, I have worked in places (a liquor store administration office in this case) where we’d receive a stack of credit card carbon copies, and we had to use those to calculate the expected amount of money we’d get back from the credit card company so we could add it to the result (turnover) for that month… We’d use a check to protect ourselves from typos. Such a check is great in those cases.

  5. If credit card companies want it done, they should put out a document to request that people not use the Luhn test.

Comments are closed.