If you landed here, then you’re probably just like me: a curious engineer exploring how various things work. In this article, I will introduce you to how credit card information is generated. Moreover, the algorithms we’re going to use to generate credit cards are being used by banking institutions, such that the data generated is considered to be valid. The GitHub project associated with this article can be found here.
Why Generate Credit Card Information?
I created this NodeJS package in the first place, because I needed valid credit card numbers for a personal security research project. The research relies on these numbers to test if linear regression or AI algorithms can be used to predict missing information on a credit card, given that one only has access to some information. For example, a credit card is composed from three elements:
The card number (usually 16 digits long)
The expiry date
The CVV2 number (which is computed based on the previous two)
My assumption was that if one has access to a large set of data, they can train an AI system to predict the CVV2 number based on the card number and its expiry date, without having access to the encryption key. For example, the CVV2 number is made of 3 digits, starting with 001 and ending with 999. My original question is: can one train 1000 perceptrons, associated with values from 001 to 999, to predict if a given set of card number and expiry date falls into that particular category?
To this point, my lack of AI knowledge pushed this research and I haven’t implemented the actual training and testing. Moreover, coworkers specialised in ML have invalidated this idea from a theoretical perspective. So I don’t even know if or when I am going to come back to implementing the AI side of the project.
However, I chose to write this article hoping that readers might come up with suggestions, ideas or even pick up on this work and continue it.
How Credit Card Numbers Are Generated?
The maths behind generating credit card information is quite complex. It also implies some cryptology knowledge to successfully generate these numbers. In the following section, I am going to give you a highlighted overview of how it works:
#1: The Issues Identification Number
The first six digits of a credit card number are used to identify the institution that issued the card (i.e. Mastercard, VISA etc.). These are always static numbers and
#2: The Account Number
Next is a series of 9 digits (usually) that identify the credit card account issued by the bank. This is a unique series that identifies your credit card within the bank’s system.
#3: The Check Digit
The last digit of the 16-digits card number is a so-called check digit or checksum and it’s computed using Luhn's algorithm. On a high level, the way it works is to take all numbers in even places, multiply them by 2; sum everything up and add (the doubled numbers in even places and the numbers in odd places as they are). Lastly, you have to add the 16th digit to the result and if it is an even multiple of 10, then the credit card number is valid. Here is a programmatic implementation for you to better understand how it works.
#4: The Expiry Date
The expiry date is usually set by the issuer and its calculation is quite straightforward: adding three to five years to the current date. For example, given that when I published this article was November 2023, if I were to get a new credit card now, it would probably expire in November 2026 or November 2028.
#5: The CVV2
This is where things get a bit complicated and cryptography really comes into play. The actual algorithm that computes these numbers is called the Tripple-DES (3DES) algorithm. Again, on a high-level, it takes roughly 10 steps, which are described here and implemented in my package here.
How to Use The NodeJS Credit Card Generator
Using the package I’ve built will allow you to generate valid credit card numbers, with respect to the algorithms described previously. However, since the second algorithm especially implies some cryptographic keys (which are only known by the bank that issues the cards), you won’t be able to use this package to create real credit card numbers. Moreover, this is a research project and you should not use it for malicious purposes.
To use the package, you will first have to create a new NodeJS project and install it from NPM:
npm i @mihnea.dev/credit-card-generator
Once you have installed it, you can simply import it inside your file and generate data. You can either generate a single card, or a set of credit card numbers with the size of n, like so:
const { default: CreditCardGenerator } = require("@mihnea.dev/credit-card-generator");
/** Initialize new Credit Card Generator */
const carder = new CreditCardGenerator()
/** Create a single card */
const card = carder.generate_one()
/** Create a set of cards */
const set = carder.generate_set(2)
/** Log the results */
console.log(card, '\n', set)
More information on how to customise the output data can be found on GitHub, inside the README.md file. I highly recommend you to check out the source code as well and get to know the algorithms too, before jumping into using the package. Understanding how things work will truly help you!
Conclusions
Generating credit card numbers is not really difficult. There are mainly two algorithms involved in it: Luhn’s algorithm to generate the check number and the 3DES algorithm to generate the CVV2 number. However, even though this article is mainly focused on how to generate these numbers, the real question remains: is it possible to use AI to predict CVV2 numbers? If proven so, it would be a major security breach for the banking system. Though I highly doubt that current technology is able to achieve such goals, I challenge you to push its limits and prove the impossible!