[giaour]

There may be inferences you can make from the sum that aren't immediately obvious. If cards can end in four zeros, the sum and the last four digits contain equivalent information, but you would also confirm that three of the digits are zeros if the sum was 1. It's something that, if I were a bank, I would want someone with a background in number theory to weigh in on. If I were a paranoid bank exec, I wouldn't trust the low-wage customer support reps I had on staff to vet customer questions for how much information they might leak and would instead have blanket prohibitions on answering questions from customers until after the authentication phase of the call.

Questions like "is the sum even?" trade a lower opportunity for information leakage for a greater opportunity for a random guess to be correct.

[gnicholas]

I understand the perspective of the paranoid bank exec! But if the alternative is that their customers are trained to give out personal information whenever someone calls and says they're from the bank, that's quite possibly worse.

It would be nice if when someone called me from an institution, they gave me a code that I could enter after calling the number on the back of my card. That way I would have confidence I'm talking to the bank and would feel comfortable giving out verification information.

In the past, it has always been a headache to find my way back to the department that called me.

[jrochkind1]

Don't forget the last digit is a checksum digit too. Which I still can't give you an attack, but I also agree that I definitely can't say I'm sure there isn't one.

[hunter2_]

That does reduce the number of possibilities greatly, which might matter for some attack scenarios, but usually not IMHO as rate limits should thwart any online brute force.

I'd be interested to know how greatly, if someone has the equation for that.