by notwedtm 1494 days ago
From my understanding CVV/CVCs are a function of the PAN, expiry, and some DES encryption. Does this mean that the target bank had a weak DES key or was some other vulnerability discovered?
3 comments

I don't think it's like that? At least in the US, you can have literally the same card number, expiry, and name, with only the CVC being different.
The Apple Card has this feature. You can generate a new CVC at any time, but your card number stays the same (unless you report fraud, obviously).
My guess is that he discovered a method to break the Luhn check https://en.wikipedia.org/wiki/Luhn_algorithm that is not a strong check. It's only useful to avoid typos. That's probably enough to make the "send" button happy.

I guess he didn't discover how to break the secret code of the card, and the transactions were flagged by the server immediately. Some servers flag the card secretly, so credit card thieves have more trouble validating the stolen cards.

The press article claims it was something impressive, but my guess is that it's just a bad report by the police or by the journalists.
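The comment above describes the Luhn check as a typo detector rather than a security control. The following is an added example, not part of the thread, that measures exactly what the check catches and misses, which is why a server cannot treat a Luhn-valid number as evidence of a real card. The card number `SAMPLE` is constructed for illustration, and the function names are this example's own.

```python
def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn mod-10 check."""
    if not number.isdigit() or len(number) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def single_digit_typos_caught(number: str) -> tuple[int, int]:
    """Return (caught, total) over every possible one-digit substitution."""
    caught = total = 0
    for pos, ch in enumerate(number):
        for repl in "0123456789":
            if repl == ch:
                continue
            total += 1
            caught += not luhn_valid(number[:pos] + repl + number[pos + 1:])
    return caught, total


def missed_adjacent_swaps(number: str) -> list[str]:
    """Return adjacent-digit transpositions that still pass the check."""
    missed = []
    for i in range(len(number) - 1):
        a, b = number[i], number[i + 1]
        if a != b:
            swapped = number[:i] + b + a + number[i + 2:]
            if luhn_valid(swapped):
                missed.append(swapped)
    return missed


def passing_fraction(prefix: str) -> float:
    """Fraction of the ten possible final digits that make prefix valid."""
    return sum(luhn_valid(prefix + d) for d in "0123456789") / 10


SAMPLE = "4000000000000903"  # constructed, Luhn-valid, not a real card

if __name__ == "__main__":
    print("valid:", luhn_valid(SAMPLE))
    print("single-digit typos caught:", single_digit_typos_caught(SAMPLE))
    print("swaps that slip through:", missed_adjacent_swaps(SAMPLE))
    print("share of final digits that pass:", passing_fraction(SAMPLE[:-1]))
```

Every single-digit typo is caught, but swapping an adjacent 0 and 9 is not, and one in ten arbitrary digit strings passes, so the check carries no secret and offers no assurance beyond input validation.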

I was thinking about the same algorithm when I saw the 4 and 14 multiplications.
There exists no algorithm to calculate CVV from card number. The article also does not claim this.

> In other notes, he had left a record of how he had managed to obtain the security codes of the credit cards