by tav 4163 days ago
Does this mean that those who hacked Target could have just added the card details to their own Stripe account and waited for Stripe to update the data once the banks got around to replacing the customer cards?

At least with my banks, when they send me updated cards, only a handful of the digits actually change and most of those changes have tended to be in the last 4 digits — which Stripe lets you see, along with the updated expiry month/year.

At this point, it's just a matter of brute forcing the remaining permutations. Am I misunderstanding something or are there countermeasures to protect against such attacks?

2 comments

Well, the brute forcing of it would be mighty suspicious: the number on the back has 1,000 or 10,000 combinations. So that will be noticed, even if you got the first 12 numbers right on the first try. Also, theoretically, of the remaining 12 numbers, 6 should change with each new card, which is another 1,000,000 possibilities (and bigger banks may change more numbers than that)!
The number on the back is generated by an algorithm with secrets that are not very secret (though apparently "secret enough").

Seems like you could just have it not work until a card has been on the system for a certain amount of time. That way people couldn't just upload cards they stole? Would also make it easy to detect those who uploaded stolen cards.