TechSpot - Hackers are brute-force guessing payment card numbers, and there's nothing you can do about it
 
“Facepalm: Criminals have several ways of getting their hands on credit and debit card information, but one attack method is particularly alarming as victims are virtually defenseless. Even if you do everything by the book and adhere to all safety precautions, there's still a chance that someone could outright guess your account details using brute force.
 
NordVPN recently partnered with independent cybersecurity researchers to analyze a database of nearly 4.5 million payment cards for sale on the dark web.
 
The VPN service provider found that the majority of cards – 1,561,739, to be exact – were from the US. In this region, Visa cards were the most common, followed by Mastercard and American Express. Worse yet, the average cost to buy the details of a US-based card was just $5.81.
 
Globally, debit cards were more common on the dark web than credit cards in the data the researchers surveyed. According to NordVPN, this is because hacked debit cards tend to have fewer protections in place to protect victims compared to credit cards.
 
Arguably even more alarming is how hackers are obtaining card details. Database breaches are still a viable route, but hackers are now able to brute force – or guess – payment card details. NordVPN notes that most systems limit the number of guesses that can be made in a short period of time, but adds that savvy hackers can get around this.
 
Most major payment cards have 16 digits, which may seem pretty secure length-wise. What you may not know is that there are standards for account numbers, and several digits on your card are identifiers that aren’t unique to your individual account. This means hackers have even fewer numbers they need to guess to find a “winning” combination.
 
Unfortunately, there’s not a whole lot consumers can do to protect themselves from a brute-force attack like this short of abstaining from card use entirely. NordVPN says your best line of defense is to remain vigilant and check your monthly statement for suspicious activity.”
 
My thoughts:  As always, payment (credit and debit) card fraud is expensive.  The US accounted for $266M in 2020 and worldwide the total was $28.65B in 2019.
 
Of course, we, the consumers, pay the bill for this.

I had a BIN attack like this happen multiple times on one of my credit cards, first time was a fraudulent charge that went though, then they got the number but not the expiry date so it showed up as "declined" on my online banking. Had to cancel the card and get a new one each time, pretty irritating. Thankfully the card company now sends texts for anything unusual.

I agree with Donta1979. Check your accounts as often as possible. 

Imagine when quantum computing becomes a thing, how would they stop brute forcing then? 

ty_ger07

Beowulfcav
Imagine when quantum computing becomes a thing, how would they stop brute forcing then? 

That's the thing...
If a true quantum computer is ever made, Shor's algorithm will break all of our existing encryption wide open. Until new ways to encrypt and validate data were discovered, a true quantum computer running Shor's algorithm would be a weapon of mass destruction and would become highly regulated; either by agreement or by force.
If Shor's algorithm running on a true quantum computer breaks encryption, they won't need to guess card numbers. They could log into any account of anyone's and do whatever they wanted, directly.

Banks are changing encryption methods quite regularly

rjohnson11

ty_ger07

Beowulfcav
Imagine when quantum computing becomes a thing, how would they stop brute forcing then? 

That's the thing...
If a true quantum computer is ever made, Shor's algorithm will break all of our existing encryption wide open. Until new ways to encrypt and validate data were discovered, a true quantum computer running Shor's algorithm would be a weapon of mass destruction and would become highly regulated; either by agreement or by force.
If Shor's algorithm running on a true quantum computer breaks encryption, they won't need to guess card numbers. They could log into any account of anyone's and do whatever they wanted, directly.

Banks are changing encryption methods quite regularly

Everything we have is based on factoring prime numbers. They aren't changing away from that. We don't know anything better at the moment. All they are changing is how they do it and the size of the numbers they use; the underlying way encryption is performed and the way the internet works would need a revolutionary change.

Hoggle
As for banks I think if we ever get a quantum computer working the government would work with banks for a secure encryption. The biggest target would be non-government backed like crypto that would be the biggest target. Billions could just be stolen or sealed off from access.

You're crazy. The biggest target would be the internet as a whole. Every httpS:// transaction we perform is protected by math which would be blown wide open. I don't think they would limit themselves to just cryptocurrency. Breaking every website, every account, every email, and knowing everything about everyone is way more valuable to a lot more people.

Passwords need an upper and lower case letter, and at least one special character, to make the number of guesses (ideally) extremely high, credit and debit cards just use numbers, so far fewer possible options, even with a longer number. Maybe they really need to push stuff like merchant ID card numbers, and chips in the physicals cards, and phase out regular numbers that work everywhere. No doubt a few other options that can be done as well, too.