Opinion: At the airport, an ID theft takes flight

Computerworld - No one around me batted an eye as the well-dressed woman dug through the airport cafe waste container, pulling out shopping bags, lunch trays and paper -- credit card receipts, to be specific. At first I thought she was looking for one she had accidentally discarded, but I doubt she'd done that much shopping between flights.

The woman assembled a neat little stack of 50 or more slips before noticing me, then tucked them away in her purse with a few other little bundles. As I installed my newly purchased privacy screen on my ancient ThinkPad, she eyed me, came to an unspoken understanding of where we each stood and moved along.

Most people are socially conditioned to look away from someone rummaging in the trash, but she was clean and meticulous, avoiding both making a mess and raising any questions. Credit card fraud is a lucrative business in any case, and this particular method of gathering the requisite data is relatively low-risk.

One hundred twenty years ago, when Edward Bellamy first coined the term "credit card" in Looking Backward, I doubt this is what he had in mind. Then again, the original notion of the credit card was to ease the exchange of goods in a cooperative quasi-socialist society "in which war, poverty and malice do not exist."

Instead, today almost a trillion dollars in unsecured debt is riding on Americans' credit card accounts, rising at a rate of more than 11% and worrying more than a few analysts. The last thing the current economy needs is an increasing tide of fraud as a result of weak security controls.

Discredited

Why is a handful of credit receipts a problem? In my wallet full of receipts from U.S. merchants, almost all redact the first 12 digits of the 16-digit credit card number on a receipt. However, in this European airport, some masked the first four and the last single digit. Now the first digit specifies the type of card, and the following five the bank ID. The last digit is a checksum, computed from the preceding nine. Visa Inc. and MasterCard Inc.'s cards are by far the most common, so the first digit is probably "4" or "5," and the last two digits of the bank ID have been given away. A major bank -- the most likely issuer of a credit card -- probably has a low bank ID number, so it's a good bet the second digit is a zero. That leaves just two digits unknown.

Statistically, my delicate dumpster-diving friend only needs to collect 50 receipts for a random guess to produce a usable number. Anyone who has compared birthdays in a classroom knows that it often takes surprisingly few tries to find a valid match in a group. All this was from a physical collection scheme without resorting to credit card number generation or validation methods. There is little trace of her actions; just a handful of easily discarded evidence. If I had to venture a guess, I'd say she gathered two to four valid numbers an hour.