• Our team is working to address issues posting quotes or media to the forums. Please bear with us as we get this sorted out.

[SOLVED] Virtual Cards Privacy card app

JDMStanced

Honorable
Nov 22, 2014
94
0
10,630
0
I'm wondering how these virtual cards work in depth. Privacy Card is one of companies that offer virtual cards that give you randomly numbered debit cards.


1) Are the randomly assigned virtual cards created within the app, and somehow these cards are approved by the bank to make transaction?
Or, are these virtual cards actually randomly assigned by the bank or VISA and gives them to Privacy app?

2)How are the virtual cards created instantly and ready to be used instantly?

Let me know what you guys think.
 
They use what is known as a re-mapping

Let's say your credit card number is 1234-5678-9012-3456
Let's say they give you a virtual CC# that is:4444-1111-2222-3333

This virtual number comes from a pool of credit card numbers that are not in use and they own.

Once you use the card, the number is tied to a specific merchant for a specific time period. So even if the merchant is compromised, the # is likely to be useless. Usually it's limited to one purchase. There are other security measures put into place, but I'm not going to discuss them. This isn't a pentest group.

So when you type in the virtual credit card number, that gets handed to the processing company. The processing company then takes that number and re-maps it back to your original. So the CC Clearing house gets 4444-1111-2222-3333 and they go, "Oh we assigned that to REAL CC# 1234-5678-9012-3456. So we'll bill that real CC number"

Only the clearing house that handles that range of numbers knows what your real CC # is. To be honest with you it's almost hack proof and I'm surprised more banks don't make it mandatory as part of their security given the number of breeches of CC databases. Clearing houses get a % or flat commission for each CC transaction they clear. So that's how they make their money.

I had a chase card back in 2005 that had a virtual wallet system that worked the same way. I was never compromised.
 

Wolfshadw

Titan
Moderator
Think of it like a VPN for your credit/debit card. The outside world doesn't know the details of where the money is coming from (your actual account), but anyone with access to the VPN knows everything.

They're just placing another layer of "protection" between your money and those who might try to steal your account information, but as with all information, the more you put out there, the more likely it is to be stolen.

They don't share or sell your information, but it is another point of attack for hackers. They're no better than your actual bank/credit card company. Slap on a fresh coat of paint and call it, "Extra Security".

-Wolf sends
 

JDMStanced

Honorable
Nov 22, 2014
94
0
10,630
0
Think of it like a VPN for your credit/debit card. The outside world doesn't know the details of where the money is coming from (your actual account), but anyone with access to the VPN knows everything.

They're just placing another layer of "protection" between your money and those who might try to steal your account information, but as with all information, the more you put out there, the more likely it is to be stolen.

They don't share or sell your information, but it is another point of attack for hackers. They're no better than your actual bank/credit card company. Slap on a fresh coat of paint and call it, "Extra Security".

-Wolf sends
I get this part. I'm more curious to know how it all actually works in back end.
 

Wolfshadw

Titan
Moderator
They issue you a bogus card number that's only good for a set amount of time. If a purchase comes across using that account number, they then charge your regular bank account/credit card.

I'm guessing the app generates the card number. That number is sent, with your login credentials, to the home service. When a purchase with that card number arrives, the charge is then sent to your actual bank/credit card..

Of course, if you really want exact details, you should probably contact PrivacyHQ themselves.

-Wolf sends
 
They use what is known as a re-mapping

Let's say your credit card number is 1234-5678-9012-3456
Let's say they give you a virtual CC# that is:4444-1111-2222-3333

This virtual number comes from a pool of credit card numbers that are not in use and they own.

Once you use the card, the number is tied to a specific merchant for a specific time period. So even if the merchant is compromised, the # is likely to be useless. Usually it's limited to one purchase. There are other security measures put into place, but I'm not going to discuss them. This isn't a pentest group.

So when you type in the virtual credit card number, that gets handed to the processing company. The processing company then takes that number and re-maps it back to your original. So the CC Clearing house gets 4444-1111-2222-3333 and they go, "Oh we assigned that to REAL CC# 1234-5678-9012-3456. So we'll bill that real CC number"

Only the clearing house that handles that range of numbers knows what your real CC # is. To be honest with you it's almost hack proof and I'm surprised more banks don't make it mandatory as part of their security given the number of breeches of CC databases. Clearing houses get a % or flat commission for each CC transaction they clear. So that's how they make their money.

I had a chase card back in 2005 that had a virtual wallet system that worked the same way. I was never compromised.
 

JDMStanced

Honorable
Nov 22, 2014
94
0
10,630
0
They use what is known as a re-mapping

Let's say your credit card number is 1234-5678-9012-3456
Let's say they give you a virtual CC# that is:4444-1111-2222-3333

This virtual number comes from a pool of credit card numbers that are not in use and they own.

Once you use the card, the number is tied to a specific merchant for a specific time period. So even if the merchant is compromised, the # is likely to be useless. Usually it's limited to one purchase. There are other security measures put into place, but I'm not going to discuss them. This isn't a pentest group.

So when you type in the virtual credit card number, that gets handed to the processing company. The processing company then takes that number and re-maps it back to your original. So the CC Clearing house gets 4444-1111-2222-3333 and they go, "Oh we assigned that to REAL CC# 1234-5678-9012-3456. So we'll bill that real CC number"

Only the clearing house that handles that range of numbers knows what your real CC # is. To be honest with you it's almost hack proof and I'm surprised more banks don't make it mandatory as part of their security given the number of breeches of CC databases. Clearing houses get a % or flat commission for each CC transaction they clear. So that's how they make their money.

I had a chase card back in 2005 that had a virtual wallet system that worked the same way. I was never compromised.
Thanks. This is interesting.
How does this process go "Instantly"?
Typing card number->Goes to Processing company->re-maps the numbers (1 set of numbers out of 60 sets, if an individual can have this many sets)back to the original (i think there's about 1 million transactions a month?)->charging the real card.

Does Privacy generate random numbers or Clearing house?
If Clearing house is the only one that knows the real card info, then i would think they generate the random numbers as well.

I've seen a few financial institutions used virtual credit card and then stopped the service. I would assume they stopped because it cost too much money to maintain?
 
Thanks. This is interesting.
How does this process go "Instantly"?
Typing card number->Goes to Processing company->re-maps the numbers (1 set of numbers out of 60 sets, if an individual can have this many sets)back to the original (i think there's about 1 million transactions a month?)->charging the real card.

Does Privacy generate random numbers or Clearing house?
If Clearing house is the only one that knows the real card info, then i would think they generate the random numbers as well.

I've seen a few financial institutions used virtual credit card and then stopped the service. I would assume they stopped because it cost too much money to maintain?
Using something called "Mapping" based on very large prime number's is a very trivial math operation to retrieve the location of the real CC #. It's what's known as O(1) in computer speak. A single linear math operation and you are done. It's effective till the map is about 2/3'rd the way full of the prime number. After that collisions reduce effectiveness.

The company that issues the #'s is the clearing house. They own the virtual numbers in question.
 

ASK THE COMMUNITY