The term “card tumbling” actually refers to the first step in a larger process. The culprits are usually skilled programmers—people who write code for computer programs—looking to make money at your expense. But it’s not personal. In fact, the first step of credit card tumbling doesn’t involve you at all.
In a credit card tumbling scam, programmers write algorithms, or a set of instructions, to create thousands of possible credit and debit card numbers from scratch. Because hackers don’t need information from you or your business to create these fake numbers, your credit card number is targeted completely by chance. Then they write another series of scripts to “test” these cards on websites—and this is where you come in.
When these hackers determine that their fake credit card numbers have bank accounts to match, they can begin making purchases or selling your information to the highest bidder. This makes credit card tumbling a rare type of identity theft—one that requires very little identifying information.
But how is this even possible to begin with?
Your credit and debit card numbers aren’t random–instead, they are generated according to a set of mathematical rules.
The first few digits of your card are called the Issuer Identification Number, or IIN. These numbers are specific to your financial institution, like your bank or credit card company, and they vary slightly from customer to customer. The rest of the numbers in the sequence are set according to a standard algorithm, and the final number, called a “check digit,” is added for extra security.
These rules are just about the same for everyone, and this is because financial institutions use a standard process to validate credit card numbers. This process is called Luhn’s Formula, an algorithm designed by Hans Peter Luhn in the 1960s. The formula was created in response to countless credit and debit card errors, which provoked complaints from financial institutions and the consumers who used them. Today, all debit and credit cards are validated with Luhn’s Formula. With fewer possible variations in card numbers, it’s easier to prevent errors and make financial transactions secure.
But Luhn’s Formula wasn’t meant to prevent targeted, malicious fraud. And because the rules used to generate debit and credit card numbers aren’t random, they’re easier for hackers to mimic. Card tumbling is that mimicry in action.
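The following Python sketch is an added example, not part of the original article. It shows why Luhn's Formula works as an error check but not as a fraud control: every single-digit typo is rejected, yet one in ten arbitrary digit strings still passes. The sample value is a textbook Luhn-valid string, not a payment card number, and the function names are illustrative.

```python
# Added illustration: Luhn is an error-detecting checksum, not proof a card exists.
from itertools import product

SAMPLE = "79927398713"  # constructed textbook Luhn-valid string, not a card number


def luhn_valid(number: str) -> bool:
    """Return True if the ASCII digit string passes the Luhn check."""
    if not (number.isascii() and number.isdigit()):
        return False
    total = 0
    # Walk from the rightmost digit and double every second digit.
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9  # same as adding the two digits of the product
        total += d
    return total % 10 == 0


def single_digit_typos(number: str) -> tuple[int, int]:
    """(rejected, total) over every way to mistype exactly one digit."""
    rejected = total = 0
    for pos, ch in enumerate(number):
        for repl in "0123456789":
            if repl == ch:
                continue
            total += 1
            rejected += not luhn_valid(number[:pos] + repl + number[pos + 1:])
    return rejected, total


def arbitrary_pass_count(prefix: str, free_digits: int) -> tuple[int, int]:
    """(passing, total) when the last `free_digits` positions take every value."""
    passing = total = 0
    for tail in product("0123456789", repeat=free_digits):
        total += 1
        passing += luhn_valid(prefix + "".join(tail))
    return passing, total


if __name__ == "__main__":
    print("sample valid:", luhn_valid(SAMPLE))
    print("single-digit typos rejected:", single_digit_typos(SAMPLE))
    print("arbitrary strings passing:", arbitrary_pass_count(SAMPLE[:7], 4))
```

For a merchant or payment form, the takeaway is that a Luhn pass only filters keying mistakes; whether a number belongs to a real account has to come from the issuer's authorization response and from velocity and decline-rate monitoring.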
Picture a thief in a high stakes heist movie, his ear pressed against a safe, carefully turning the dial and listening for the tumblers locking in place. This is credit card tumbling in a nutshell–except in this case, the thief’s stethoscope and gloves are intricately designed lines of code, created with the purpose of generating and testing thousands of possible combinations at once.
A hacker can write code that takes both Luhn’s Formula and your financial institution’s card-creation rules into account. In this high-tech guessing game, hackers can create thousands of accurate credit card numbers with just a few clicks of the keyboard.
As you can probably imagine, card tumbling alone can’t be very useful. Even when hackers come up with these incredibly complex algorithms, the result is thousands upon thousands of possible credit card numbers. In reality, there are about 30 quadrillion different combinations of a single 15-digit sequence. Even with the aid of computers, this number is too high, and cybercriminals would have to individually test every single possible card number for their scheme to work. So before they can sell your credit card number to anyone, they have to verify that it belongs to an actual person.
This is why there’s another step to card tumbling–where scammers test fake card numbers on unsuspecting businesses.