cards, was E-ZPass, was CharlieCards v.v. Oyster (and Octopus?)
 

On 01-Mar-12 14:59, Adam H. Kerman wrote:
Stephen Sprunk wrote:
Also note that many consumers today have _valid_ cards with little/no
available credit, so it's not sufficient anyway if a merchant wants to
ensure their transaction will be accepted.

No one would care on suburban/commuter railway, since the discussion
drifted back on topic, where the only concern is if fare collection in
aggregate is improved and cost of fare collection is lowered.

How long do you think it would take enterprising folks to figure out
that a $5 prepaid card from the convenience store will allow them to
ride _forever_?

Somehow, I doubt that "no one would care" about a vulnerability so large
you could drive an entire fleet of trains through it.

In intercity train travel, well, you assume that the traveler has
available credit, as it's difficult to travel without credit cards.

It may come as a surprise to some, but many people have more than one card.

S

--
Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking

cards, was E-ZPass, was CharlieCards v.v. Oyster (and Octopus?)
 

Stephen Sprunk wrote:
On 01-Mar-12 14:59, Adam H. Kerman wrote:
Stephen Sprunk wrote:

Also note that many consumers today have _valid_ cards with little/no
available credit, so it's not sufficient anyway if a merchant wants to
ensure their transaction will be accepted.

No one would care on suburban/commuter railway, since the discussion
drifted back on topic, where the only concern is if fare collection in
aggregate is improved and cost of fare collection is lowered.

How long do you think it would take enterprising folks to figure out
that a $5 prepaid card from the convenience store will allow them to
ride _forever_?

That's not a credit card. Also, I asked about loading bad account
numbers into the devices.

In intercity train travel, well, you assume that the traveler has
available credit, as it's difficult to travel without credit cards.

It may come as a surprise to some, but many people have more than one card.

And everyone commits deliberate fraud.

cards, was E-ZPass, was CharlieCards v.v. Oyster (and Octopus?)
 

On 01-Mar-12 15:33, Adam H. Kerman wrote:
Stephen Sprunk wrote:
On 01-Mar-12 14:59, Adam H. Kerman wrote:
Stephen Sprunk wrote:

Also note that many consumers today have _valid_ cards with little/no
available credit, so it's not sufficient anyway if a merchant wants to
ensure their transaction will be accepted.

No one would care on suburban/commuter railway, since the discussion
drifted back on topic, where the only concern is if fare collection in
aggregate is improved and cost of fare collection is lowered.

How long do you think it would take enterprising folks to figure out
that a $5 prepaid card from the convenience store will allow them to
ride _forever_?

That's not a credit card.

There is no way for the terminal to know whether the Visa/MC/etc. number
presented is a credit, debit or charge card. A card processor _may_ be
able to deduce it from other information, but only the issuing bank
knows for sure.

Also, I asked about loading bad account numbers into the devices.

It's not a "bad" account number, i.e. invalid or canceled; it just
doesn't have sufficient funds available for that particular transaction
to post. Discovering such a status is, of course, the point of
authorization.

In intercity train travel, well, you assume that the traveler has
available credit, as it's difficult to travel without credit cards.

It may come as a surprise to some, but many people have more than one card.

And everyone commits deliberate fraud.

Not everyone, but a non-trivial fraction of the population will do so if
they believe it's easy and low-risk. As the saying goes, "locks keep
honest people honest."

S

--
Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking

cards, was E-ZPass, was CharlieCards v.v. Oyster (and Octopus?)
 

Stephen Sprunk wrote:

There is no way for the terminal to know whether the Visa/MC/etc. number
presented is a credit, debit or charge card. A card processor _may_ be
able to deduce it from other information, but only the issuing bank
knows for sure.

I have no idea how you come up with this stuff, but the type of card,
not to mention who issued it, is built into the number range itself.

Someone else can continue to argue with you. I'm bored.

cards, was E-ZPass, was CharlieCards v.v. Oyster (and Octopus?)
 

On 01-Mar-12 17:51, Adam H. Kerman wrote:
Stephen Sprunk wrote:

There is no way for the terminal to know whether the Visa/MC/etc. number
presented is a credit, debit or charge card. A card processor _may_ be
able to deduce it from other information, but only the issuing bank
knows for sure.

I have no idea how you come up with this stuff, but the type of card,
not to mention who issued it, is built into the number range itself.

The first digit or two identifies the network; the next several digits
identify the issuing bank. Nowhere in the number is encoded whether it
is a credit, debit or charge card. Even if some issuing banks choose to
encode that in the remaining digits, there is no guarantee they will all
do so--or in the same way.

S

--
Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking

cards, was E-ZPass, was CharlieCards v.v. Oyster (and Octopus?)
 

On Thu, 01 Mar 2012 19:05:59 -0600, Stephen Sprunk
wrote:

On 01-Mar-12 17:51, Adam H. Kerman wrote:
Stephen Sprunk wrote:

There is no way for the terminal to know whether the Visa/MC/etc. number
presented is a credit, debit or charge card. A card processor _may_ be
able to deduce it from other information, but only the issuing bank
knows for sure.

I have no idea how you come up with this stuff, but the type of card,
not to mention who issued it, is built into the number range itself.

The first digit or two identifies the network; the next several digits
identify the issuing bank. Nowhere in the number is encoded whether it
is a credit, debit or charge card. Even if some issuing banks choose to
encode that in the remaining digits, there is no guarantee they will all
do so--or in the same way.

http://bin-iin.com/visa-BIN-range.html
for some VISA listings.

cards, was E-ZPass, was CharlieCards v.v. Oyster (and Octopus?)
 

Charles Ellson wrote:
On Thu, 01 Mar 2012 19:05:59 -0600, Stephen Sprunk wrote:
On 01-Mar-12 17:51, Adam H. Kerman wrote:
Stephen Sprunk wrote:

There is no way for the terminal to know whether the Visa/MC/etc. number
presented is a credit, debit or charge card. A card processor _may_ be
able to deduce it from other information, but only the issuing bank
knows for sure.

I have no idea how you come up with this stuff, but the type of card,
not to mention who issued it, is built into the number range itself.

The first digit or two identifies the network; the next several digits
identify the issuing bank. Nowhere in the number is encoded whether it
is a credit, debit or charge card. Even if some issuing banks choose to
encode that in the remaining digits, there is no guarantee they will all
do so--or in the same way.

http://bin-iin.com/visa-BIN-range.html
for some VISA listings.

Oh, look: 4416 69 Visa Gift Card

Any number of the ranges are for debit cards. I assume ranges not
listed are for Master and other card brands. ATM cards would be
in their own ranges, separate from other debit cards.

All this stuff is known. The whole list is for sale for under $200
on that Web page.

cards, was E-ZPass, was CharlieCards v.v. Oyster (and Octopus?)
 

On 01-Mar-12 19:56, Adam H. Kerman wrote:
Charles Ellson wrote:
On Thu, 01 Mar 2012 19:05:59 -0600, Stephen Sprunk wrote:
On 01-Mar-12 17:51, Adam H. Kerman wrote:
Stephen Sprunk wrote:
There is no way for the terminal to know whether the Visa/MC/etc. number
presented is a credit, debit or charge card. A card processor _may_ be
able to deduce it from other information, but only the issuing bank
knows for sure.

I have no idea how you come up with this stuff, but the type of card,
not to mention who issued it, is built into the number range itself.

The first digit or two identifies the network; the next several digits
identify the issuing bank. Nowhere in the number is encoded whether it
is a credit, debit or charge card. Even if some issuing banks choose to
encode that in the remaining digits, there is no guarantee they will all
do so--or in the same way.

http://bin-iin.com/visa-BIN-range.html
for some VISA listings.

Oh, look: 4416 69 Visa Gift Card

Any number of the ranges are for debit cards. I assume ranges not
listed are for Master and other card brands. ATM cards would be
in their own ranges, separate from other debit cards.

All this stuff is known. The whole list is for sale for under $200
on that Web page.

My primary bank issues both debit and credit cards using the same BIN.
Even for issuing banks with multiple BINs, it's not like there is a
fixed digit in the number that will tell you; you would need to download
and store the entire database (and keep it updated) to be able to deduce
whether a given card number was debit or credit. I'm not aware of any
_terminal_ that does that. They simply doesn't need to know; they
submit the authorization to the card processor (which presumably _does_
maintain that database), and the card processor lets the terminal know
if it needs to collect a PIN, EMV signature, etc. to proceed. Or
perhaps the card processors don't need to know either and such
instructions, if applicable, come from the issuing bank.

S

--
Stephen Sprunk "God does not play dice." --Albert Einstein
CCIE #3723 "God is an inveterate gambler, and He throws the
K5SSS dice at every possible opportunity." --Stephen Hawking

cards, was E-ZPass, was CharlieCards v.v. Oyster (and Octopus?)
 

On Fri, 2 Mar 2012 01:56:58 +0000 (UTC), "Adam H. Kerman"
wrote:

Charles Ellson wrote:
On Thu, 01 Mar 2012 19:05:59 -0600, Stephen Sprunk wrote:
On 01-Mar-12 17:51, Adam H. Kerman wrote:
Stephen Sprunk wrote:

There is no way for the terminal to know whether the Visa/MC/etc. number
presented is a credit, debit or charge card. A card processor _may_ be
able to deduce it from other information, but only the issuing bank
knows for sure.

I have no idea how you come up with this stuff, but the type of card,
not to mention who issued it, is built into the number range itself.

The first digit or two identifies the network; the next several digits
identify the issuing bank. Nowhere in the number is encoded whether it
is a credit, debit or charge card. Even if some issuing banks choose to
encode that in the remaining digits, there is no guarantee they will all
do so--or in the same way.

http://bin-iin.com/visa-BIN-range.html
for some VISA listings.

Oh, look: 4416 69 Visa Gift Card

Any number of the ranges are for debit cards. I assume ranges not
listed are for Master

Frayed Knot, Mastercard begin with 5XXX :-
http://bin-iin.com/MasterCard-BIN-List.html

and other card brands. ATM cards would be
in their own ranges, separate from other debit cards.

ATM cards don't necessarily have a (visible?) number (apart from the
account name or number) if they are neither credit nor debit cards.

Wonkypaedia covers a wider spread across the number ranges :-
http://en.wikipedia.org/wiki/List_of...cation_Numbers

All this stuff is known. The whole list is for sale for under $200
on that Web page.

cards, was E-ZPass, was CharlieCards v.v. Oyster (and Octopus?)
 

In message , at 01:32:59 on
Fri, 2 Mar 2012, Charles Ellson remarked:
http://bin-iin.com/visa-BIN-range.html
for some VISA listings.

I've just received a replacement Barclaycard 'Platinum' and it's made
from plain white plastic. What's that all about? Maybe they are sulking
because it's a Mastercard not VISA?

(Note to USA subscribers: for a generation, Barclaycard and VISA were
synonymous in the UK.)
--
Roland Perry