60,000 Credit Cards Numbers Stolen Online

robl writes "140,000 credit card numbers were tested for validity yielding about 62,000 valid credit card numbers and $300,000 of fraudulent charges. A good quote: "There wasn't a system in place to say, 'you've generated 140,000 charges, that's more than your normal volume.'" As Schneier-heads would say, it's a brittle system -- when the security fails, it fails badly."

Re:Use one-time use numbers

[aaarrrgggh]

This still doesn't help you with the fact that your primary number is easy enough to guess... a 16-digit credit card number only has a maximum of 11 digits for a given bank (4-digit bank code, and at least one checksum digit).

When a merchant is hacked like this, even brute-force number generation can be done with a little bit of information to yield a good number of valid credit card numbers.

The problem is that the credit card companies are allowed to make their money back (from fraud) on interest, so they have no real incentive to reduce the fraud imposed by the lack of numberspace. The "one-time numbers" are just something to make people feel more comfortable about spending money online.