Bank cards follow a standard numbering pattern depending on the type of card. If you know the last 4, and have a few other details (such as other cards on the account) you might be able to reconstruct the card number yourself. For example, on a visa card, the first 6 digits will be common across cards issued by the same bank at a similar time. 7-15 is related to the account number and 16 is a checksum. Doesn't get you all the way but if you know 1-6 and 13-16 there's only 6 digits left to find, and knowing the check bit massively decreases the number of possible card numbers. It's all standardised in ISO/IEC 7812-1
That's probably the only way it's going to work... I can't be bothered to do the math right now, but I suspect that this way won't yield a small enough number of possible cards to guess the correct card number - which won't matter much in a murder/terrorism investigation (a judge might just authorize a "check all of those" order then) but that's unlikely here. The only other option is to check the tapes - the info will be in there somewhere, digging it up is likely a bit of a process, though.
Agreed, you might end up with too many results but you might get lucky. I just tried it with one of my cards, and the same number of missing digits and got 2 valid card numbers. Could be luck or could genuinely be that low
@@mattbeddw That's surprisingly few options... If that's true for all cards, then Wells Fargo should be able to dig up the records for those few and verify which one used to be associated with the customer account. They definitely have that information still in their backups.
The thing to do is likely to submit an LER to Wells Fargo requesting the card number ending in xxxx issued to $employee associated with account #yyyyyyyyyy in connection with a fraud investigation. You can use LER's to recover victim information, too. They have it. It just isn't in the customer service systems.
Bank employees are as dumb as the rest of the world. A bank wanted to argue a point with me that is 60 years old, the senior manager has been there 16 years. You have to know the answers because they sure don't. Nobody want's to pay good wages (I'm not arguing living wage which causes inflation) just higher wages for competent and skilled labor. Apparently loss is cheaper than labor.
@@DeviantOllam That is the right approach. They absolutely have that information, they are *required* to have it. The person you'd normally talk to on a call to the client center won't have access to that data under PCI DSS but they should be able to get a hold of someone who can and they should be able to get that info to you - or if they refuse, to the LE.
Wells Fargo is literally the worst bank in the world one employee tells you one thing the next employee contradicts it a third employee tells you something completely different from the other two
I never imagined what they have to go through and I have seen a lot of crazy crap from lazy and incompetent employees all over the place. Recent favorites are to blame some random contractor for something that might not exist, just to try not paying for the job. People small and large corporations don't want to pay their bills, and this was before COVID.
I can't imagine the audacity of a person who decides to defraud an organization made up of extremely well-connected hackers and security experts. Good luck continuing the investigation, Dev!
Although possible, only recurring billings are supposed to keep the card number. On a regular charge, the merchant is issued a transaction number, and they are NOT supposed to keep your card number, just the last 4 digits. This probably occurred after the WalMart employee in Superior, WI, (accounting office?) stole a large number of card numbers several years ago.
@@NoOne-xp1pe you are technically correct and as everyone know, that is the best kind of correct. I only wish merchants followed their self proclaimed PCI processes, but many legacy systems still store full data for orders taken over the phone, and are ok and complain as long as the system is not exposed as a website/API.
Hey Deviant! This video is about 20db too quiet by UA-cam standards and here's what to keep in mind next time. In technical terms videos on this platform should be at -14 LUFS, but this probably doesn't tell you anything so in practice it might be easier to upload a video as unlisted and right click on the video player and open "Stats for nerds". There you'll find all kinds of info including "Volume / Normalized 100% / 100% (content loudness -20.5dB)" - the content loudness is what you're looking for. If it's a negative value, your video is too quiet by that amount and will not be made louder by UA-camr (this means you should boost it in editing by that amount), but if it is a positive number, your video is too loud and UA-cam will make it quieter. This is something I myself learnt quite recently and has been a huge help when editing videos for UA-cam.
Honestly those cufflinks are almost enough to make me wear shirts with that style of sleeve all on their own. I love hidden tools like that - I'm still looking for the perfect "invisible" emergency jewelry/hair clip/other accessory set.
Sad to hear about the loss. I hope you can get the perp nailed and recover the funds. Very heartwarming to see the quick and generous community support for TOOOL, only wish I were able to have helped.
@@DeviantOllam should be in your email now, unless I miss typed it because UA-cam iOS won’t let me cut and paste!. Given what my friend used to do, I rather suspect this is a high enough contact to get you a definitive word on what’s possible.
@@smokerjim right! Just make sure you trust him/her/them (whatever gender/s you prefer). Nothing wrong with being handcuffed to a bed post/ wall/tree/sign post/elevator rail/etc by a/multiple fine ass partner/s. Just make sure you pick a safe word that you both/all can remember that you wouldn't otherwise use!
If you have the last 4 digits you should be able to reconstruct the number based on the card visa/mastercard and the bank account number. Should be very similar to the new card number.
You have the financial records of everything purchased using that card, if you can't get it through Amazon or WF, reach out to one of the other, smaller vendors that you had made purchases from ("the sticker company", "the t-shirt company", etc), and see if you can get someone there to dig up the card number. The smaller the company, the more likely it's a one-person operation, and possible they used legacy systems instead of Paypal or something where they don't actually see the full card number. It's like social engineering, except you're being fully honest about what you're looking for and why you need it! Another option is to poke around the computer of the employee who had the card, see if the CCN was stored somewhere, like in autocomplete forms or the like (old trick to find passwords that are saved but not viewable, chrome inspect element, change "password" field tag to anything else, to make it visible). Best of luck!
Billing will have that card number on the statement, it will be somewhere on the bottom or top of the page in an identifier string in a statement sent in the time the card was active.
So it seems Amazon is acting fairly responsibly - although it's a real pain in this case, making the system resistant to indiscriminate LE trawling is a good thing. I wonder, would getting a court order be the easiest way forward? They have the data, and they want to give it to you, they are just bound by policy which an order would overrule.
Regarding your card conundrum, I don't have a solution for the past, but I do have a solution for the future. Whenever I have a card I know I might need at some point I take a picture of it, name it appropriately (WIth a date in the file name) and save it in a double-encrypted folder, backed up to at least 2 drives. I also memorized a simple cypher that I can use to write down numbers and passwords for myself safely, if I don't have access to a computer. Between these two techniques, there's very little information that I can't retrieve if needed. Now that you know this could be an issue, plan to not have to deal with it ever again.
My standard ASP will open with any S&W/Peerless key. However, not all "universal" keys are universal. I am not talking about anti-shim cuffs; I bought a few pairs of no-name universal keys and they all worked except one pair. I keep them marked as an example that you need to test your keys before you use a particular cuff. Also, if you have a collection of old and new cuffs, you may see differences in both post thickness and hole size even in the same brand and style of cuffs.
I've used the TOOOL design in a couple of counter custody classes. Works very well, only addition I made was back cutting the cylinder and added a leveraging arm for ease of insertion/use.
@@NoOne-xp1pe best way to describe it without seeing a photo is opposite of the bitting the tube of the cylinder is ground down a bit at about a 45 degree angle. Primarily helps with inserting the key in odd positions.
@@Grappler130 Like the Delta Handcuff Key by Serepick? (This is my third try to ask the question properly, If I'm still wrong, would you pose the question to Grappler130 properly please?)
@@Grappler130 I can see how the back cut, wider center cut, and smaller bit would make insertion easier. But I would think that some type of handle would be required since the key hole is supposed to be away from your hands, and I think the key needs to be turned CCW first to unlock the double lock, then CW to unlock the cuff.
The Dremel silicon carbide discs are pretty thin (and pricey). Don't know if they're thin enough. I had a somewhat similar problem when i needed the number of an AMEX card that I had closed some years earlier. It took several tries working up the chain at AMEX before I got someone who could snail mail me the number. If I didn't still live at the address they had for the account, I would have been out of luck.
This does raise the question, even if you can’t get them to give you the number, can you request a replacement card “with the same number” (but obviously updated expiration and different CVV) to be sent to the mailing address on file?
Did I see that presentation? Ha. Made a few with and for a ColaSec meetup a few years ago. Oh, those were some fun times! On a different occasion, we decided to head back to a brewery of which I was a founder and a cuff double-lock failed while attached to a member and to a "silicone wrist analogue." I'm sure the drilled cuff and fist-posed device are around somewhere. Thanks for the help to dredge up that old memory.
Some of the card number digits are guessable. The first few digits are the card type and bank which is likely to be the same on the replacement card. And there are check digits that can be calculated, as well as your known 4 digits. That still leaves you probably 10^7 numbers, but it’s better than 10^16.
Gosh dang! DeviantOllum is THE MAN! My husband and i love all of his stuff, my husband actually has a total man crush on him (in a non homo way lol). I can only imagine how awesome it would be to hang out with this guy.
I'm pretty sure you can trick the voyeur request by, instead of asking for a specific number, say all data that is *not* any of the following number, an then specify all cards you have access to. If this is only one card then that set of cards is limited to 1 or 2 cards which is perfectly reasonable imo
The card number may have been tokenized or encrypted with format-preserving encryption. There are some PCI requirements involved. By and large, the rank and file won't have access to that. There is likely a process involving one or multiple HSMs to decrypt the card number.
You can figure out the number, if you know the last 4, Wells Fargo’s first 5 are known and the last number is a check sum. There was a defcon guy talking about hacking the numbers.
Try also sending a request via lawyer or law enforcement, maybe even both, to the card network (visa or Mastercard) I'm not sure it applies to debit cards that can run as credit, but for credit cards there is an account update system that can automatically send new card numbers and expiration dates to merchants with recurring billing when you get a new card, which I presume would include both old and new PAN (primary account number, aka credit card number) numbers, so they may have records linking the old and new number together that you could get. I'd also push Amazon on trying to use a combination of last 4 + date + amount + the transaction id that I know I see in my statement description. That's incredibly specific information that's well beyond any persons ability to guess or obtain without access to the banking records, and should be suitably specific to identify the transaction and your connection to it. As others have commented it's not 12 digits you are missing as well, only 6 given the IIN/BIN that's the first 6 digits (it can be 8, but in the US I've only seen 6 digits) and with the check digit only some combinations of those 6 are valid.
Remembering some tricks from way back in the day when carding was a thing... I know there are CC validators out there. The first 4 digits on the new card should be the same as the old one. And using that info with the last 4 might give you enough info to reverse crack the full 16 digits.
If you have old statements, which you should be able to get going back years, those statements will often have, buried in barcodes or account number fields, the full 16 digit number is on there. Go through ALL your old statements from the time period and compare it to new statements and look for the differences. That should get you either the direct number or enough information to reconstruct it. If someone has online access to the account, you have a hope.
In fact the return stub bottom portion, where you mail in your payment, often has the number (much longer than the actual 16 digit, but it's usually the first part of the number) at the top of that stub.
I know that some physical receipts record the second last 4 digits, instead of the last 4 digits. I think I've seen the first and last four digits once. But this would depend on how many physical receipts the employee still has.
Find out who is on the banking committee in the House of Representatives and contact the chair’s office. It used to be Barbara Lee. She helped a friend with a similar issue with the same bank. … it went through 15 layers of management before the assistant manager who was messing with my friend was torn a new asshole by the President of the bank. He was exceptionally helpful after that.
My best guess is that the folks at Wells Fargo can't be bothered to check their tapes - since the card was fairly recently disabled, the info will be somewhere in the tape backups. Going through those is a bit of a process though, especially if you don't know exactly where to look (for that you'd probably need the account number, which is part of the card number - catch 22).
@@ScottKenny1978 That's unlikely. The account number for the card isn't going to be the same as the account number of the associated checking account - it's specific to the card, digits 7-15 of the card number to be precise. The first six are specific to the issuer (which should be identical to the newly issued card, unless it changed due to bank mergers) and the last one is a checksum.
@@ScottKenny1978 It's an absolutely ancient system (the ancestors of modern credit cards are over 200 years old - bank trading itself is probably as old as humanity!) and it's not exactly made to be customer friendly... Let's leave it at that. I deal with the industry on a fairly regular basis, so I've gotten used to the madness.
For the card problem, talk to your VENDORS -- they got the card number, every time you ordered with it. Even local stores where the card was used may have it in their records.
I work for a company that sells industrial equipment, machinery, and parts. Our antiquated way of doing things results in us having a lot of our client's credit card numbers effectively "on file" whether they requested it or not because their number has been given to an employee who had to send it to a second employee to run it. You may have good luck with this route if you ensure them you will be *happy* to to know they have it in an email or spreadsheet or whatever as opposed to mad.
@@Spiker985Studios I like to use KeePass. They don't have a special field or record type for that kind of thing but it works great. These big services have such complex code and rely on so many vendors I find them hard to trust. It's nice to know where my data is hosted and that no one has my keys.
@@NoOne-xp1pe That's a good thought. Maybe I should keep encrypted pictures of the cards . I already do that with other important documents in case I lose them to something like a fire.
If well Fargo can confirm the number if you knew the exact number than yes they have it on file. If you look at the compliance for credit cards you know most of the numbers are fixed so I think wells Fargo if they could confirm even if u had a partial they should be able to grab it out of records if they do keep records and can confirm after you confirm then that confirms they have records.
Need to retrain the staff to memorize all the card infos 😁 If it's anything like the UK, banks have their own branch code and account number for debit card accounts. So it makes sense for them not to know (or care about) the 16 digit number issued to a card - as that's handled on the card issuer side when a TX is raised. Credit card accounts have one number to ID them to the bank, the 16 digit card number - and banks definitely know these. So it may be worth having your LEO go to the card issuer company to retrieve the card number associated with the account credentials supplied?
I was going to suggest if you had the first 6 as well last the last 4, reconstruct it using the Luhn algorithm, but looks like many others had the same idea
That is insane that they don’t have the old card numbers… I’ve also seen the presentation, I’ve enjoyed a lot of your older presentations over the years.
My bank, US Bank, somehow didn't renew my ATM/Visa. When I called they had no record of me having any cards including the one in my wallet. I don't know if it was an accident of person or computer. They had my checking going back through 2 bank mergers.
Speaking from experience, it's likely completely invisible to the bank's front line branch/support staff and they imagine if they can't see it on their screen it's been *deleted* ; when in fact it's sitting in a database table somewhere flagged as inactive. You'd likely need someone in the frontline staff who understands database concepts and knows a database administrator on the backend who understands and has the access to query the data. That said, I currently use enterprise software that incredulously does actually delete key data instead of marking it inactive - much to the detriment of the analytical work I need to undertake.
@@Thermalions Doh! (forehead slap). That makes perfect sense. 🙂I get so aggravated with the stupidity, that once my problem is solved I don't look back. The complete morons who make our world work is astounding. I work in hardware. HP Printers has acknowledged to me that their parts books are full of numbering errors. I have no idea how they send the right part on the 2nd or 3rd repair trip. The insane part is that their "parts books" haven't been printed for ages, they are digital only. Yet when I, or someone else reports an error, which has cost them at least $300, they can't be bothered to fix the error. Minnesota bought a new License Plate computer a couple years ago. The database had no column for Jr., II, III, IV, etc. People had to wait up to 9 months to get tags. I quit when every job I was getting had been worked on by up to 5 "technicians", yes 5, before I was called, because I'm expensive. One of the idiots is so bad that he has to service the same machines every month, but that is better than my doing it once a year, as the machines are designed.
@@Thermalions You don't need to manually dig in the database. The right person who knows the system would find the card very soon but the PAN must be stored encrypted anyway. What you need is an employee with the right access rights. From "Card Ops" or a similar department. They'll have access to all this information, even with proper UI.
Card number: merchant copy receipts need to be kept for tax purposes and other things. Hotels and service providers may keep them on record too. Have a look for genuine transactions. Contact those companies and as for a copy of the merchant receipt and/or the card number on file.
You may be able to get the card number from WF with a court order from a judge. I know they have a record of card numbers because I lost access to my account email in the past and they were able to use my 16 digit card number as verification of account ownership.
The claim is that they don't keep expired/retired card numbers on file. Of course, that claim is also utter bullshit, as I've had recurring payments continue on a fraud-deactivated card for 3 years until that card expired.
Ever downloaded the transactions in Quicken format? Some banks use part of or all of the account number for the account id field (ACCTID) in the plain text QFX file.
The bank, ABSOLUTELY has the number. There's a metaphorical thread linking every card ever issued on an account that has to exist for stuff like refunds being paid back to old cards to work (legal stuff re gambling on cards). The bank itself has to have a full list of every card that's ever been issued on your account, but so does whichever card network (Amex, Visa, Mastercard etc) is involved, too. If, in the intervening months, you haven't been given the number already, just go into a branch. The staff who deal with customers absolutely have to have access to card numbers, because you've got to deal with card blocking and issuing. Worst case, just raise a complaint. They're not regulated like they are in the UK, but the quickest way to solve it will just to be to give it to you.
Look through the entire email history of the mailbox of the person who used the card. Call all merchants, if they refuse, set up a meeting with them. If all fails, get a lawyer and take on it formally with Amazon.
another trick if it's a credit card and not a bank card is get a credit report it may still show up on the report but it will be missing the last 4 which you have.
I've been confused ever since you pulished the Ultimate Cuffkey vid, because that slit looks way wider than 0.3mm. I do have some metal cutting wheels and have tried a few times, but even the thinnest one can't cut a groove narrower than 0.8mm. And I dought that cuff manufacturers makes warding that thin (it has to be thinner than 0.3, considering the clearance), since it'll become rather brittle.
Do receipts not contain the credit card numbers sans the last four digits? If you have any receipts for anything purchased on the card, you should have the entire card number.
you need 8 digits only first 4 digits are assigned to either bank or bank service behind card it is unusual to have those middle 8 digits ever changed on any subsequent cards for any reason, even in case of fraud so you should actually have all 16 digits, as first 4 are tight to type of debit card or account type last 4 you know anyway and middle never changes, as those probably are derived from bank account number
Have you checked for impressions in a wallet if any, or documents in the drawer with this card? Also, at work we use a billing software that hides all but the last four for customers on file, however a std priv user can do a database search for cards like '40%', '41%' and see if the customer in question comes up, then '460%', '461%' and so on until the entire card number has been recovered. At most 110 tries. (responsible disclosure was made to the vendor who did nothing). If you have the card programmed in to any auto pay system that could be vulnerable to similar... That is to say look closer to home and in places not directly involved that could still have the data. There just might be a tree in that forest.
If this card was used to buy anything resulting in a printed bon, look at the bottom. In germany at least you get to read the cardnumber and how long it's still good for use on every supermarked or gasstation recipe.
I'm curious, if you need identifiers to request the amazon information, could you request information on a specific purchase that happened with that card and get the card number back with that?Then you have it to feed back to them for the rest of the information. This obviously won't work if the only unique identifier they'll accept is the original card number that was used and is currently unknown.
Can't you (/the investigator) ask Amazon the very specific info that is the card code? (Or the info Amazon has to check it, hash or whatever, from which you may be able to recover the original datum)
Do you know if she has an online account that she would use the card for bc you could go on there and get the card number from there like PayPal Google wallet iPhone has something like that too
you may be better going to the payment processor (i.e visa/mastercard/ae) and asking for the card number as they are the ones linking the card number to the specific bank account
Do you have receipts for the card? Maybe the card number is on there? At least in EU the ordering code of the card is on the receipt. And if it is a matercard/visa card which can be used online, wouldn't it be stored in phones/apps/browsers for easy checkout.
I just went through this with another major bank. I called to check the credit limit on a card I hadn't used in two years. The bank claimed they had no record of the card number, that it had never been issued or cancelled.
My bank, US Bank, claimed that I had never had any card including the expired one in my wallet. My checking records went back through 2 bank mergers. A software/database person said that the person you are talking too can't see it, not that it doesn't still exist somewhere. The person with authorization can't be bothered with your problem, seems to be today's standard.
Not being able to get the card number sounds like one of those bureaucratic problems that should be easily fixed, but has become a huge problem for no good reason.
There must still be a way to track the dead number. On my CashApp card info was compromised, and even after my card was replaced, denials of unauthorized transactions using that information would show up in my statement.
Not quite. The first six digits identify the company that's backing the card (Industry identifier + 5 digit bank number). That part can probably be reconstructed (it's probably the same for all cards issued by the same bank/branch). Then comes the crucial bit - the eight digit account number. That part is unknown. The last digit is the checksum. Given all previous parts it's easy to figure out (Luhn algorithm), but the process can't be reversed to yield the original card number.
First four are the bank + card type (maybe even first 5 or 6) and the last 4 you know... if you know the algorithm and how to parallelize the calculations, brute forcing an 8 digit number is less than 24 hours on any workstation not an embarrassment to the word workstation. I'd love to give it a run... send me an email.
Bank cards follow a standard numbering pattern depending on the type of card.
If you know the last 4, and have a few other details (such as other cards on the account) you might be able to reconstruct the card number yourself.
For example, on a visa card, the first 6 digits will be common across cards issued by the same bank at a similar time. 7-15 is related to the account number and 16 is a checksum.
Doesn't get you all the way but if you know 1-6 and 13-16 there's only 6 digits left to find, and knowing the check bit massively decreases the number of possible card numbers.
It's all standardised in ISO/IEC 7812-1
That's probably the only way it's going to work... I can't be bothered to do the math right now, but I suspect that this way won't yield a small enough number of possible cards to guess the correct card number - which won't matter much in a murder/terrorism investigation (a judge might just authorize a "check all of those" order then) but that's unlikely here. The only other option is to check the tapes - the info will be in there somewhere, digging it up is likely a bit of a process, though.
Agreed, you might end up with too many results but you might get lucky.
I just tried it with one of my cards, and the same number of missing digits and got 2 valid card numbers. Could be luck or could genuinely be that low
@@mattbeddw That's surprisingly few options... If that's true for all cards, then Wells Fargo should be able to dig up the records for those few and verify which one used to be associated with the customer account. They definitely have that information still in their backups.
that's still 100,000 different cards, would be one million normally but the check digit invalidates 90% of those
@@DeeSnow97 That's not how checksums work. The equations are very deliberately chosen to not be as simple as "divide possibilities by ten".
The thing to do is likely to submit an LER to Wells Fargo requesting the card number ending in xxxx issued to $employee associated with account #yyyyyyyyyy in connection with a fraud investigation. You can use LER's to recover victim information, too.
They have it. It just isn't in the customer service systems.
We're going to try that next
Bank employees are as dumb as the rest of the world. A bank wanted to argue a point with me that is 60 years old, the senior manager has been there 16 years. You have to know the answers because they sure don't. Nobody want's to pay good wages (I'm not arguing living wage which causes inflation) just higher wages for competent and skilled labor. Apparently loss is cheaper than labor.
@@DeviantOllam That is the right approach. They absolutely have that information, they are *required* to have it. The person you'd normally talk to on a call to the client center won't have access to that data under PCI DSS but they should be able to get a hold of someone who can and they should be able to get that info to you - or if they refuse, to the LE.
Wells Fargo is literally the worst bank in the world one employee tells you one thing the next employee contradicts it a third employee tells you something completely different from the other two
@@DeviantOllam contact Samy Kamkar hes known for MagSpoof. he may be able figure out the card number in question.
For future reference, "destroy" means cut in half and file for 7 years.
I never imagined what they have to go through and I have seen a lot of crazy crap from lazy and incompetent employees all over the place. Recent favorites are to blame some random contractor for something that might not exist, just to try not paying for the job. People small and large corporations don't want to pay their bills, and this was before COVID.
I can't imagine the audacity of a person who decides to defraud an organization made up of extremely well-connected hackers and security experts. Good luck continuing the investigation, Dev!
I'm in law enforcement and I can tell you that you are correct in thinking the have records of issued cards. Keep the pressure up and best wishes.
Contact your previous merchants and check if anyone has your full card number on file. You would be surprised
This
Although possible, only recurring billings are supposed to keep the card number.
On a regular charge, the merchant is issued a transaction number, and they are NOT supposed to keep your card number, just the last 4 digits.
This probably occurred after the WalMart employee in Superior, WI, (accounting office?) stole a large number of card numbers several years ago.
@@NoOne-xp1pe you are technically correct and as everyone know, that is the best kind of correct. I only wish merchants followed their self proclaimed PCI processes, but many legacy systems still store full data for orders taken over the phone, and are ok and complain as long as the system is not exposed as a website/API.
Hey Deviant! This video is about 20db too quiet by UA-cam standards and here's what to keep in mind next time.
In technical terms videos on this platform should be at -14 LUFS, but this probably doesn't tell you anything so in practice it might be easier to upload a video as unlisted and right click on the video player and open "Stats for nerds".
There you'll find all kinds of info including "Volume / Normalized 100% / 100% (content loudness -20.5dB)" - the content loudness is what you're looking for. If it's a negative value, your video is too quiet by that amount and will not be made louder by UA-camr (this means you should boost it in editing by that amount), but if it is a positive number, your video is too loud and UA-cam will make it quieter.
This is something I myself learnt quite recently and has been a huge help when editing videos for UA-cam.
that is an extremely helpful tip thank you
@@hipu No problem! I've been making UA-cam videos off and on for almost 10 years, but found out about this just a few months ago.
So make everything loud.
This is gold, thanks.
Honestly those cufflinks are almost enough to make me wear shirts with that style of sleeve all on their own. I love hidden tools like that - I'm still looking for the perfect "invisible" emergency jewelry/hair clip/other accessory set.
Sad to hear about the loss. I hope you can get the perp nailed and recover the funds. Very heartwarming to see the quick and generous community support for TOOOL, only wish I were able to have helped.
I just reached out to an old friend who retired as a WF VP working in fraud & security. He should be able to give me the straight skinny.
Thank you! Please feel free to ping me if you get any hope from them! deviant.ollam@toool.us
@@DeviantOllam should be in your email now, unless I miss typed it because UA-cam iOS won’t let me cut and paste!. Given what my friend used to do, I rather suspect this is a high enough contact to get you a definitive word on what’s possible.
I'm imagining the giveaway winner: "Sweet! Now to go get myself arrested to see if they work!"
I'd rather find a dominatrix - I like having a clean criminal record (and I'm not averse to some mild to moderate punishment 😈)
@@smokerjim right! Just make sure you trust him/her/them (whatever gender/s you prefer). Nothing wrong with being handcuffed to a bed post/ wall/tree/sign post/elevator rail/etc by a/multiple fine ass partner/s. Just make sure you pick a safe word that you both/all can remember that you wouldn't otherwise use!
If you have the last 4 digits you should be able to reconstruct the number based on the card visa/mastercard and the bank account number. Should be very similar to the new card number.
You have the financial records of everything purchased using that card, if you can't get it through Amazon or WF, reach out to one of the other, smaller vendors that you had made purchases from ("the sticker company", "the t-shirt company", etc), and see if you can get someone there to dig up the card number. The smaller the company, the more likely it's a one-person operation, and possible they used legacy systems instead of Paypal or something where they don't actually see the full card number. It's like social engineering, except you're being fully honest about what you're looking for and why you need it!
Another option is to poke around the computer of the employee who had the card, see if the CCN was stored somewhere, like in autocomplete forms or the like (old trick to find passwords that are saved but not viewable, chrome inspect element, change "password" field tag to anything else, to make it visible).
Best of luck!
I loved watching your cat freak out on the cat tree. Two times your cat's like, "nope, I'm outta here."
I hope, that you get to the bottom of it, Brother!
Send all my best wishes, from the UK
Billing will have that card number on the statement, it will be somewhere on the bottom or top of the page in an identifier string in a statement sent in the time the card was active.
Hey Deviant. I really appreciate the information and entertainment over the Years. Cheers!!!
So it seems Amazon is acting fairly responsibly - although it's a real pain in this case, making the system resistant to indiscriminate LE trawling is a good thing. I wonder, would getting a court order be the easiest way forward? They have the data, and they want to give it to you, they are just bound by policy which an order would overrule.
Security VS convenience. Always seems to be the same trade-off.
@@ChrisBigBad exactly the reason for bad passwords and sticky notes for more secure passwords.
good whisky choice, one of my favourites!
Regarding your card conundrum, I don't have a solution for the past, but I do have a solution for the future.
Whenever I have a card I know I might need at some point I take a picture of it, name it appropriately (WIth a date in the file name) and save it in a double-encrypted folder, backed up to at least 2 drives.
I also memorized a simple cypher that I can use to write down numbers and passwords for myself safely, if I don't have access to a computer.
Between these two techniques, there's very little information that I can't retrieve if needed.
Now that you know this could be an issue, plan to not have to deal with it ever again.
Super cool talk! One of my first after the elevator talks!
My standard ASP will open with any S&W/Peerless key. However, not all "universal" keys are universal. I am not talking about anti-shim cuffs; I bought a few pairs of no-name universal keys and they all worked except one pair. I keep them marked as an example that you need to test your keys before you use a particular cuff. Also, if you have a collection of old and new cuffs, you may see differences in both post thickness and hole size even in the same brand and style of cuffs.
I've used the TOOOL design in a couple of counter custody classes. Works very well, only addition I made was back cutting the cylinder and added a leveraging arm for ease of insertion/use.
When you say 'back cutting' are you referring to the angled cut on the back of a Chinese key I saw somewhere?
@@NoOne-xp1pe best way to describe it without seeing a photo is opposite of the bitting the tube of the cylinder is ground down a bit at about a 45 degree angle. Primarily helps with inserting the key in odd positions.
@@Grappler130 Like the Delta Handcuff Key by Serepick? (This is my third try to ask the question properly, If I'm still wrong, would you pose the question to Grappler130 properly please?)
@@NoOne-xp1pe Yep very similar to the delta key just not as quite of a severe angle.
@@Grappler130 I can see how the back cut, wider center cut, and smaller bit would make insertion easier. But I would think that some type of handle would be required since the key hole is supposed to be away from your hands, and I think the key needs to be turned CCW first to unlock the double lock, then CW to unlock the cuff.
The Dremel silicon carbide discs are pretty thin (and pricey). Don't know if they're thin enough.
I had a somewhat similar problem when i needed the number of an AMEX card that I had closed some years earlier. It took several tries working up the chain at AMEX before I got someone who could snail mail me the number. If I didn't still live at the address they had for the account, I would have been out of luck.
This does raise the question, even if you can’t get them to give you the number, can you request a replacement card “with the same number” (but obviously updated expiration and different CVV) to be sent to the mailing address on file?
Did I see that presentation? Ha.
Made a few with and for a ColaSec meetup a few years ago. Oh, those were some fun times!
On a different occasion, we decided to head back to a brewery of which I was a founder and a cuff double-lock failed while attached to a member and to a "silicone wrist analogue."
I'm sure the drilled cuff and fist-posed device are around somewhere.
Thanks for the help to dredge up that old memory.
Some of the card number digits are guessable. The first few digits are the card type and bank which is likely to be the same on the replacement card. And there are check digits that can be calculated, as well as your known 4 digits. That still leaves you probably 10^7 numbers, but it’s better than 10^16.
4tac5 makes and sells some lovely handcuff keys. So does TIHK, who make some lovely durable plastic ones with integrated clips.
Gosh dang! DeviantOllum is THE MAN! My husband and i love all of his stuff, my husband actually has a total man crush on him (in a non homo way lol). I can only imagine how awesome it would be to hang out with this guy.
I'm pretty sure you can trick the voyeur request by, instead of asking for a specific number, say all data that is *not* any of the following number, an then specify all cards you have access to. If this is only one card then that set of cards is limited to 1 or 2 cards which is perfectly reasonable imo
Brilliant... as usual :) Hi from Belgium. :)
The card number may have been tokenized or encrypted with format-preserving encryption. There are some PCI requirements involved.
By and large, the rank and file won't have access to that. There is likely a process involving one or multiple HSMs to decrypt the card number.
You can figure out the number, if you know the last 4, Wells Fargo’s first 5 are known and the last number is a check sum. There was a defcon guy talking about hacking the numbers.
Try also sending a request via lawyer or law enforcement, maybe even both, to the card network (visa or Mastercard) I'm not sure it applies to debit cards that can run as credit, but for credit cards there is an account update system that can automatically send new card numbers and expiration dates to merchants with recurring billing when you get a new card, which I presume would include both old and new PAN (primary account number, aka credit card number) numbers, so they may have records linking the old and new number together that you could get.
I'd also push Amazon on trying to use a combination of last 4 + date + amount + the transaction id that I know I see in my statement description. That's incredibly specific information that's well beyond any persons ability to guess or obtain without access to the banking records, and should be suitably specific to identify the transaction and your connection to it.
As others have commented it's not 12 digits you are missing as well, only 6 given the IIN/BIN that's the first 6 digits (it can be 8, but in the US I've only seen 6 digits) and with the check digit only some combinations of those 6 are valid.
I wasn't at the DefCon, but I did see the talk since then on UA-cam, probably around 2017/2018.
Remembering some tricks from way back in the day when carding was a thing... I know there are CC validators out there. The first 4 digits on the new card should be the same as the old one. And using that info with the last 4 might give you enough info to reverse crack the full 16 digits.
If you have old statements, which you should be able to get going back years, those statements will often have, buried in barcodes or account number fields, the full 16 digit number is on there. Go through ALL your old statements from the time period and compare it to new statements and look for the differences. That should get you either the direct number or enough information to reconstruct it. If someone has online access to the account, you have a hope.
In fact the return stub bottom portion, where you mail in your payment, often has the number (much longer than the actual 16 digit, but it's usually the first part of the number) at the top of that stub.
I know that some physical receipts record the second last 4 digits, instead of the last 4 digits. I think I've seen the first and last four digits once. But this would depend on how many physical receipts the employee still has.
Find out who is on the banking committee in the House of Representatives and contact the chair’s office. It used to be Barbara Lee. She helped a friend with a similar issue with the same bank. … it went through 15 layers of management before the assistant manager who was messing with my friend was torn a new asshole by the President of the bank. He was exceptionally helpful after that.
My best guess is that the folks at Wells Fargo can't be bothered to check their tapes - since the card was fairly recently disabled, the info will be somewhere in the tape backups. Going through those is a bit of a process though, especially if you don't know exactly where to look (for that you'd probably need the account number, which is part of the card number - catch 22).
Except that Dev should have the account number in hand.
@@ScottKenny1978 That's unlikely. The account number for the card isn't going to be the same as the account number of the associated checking account - it's specific to the card, digits 7-15 of the card number to be precise. The first six are specific to the issuer (which should be identical to the newly issued card, unless it changed due to bank mergers) and the last one is a checksum.
@@jandl1jph766 ah, gotcha.
Have I mentioned I hate dealing with banks?
@@ScottKenny1978 It's an absolutely ancient system (the ancestors of modern credit cards are over 200 years old - bank trading itself is probably as old as humanity!) and it's not exactly made to be customer friendly... Let's leave it at that. I deal with the industry on a fairly regular basis, so I've gotten used to the madness.
@@jandl1jph766 if we ever meet face to face, first adult beverage is on me. 🍻
For the card problem, talk to your VENDORS -- they got the card number, every time you ordered with it. Even local stores where the card was used may have it in their records.
This is the path I took a couple minutes after setting the video to upload. I have strong thoughts the results will be promising.
@@DeviantOllam The sheer number of times that the number has been passed around gives you a good shot at it.
I work for a company that sells industrial equipment, machinery, and parts. Our antiquated way of doing things results in us having a lot of our client's credit card numbers effectively "on file" whether they requested it or not because their number has been given to an employee who had to send it to a second employee to run it.
You may have good luck with this route if you ensure them you will be *happy* to to know they have it in an email or spreadsheet or whatever as opposed to mad.
Definitely remember that toool handcuff key video. I'll be keeping old payment info in my password manager I guess.
Bitwarden specifically has a "Card" record type for various credit/debit cards
@@Spiker985Studios I like to use KeePass. They don't have a special field or record type for that kind of thing but it works great. These big services have such complex code and rely on so many vendors I find them hard to trust. It's nice to know where my data is hosted and that no one has my keys.
Good point. Add the 800 number to call if lost or stolen.
@@NoOne-xp1pe That's a good thought. Maybe I should keep encrypted pictures of the cards . I already do that with other important documents in case I lose them to something like a fire.
If well Fargo can confirm the number if you knew the exact number than yes they have it on file. If you look at the compliance for credit cards you know most of the numbers are fixed so I think wells Fargo if they could confirm even if u had a partial they should be able to grab it out of records if they do keep records and can confirm after you confirm then that confirms they have records.
Need to retrain the staff to memorize all the card infos 😁
If it's anything like the UK, banks have their own branch code and account number for debit card accounts. So it makes sense for them not to know (or care about) the 16 digit number issued to a card - as that's handled on the card issuer side when a TX is raised. Credit card accounts have one number to ID them to the bank, the 16 digit card number - and banks definitely know these.
So it may be worth having your LEO go to the card issuer company to retrieve the card number associated with the account credentials supplied?
I was going to suggest if you had the first 6 as well last the last 4, reconstruct it using the Luhn algorithm, but looks like many others had the same idea
That is insane that they don’t have the old card numbers… I’ve also seen the presentation, I’ve enjoyed a lot of your older presentations over the years.
My bank, US Bank, somehow didn't renew my ATM/Visa. When I called they had no record of me having any cards including the one in my wallet. I don't know if it was an accident of person or computer. They had my checking going back through 2 bank mergers.
Speaking from experience, it's likely completely invisible to the bank's front line branch/support staff and they imagine if they can't see it on their screen it's been *deleted* ; when in fact it's sitting in a database table somewhere flagged as inactive. You'd likely need someone in the frontline staff who understands database concepts and knows a database administrator on the backend who understands and has the access to query the data.
That said, I currently use enterprise software that incredulously does actually delete key data instead of marking it inactive - much to the detriment of the analytical work I need to undertake.
@@Thermalions Doh! (forehead slap). That makes perfect sense. 🙂I get so aggravated with the stupidity, that once my problem is solved I don't look back. The complete morons who make our world work is astounding. I work in hardware. HP Printers has acknowledged to me that their parts books are full of numbering errors. I have no idea how they send the right part on the 2nd or 3rd repair trip. The insane part is that their "parts books" haven't been printed for ages, they are digital only. Yet when I, or someone else reports an error, which has cost them at least $300, they can't be bothered to fix the error. Minnesota bought a new License Plate computer a couple years ago. The database had no column for Jr., II, III, IV, etc. People had to wait up to 9 months to get tags. I quit when every job I was getting had been worked on by up to 5 "technicians", yes 5, before I was called, because I'm expensive. One of the idiots is so bad that he has to service the same machines every month, but that is better than my doing it once a year, as the machines are designed.
@@Thermalions You don't need to manually dig in the database. The right person who knows the system would find the card very soon but the PAN must be stored encrypted anyway. What you need is an employee with the right access rights. From "Card Ops" or a similar department. They'll have access to all this information, even with proper UI.
Card number: merchant copy receipts need to be kept for tax purposes and other things.
Hotels and service providers may keep them on record too.
Have a look for genuine transactions. Contact those companies and as for a copy of the merchant receipt and/or the card number on file.
You may be able to get the card number from WF with a court order from a judge. I know they have a record of card numbers because I lost access to my account email in the past and they were able to use my 16 digit card number as verification of account ownership.
The claim is that they don't keep expired/retired card numbers on file. Of course, that claim is also utter bullshit, as I've had recurring payments continue on a fraud-deactivated card for 3 years until that card expired.
Good choice in scotch!
this cuff keys cuffs are very interesting
wow fantastic hope you find out what you need bro
Ever downloaded the transactions in Quicken format? Some banks use part of or all of the account number for the account id field (ACCTID) in the plain text QFX file.
The bank, ABSOLUTELY has the number.
There's a metaphorical thread linking every card ever issued on an account that has to exist for stuff like refunds being paid back to old cards to work (legal stuff re gambling on cards). The bank itself has to have a full list of every card that's ever been issued on your account, but so does whichever card network (Amex, Visa, Mastercard etc) is involved, too.
If, in the intervening months, you haven't been given the number already, just go into a branch. The staff who deal with customers absolutely have to have access to card numbers, because you've got to deal with card blocking and issuing.
Worst case, just raise a complaint. They're not regulated like they are in the UK, but the quickest way to solve it will just to be to give it to you.
Wow!
What's the tldr on the bank card thing? Stolen card number bought stuff on Amazon? Or if there is a previous vid explaining?
Thanks for the video 🔒
So you mean they can keep the cards active for pending and cyclical transactions, but can't get the card number? How does that work?
3:40 - Heh, the *key* thing. I get it.
Look through the entire email history of the mailbox of the person who used the card. Call all merchants, if they refuse, set up a meeting with them. If all fails, get a lawyer and take on it formally with Amazon.
another trick if it's a credit card and not a bank card is get a credit report it may still show up on the report but it will be missing the last 4 which you have.
I've seen a zipper pull on a jacket that had a hidden handcuff key inside
quick question about training..........do you ever have safe manipulation classes in tucson, arizona? thanks
We don't right now but we will hopefully later this year, etc
Ackahol and reloading tools on the same bench? Isn’t that a little risky?
Lagavulin. You’re making me thirsty, and I can’t drink at work.
Are there any conventions or other sites that would have processed payment? Knucklebuster records, Square?
I've been confused ever since you pulished the Ultimate Cuffkey vid, because that slit looks way wider than 0.3mm. I do have some metal cutting wheels and have tried a few times, but even the thinnest one can't cut a groove narrower than 0.8mm. And I dought that cuff manufacturers makes warding that thin (it has to be thinner than 0.3, considering the clearance), since it'll become rather brittle.
The cuff in question has a piece of sheet metal in the middle of the sandwich to keep standard keys from working. Longevity isn't really an issue.
@@NoOne-xp1pe I see. Maybe that's why the modded key still works even the slit is cut wider than 0.3, since it has enough clearance.
Reach out to whatever vendors the card was used with. If Wells Fargo doesn't have it, some other vendor might.
The employee does not have an outgoing email to a hotel or vender with a Credit Card authorization form filled out?
Do receipts not contain the credit card numbers sans the last four digits? If you have any receipts for anything purchased on the card, you should have the entire card number.
You could try asking for the number from a vendor with whom the card was used.
10:14 - Annnnnddd... kitteh.
you need 8 digits only
first 4 digits are assigned to either bank or bank service behind card
it is unusual to have those middle 8 digits ever changed on any subsequent cards for any reason, even in case of fraud
so you should actually have all 16 digits, as first 4 are tight to type of debit card or account type
last 4 you know anyway
and middle never changes, as those probably are derived from bank account number
Have you checked for impressions in a wallet if any, or documents in the drawer with this card? Also, at work we use a billing software that hides all but the last four for customers on file, however a std priv user can do a database search for cards like '40%', '41%' and see if the customer in question comes up, then '460%', '461%' and so on until the entire card number has been recovered. At most 110 tries. (responsible disclosure was made to the vendor who did nothing). If you have the card programmed in to any auto pay system that could be vulnerable to similar... That is to say look closer to home and in places not directly involved that could still have the data. There just might be a tree in that forest.
If this card was used to buy anything resulting in a printed bon, look at the bottom. In germany at least you get to read the cardnumber and how long it's still good for use on every supermarked or gasstation recipe.
No way! You must be very careful with receipts over there!
In the US, the receipt says "card ending in xxxx", so only last 4 digits, first 6 are bank.
I'm curious, if you need identifiers to request the amazon information, could you request information on a specific purchase that happened with that card and get the card number back with that?Then you have it to feed back to them for the rest of the information. This obviously won't work if the only unique identifier they'll accept is the original card number that was used and is currently unknown.
Having seen how the FBI screws with FOIA requests, these side quests are not surprising at all.
Can't you request past proof of payment with the number on? Financial records need to be kept for 10 years. Do you have payment receipts etc?
was the card saved on google or any other platform for auto pay that you can get the card number from?
Can't you (/the investigator) ask Amazon the very specific info that is the card code?
(Or the info Amazon has to check it, hash or whatever, from which you may be able to recover the original datum)
Wait. The last four just identify the account. The first groups of numbers Just identify the bank right? Might they be the same 12 as the other cards?
Do you know if she has an online account that she would use the card for bc you could go on there and get the card number from there like PayPal Google wallet iPhone has something like that too
16 digit card numbers are sometimes on the bank statements
For credit cards on the detach and pay portion I am not sure about debit cards though
You may be able to get the details on your bank statement if any payment was made.
usually only the last four numbers. In case your mail is intercepted. That way nobody can you the number with the address info
Shouldn't you be able to pull up a previous bill that it was on?
You're attorney or the local prosecutor sending a subpoena might shake your digits loose.
you may be better going to the payment processor (i.e visa/mastercard/ae) and asking for the card number as they are the ones linking the card number to the specific bank account
Unbelievable situation 😱🥴🤨 All the best with the outcome 🤬 and Iv got 1 of the keys 🔑 mentioned
Do you have receipts for the card? Maybe the card number is on there? At least in EU the ordering code of the card is on the receipt.
And if it is a matercard/visa card which can be used online, wouldn't it be stored in phones/apps/browsers for easy checkout.
Depends on the age of the receipts or the bank statements from WF.
Older ones might have the full card number, but newer ones probably won't.
Is there a limit to the number of requests you can make in a time frame? Can you start brute forcing it (lol) and frustrate them so hard they give in?
I just went through this with another major bank. I called to check the credit limit on a card I hadn't used in two years. The bank claimed they had no record of the card number, that it had never been issued or cancelled.
My bank, US Bank, claimed that I had never had any card including the expired one in my wallet. My checking records went back through 2 bank mergers. A software/database person said that the person you are talking too can't see it, not that it doesn't still exist somewhere. The person with authorization can't be bothered with your problem, seems to be today's standard.
Not being able to get the card number sounds like one of those bureaucratic problems that should be easily fixed, but has become a huge problem for no good reason.
It serves someone’s needs for it to be difficult.
It's all for security! You've seen the kind of damage that can happen if the wrong person gets one of those numbers...
There must still be a way to track the dead number. On my CashApp card info was compromised, and even after my card was replaced, denials of unauthorized transactions using that information would show up in my statement.
The last 4 will add up to the other 12 it's self checking
The first 6 are also based on the bank. So you just have to figure out the other 6?
@@lathiat Yeah not really possible then you could just put all 16 digits on everything
Not quite. The first six digits identify the company that's backing the card (Industry identifier + 5 digit bank number). That part can probably be reconstructed (it's probably the same for all cards issued by the same bank/branch). Then comes the crucial bit - the eight digit account number. That part is unknown. The last digit is the checksum. Given all previous parts it's easy to figure out (Luhn algorithm), but the process can't be reversed to yield the original card number.
Kitteh.
why is there no cat related design toools? need a covert dual use kitty comb/decoder card
@@frogz Deshed and Decode.
😸
Give them to Miles from Cambridge UK. ;)
Not saved in chrome or something anywhere?
Foss is life
Can't they just get an old card statement with the account number on it. Possibly from the online Wells Fargo login.
Didn't you make a video a while back showing how to modify the key?
First four are the bank + card type (maybe even first 5 or 6) and the last 4 you know... if you know the algorithm and how to parallelize the calculations, brute forcing an 8 digit number is less than 24 hours on any workstation not an embarrassment to the word workstation. I'd love to give it a run... send me an email.
Hope everything works out! It's absolute bullshittery to claim they don't have records of your cards.