The power of distributed attacks. Of course, they can only guess a random correct credit card + exp + code, not yours. Given the relatively limited number of codes for each bank, I wonder what the odds are for them to wind up with yours.
It's like winning the lottery --- someone always wins, even if it's not you. If guessing is free and you get an effectively unlimited number of guesses in parallel, it's pretty obvious that you will win quite easily.
...for every valid/correct credit card? The answer is a ratio of 1:x_1, where x_1 is every correct cc. And each correct cc is a ratio to the total number of cc vulnerable to the system of attack, 1:x_2; and this is in turn a ratio of 1:x_3, for all the currently valid cc, etc., etc. Right? But what's more concerning is all of the successful fraudulent activity is adding to the loss those banks are adding to their books, which in turn will be passed on to customers as bank fees and other costs.
There is no loss to the banks, assuming the fraudulent purchases are "card not present". The loss goes to the selling merchant. Your point of it being collectively passed on to the consumer is still true, of course.
Acceptable storage is usually first 6 and last 4 [1]. I wonder if this would make it easier to go through some Luhn checked generated numbers to target an individual.
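To put a number on the question in the comment above, here is an added example (not part of the thread) that measures how much uncertainty remains in a card number stored as first 6 and last 4, with and without the Luhn check. It assumes a 16-digit number; the mask is constructed from the widely published test number 4111111111111111, and the function names are illustrative.

```python
def luhn_contrib(digit: int, pos_from_right: int) -> int:
    """Luhn contribution of one digit; every second digit from the right is doubled."""
    if pos_from_right % 2 == 1:
        doubled = digit * 2
        return doubled - 9 if doubled > 9 else doubled
    return digit


def luhn_valid(pan: str) -> bool:
    """True if the all-digit string passes the Luhn checksum."""
    total = sum(luhn_contrib(int(c), i) for i, c in enumerate(reversed(pan)))
    return total % 10 == 0


def count_luhn_candidates(mask: str) -> int:
    """Count the fillings of '*' in mask that pass Luhn, without enumerating them.

    Dynamic programming over the running checksum modulo 10:
    ways[r] = number of partial fillings whose checksum so far is r.
    """
    ways = [1] + [0] * 9
    for pos, ch in enumerate(reversed(mask)):
        choices = range(10) if ch == "*" else (int(ch),)
        nxt = [0] * 10
        for residue, n in enumerate(ways):
            if n:
                for d in choices:
                    nxt[(residue + luhn_contrib(d, pos)) % 10] += n
        ways = nxt
    return ways[0]


def raw_candidates(mask: str) -> int:
    """Size of the search space if no checksum were applied."""
    return 10 ** mask.count("*")


if __name__ == "__main__":
    mask = "411111******1111"  # constructed: first 6 + last 4 of a test number
    print("unknown digits:     ", mask.count("*"))
    print("without Luhn:       ", raw_candidates(mask))
    print("passing Luhn:       ", count_luhn_candidates(mask))
```

The checksum removes exactly one digit of uncertainty, so a stored first-6/last-4 record leaves 100,000 Luhn-valid possibilities rather than 1,000,000, before expiry date and security code are considered.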