Payment card numbers, such as those on debit cards, credit cards or store cards, used to be typed in and quoted. This led to mistakes, though these days it happens only occasionally. To minimize this and avoid the complications that would follow if money were paid to the wrong account or ended up lost in the system, 16-digit card numbers are far from being the random numbers they appear to be. The numbers have a pattern, and that pattern is verified using a single check digit.
We know we should never reveal our bank account details over the phone or in emails. Every once in a while, though, someone will fall for a phishing email and send off their card number. Software can be used to scan email traffic to identify bank account numbers in emails and thus reduce the chances of fraud. Also, fictitious card numbers used to be generated by crooks unaware that the numbers are not random, and the software could identify these numbers.
What is the pattern in bank account numbers and how are errors spotted? The software makes use of an algorithm, which is a set of mathematical instructions performed in a prescribed sequence to achieve a goal, in this case spotting a mistake in the pattern of numbers. Here’s how it works.
Take out a bank card and write down the long number on the front on a piece of paper and follow these steps (you don’t really have to do this of course).
1. Starting from the right, double the value of each alternate digit, beginning with the second digit from the right (not the first digit).
2. Add the individual digits of the numbers obtained in step 1 together. If a number has two digits, treat them as separate numbers and add them together, i.e. the number 14 becomes 5.
3. Add together each of the unaffected digits in the original number.
4. Add these two totals together (the totals in 2 and 3).
If the final total is a number ending in zero (30, 40, 50, 60, 70 etc) then the card number is validated.
Here is an example using the card number 4556 7375 8689 9855:

| Card Number | 4 | 5 | 5 | 6 | 7 | 3 | 7 | 5 | 8 | 6 | 8 | 9 | 9 | 8 | 5 | 5 | Total |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Double every other number | 8 | | 10 | | 14 | | 14 | | 16 | | 16 | | 18 | | 10 | | |
| Sum of digits | 8 | 5 | 1 | 6 | 5 | 3 | 5 | 5 | 7 | 6 | 7 | 9 | 9 | 8 | 1 | 5 | 90 |

The sum of all the digits is 90, which is divisible by 10, and therefore the card number is validated. If, say, the first two numbers had been switched around by mistake, the sum of the digits in the first two columns of the 3rd row would have been 1 and 4, instead of 8 and 5, and the total sum would have been 82. This is not divisible by 10, and the card number would not have been validated.
This algorithm, known as the Luhn algorithm after the IBM scientist Hans Peter Luhn who created it in 1954, is also known as the ‘modulus 10’ or ‘mod 10’ algorithm. It doesn’t have any significant security function, as criminals are much more sophisticated, but the algorithm is in the public domain and is still in wide use today, serving its original purpose of spotting accidental errors.
Incidentally, the first digit of a card number identifies the category of the sector of the card issuer. For example, American Express and Diners Club are classified as being in the entertainment sector; Visa and Mastercard as being in the banking sector. The next five numbers identify the individual card issuer, e.g. Co-operative, Nationwide, Santander. The nine numbers after that are the individual account number. The final, 16th digit is the check digit (in the example above it is 5), and this is mathematically determined based on all the other digits in order to ensure that the algorithm produces a total divisible by 10. To put it another way, when card numbers are produced the check digit is worked out after the first 15 digits have been determined. It is not done beforehand, as otherwise one or more of the other 15 digits would have to be fixed so as to produce the required check digit.
The Luhn algorithm can detect any single-digit error, as well as almost all switching of adjacent digits, errors which can easily be made when card numbers are typed in, though that’s not very common nowadays. But it can’t detect the swapping of 09 and 90, nor of 22 and 55, 33 and 66, or 44 and 77.
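The following is an added example, not part of the original article: steps 1 to 4 above in Python, the check-digit calculation, a scan of text for 16-digit numbers that pass the check, and a helper listing the adjacent swaps the check misses. The function names, the regular expression and the sample message are assumptions made for illustration.

```python
import re

def luhn_total(number: str) -> int:
    """Steps 1-4 above: the Luhn total of a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:      # every second digit, counting from the right
            d *= 2
            if d > 9:       # 14 -> 1 + 4 = 5, the same as subtracting 9
                d -= 9
        total += d
    return total

def is_valid(number: str) -> bool:
    ok = number.isascii() and number.isdigit()
    return ok and luhn_total(number) % 10 == 0

def check_digit(first15: str) -> str:
    """Final digit that makes the total divisible by 10."""
    # Appending "0" puts the other digits in their final positions.
    return str((10 - luhn_total(first15 + "0") % 10) % 10)

# Assumption: a candidate is 16 digits, optionally grouped by spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d{4}(?:[ -]?\d{4}){3}(?!\d)", re.ASCII)

def find_card_numbers(text: str) -> list[str]:
    """16-digit runs in text that pass the check (for flagging or redaction)."""
    digits = (re.sub(r"[ -]", "", m.group()) for m in CANDIDATE.finditer(text))
    return [d for d in digits if is_valid(d)]

def undetected_swaps(number: str) -> list[str]:
    """Adjacent-digit swaps that alter the number yet still validate."""
    out = []
    for i in range(len(number) - 1):
        a, b = number[i], number[i + 1]
        swapped = number[:i] + b + a + number[i + 2:]
        if a != b and is_valid(swapped):
            out.append(swapped)
    return out

# Constructed sample message: the article's number, a copy with its first two
# digits switched, and a made-up number containing the pair "09".
SAMPLE = ("Card 4556 7375 8689 9855, retyped as 5456-7375-8689-9855; "
          "other card 4000000000000903.")

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE))
    print(undetected_swaps("4000000000000903"))
```

A scanner built this way only narrows down candidates: roughly one in ten random 16-digit strings passes the check, so a hit is a reason to look closer, not proof of a real card number.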
And here’s a far-fetched connection between the algorithm and science fiction. Luhn programmed his algorithm on an IBM 704 computer. This computer and a speech synthesiser were used by John L Kelly in 1962 to recreate, with a musical accompaniment, the song A Bicycle Made For Two. Arthur C Clarke saw a demonstration of the song, and he incorporated it into his novel and screenplay for the film 2001: A Space Odyssey, directed by Stanley Kubrick. In a climactic scene towards the end of the film, the HAL9000 computer sings the song whilst it is switched off by astronaut Dave Bowman. And film devotees will know that the next letter alphabetically after each letter in HAL spells IBM.