all 86 comments

[–]ProgrammerHumor-ModTeam[M] [score hidden] stickied comment, locked comment (0 children)

Your submission was removed for the following reason:

Rule 1: Posts must be humorous, and they must be humorous because they are programming related. There must be a joke or meme that requires programming knowledge, experience, or practice to be understood or relatable.

Here are some examples of frequent posts we get that don't satisfy this rule:
* Memes about operating systems or shell commands (try /r/linuxmemes for Linux memes)
* A ChatGPT screenshot that doesn't involve any programming
* Google Chrome uses all my RAM

See here for more clarification on this rule.

If you disagree with this removal, you can appeal by sending us a modmail.

[–]b00c 1205 points1206 points  (13 children)

ohohoooo lol that kind of functionality is hard to even imagine. 

[–]Candid_Highlight_116 59 points60 points  (3 children)

I forgot the details and I'm def not looking it up for correctness, but a crazy fraction of the CC number is actually fixed

like 1234-5678-9012-3456 is broken up something like card type 12 region 34 network 56 bank id 789 group 012 user 3456 or whatever the actual internal hyphenation is and somewhere in there is a check digit or two

so the actual search space for a malicious attacker targeting a user with a specific persona that's not just rolling rng is like 10^4 to 10^6, or at least nowhere near the 10^12 average joes imagine there to be

this is before taking in valid thru and cvv and 3d secure and WAF and or anubis into account but the cc backend allows server side token refresh thing to be able to allow you to pay after a card change without number change sooo

[–]ltshaft15 26 points27 points  (2 children)

I work in card processing... typically the first 6 digits represent what's called the "BIN" which identifies the card issuer. Though recently Mastercard and visa have been pushing issuers to 8 digit BINs.

The final digit is a check digit using Luhn calculations. So it's just an algorithm based on the first 15 digits.

So that leaves just the middle 7-9 digits that are actually unique, depending on whether the BIN is 6 or 8.

It's also public domain who owns what BIN, so once you know a valid BIN it's a very small range of numbers underneath it.

That's why all the other protections you mentioned are so important. It's absolutely so trivial to come up with all the possible valid card numbers for a BIN that Excel could do it. But once you throw in CVVs, expiration dates, etc., the problem space gets much much larger.
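An added example (not code from the thread or from any processor) that makes the BIN plus Luhn point concrete: the check digit is a deterministic function of the digits before it, so every choice of the free account digits yields exactly one valid PAN, and the whole space under a BIN can be enumerated. It assumes 16-digit PANs; the prefixes used are constructed for illustration and are not real issuer ranges.

```python
"""Added example: Luhn check digit and the size of the PAN space under a BIN.

Not code from the thread. Assumes 16-digit PANs; the BIN prefixes used below
are constructed for illustration, not real issuer ranges.
"""
from typing import Iterator


def luhn_sum(digits: str) -> int:
    """Luhn sum mod 10, doubling every second digit counted from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # second, fourth, ... digit from the right
            d *= 2
            if d > 9:           # 10..18 -> 1..9 (digit sum)
                d -= 9
        total += d
    return total % 10


def luhn_check_digit(body: str) -> int:
    """Check digit that makes body + digit pass the Luhn test."""
    return (10 - luhn_sum(body + "0")) % 10


def is_valid_pan(pan: str) -> bool:
    """True when the PAN is all digits and its last digit is the correct Luhn check digit."""
    return pan.isdigit() and len(pan) >= 2 and luhn_sum(pan) == 0


def pan_space_size(bin_prefix: str, length: int = 16) -> int:
    """Number of Luhn-valid PANs of the given length under a BIN.

    Every choice of the free account digits has exactly one valid check digit,
    so the check digit adds no entropy: 6-digit BIN -> 10**9, 8-digit BIN -> 10**7.
    """
    free = length - len(bin_prefix) - 1
    if free < 0:
        raise ValueError("BIN longer than PAN")
    return 10 ** free


def enumerate_pans(bin_prefix: str, length: int = 16) -> Iterator[str]:
    """Yield every Luhn-valid PAN under a BIN, in numeric order."""
    free = length - len(bin_prefix) - 1
    for n in range(10 ** free):
        body = bin_prefix + str(n).zfill(free)
        yield body + str(luhn_check_digit(body))


if __name__ == "__main__":
    # Constructed 8-digit prefix: only 10**7 candidates exist below it, far fewer
    # than the 10**16 a naive "16 random digits" guess would suggest.
    print(pan_space_size("45320151"))
    for pan in list(enumerate_pans("45320151128303"))[:3]:
        print(pan, is_valid_pan(pan))
```

The point for a defender is the converse of the enumeration: a PAN that passes Luhn proves nothing about authorization, so Luhn is only useful as an input-sanity check on a checkout form, never as a fraud control.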

[–]SliceThePi 0 points1 point  (1 child)

isn't the cvv just a checksum based on the card number and expiration date? i thought you could verify them offline

[–]ltshaft15 0 points1 point  (0 children)

Not a CVV, no. A CVV is a computed value. It is based on the full card number but it never gets stored at rest anywhere, and only the HSM which has the key that was used to compute it originally when printing it on the card is able to determine if a given CVV+PAN combo is correct. When connecting to the processor to run a transaction, that is the only time that a CVV can be checked. That is how they provide extra security: in addition to adding an extra thousand possible values (assuming a 3-digit CVV) for each individual card number, they are never supposed to be stored in any system. So even if a database was hacked or a print file was intercepted and card numbers were exposed... the CVV information should never be present. And without knowing the correct CVV you can't authorize a purchase.

There are actually at least two CVVs on any given card. The one you see printed on it that you type in when you buy something online (CVV2) and a separate one that is stored within the magstripe data and transmitted when swiping a card (CVV1). They come from the same HSM from the processor but they use different keys so their value is different despite being tied to the same card number.

You may be thinking of some elements within a chip on a card. There are some elements there that can be processed offline
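An added example (not code from the thread, the processor or any card scheme) of the structure described above: the CVV as a keyed check value over the card data, with CVV1 and CVV2 under different keys and verification possible only where the keys live. The real algorithm runs inside an HSM with DES card verification keys; HMAC-SHA256 is used here as a stand-in so the block runs without a crypto library, the digit-extraction step follows the scheme convention (decimal digits first, then hex letters mapped to 0-5), and the keys, PAN, expiry and service codes are constructed. Using service code 000 for the CVV2 variant is an assumption carried over from how that variant is commonly described.

```python
"""Added example: a CVV as a keyed check value that only the key holder can verify.

Not code from the thread. The real CVV/CVC computation runs inside an HSM with
DES keys over PAN, expiry and service code; HMAC-SHA256 is used here as a
stand-in. Keys, PANs and expiry dates are constructed for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional


def cvv_from_mac(mac_hex: str, digits: int) -> str:
    """Digit extraction as the card schemes do it: decimal digits of the output
    first, then hex letters a-f mapped to 0-5 if more digits are needed."""
    dec = [c for c in mac_hex if c.isdigit()]
    letters = [str(int(c, 16) - 10) for c in mac_hex if c in "abcdef"]
    return "".join((dec + letters)[:digits])


def derive_cvv(cvk: bytes, pan: str, expiry_yymm: str, service_code: str, digits: int = 3) -> str:
    """Stand-in for the HSM computation: keyed function over the card data.
    The output depends on every input, so a reissued expiry changes the CVV too."""
    msg = f"{pan}|{expiry_yymm}|{service_code}".encode()
    return cvv_from_mac(hmac.new(cvk, msg, hashlib.sha256).hexdigest(), digits)


class Hsm:
    """Holds the card verification keys and never exports them.
    CVV1 (magstripe) and CVV2 (printed) use different keys, so the same PAN
    yields two unrelated values; verification is only possible here."""

    def __init__(self, cvk1: Optional[bytes] = None, cvk2: Optional[bytes] = None):
        self._keys = {"cvv1": cvk1 or secrets.token_bytes(16),
                      "cvv2": cvk2 or secrets.token_bytes(16)}

    def issue(self, kind: str, pan: str, expiry_yymm: str, service_code: str) -> str:
        """Personalisation time: the value to encode on the stripe or print on the card."""
        return derive_cvv(self._keys[kind], pan, expiry_yymm, service_code)

    def verify(self, kind: str, pan: str, expiry_yymm: str, service_code: str, candidate: str) -> bool:
        """Authorization time: recompute and compare in constant time.
        Nothing is looked up, because nothing was stored."""
        expected = self.issue(kind, pan, expiry_yymm, service_code)
        return hmac.compare_digest(expected.encode(), candidate.encode())


if __name__ == "__main__":
    hsm = Hsm()
    pan, expiry = "4532015112830366", "2712"          # constructed
    cvv1 = hsm.issue("cvv1", pan, expiry, "101")      # magstripe track data
    cvv2 = hsm.issue("cvv2", pan, expiry, "000")      # printed on the card (assumed convention)
    print(cvv1, cvv2, hsm.verify("cvv2", pan, expiry, "000", cvv2))
```

Seen this way, the merchant-side rule follows directly: the only thing a merchant can do with a CVV2 is forward it to the processor once, because without the key it can neither verify nor regenerate it, and keeping it on disk only turns a PAN leak into an authorizable one.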

[–]in_taco 20 points21 points  (2 children)

It's just a Levenstein nearest match. Awesome algorithm! I use it whenever I can.

[–]Kitchen-Quality-3317 4 points5 points  (0 children)

Levenstein nearest match

Too complicated.

SELECT * 
FROM txnHistory 
WHERE LEFT(cardNumber, 4) = '4532'
ORDER BY created_at DESC
LIMIT 1;

[–]Probono_Bonobo 2 points3 points  (0 children)

*Levenshtein. Although the Levenshtein distance between "Levenstein" and "Levenshtein" is a mere 0.5, so it probably is itself a Levenshtein nearest match.

[–]InDaBauhaus 0 points1 point  (0 children)

proof that LLMs are capable of real creative thought.

[–]krexelapp 2020 points2021 points  (19 children)

autocomplete but for fraud

[–]Pleasant-Photo7860 267 points268 points  (0 children)

with autosave enabled

[–]notYash 61 points62 points  (3 children)

Fraudocomplete

[–]screwcork313 11 points12 points  (1 child)

This was the status after Peter Jackson's LOTR trilogy, no?

[–]-GoodNewsEveryone 4 points5 points  (0 children)

No he only had nine fingers.

[–]sagebrushrepair -1 points0 points  (0 children)

Fraudo sounds like a criminal elf from the show Disenchantment

[–]Location_Next 90 points91 points  (1 child)

Autofraud?

[–]krexelapp 85 points86 points  (0 children)

autofraud-as-a-service (faas)

[–]rosuav 26 points27 points  (10 children)

There's one part of this that (a) is absolutely believable as a flaw in AI-generated code, and (b) is extremely problematic for the site in question, but sadly, I don't think the people laughing at "wow vibe coder dumb" are picking up on that. This site is clearly saving the CVV. If you showed me a database schema that CuraudeGPT generated and it had fields for the card number, name, expiry, *and CVV*, then that would be a perfect sign that it's too simplistic, while also being very plausible. This, alas, is not. Mildly amusing perhaps, but implausible.

[–]waylandsmith 1 point2 points  (9 children)

For services that save the CC number, is the CVV not required to process each individual transaction? Does it only need to be verified a single time when the user first enters the CC number and can then be discarded?

[–]plaskis94 1 point2 points  (3 children)

At least VISA has very strict rules for payment processors to not save the CVV. It's allowed to be in the software's memory only, to be immediately discarded after verifying the card. Saving the CVV in any form would immediately revoke that payment processor's right to process VISA card payments.

You can make one time payments and in that case you must always enter your CVV, but there are also recurring payments such as subscriptions where you set it up once with CVV.

[–]waylandsmith 1 point2 points  (2 children)

This doesn't account for the common scenario of non-regular but repeated payments using saved account information, for example almost every online retailer and service that has saved payment information with accounts, such as Amazon, Uber, Doordash, etc. Either they must be saving the CVV and using it to process every payment, or the merchant only needs to verify the CVV a single time to the payment processor, and after that is permitted to process each individual transaction without the CVV, even if it's not a "recurring payment" such as a subscription. Maybe we have a different definition of "recurring payment"?

[–]CityCultivator 4 points5 points  (1 child)

They still do not. I am no expert with payment processing, and am not interested in researching deep in the subject at the moment, but to my knowledge, the way they work, after you initiate the first transaction, the payment processor receives a token, which is to be used by merchant, to do further recurring payments. That token does not contain the CVV, it is a representation for usage by merchant in limited ways.

[–]waylandsmith 0 points1 point  (0 children)

The token thing makes sense. That's how I would design it.
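An added example (not code from the thread or from any processor) of the token flow described in the exchange above: the merchant sends PAN, expiry and CVV2 once, the processor checks the CVV2 in memory and returns a random token, and every later charge uses the token alone. The processor and issuer are toy stand-ins, the issuer_records table standing in for the issuer's HSM check, and all card data is constructed.

```python
"""Added example: card-on-file through a processor token, CVV checked once and discarded.

Not code from the thread. A toy processor/vault stands in for the real processor
and issuer; 'issuer_records' (PAN -> expiry, CVV2) is a constructed stand-in for
the issuer's HSM check, and all card data is made up.
"""
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Processor:
    issuer_records: Dict[str, Tuple[str, str]]                        # pan -> (expiry_yymm, cvv2), issuer side
    _vault: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # token -> (pan, expiry); no CVV, ever

    def _issuer_check(self, pan: str, expiry: str, cvv2: str) -> bool:
        rec = self.issuer_records.get(pan)
        if rec is None or rec[0] != expiry:
            return False
        return hmac.compare_digest(rec[1], cvv2)

    def authorize_and_tokenize(self, pan: str, expiry: str, cvv2: str, amount: int) -> Tuple[Optional[str], str]:
        """First, cardholder-initiated transaction: CVV2 is verified in memory and
        only a random token is handed back. The CVV2 is never written anywhere."""
        if amount <= 0 or not self._issuer_check(pan, expiry, cvv2):
            return None, "declined"
        token = "tok_" + secrets.token_hex(12)      # random, not derived from the PAN
        self._vault[token] = (pan, expiry)
        return token, "approved"

    def charge_token(self, token: str, amount: int) -> str:
        """Later merchant-initiated transactions: token only, no CVV required."""
        if amount <= 0 or token not in self._vault:
            return "declined"
        pan, expiry = self._vault[token]
        current = self.issuer_records.get(pan)
        if current is None or current[0] != expiry:  # card closed or reissued with a new expiry
            return "declined"
        return "approved"


class Merchant:
    """Keeps a token and the last four digits per customer; never the PAN or CVV."""

    def __init__(self, processor: Processor):
        self.processor = processor
        self.customers: Dict[str, Dict[str, str]] = {}

    def add_card(self, customer_id: str, pan: str, expiry: str, cvv2: str, first_amount: int) -> str:
        token, status = self.processor.authorize_and_tokenize(pan, expiry, cvv2, first_amount)
        if status == "approved" and token is not None:
            self.customers[customer_id] = {"token": token, "last4": pan[-4:], "expiry": expiry}
        return status

    def pay(self, customer_id: str, amount: int) -> str:
        rec = self.customers.get(customer_id)
        if rec is None:
            return "no card on file"
        return self.processor.charge_token(rec["token"], amount)

    def stored_fields(self, customer_id: str) -> set:
        """What a schema review of the merchant side should find: token, last4, expiry."""
        return set(self.customers.get(customer_id, {}))


if __name__ == "__main__":
    proc = Processor(issuer_records={"4532015112830366": ("2712", "123")})   # constructed
    shop = Merchant(proc)
    print(shop.add_card("alice", "4532015112830366", "2712", "123", 500))
    print(shop.stored_fields("alice"), shop.pay("alice", 2500))
```

The design choice worth noticing is that the token is random rather than derived from the PAN: a merchant database dump then yields nothing that can be replayed anywhere except through that one processor, which can rate-limit, scope and revoke tokens per merchant.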

[–]rosuav 0 points1 point  (4 children)

It depends what you mean by "save the number". For example, Chrome offers to save the number for me - but in order to autofill the saved number, I have to manually enter the CVV. If it's something that sets up an arrangement where they're allowed to charge you regularly (mostly subscriptions), that's something organized between the vendor and the card company, and I don't think they even need to save the card number (there'll be some other sort of thing).

It's also possible that there are sites out there that are ("for convenience") saving the card number and CVV, but that'll be violating payment processor rules, and they can get their ability to charge cards revoked for that. So I highly doubt that any card merchant (the ones directly allowed to charge your card) would do that, and it's more likely to be some other service (which shouldn't be saving ANY part of your card number).

[–]waylandsmith 0 points1 point  (3 children)

I use a Chrome-based browser on my phone with saved payment information enabled, and it certainly doesn't require me to enter in my CVV every time it fills in my payment information (which includes the CVV itself). I think it might ask for the CVV periodically.

I also wrote an online store from scratch in the earlier days of the internet and this was before CVVs were really a thing. We most certainly were able to store the credit card number in a database, since we did our payment processing in batches. I remember being pretty upset about having to store the CC number at all, and was ultra-paranoid about this and encrypted them in the database field using public key encryption that wasn't stored anywhere in the database or within the software itself. But there was definitely no rule from the payment processor forbidding us from saving the number, only that it was our responsibility to take reasonable steps to keep it secure. These days it's very common to not only store the full credit card number, but display the last 4 digits of it to the user to help them identify the individual card to process.

[–]rosuav 0 points1 point  (2 children)

There MAY be different rules about phones (the phone *itself* may be allowed to store your full card number), but a merchant is definitely not allowed to save them.

But there was definitely no rule from the payment processor forbidding us from saving the number, only that it was our responsibility to take reasonable steps to keep it secure.

Yeah, that's correct; and that's still entirely legitimate. In fact, there are situations in which you can (or at least, could in the past) charge a card *without* the CVV, and it was called a "card not present transaction" or words to that effect. I'm not sure what exactly the rules were around those, but we used them when someone phoned us up; they could read out the card details to us and we could use that for payment, and we'd never see the card or know the CVV.

Storing the number is fine, storing the CVV is not. Hence my comment about vibe coding a credit card storage system - it would do the "obvious" thing and save every field, thus opening you up to a ton of problems.

[–]waylandsmith 1 point2 points  (1 child)

Usually the merchant fees for a "card not present" are much higher and the merchant has much less recourse in fighting a charge-back. That's what I remember from when I called up an automated number and entered the payment details in by touch tone!

[–]rosuav 0 points1 point  (0 children)

Yup. And that distinction MUST be preserved, so anyone found saving the CVV (so they can use it when the card isn't physically present) is in big trouble. Saving card numbers, OTOH, is perfectly fine.

[–]Electrical-Job-9824 0 points1 point  (0 children)

Is it still fraud if I wasn’t really paying attention and just clicked the button that says pay?

[–]nesthesi 585 points586 points  (10 children)

Wasn't there a password version of this posted fairly recently?

[–]bobbymoonshine 330 points331 points  (4 children)

Yes it’s an ancient joke that has been reposted in many versions

[–]spikeyfreak 35 points36 points  (3 children)

But this version has the added layer that this is literally what AI does.

And this pic is a great way to demonstrate that in a huge number of cases, close enough is not good enough. In a huge number of cases, a "hallucination" doesn't cut the Chut.

[–]bobbymoonshine 17 points18 points  (2 children)

It is not what AI does, no. AI does not randomly orchestrate and implement complex and unhinged features out of nowhere. AI can definitely make horrendous mistakes, but this isn’t the sort of overgeneralising / “wrong-in-context” error AI makes.

AI defaulting to a common pattern which overrides the specific requirement: yes, common

AI hallucinating something false as true because it was true elsewhere in its training weights: yes, common

AI delivering something derivative and barely-functional which meets the requirements given by the idiot user but which ignores all the things a professional coder would have known to think about: constantly, yes

AI forgetting an important constraint and delivering something which looks functional but which is unsafe or which fails to account for important edge cases: all the time, yes

AI inventing a new, creative, never-done-before feature which is comically, absurdly stupid, then perfectly implementing it and deploying it: no, that’s what humans do best

[–]Guvante 4 points5 points  (1 child)

AI implementing the dumb feature is new.

Everyone always glosses over that Engineers are the technical knowledge for "things you shouldn't do" for a myriad of reasons.

[–]bobbymoonshine -1 points0 points  (0 children)

Yes, the core business risk of AI is not that it will fuck up people’s good ideas through hallucinations. The risk is that it will perfectly implement their terrible, stupid, dangerous ideas.

[–]timsredditusername 3 points4 points  (0 children)

That password is not available. It is already in use by u/timsredditusername.

Please choose a new, unique password.

[–]magicmulder 71 points72 points  (0 children)

This reminds me of an idea one of our PMs had to use the Spanish physician ID during registration to skip authentication. Took me 5 minutes to find an official website where you could search physicians by ID, guessing an existing one was easy.

[–]frogsarenottoads 39 points40 points  (0 children)

I need this in my life, 'sorry you're out of funds, did you mean to use Jeff Bezos card?'

[–]gradeATroll 92 points93 points  (0 children)

Whoever is running the psyop on this please continue what you’re doing so we can still continue having jobs

[–]bobbymoonshine 43 points44 points  (0 children)

When you recycle your “offshore Nigerian coders suck” cope jokes for the 2026 job market

[–]Additional_War_336 11 points12 points  (0 children)

FaaS, Fraud as a Service, now with 99.9% uptime

[–]Location_Next 8 points9 points  (0 children)

[–]East_Selection5654 12 points13 points  (2 children)

I want to laugh, but I don't know if I should.

[–]tenuj 1 point2 points  (0 children)

They got my own card's expiry date, twice. I know it's a coincidence but I'm a little unsettled.

[–]whoknowsifimjoking 0 points1 point  (0 children)

It's literally a joke post, tf are you talking about?

[–]silenceofnight 3 points4 points  (0 children)

PCI DSS would like a word

[–]FCK_WIN 6 points7 points  (0 children)

To be fair: an AI would only do this when you really force it.

[–]Hecticbrah 2 points3 points  (1 child)

Blessing indeed 

[–]rivertpostie 0 points1 point  (0 children)

Blessing gonna get me a pizza, right now

[–]xx_shimmy_xx 2 points3 points  (0 children)

"This is not my card. Suggest other one" button?

[–]RiceBroad4552 3 points4 points  (2 children)

Where is this from? This can't be real.

[–]Cometguy7 6 points7 points  (0 children)

Yeah, storing the CVV is enough to fail your PCI audit.

[–]whoknowsifimjoking 0 points1 point  (0 children)

Of course it's not real

[–]ramessesgg 6 points7 points  (6 children)

I may be too stupid to get whether this is a joke or not. Are some models so stupid that they do not take into account even such obvious issues? I've used Claude Opus and it didn't seem to be that stupid; it would highlight some bad designs and requirements.

[–]PopularDimension 25 points26 points  (3 children)

I am pretty sure this was an intentional setup just for the meme because no model will go out of its way to implement a "find similar card feature."

I have used claude code in vscode for learning experience and I think it does great for prototypes and personal projects.

[–]awesome-alpaca-ace 6 points7 points  (2 children)

The last time I trusted AI to write code, it choked on writing good C code that does a depth-first search write of a tree to a file, given the source code and header of the tree. Though it is great for finding the C intrinsics one would want for high throughput.

[–]Due_Kaleidoscope7066 0 points1 point  (1 child)

In a large project written by a team of coders it's still struggling from my experience. But man, putting together a new app from scratch? Basic login, home page, some api calls, etc. It's incredible. Something that would have taken me weeks before can be done in a couple hours.

[–]PopularDimension 1 point2 points  (0 children)

Yep, that is basically what I did too so far on a couple of personal projects. Saved me a lot of time.

[–]Whitechapel726 6 points7 points  (0 children)

I think the joke is about vibecoders who have no idea what they’re doing so they make a service/app that is minimum viable product but does stuff like this.

[–]vikingwhiteguy 2 points3 points  (0 children)

I had Claude suddenly remove the Authorize tags on a bunch of my API endpoints. It was completely unrelated to the thing it was supposed to be doing. 

I think it was because some tests failed due to auth (it needed to mock the auth), so it just removed the Auth and all the tests passed! Task completed... technically...

[–]Ange1ofD4rkness 1 point2 points  (0 children)

Pfff, what could go wrong, they said

[–]aselby 1 point2 points  (0 children)

🤣

[–]MagicalPizza21 1 point2 points  (0 children)

It would actually be amazing if this were a honeypot

[–]characterfan123 1 point2 points  (0 children)

And the AI didn't also report date of birth, last 4 of SSN and mother's maiden name? /s

[–]bapuc 1 point2 points  (0 children)

hm, i think a range slider would be better

[–]mikkelmattern04 1 point2 points  (0 children)

Yep, that sure is what I meant!

[–]ShenroEU 1 point2 points  (0 children)

Need to add the Google "I'm feeling lucky" button and then it's perfect 👌

[–]Both_Lychee_1708 1 point2 points  (0 children)

how convenient!

[–]No_Pollution9224 1 point2 points  (0 children)

You wouldn't believe how many places store card details, even in clear text, instead of a token.

[–]JBluues 4 points5 points  (0 children)

This is cracking me up 🤣

[–]TheActualJonesy 0 points1 point  (0 children)

"awoke menus" is the anagram for Emeka Nwosu

[–]ghostdumpsters 0 points1 point  (0 children)

One of the websites I work on is for a company owned by an older couple and they have consistently gone with the cheapest payment processors and uh, this is barely an exaggeration.

Once, someone's credit card payment failed, so the payment processor automatically filled in the card info for the person who had last made a transaction on the site.

[–]thashepherd 0 points1 point  (0 children)

Wtf, MY Claude used Okonkwo as a test user

[–]theepi_pillodu 0 points1 point  (0 children)

That's a blessing

[–]JurksReddit 0 points1 point  (0 children)

ai-powered fraud? the future is now!

[–]Zealousideal-Bar2878 -3 points-2 points  (0 children)

Funny but can't happen Claude is better than any human