Adam Caudill

Security Leader, Researcher, Developer, Writer, & Photographer

IIN (BIN) Database

An Issuer Identification Number (IIN, more commonly called a BIN) is the first 6 digits of a credit or debit card, and it identifies the bank that issued it. If you want to know whether a number is a real credit card or just a bunch of random digits, it’s a huge help. Credit card numbers do use the Luhn algorithm (mod 10 check) to show whether a number is valid, but on its own that check still produces a huge false-positive rate.

For an application like ccsrch, having this data available would be very handy to reduce false positives when scanning a large file system (scanning a large server produces a huge number of possible hits), but for what I would call fairly misguided reasons, the official registrar of these numbers (the ABA) doesn’t make this data publicly available. As a result many people have pulled together what data they could find and made it freely available.

So I’ll add my name to that list.

I’ve pulled data from many public sources (sorry, I didn’t keep very good notes as to the sources) and cleaned it up to a reasonable point. All told, I’ve probably spent 40 hours or more cleaning this data up and getting it to a usable state. It contains over 60,000 entries, including major credit cards (Visa, MasterCard, Amex, Discover) as well as a few merchant entries.

Each record contains the following:

  • IIN
  • Type (Mastercard, Visa, Visa Credit, etc.)
  • Name (Issuer name)
  • Length
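
As an added example (not code from the original post or from ccsrch), the Python below shows how a scanner could combine the Luhn check with this record layout to discard hits that pass Luhn but match no known issuer. The sample rows and issuer names are constructed, and the column order (IIN, Type, Name, Length) with no header row is an assumption about the CSV.

```python
import csv
import io
from collections import defaultdict

# Constructed sample rows in the record layout listed above (IIN, Type, Name, Length).
# Issuer names are placeholders; the repeated IIN mirrors the duplicates the data set keeps.
SAMPLE_CSV = """\
411111,Visa Credit,Example Bank A,16
411111,Visa Credit,Example Bank B,16
378282,Amex,Example Issuer C,15
"""

def load_iins(text):
    """Map each 6-digit IIN to every record that claims it (duplicates are kept)."""
    table = defaultdict(list)
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue  # skip blank or malformed rows
        iin, card_type, name, length = row
        table[iin].append({"type": card_type, "name": name, "length": int(length)})
    return table

def luhn_ok(number):
    """Mod 10 check: double every second digit from the right, then sum the digits."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def classify(candidate, table):
    """Return matching issuer records, or [] if the hit is probably a false positive."""
    digits = "".join(c for c in candidate if c.isdigit())
    if not luhn_ok(digits):
        return []
    # A known IIN alone is not enough: the record's Length must match as well.
    return [r for r in table.get(digits[:6], []) if r["length"] == len(digits)]

def triage(hits, table):
    """Split scanner hits into likely card numbers and Luhn-only noise."""
    likely = [h for h in hits if classify(h, table)]
    return likely, [h for h in hits if h not in likely]
```
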

Data Quality

It’s not perfect. It’s from public sources so there may be errors, and there are some duplicates from cases where I wasn’t able to determine who the IIN actually belongs to. I’ve also updated for name changes and mergers where possible, but I’m sure I’ve missed a few and there are some where the assets were split, so I don’t know who the correct owner actually is (Washington Mutual being the leading example of this).

In general, I leaned to the side of caution – so if I didn’t know for sure, I left the duplicate in.

If you need absolutely correct data – contact the ABA, they are the only source that can give you the completely accurate listing. If you need to have a decent idea if a number is valid for most cases – I would say that this data is good enough.

Warranty

Just to make it really, really, really clear: There is no guarantee that this data is accurate, that it won’t cause you to lose your job, cause your house to burn down, or cause Rebecca Black’s Friday to get stuck in your head (yup, you’re welcome ;)).

Based on my understanding of US copyright law, it is my understanding that this data is not subject to copyright as it is a compilation of facts and doesn’t constitute an original expression. Thus, to the best of my knowledge, this data is in the public domain.

Download

Here (zipped CSV)
