Is This The Best Hidden Handcuff Key? (Plus: An Update About TOOOL)

Bank cards follow a standard numbering pattern depending on the type of card.
If you know the last 4, and have a few other details (such as other cards on the account) you might be able to reconstruct the card number yourself.
For example, on a visa card, the first 6 digits will be common across cards issued by the same bank at a similar time. 7-15 is related to the account number and 16 is a checksum.
Doesn't get you all the way but if you know 1-6 and 13-16 there's only 6 digits left to find, and knowing the check bit massively decreases the number of possible card numbers.
It's all standardised in ISO/IEC 7812-1

For future reference, "destroy" means cut in half and file for 7 years.

The thing to do is likely to submit an LER to Wells Fargo requesting the card number ending in xxxx issued to $employee associated with account #yyyyyyyyyy in connection with a fraud investigation. You can use LER's to recover victim information, too.
They have it. It just isn't in the customer service systems.

Contact your previous merchants and check if anyone has your full card number on file. You would be surprised

Hey Deviant! This video is about 20db too quiet by TH-cam standards and here's what to keep in mind next time.
In technical terms videos on this platform should be at -14 LUFS, but this probably doesn't tell you anything so in practice it might be easier to upload a video as unlisted and right click on the video player and open "Stats for nerds".
There you'll find all kinds of info including "Volume / Normalized 100% / 100% (content loudness -20.5dB)" - the content loudness is what you're looking for. If it's a negative value, your video is too quiet by that amount and will not be made louder by TH-camr (this means you should boost it in editing by that amount), but if it is a positive number, your video is too loud and TH-cam will make it quieter.
This is something I myself learnt quite recently and has been a huge help when editing videos for TH-cam.

I just reached out to an old friend who retired as a WF VP working in fraud & security. He should be able to give me the straight skinny.

I can't imagine the audacity of a person who decides to defraud an organization made up of extremely well-connected hackers and security experts. Good luck continuing the investigation, Dev!

If you have the last 4 digits you should be able to reconstruct the number based on the card visa/mastercard and the bank account number. Should be very similar to the new card number.

Honestly those cufflinks are almost enough to make me wear shirts with that style of sleeve all on their own. I love hidden tools like that - I'm still looking for the perfect "invisible" emergency jewelry/hair clip/other accessory set.

So it seems Amazon is acting fairly responsibly - although it's a real pain in this case, making the system resistant to indiscriminate LE trawling is a good thing. I wonder, would getting a court order be the easiest way forward? They have the data, and they want to give it to you, they are just bound by policy which an order would overrule.

I'm imagining the giveaway winner: "Sweet! Now to go get myself arrested to see if they work!"

I'm in law enforcement and I can tell you that you are correct in thinking the have records of issued cards. Keep the pressure up and best wishes.

You have the financial records of everything purchased using that card, if you can't get it through Amazon or WF, reach out to one of the other, smaller vendors that you had made purchases from ("the sticker company", "the t-shirt company", etc), and see if you can get someone there to dig up the card number. The smaller the company, the more likely it's a one-person operation, and possible they used legacy systems instead of Paypal or something where they don't actually see the full card number. It's like social engineering, except you're being fully honest about what you're looking for and why you need it!
Another option is to poke around the computer of the employee who had the card, see if the CCN was stored somewhere, like in autocomplete forms or the like (old trick to find passwords that are saved but not viewable, chrome inspect element, change "password" field tag to anything else, to make it visible).
Best of luck!

The Dremel silicon carbide discs are pretty thin (and pricey). Don't know if they're thin enough.
I had a somewhat similar problem when i needed the number of an AMEX card that I had closed some years earlier. It took several tries working up the chain at AMEX before I got someone who could snail mail me the number. If I didn't still live at the address they had for the account, I would have been out of luck.

Sad to hear about the loss. I hope you can get the perp nailed and recover the funds. Very heartwarming to see the quick and generous community support for TOOOL, only wish I were able to have helped.

Regarding your card conundrum, I don't have a solution for the past, but I do have a solution for the future.
Whenever I have a card I know I might need at some point I take a picture of it, name it appropriately (WIth a date in the file name) and save it in a double-encrypted folder, backed up to at least 2 drives.
I also memorized a simple cypher that I can use to write down numbers and passwords for myself safely, if I don't have access to a computer.
Between these two techniques, there's very little information that I can't retrieve if needed.
Now that you know this could be an issue, plan to not have to deal with it ever again.

Remembering some tricks from way back in the day when carding was a thing... I know there are CC validators out there. The first 4 digits on the new card should be the same as the old one. And using that info with the last 4 might give you enough info to reverse crack the full 16 digits.

Billing will have that card number on the statement, it will be somewhere on the bottom or top of the page in an identifier string in a statement sent in the time the card was active.

I loved watching your cat freak out on the cat tree. Two times your cat's like, "nope, I'm outta here."

My standard ASP will open with any S&W/Peerless key. However, not all "universal" keys are universal. I am not talking about anti-shim cuffs; I bought a few pairs of no-name universal keys and they all worked except one pair. I keep them marked as an example that you need to test your keys before you use a particular cuff. Also, if you have a collection of old and new cuffs, you may see differences in both post thickness and hole size even in the same brand and style of cuffs.

I'm pretty sure you can trick the voyeur request by, instead of asking for a specific number, say all data that is *not* any of the following number, an then specify all cards you have access to. If this is only one card then that set of cards is limited to 1 or 2 cards which is perfectly reasonable imo

good whisky choice, one of my favourites!

I hope, that you get to the bottom of it, Brother!
Send all my best wishes, from the UK

Some of the card number digits are guessable. The first few digits are the card type and bank which is likely to be the same on the replacement card. And there are check digits that can be calculated, as well as your known 4 digits. That still leaves you probably 10^7 numbers, but it’s better than 10^16.

That is insane that they don’t have the old card numbers… I’ve also seen the presentation, I’ve enjoyed a lot of your older presentations over the years.

4tac5 makes and sells some lovely handcuff keys. So does TIHK, who make some lovely durable plastic ones with integrated clips.

The card number may have been tokenized or encrypted with format-preserving encryption. There are some PCI requirements involved.
By and large, the rank and file won't have access to that. There is likely a process involving one or multiple HSMs to decrypt the card number.

You can figure out the number, if you know the last 4, Wells Fargo’s first 5 are known and the last number is a check sum. There was a defcon guy talking about hacking the numbers.

You may be able to get the card number from WF with a court order from a judge. I know they have a record of card numbers because I lost access to my account email in the past and they were able to use my 16 digit card number as verification of account ownership.

The bank, ABSOLUTELY has the number.
There's a metaphorical thread linking every card ever issued on an account that has to exist for stuff like refunds being paid back to old cards to work (legal stuff re gambling on cards). The bank itself has to have a full list of every card that's ever been issued on your account, but so does whichever card network (Amex, Visa, Mastercard etc) is involved, too.
If, in the intervening months, you haven't been given the number already, just go into a branch. The staff who deal with customers absolutely have to have access to card numbers, because you've got to deal with card blocking and issuing.
Worst case, just raise a complaint. They're not regulated like they are in the UK, but the quickest way to solve it will just to be to give it to you.

Did I see that presentation? Ha.
Made a few with and for a ColaSec meetup a few years ago. Oh, those were some fun times!
On a different occasion, we decided to head back to a brewery of which I was a founder and a cuff double-lock failed while attached to a member and to a "silicone wrist analogue."
I'm sure the drilled cuff and fist-posed device are around somewhere.
Thanks for the help to dredge up that old memory.

Hey Deviant. I really appreciate the information and entertainment over the Years. Cheers!!!

If you have old statements, which you should be able to get going back years, those statements will often have, buried in barcodes or account number fields, the full 16 digit number is on there. Go through ALL your old statements from the time period and compare it to new statements and look for the differences. That should get you either the direct number or enough information to reconstruct it. If someone has online access to the account, you have a hope.

Card number: merchant copy receipts need to be kept for tax purposes and other things.
Hotels and service providers may keep them on record too.
Have a look for genuine transactions. Contact those companies and as for a copy of the merchant receipt and/or the card number on file.

Definitely remember that toool handcuff key video. I'll be keeping old payment info in my password manager I guess.

Gosh dang! DeviantOllum is THE MAN! My husband and i love all of his stuff, my husband actually has a total man crush on him (in a non homo way lol). I can only imagine how awesome it would be to hang out with this guy.

Super cool talk! One of my first after the elevator talks!

I was going to suggest if you had the first 6 as well last the last 4, reconstruct it using the Luhn algorithm, but looks like many others had the same idea

another trick if it's a credit card and not a bank card is get a credit report it may still show up on the report but it will be missing the last 4 which you have.

For the card problem, talk to your VENDORS -- they got the card number, every time you ordered with it. Even local stores where the card was used may have it in their records.

You may be able to get the details on your bank statement if any payment was made.

Need to retrain the staff to memorize all the card infos 😁
If it's anything like the UK, banks have their own branch code and account number for debit card accounts. So it makes sense for them not to know (or care about) the 16 digit number issued to a card - as that's handled on the card issuer side when a TX is raised. Credit card accounts have one number to ID them to the bank, the 16 digit card number - and banks definitely know these.
So it may be worth having your LEO go to the card issuer company to retrieve the card number associated with the account credentials supplied?

Try also sending a request via lawyer or law enforcement, maybe even both, to the card network (visa or Mastercard) I'm not sure it applies to debit cards that can run as credit, but for credit cards there is an account update system that can automatically send new card numbers and expiration dates to merchants with recurring billing when you get a new card, which I presume would include both old and new PAN (primary account number, aka credit card number) numbers, so they may have records linking the old and new number together that you could get.
I'd also push Amazon on trying to use a combination of last 4 + date + amount + the transaction id that I know I see in my statement description. That's incredibly specific information that's well beyond any persons ability to guess or obtain without access to the banking records, and should be suitably specific to identify the transaction and your connection to it.
As others have commented it's not 12 digits you are missing as well, only 6 given the IIN/BIN that's the first 6 digits (it can be 8, but in the US I've only seen 6 digits) and with the check digit only some combinations of those 6 are valid.

Look through the entire email history of the mailbox of the person who used the card. Call all merchants, if they refuse, set up a meeting with them. If all fails, get a lawyer and take on it formally with Amazon.

Find out who is on the banking committee in the House of Representatives and contact the chair’s office. It used to be Barbara Lee. She helped a friend with a similar issue with the same bank. … it went through 15 layers of management before the assistant manager who was messing with my friend was torn a new asshole by the President of the bank. He was exceptionally helpful after that.

I've used the TOOOL design in a couple of counter custody classes. Works very well, only addition I made was back cutting the cylinder and added a leveraging arm for ease of insertion/use.

Good choice in scotch!

3:40 - Heh, the *key* thing. I get it.

Lagavulin. You’re making me thirsty, and I can’t drink at work.

this cuff keys cuffs are very interesting

I know that some physical receipts record the second last 4 digits, instead of the last 4 digits. I think I've seen the first and last four digits once. But this would depend on how many physical receipts the employee still has.

I wasn't at the DefCon, but I did see the talk since then on TH-cam, probably around 2017/2018.

Brilliant... as usual :) Hi from Belgium. :)

If well Fargo can confirm the number if you knew the exact number than yes they have it on file. If you look at the compliance for credit cards you know most of the numbers are fixed so I think wells Fargo if they could confirm even if u had a partial they should be able to grab it out of records if they do keep records and can confirm after you confirm then that confirms they have records.

Reach out to whatever vendors the card was used with. If Wells Fargo doesn't have it, some other vendor might.

So you mean they can keep the cards active for pending and cyclical transactions, but can't get the card number? How does that work?

Having seen how the FBI screws with FOIA requests, these side quests are not surprising at all.

You're attorney or the local prosecutor sending a subpoena might shake your digits loose.

10:14 - Annnnnddd... kitteh.

you need 8 digits only
first 4 digits are assigned to either bank or bank service behind card
it is unusual to have those middle 8 digits ever changed on any subsequent cards for any reason, even in case of fraud
so you should actually have all 16 digits, as first 4 are tight to type of debit card or account type
last 4 you know anyway
and middle never changes, as those probably are derived from bank account number

I've seen a zipper pull on a jacket that had a hidden handcuff key inside

Can't you (/the investigator) ask Amazon the very specific info that is the card code?
(Or the info Amazon has to check it, hash or whatever, from which you may be able to recover the original datum)

Ever downloaded the transactions in Quicken format? Some banks use part of or all of the account number for the account id field (ACCTID) in the plain text QFX file.

My best guess is that the folks at Wells Fargo can't be bothered to check their tapes - since the card was fairly recently disabled, the info will be somewhere in the tape backups. Going through those is a bit of a process though, especially if you don't know exactly where to look (for that you'd probably need the account number, which is part of the card number - catch 22).

Have you checked for impressions in a wallet if any, or documents in the drawer with this card? Also, at work we use a billing software that hides all but the last four for customers on file, however a std priv user can do a database search for cards like '40%', '41%' and see if the customer in question comes up, then '460%', '461%' and so on until the entire card number has been recovered. At most 110 tries. (responsible disclosure was made to the vendor who did nothing). If you have the card programmed in to any auto pay system that could be vulnerable to similar... That is to say look closer to home and in places not directly involved that could still have the data. There just might be a tree in that forest.

Is there a limit to the number of requests you can make in a time frame? Can you start brute forcing it (lol) and frustrate them so hard they give in?

Not being able to get the card number sounds like one of those bureaucratic problems that should be easily fixed, but has become a huge problem for no good reason.

Yeah, see, the problem isn’t that Wells Fargo can’t, or doesn’t release that information, it’s that the average employee in large companies like that are not very good at their jobs, as well as not wanting to do the work to find such a thing. You run into it all the time in all sorts of other businesses. The average employee is not well trained, not well paid and just doesn’t want to do any work. That’s probably more the problem than any policy, that or they may truly not know because of lack of training.

That's an illegal use of a Hendrick's Gin Fascinator

Give them to Miles from Cambridge UK. ;)

Check all computers' autofill data that were used to access the account and/or used to pay for something from anywhere. It may have the data saved. Copy paste it. Use a phone to access same account if there are stars censoring numbers. Open up a password field for an app and check the show password box. Copy and paste stars into password field. You might get lucky and someone may have written some dodgey as fuck code for that encrypted folder app disguised as a compass or whatever.

Can't they just get an old card statement with the account number on it. Possibly from the online Wells Fargo login.

It seems crazy to me with Toools contention, the police's investigation, the undeniable fact that between Wells Fargo and Amazon they can just answer the question to a law enforcement officer about money that exited your account that they just can't do it. A court order should do it I would have thought, but that might be expensive.

If this card was used to buy anything resulting in a printed bon, look at the bottom. In germany at least you get to read the cardnumber and how long it's still good for use on every supermarked or gasstation recipe.

I've been confused ever since you pulished the Ultimate Cuffkey vid, because that slit looks way wider than 0.3mm. I do have some metal cutting wheels and have tried a few times, but even the thinnest one can't cut a groove narrower than 0.8mm. And I dought that cuff manufacturers makes warding that thin (it has to be thinner than 0.3, considering the clearance), since it'll become rather brittle.

First four are the bank + card type (maybe even first 5 or 6) and the last 4 you know... if you know the algorithm and how to parallelize the calculations, brute forcing an 8 digit number is less than 24 hours on any workstation not an embarrassment to the word workstation. I'd love to give it a run... send me an email.

You could try asking for the number from a vendor with whom the card was used.

Do receipts not contain the credit card numbers sans the last four digits? If you have any receipts for anything purchased on the card, you should have the entire card number.

you may be better going to the payment processor (i.e visa/mastercard/ae) and asking for the card number as they are the ones linking the card number to the specific bank account

Kitteh.

Hope everything works out! It's absolute bullshittery to claim they don't have records of your cards.

Surely the bank can produce it. Maybe not to you but the police investigating probably could aquire it

The employee does not have an outgoing email to a hotel or vender with a Credit Card authorization form filled out?

Wait. The last four just identify the account. The first groups of numbers Just identify the bank right? Might they be the same 12 as the other cards?

16 digit card numbers are sometimes on the bank statements

What's the tldr on the bank card thing? Stolen card number bought stuff on Amazon? Or if there is a previous vid explaining?

Perhaps possibly maybe? Do you have or can you request a printed snail mail style statement from when the card was active. My major bank card NOT Wells Fargo has the typical account ending in #### on each page. However below the address on the first page of the printed statement they have a 33 digit number; not visible through the envelope window. The first 16 digits of that number is the complete card number. Another major bank card has the 16 digit number just as on the card printed on the fist page of the statement.

wow fantastic hope you find out what you need bro

I just went through this with another major bank. I called to check the credit limit on a card I hadn't used in two years. The bank claimed they had no record of the card number, that it had never been issued or cancelled.

I'm curious, if you need identifiers to request the amazon information, could you request information on a specific purchase that happened with that card and get the card number back with that?Then you have it to feed back to them for the rest of the information. This obviously won't work if the only unique identifier they'll accept is the original card number that was used and is currently unknown.

Ackahol and reloading tools on the same bench? Isn’t that a little risky?

Shouldn't you be able to pull up a previous bill that it was on?

Can't you request past proof of payment with the number on? Financial records need to be kept for 10 years. Do you have payment receipts etc?

There must still be a way to track the dead number. On my CashApp card info was compromised, and even after my card was replaced, denials of unauthorized transactions using that information would show up in my statement.

Do you know if she has an online account that she would use the card for bc you could go on there and get the card number from there like PayPal Google wallet iPhone has something like that too

RIP to the speakers when the cuffs are closed lol

The last 4 will add up to the other 12 it's self checking

Unbelievable situation 😱🥴🤨 All the best with the outcome 🤬 and Iv got 1 of the keys 🔑 mentioned

Wow!

Foss is life