Predictable serial number attack
Predictable serial number attack: An attack in which someone works out how a system generates its serial numbers and uses that knowledge to obtain service illegitimately or to deny it to legitimate users.
Example: A phone-card system activates service by entering the card’s serial number. Alice buys a card with serial 0003. Mallory buys two cards with serials 0001 and 0002. After using 0001 and 0002, Mallory guesses the numbers follow a simple pattern and tries 0003. If accepted, she gets more service, while Alice’s card is drained and useless.
Prevention: Derive serial numbers with a cryptographic hash instead of issuing them in sequence. The issuer keeps a secret salt and a counter, combines the two, and hashes the result (for example with SHA-2) to produce the serial number; because the salt is secret, knowing one serial number gives no way to compute the next. The issuer must also check that it never issues the same number twice (a collision).
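The two schemes side by side, as an added example that is not part of the original page: a sequential issuer that is open to the phone-card attack described above, and a hashed issuer following the prevention advice. The hashed issuer uses HMAC-SHA256 (a keyed construction over SHA-2) to combine the secret salt with the counter, truncates the digest to a fixed-length serial, and skips any counter value whose serial collides with one already issued. Class names, the 16-hex-digit serial length and the test secret are assumptions of this example.

```python
import hmac
import hashlib


class SequentialIssuer:
    """The vulnerable scheme: the serial number is the counter itself (0001, 0002, ...)."""

    def __init__(self):
        self._counter = 0
        self._unredeemed = set()   # serials that still carry value

    def issue(self) -> str:
        self._counter += 1
        serial = f"{self._counter:04d}"
        self._unredeemed.add(serial)
        return serial

    def activate(self, serial: str) -> bool:
        # Activation only checks that the serial exists and has not been used.
        if serial in self._unredeemed:
            self._unredeemed.remove(serial)
            return True
        return False


class HashedIssuer:
    """The hardened scheme: serial = truncated HMAC-SHA256(secret_salt, counter).

    Each serial is unpredictable without the secret, so seeing 0001 and 0002
    (or their hashed equivalents) reveals nothing about the next card.
    """

    def __init__(self, secret_salt: bytes, serial_len: int = 16):
        self._secret = secret_salt      # assumed to be long, random and kept server-side
        self._counter = 0
        self._serial_len = serial_len   # hex digits kept from the digest (assumed: 16)
        self._issued = set()            # every serial ever issued, for the collision check
        self._unredeemed = set()

    def _derive(self, counter: int) -> str:
        # Keyed hash over the counter; the secret enters as the HMAC key.
        digest = hmac.new(self._secret, counter.to_bytes(8, "big"), hashlib.sha256)
        return digest.hexdigest()[: self._serial_len]

    def issue(self) -> str:
        while True:
            self._counter += 1
            serial = self._derive(self._counter)
            if serial not in self._issued:
                self._issued.add(serial)
                self._unredeemed.add(serial)
                return serial
            # Truncated digest collided with an earlier serial: skip this counter value.

    def activate(self, serial: str) -> bool:
        if serial in self._unredeemed:
            self._unredeemed.remove(serial)
            return True
        return False


def run_scenario(issuer) -> dict:
    """Replay the page's scenario against an issuer and report what each party got."""
    mallory_1 = issuer.issue()   # Mallory's first card
    mallory_2 = issuer.issue()   # Mallory's second card
    alice = issuer.issue()       # Alice's card, issued next
    issuer.activate(mallory_1)
    issuer.activate(mallory_2)
    # Mallory guesses that serials are sequential and tries "0003".
    mallory_guess_worked = issuer.activate("0003")
    # Alice now tries to activate her own card.
    alice_card_worked = issuer.activate(alice)
    return {
        "serials": (mallory_1, mallory_2, alice),
        "mallory_guess_worked": mallory_guess_worked,
        "alice_card_worked": alice_card_worked,
    }


if __name__ == "__main__":
    print(run_scenario(SequentialIssuer()))
    print(run_scenario(HashedIssuer(b"constructed-test-secret-salt")))
```

With the sequential issuer the guess "0003" drains Alice's card and her own activation then fails; with the hashed issuer the guess is rejected and Alice's card activates normally. A real deployment would still need to store the issued set persistently and size the truncated serial so that the collision retry loop is rarely taken.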
This page was last edited on 3 February 2026, at 20:04 (CET).