OBFUSCATE
Automatically replaces sensitive data with random values in interchange files.
Syntax
$ cardak help obfuscate
usage: cardak obfuscate [<flags>] <files>...
Obfuscate files by replacing PAN values with random values, keeping the original BIN
Flags:
--help Show context-sensitive help (also try --help-long and --help-man).
-v, --verbose Add more information displayed on some commands.
--mono Supress color on output.
--ignore Try to ignore some errors and continue processing the file
-W, --width Ignore small terminal width check and force execution
-z, --silent Suppress all output (banner, headers, summary) except the results. Specially useful for DESCRIBE command piped to a search
utility like fzf
-6, --bin6 Force BIN length to 6
-8, --bin8 Force BIN length to 8
-b, --binlength=BINLENGTH Keep these number of leading characters as the BIN. Value must be greater than 1
-R, --records=RECORDS List of record numbers to be Searched. Values are separated by comma (,) and ranges are indicated by the starting and ending
record separated by a hyphen (-)
-l, --last Use the record numbers returned on the last GREP command
Args:
<files> File names to search and replace
Description
This command (alias pci) can be used to protect sensitive data in interchange files by modifying the value where the PAN (Primary Account Number) is stored. The value is replaced with random values while preserving the original BIN (Bank Identification Number).
Objective
This command is essential for these reasons:
- Data privacy: Replaces real credit card numbers with random values for use in testing or development environments
- Compliance: Complies with PCI-DSS requirements to handle sensitive information
- Security: Creates copies of production files that can be used securely for testing or analysis
- Demo files: Can create secure files for demonstrations
Usage
Basic functions
- Reads the contents of IPM (MasterCard Interchange Messages) files
- Identifies PAN values in field DE002 (Primary Account Number)
- Keeps the original BIN (the first characters of the PAN, used to identify the Issuer)
- Replaces the next digits with random values
- Keeps the checksum values in the trailer
- Generates a new file with suffix _OBFUSCATED.ipm
Logic to preserve the BIN
The BIN (Bank Identification Number) is preserved to keep:
- Card network identification (Visa, MasterCard, etc.)
- Information about the Issuer
- Characteristics of the card
- Routing and processing rules
Automatic detection of the BIN length:
- 16-digit PANs: The first 6 digits of the PAN are preserved
- 19-digit PANs: The first 8 digits of the PAN are preserved
This command is designed to operate only on field DE002 (PAN).
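The BIN-preserving replacement described above, sketched in Python as an added example; it is not cardak's own code. The function names, the upper bound on a forced BIN length, and the rejection of PAN lengths other than 16 and 19 without an explicit BIN length are assumptions. It does not recompute a Luhn check digit, since this page does not say whether the tool does.

```python
import secrets

# BIN lengths this page gives for automatic detection, keyed by PAN length.
AUTO_BIN_LENGTH = {16: 6, 19: 8}


def bin_length_for(pan, forced=None):
    """Return how many leading digits to keep as the BIN."""
    if forced is not None:
        # The page requires a value greater than 1; the upper bound
        # (shorter than the PAN) is an assumption of this example.
        if forced <= 1 or forced >= len(pan):
            raise ValueError("BIN length must be > 1 and shorter than the PAN")
        return forced
    if len(pan) not in AUTO_BIN_LENGTH:
        # Assumption: other PAN lengths need an explicit BIN length here.
        raise ValueError(f"no automatic BIN length for a {len(pan)}-digit PAN")
    return AUTO_BIN_LENGTH[len(pan)]


def obfuscate_pan(pan, forced_bin_length=None):
    """Keep the BIN and replace every remaining digit with a random one."""
    if not (pan.isascii() and pan.isdigit()):
        raise ValueError("PAN must contain only digits")
    keep = bin_length_for(pan, forced_bin_length)
    tail_len = len(pan) - keep
    while True:
        # secrets draws from the OS CSPRNG, so the new tail is not predictable.
        tail = "".join(secrets.choice("0123456789") for _ in range(tail_len))
        # Re-draw in the unlikely case the random tail equals the real one.
        if tail != pan[keep:]:
            return pan[:keep] + tail


if __name__ == "__main__":
    # Constructed sample values, not real card numbers.
    for sample in ("5555550000000001", "5555555500000000001"):
        print(sample, "->", obfuscate_pan(sample))
```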
Contents of the generated file
The obfuscated file contains:
- ✅ The same structure and format as the original
- ✅ The same number of records
- ✅ The same fields as the original (only DE002 changes)
- ✅ Keeps the correct values of the checksums in the file trailer
- ✅ BIN values are preserved
- ✅ Remaining PAN characters are replaced with random values
Output file not created
If no changes are performed (no PAN values are present), the output file is automatically deleted to avoid leaving duplicate files.
Examples
For this example we will take a file that contains a few records to simplify the output on screen. For that same reason we will only see the contents of a few fields.

As you can see, the PAN values used here are not real ones, but for demonstration purposes we can use them to see how the tool changes their values.
Now we will obfuscate the values of field DE002, which contains the PAN.

We see that 4 records have been replaced (this is correct because neither the header nor the trailer contains that field). So let's check how these values have been changed.

Take into account that commands are not destructive: this command does not change the original file, and instead generates a new copy, appending "_OBFUSCATED.ipm" to the original file name.