" when your little app accidentally comes up with someone's REAL number, you'll be reimbursing them will you? "
Like what Andrew Bell said, the chance is exceedingly small. And if credit card companies were to get into the act by providing known false numbers for our fictional firefox extension, so much the better.
Hmm. Suppose these fakes were tripwires. Whenever a credit card company got these numbers, not only would it be denied, the response would be akin to the 'take card'-- "This guy's not a bad entry, it's one likely from a phishing site. Keep an eye on him."
Yes, some idjit will start using these for real, but here's where it gets better. Say John Joker starts using them on Amazon. Amazon gets the flags back from the credit card company, and shuts John Joker's account down. But the Jokers are a tiny minority of the credit cards processed.
Now Phisher.com starts getting credit cards. With a firefox extension like that, most of the cards will be tripwires. MasterCard at first will warn Phisher.com that the cards are invalid, so Phisher marks those off and knows which ones are legit. But after the first thousand or two where the majority of cards have been tripwires, MasterCard shuts down Phisher.com's account appropriately.
Issues remaining: The phishing checks would be by zombies, so IP tracing won't help. Phisher.com would most likely not check in the first place, or would go through a third party. And if they do check, they'd pepper the checks with enough known goods to possibly not trip Mastercard. Hmm.