I doubt there is such a thing as "numbers which cannot be hacked", unless you go the cryptographic route.

You start with a UUID and a checksumm over it and then code both with a secure cryptographic method of which only you know the key.

It would be next to impossible to change a few numbers and end up with a valid UUID and checksum.

If you combine that with a maximum number of tries before your log-in is locked-out and you have a pretty secure way of providing such "cards".