Hacking BlackHat WhiteHat - Hacking for Profit: Credit Card Fraud A Beginners Guide - Leak Information from SA E.J. Hilbert II, Federal Bureau of Investigation, Los Angeles Field Office, Santa Ana Resident Agency.
DEFINITIONS, CONCEPTS AND STATISTICS
Hacker knowledge
Below is the “Beginning Carders Dictionary” as posted online by the Russian hacker KLYKVA on forum.carderplanet.com. It is presented in its original form to illustrate the level of knowledge from which these individuals are working.
A Credit Card (VISA) Transaction
There are two parts to every transaction. First, a customer presents a Visa product, usually a card, to a merchant, who needs immediate authorization of the transaction. Second, at the end of the day, the merchant needs to receive the funds for the transaction via its financial institution and ultimately from the customer’s issuer. The specifics vary with transaction type, complexity, technology and processing services, but the typical flow is illustrated here.
How a Purchase is Made
Authorization at the Point of Sale
How the Merchant Gets Paid
Clearing and Settlement
At the end of the day, ABC Stores delivers all its sales draft information (including Maria’s purchase) to DEF Merchant Services. Each draft will contain the credit card number and the merchant account number. DEF credits the merchant account of ABC Stores for the net amount of all its sales. This is how ABC Stores obtains its funds from Maria’s purchase.
Next, DEF’s processing center creates an electronic version of all drafts for all the merchants it supports, including ABC Stores. The electronic drafts, which may include transactions from numerous Visa account holders in various countries, are sent through VisaNet to one of Visa’s data centers.
Visa routes these drafts to the financial institutions of the Visa account holders, for instance, Maria’s transaction is sent to her issuing bank, GHI Bank. Visa consolidates all transactions for each issuer into an electronic file that includes currency conversions, fees, net settlement amounts, and required reporting information.
GHI’s processing center receives the file and prepares the transactions for posting to its cardholders’ accounts including Maria’s.
GHI Bank transfers all the funds owed that day by its cardholders, including Maria, to a settlement bank, which is responsible for delivering the funds to the merchant acquirers such as DEF Merchant Services. This is how DEF is repaid the amount it earlier credited to ABC Stores.
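The clearing and settlement steps above are easier to reason about as a small netting model. The following is an added example, not part of the paper or of Visa's own systems: it takes one constructed day of sales drafts, credits each merchant net of an assumed discount rate, routes the drafts to issuers by the leading digits of the card number (a constructed BIN table; the bank names other than ABC Stores, DEF Merchant Services and GHI Bank are invented), and checks that what the issuers pay the settlement bank equals what the acquirers receive. Currency conversion and network fees, which the paper mentions, are left out.

```python
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

# Constructed sample: one day's sales drafts as each merchant hands them to its
# acquirer (card number, merchant account, amount). The PANs are public test
# numbers, not real accounts; MNO Bank, PQR Bank, XYZ Cafe, QRS Books and
# JKL Acquiring are invented names.
DRAFTS = [
    {"merchant": "ABC Stores", "acquirer": "DEF Merchant Services",
     "pan": "4111111111111111", "amount": "125.00"},   # Maria's purchase
    {"merchant": "ABC Stores", "acquirer": "DEF Merchant Services",
     "pan": "4012888888881881", "amount": "40.50"},
    {"merchant": "XYZ Cafe", "acquirer": "DEF Merchant Services",
     "pan": "4222222222222", "amount": "9.75"},
    {"merchant": "QRS Books", "acquirer": "JKL Acquiring",
     "pan": "4111111111111111", "amount": "60.00"},
]

# Constructed BIN (issuer identification number) table: the network routes a
# draft to its issuer by the first six digits of the card number.
BIN_TABLE = {"411111": "GHI Bank", "401288": "MNO Bank", "422222": "PQR Bank"}

# Hypothetical merchant discount rate; the paper gives no figure.
DISCOUNT_RATE = Decimal("0.02")
CENTS = Decimal("0.01")


def money(x):
    return Decimal(x).quantize(CENTS, rounding=ROUND_HALF_UP)


def issuer_for(pan, bin_table=BIN_TABLE):
    # A KeyError for an unroutable BIN is deliberate: the draft cannot clear.
    return bin_table[pan[:6]]


def net_merchant_credits(drafts, discount_rate=DISCOUNT_RATE):
    """Acquirer side: gross sales per merchant, credited net of the discount.
    The acquirer pays the merchant before it is itself paid by the issuers."""
    gross = defaultdict(Decimal)
    for d in drafts:
        gross[(d["acquirer"], d["merchant"])] += Decimal(d["amount"])
    return {k: money(v * (1 - discount_rate)) for k, v in gross.items()}


def route_to_issuers(drafts, bin_table=BIN_TABLE):
    """Network side: the acquirers' electronic drafts split by issuing bank."""
    routed = defaultdict(list)
    for d in drafts:
        routed[issuer_for(d["pan"], bin_table)].append(d)
    return dict(routed)


def issuer_settlement(routed):
    """What each issuer owes the settlement bank for its cardholders' drafts."""
    return {iss: money(sum(Decimal(d["amount"]) for d in ds))
            for iss, ds in routed.items()}


def acquirer_settlement(drafts):
    """What the settlement bank forwards to each acquirer (face value)."""
    due = defaultdict(Decimal)
    for d in drafts:
        due[d["acquirer"]] += Decimal(d["amount"])
    return {k: money(v) for k, v in due.items()}


def settlement_balances(drafts, bin_table=BIN_TABLE):
    """Invariant: funds collected from issuers equal funds paid to acquirers,
    and both equal the face value of all drafts."""
    total = money(sum(Decimal(d["amount"]) for d in drafts))
    from_issuers = sum(issuer_settlement(route_to_issuers(drafts, bin_table)).values())
    to_acquirers = sum(acquirer_settlement(drafts).values())
    return from_issuers == to_acquirers == total


if __name__ == "__main__":
    print("merchant credits:", net_merchant_credits(DRAFTS))
    print("issuer settlement:", issuer_settlement(route_to_issuers(DRAFTS)))
    print("acquirer settlement:", acquirer_settlement(DRAFTS))
    print("balanced:", settlement_balances(DRAFTS))
```

The point of the model is the time gap it makes visible: the acquirer has already credited the merchant when the issuer's funds arrive a day later, which is why a draft on a stolen card becomes the acquirer's and then the issuer's loss once the cardholder disputes it.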
Statistics
Visa annual worldwide sales volume exceeds US$2.4 trillion. There are 1.2 billion Visa, Visa Electron, Visa Cash, Interlink and PLUS cards worldwide, but only 49,413 legally issued cards in Central Europe, the Middle East and Africa.
Visa is accepted in more than 150 countries.
As of March 31, 2003, MasterCard’s gross dollar volume for credit and debit programs was US$285.7 billion, an increase of 7.31% over the same period in 2002.
MasterCard has 32 million acceptance locations; no payment card is more widely accepted globally.
Cardholders can obtain cash with the card at bank branches and at all ATMs in the global MasterCard/Maestro/Cirrus ATM Network, among the largest ATM networks in the world with more than 892,000 ATM locations worldwide on all seven continents.
Most Eastern European law enforcement officers do not own, use or understand a credit card. This matters when requesting information from those parts of the world: all requests must be highly detailed and precise.
What to Steal
The truly skilled hackers have developed their own tools and place backdoors on compromised systems, such as installing Telnet and secure shell daemons on high port numbers, or creating their own user IDs and passwords after installing a sniffer to steal the root-level passwords. These are the first things system administrators should look for. All root-level passwords should also be changed, with the new passwords communicated in face-to-face meetings with every root-level user: if a sniffer has been installed on the system, a password change sent by email will be intercepted.
Sometimes the hack is automated through the use of a “bot”, which the administrators of the victimized network cannot stop because a human is not fast enough to fight it. The only way to stop the bot is to take the network offline.
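The three indicators the paragraph tells administrators to look for (a remote-shell daemon on an unexpected port, an extra root-equivalent account, and a sniffer) can be checked mechanically. The script below is an added example, not a tool from the paper: it parses constructed sample output of `ss -ltnp`, `/etc/passwd` and `ip link` on a Linux host and reports each indicator. The process names and ports in the sample are invented; on a live host you would feed it the real command output.

```python
import re

# Constructed sample command output (not captures from the paper).
# `ss -ltnp` lists listening TCP sockets with the owning process.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    0.0.0.0:50022      0.0.0.0:*         users:(("sshd",pid=4021,fd=4))
LISTEN 0      5      0.0.0.0:40023      0.0.0.0:*         users:(("in.telnetd",pid=4077,fd=0))
LISTEN 0      511    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1201,fd=21))
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash
sysupd:x:0:0::/var/tmp/.x:/bin/sh
"""
SAMPLE_IP_LINK = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
"""

# Remote-shell daemons and the port each is expected on. A second copy of one
# of these on a high port is the backdoor pattern the paper describes.
EXPECTED_PORTS = {"sshd": {22}, "telnetd": {23}, "in.telnetd": {23}}

SS_RE = re.compile(
    r'^LISTEN\s+\S+\s+\S+\s+\S+:(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)')
IP_LINK_RE = re.compile(r'^\d+:\s+(?P<iface>[^:]+):\s+<(?P<flags>[^>]*)>')


def suspicious_listeners(ss_output, expected=EXPECTED_PORTS):
    """(process, port, pid) for every remote-shell daemon listening on a port
    other than its expected one, e.g. a second sshd bound to 50022."""
    hits = []
    for line in ss_output.splitlines():
        m = SS_RE.match(line)
        if not m:
            continue
        proc, port, pid = m["proc"], int(m["port"]), int(m["pid"])
        if proc in expected and port not in expected[proc]:
            hits.append((proc, port, pid))
    return hits


def extra_root_accounts(passwd_text):
    """Names of accounts with UID 0 other than root: a second root-equivalent
    login is the 'own user ID and password' backdoor."""
    names = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0" and parts[0] != "root":
            names.append(parts[0])
    return names


def promiscuous_interfaces(ip_link_output):
    """Interfaces whose flags include PROMISC. A sniffer that captures every
    frame on the segment puts the NIC into promiscuous mode; the kernel also
    logs 'entered promiscuous mode' in dmesg when that happens."""
    found = []
    for line in ip_link_output.splitlines():
        m = IP_LINK_RE.match(line)
        if m and "PROMISC" in m["flags"].split(","):
            found.append(m["iface"])
    return found


def triage(ss_output, passwd_text, ip_link_output):
    """Collect all three indicators into one report."""
    return {
        "rogue_shell_daemons": suspicious_listeners(ss_output),
        "extra_uid0_accounts": extra_root_accounts(passwd_text),
        "promisc_interfaces": promiscuous_interfaces(ip_link_output),
    }


if __name__ == "__main__":
    # On a live host, replace the samples with the output of
    # `ss -ltnp`, `cat /etc/passwd` and `ip link`.
    for key, value in triage(SAMPLE_SS, SAMPLE_PASSWD, SAMPLE_IP_LINK).items():
        print(f"{key}: {value}")
```

A daemon that sits on its standard port but has been replaced with a trojaned binary will not show up here; that case needs a file-integrity comparison against known-good hashes, which the paragraph's "first things to look for" do not cover.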
Investigations thus far indicate the following items are being stolen for use in various schemes detailed later in this paper:
GETTING CREDIT CARDS
THE SCHEMES
Each hacking and carding group tries to develop its own original scheme for making money from the stolen data; however, there are several primary schemes for converting stolen data into cash or product on which all the others are based. Below, the primary schemes and a few widely used variations are detailed. It is important to note that the variations are limited only by the imagination and knowledge of the subjects.
Sell - The easiest and quickest method to make money from stolen cards is simply to sell them online. The card data offered for trade or sale, often track 1 and track 2, is called a “dump.” The going rate online is approximately $.35-$.50 for credit card numbers with expiration dates. Cards with full subscriber information and CVV2 numbers range in price from $2.00 to $4.50. Cards are also sold on the basis of their verified credit line, e.g., $100 for a card with an available credit line of $10,000.
Auction Fraud - Also an incredibly easy scheme, auction fraud has been somewhat limited by the establishment of online escrow companies. But note that fake online auction companies can easily be created as well. In this scheme, the subject simply posts a fake auction item and sells it to the highest bidder. The buyer sends the seller money or a credit card number but never receives the product.
A couple of variations of this scheme are as follows:
- The hacker/carder uses the stolen credit card to purchase auction items. This can be done in a person-to-person sale or through the use of an escrow account. If an escrow account is involved, the hacker/carder will either open an escrow account based on the stolen information or will take over an existing escrow account and use whatever funds are in it to make purchases. The purchases are shipped to a drop and picked up later by either the subject or his associate, to be re-packaged and shipped elsewhere, usually overseas. The associate who receives the packages at the drop and forwards them is called a trans-shipper. How trans-shippers are obtained is discussed later.
- The second variation is more sophisticated and forces the escrow account to serve as a money-laundering tool. The hacker/carder will open several escrow accounts, one based on a bank account controlled by the hacker/carder and the others based on stolen credit card or bank account information. Often neither account is in the subject’s true name.
The auctions take place for a limited period of time and the hacker wins his own auctions using one of the fraudulent accounts. This fraudulent account is then used to pay the escrow company.
Drops and trans-shippers are obtained in several ways:
- The most common is to post on a hacker/carder forum the need for a partner and establish a working relationship with whoever answers the post.
- Drops can also be obtained by posting a job offer on Hotjobs.com or Monster.com for an individual to work from home. Individuals are paid via Western Union to accept and repackage items and send them overseas. A skilled social engineer can convince people of the legality of accepting packages in this manner, and the newly hired employee is unaware they are facilitating a crime.
Some pay these employees through Western Union. Others act as if they are paying the employee by sending a counterfeit check. The check is drawn for a substantially higher amount than is owed to the new employee. When the employee comments on the value of the check, the employer states it was an oversight and asks the employee simply to wire the employer the remaining funds, after subtracting the money owed to the employee plus a bonus for being honest. The employee sends the wire transfer overseas and two to three days later finds out the check is counterfeit. The employee is not only out their salary but also the amount wired overseas.
- The third variation is called COB (change of billing). Most credit card companies allow their customers online access to their accounts. With this online access, the customer can change billing addresses, telephone numbers, passwords and so on. The intriguing aspect is that most people never activate their online access. When a hacker/carder steals a credit card with full information, they can go online, activate the access themselves and change the billing address to match that of one of the drops they control. The COB is extremely useful when the company the items are being purchased from will only ship to the billing address.
- If the drop is worried about having the packages shipped to their own address, P.O. boxes are used. An ingenious alternative is to send the packages to vacant houses. An individual can contact a local real estate agent to determine which homes are for sale and when the occupants plan on moving out. During the brief time the house is vacant, the drop can simply pick up the packages from the mailbox of the vacant house.
- A final variation involves some sophistication but limits the need for an associate. When an item is fraudulently purchased, the hacker/carder has the package shipped to the credit card holder’s real address. A slow shipment method is requested, as well as a fax or email of the scanned shipping bar code. When the hacker/carder receives a copy of the shipping bar code, they can use a bar code scanner to read it. They then contact the shipping company, provide the information contained in the bar code and request a change of the shipping destination. The new cost for the shipment is billed to the defrauded company or charged to another stolen credit card.
This is dedicated to cumbajonny and other people who watch their backs closely. If you're that careful you will probably never be caught. The date in the topic will be changed whenever there is an update.
How to start
You must have some money saved up in order to start in this business (or be really good at online carding). I assume you have some sort of transportation, a computer, and some brains. Let's take a look at a list of other things you will need (all costs are approximate):
Where can I get a card to use?
Kinds of dumps
So, what kind of dump should you use? It all depends on what you will be buying. If you plan on buying a lot of lower priced things (less than $500), go with Classic. They are the cheapest, but have the lowest limits. You can eat through a list of classic cards very quickly. If you plan on making larger purchases go with gold, platinum, or signature. I stick to Visa/Mastercard. Many stores require the CVN of an Amex card (number printed on front), and it will look strange when the computer says you used an Amex and you're holding a Visa/Mastercard.
Track 2 or 1 and 2?
I'm ready, now what?
So you have everything you need, or do you? How about software for your encoder? I use TheJerm's MSR206 program. You can download it at http://www.thejerm.0catch.com/. It's easy and it works great.
Now, before you encode your card you have to change the name. Put the name on it from your fake ID. If you look at the dump you'll see something like this:
It's not hard to figure out where the name goes. The numbers right after the name in track one and right after the = in track two are the exp date in YYMM format. This card would expire July 2003. The rest is the bank data, which we won't get into here.
So, change the name and encode. Now you're physically ready. Are you mentally ready?
Prepare your mind
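The guide quoted above describes the magnetic-stripe layout only loosely (name between the separators on track 1, expiry in YYMM after the name or after the `=` on track 2). The parser below is an added example, written for this page and not taken from the guide or its author: it decodes both tracks of the ISO/IEC 7813 format, validates the card number with the Luhn check digit, cross-checks the two tracks against each other, and scans an arbitrary text blob for track data, which is the check an investigator or a PCI assessor runs against a seized disk or a merchant's logs. The sample dump is constructed with a public test card number and the July 2003 expiry the guide mentions; the name and discretionary data are invented.

```python
import re
from typing import Optional

# Constructed sample dump. 4111111111111111 is a public test PAN, not a real
# account; DOE/JOHN and the discretionary digits are invented.
SAMPLE_DUMP = """%B4111111111111111^DOE/JOHN^0307101123456789?
;4111111111111111=0307101123456789?"""

# ISO/IEC 7813: track 1 = %B PAN ^ NAME ^ YYMM SVC discretionary ?
#               track 2 = ; PAN = YYMM SVC discretionary ?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?")


def luhn_ok(pan: str) -> bool:
    """Luhn check digit: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def expiry(yymm: str) -> tuple:
    """'0307' -> (2003, 7). The two-digit year is read as 20YY (assumption)."""
    return 2000 + int(yymm[:2]), int(yymm[2:])


def _fields(m: "re.Match") -> dict:
    return {
        "pan": m["pan"],
        "name": m.groupdict().get("name"),      # track 2 carries no name
        "exp": m["exp"],
        "expires": expiry(m["exp"]),
        "service_code": m["svc"],
        "discretionary": m["disc"],
        "luhn_ok": luhn_ok(m["pan"]),
    }


def parse_track1(line: str) -> Optional[dict]:
    m = TRACK1_RE.fullmatch(line.strip())
    return _fields(m) if m else None


def parse_track2(line: str) -> Optional[dict]:
    m = TRACK2_RE.fullmatch(line.strip())
    return _fields(m) if m else None


def parse_dump(text: str) -> dict:
    """Parse a two-line dump and cross-check the tracks: a re-encoded card whose
    tracks disagree on PAN, expiry or service code will not pass a terminal."""
    t1 = t2 = None
    for line in text.splitlines():
        t1 = t1 or parse_track1(line)
        t2 = t2 or parse_track2(line)
    present = [t for t in (t1, t2) if t]
    consistent = (t1 is not None and t2 is not None
                  and t1["pan"] == t2["pan"]
                  and t1["exp"] == t2["exp"]
                  and t1["service_code"] == t2["service_code"])
    return {"track1": t1, "track2": t2,
            "luhn_ok": bool(present) and all(t["luhn_ok"] for t in present),
            "tracks_consistent": consistent}


def scan_for_tracks(blob: str) -> list:
    """Find track-formatted data anywhere in a text blob (log file, capture,
    seized file). Only Luhn-valid PANs are reported, to cut false positives."""
    hits = []
    for regex in (TRACK1_RE, TRACK2_RE):
        for m in regex.finditer(blob):
            rec = _fields(m)
            if rec["luhn_ok"]:
                hits.append(rec)
    return hits


if __name__ == "__main__":
    for key, value in parse_dump(SAMPLE_DUMP).items():
        print(f"{key}: {value}")
```

The service code (the three digits after the expiry) is worth reading too: its first digit says whether the card is valid internationally and its third digit whether a PIN is required, which is why the guide's author prefers dumps whose service code permits plain signature purchases. Storing full track data after authorization is prohibited under PCI DSS, so any hit from `scan_for_tracks` on a merchant system is a finding on its own.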
COLLECTING THE MONEY
Once all the fraud is committed and the profits have been reaped, the hackers and carders need to convert the money to cash. The most common request is to have the money wired via Western Union (WU). For a small percentage of the profit, WU clerks in Eastern Europe will look the other way if the recipient’s ID does not match the name of the individual retrieving the cash. If a passphrase is used, there is no need for an ID at all. Finally, WU transfers can be used to fund ATM cards, which then require no ID and no personal contact to obtain the funds.
All of the schemes allow the hackers and carders to convert the money into electronic credit, which must then be sent to a bank account or an e-currency repository. These repositories can be as simple as an online bank account such as NetBank or INGDirect, or ordinary accounts at banks with less stringent banking requirements, e.g., offshore banks in Latvia, the Republic of Nauru or Cyprus.
The problem with these methods is the paper trail associated with keeping money in a bank.
With the advent of e-currency and online escrow accounts came e-currency ATM cards, also known as pre-paid credit/debit cards. These cards can be purchased for a small fee and funded using any of the e-currencies currently available, including EVOCash, Egold, LogixPay, eBullion, GoldMoney, Pecunix and NetPay. The cards are in essence pre-paid ATM cards that are funded by sending money to the particular e-currency broker. The cash is then withdrawn at any ATM that accepts the respective card.
Providers of prepaid debit cards or e-currency ATM cards include SwiftPay, WMcards, Ecount, Wired Plastic, Green Card, Citi Cash Card and Eufora, as well as cards issued by the e-currency companies themselves and hundreds of others.
Many enterprising subjects have set themselves up as middlemen for the carders. These individuals set up online businesses that handle the money-laundering and stolen-property sales (“consignment shop”) aspects of the schemes for the carders. The sites offer bank accounts, debit cards and drop addresses to the carders in exchange for a fee. The carders then have the profits from extortions, PayPal fraud, auction fraud or any of the other schemes deposited into the account or shipped to the address. However, no real bank account is set up for the carders. The site owner opens a single bank account and, using an Excel-type spreadsheet, assigns sub-accounts to each of his clients. When money is deposited into the site owner’s bank account, a special notation is required indicating into which client account the money is to be credited. This notation means nothing to the legitimate bank at which the site owner’s account resides. The site owner deducts his percentage and records the remaining amount on his spreadsheet as belonging to the specified client. The client can then have this money transferred to a bank account or a pre-paid debit card, or use it to purchase e-currency. In effect, the site owner has created his own bank without the regulations or oversight of a legitimate bank.