Credit card fraud - Internet Info

CREDIT CARD FRAUDS
RASTISLAV TUREK

Who am I
  • Blogger (blog.synopsi.com)
  • Slovak
  • Independent security consultant (synopsi.com)
  • Twitterholic (almost 6 500 tweets in a year and a half)
  • Technologist

Before we start: a little survey
  • Do you know the differences between a credit and a debit card?
  • Do you have one or two debit or credit cards?
  • Do you have more than two cards?
  • Do you know what a credit card number means?
  • Did somebody steal money from your card?

History of Credit Cards
  • First credit card (1920 in US)
  • Diners Club (1950)
      • First modern credit card company
  • American Express (1958)
  • BankAmericard (1958), later Visa
  • Everything Card (1967), later Master Charge (1969), later Master Card (1979)

Card security improvements
  • Personal
      • Signing from 1920
      • Magnetic stripe from 1966
      • PIN from 1967
      • Chip and PIN from 2003
  • Internet
      • CVV/CVV2/CSC/CVVC/CCV
          • MasterCard from 1997
          • Visa from 2001
      • 3D Secure from 2004
          • Verified By Visa
          • MasterCard SecureCode
          • J/Secure
  • Global
      • PCI Security Standards Council (2006)
      • Payment Application Data Security Standard

Card types
  • Debit Card [your money]
      • Funds are withdrawn directly from customer's bank account
  • Credit Card [bank money]
      • Funds are withdrawn directly from bank's account, loaned to the customer
  • Widely used:

      • Classic. Limit: $100 - $2 000
      • Gold. Limit: $500 - $15 000
      • Business. Limit: $500 - $25 000
      • Platinum. Limit: $1000 - $100 000
      • Amex Black (Centurion). Limit: Unlimited
      • (Airline, Charge, ...). Limit: Depends on company

Card number
  • All magnetic stripe identification cards are generated according to ISO/IEC 7812
  • Almost every issued card number can be validated with the Luhn mod 10 algorithm
  • You can check your card via IS (BIN) on http://bins.bankinfo.sk

Issuer Identification Number
  • Previously Bank Identification Number (BIN)
  • This number is used to identify:
      • Country of issuer (Slovakia, UK, USA, ...)
      • Issuing bank (HSBC, Citibank, Commerce AG, ...)
      • Exact card type (Credit Gold, Debit Business, ...)
      • Issuer phone number for card blocking

  Issuer | Identifier | CNL*
  Diners Club/Carte Blanche | 300xxx - 305xxx, 36xxxx, 38xxxx | 14
  American Express | 34xxxx, 37xxxx | 15
  Visa | 4xxxxx | 13, 16
  MasterCard | 51xxxx - 55xxxx | 16
  Discover | 6011xx | 16
  * Card Number Length

Card security elements
  • PIN
      • 4 digit value, sometimes can be chosen/changed by the user
      • Generated by encrypting the PAN (Primary Account Number) with the PGK (PIN Generation Key) using 3DES, with the result decimalised at the end. Sometimes an offset can be added to the original PIN
  • CVV/CVV2/CVC/CVC2
      • Mostly a 3 digit value, only AMEX has 4 digits; printed on the back side of the card, AMEX on the front
      • Generated by encrypting the PAN, service code and expiration date with the CVK (Card Verification Key), with the result decimalised at the end

Card security elements
  • Magnetic Stripe
      • Track 1
        B4888603170607238^Head/Potato^050510100000000001203191805191000000
      • Track 2
        4888603170607238=05051011203191805191
      • Track 2 plus/se (Track 3)
        014888603170607238==0401000000000000003000000000000007020===0=
  • Track 2 can be generated manually from Track 1 and vice versa. Track 3 can also be generated from Track 1, but not vice versa.

  Track 1 fields:
      B : format code
      4888603170607238 : PAN (Primary Account Number), mostly the credit card number
      ^ : separator
      Head : surname
      Potato : first name
      0505 : card expiration date
      101 : service code (tells if the card has chip verification, or not)
      00000000001203191805191000000 : generated for a concrete card type from a concrete issuer

Card security elements
  • Chip
      • More secure than magnetic stripe
      • Same CHIP as in GSM SIM cards (not encryption)
      • Data encrypted by 3DES or RSA
      • Key set is usually loaded (DES) or generated (RSA)
      • After decryption, there are similar tracks as in the magnetic stripe
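The Track 1 and Track 2 layouts above are what a cardholder-data discovery scan looks for in logs and dumps, because track data should never be left in storage. The following is an added example, not part of the original slides: it finds track strings, drops Luhn-invalid candidates and reports the rest masked. The log lines are constructed around the page's sample tracks, and the chip flag assumes the ISO/IEC 7813 service-code convention.

```python
import re

# Track 1: B<PAN>^<surname>/<first name>^<YYMM><service code><discretionary>
# Track 2: <PAN>=<YYMM><service code><discretionary>
TRACK1 = re.compile(r"B(\d{13,19})\^([^^/]*)/([^^]*)\^(\d{4})(\d{3})(\d*)")
TRACK2 = re.compile(r"(?<!\d)(\d{13,19})=(\d{4})(\d{3})(\d*)")

# IIN prefixes and card number lengths from the table on this page.
BRANDS = [
    ("Diners Club/Carte Blanche", r"30[0-5]|36|38", {14}),
    ("American Express", r"34|37", {15}),
    ("Visa", r"4", {13, 16}),
    ("MasterCard", r"5[1-5]", {16}),
    ("Discover", r"6011", {16}),
]

def luhn_ok(pan):
    """Luhn mod 10: double every second digit from the right, sum the digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def brand_of(pan):
    for name, prefix, lengths in BRANDS:
        if re.match(prefix, pan) and len(pan) in lengths:
            return name
    return "unknown"

def mask(pan):  # keep only the first six (IIN) and last four digits
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(text):
    """Return masked findings for track data in text; Luhn-invalid PANs are skipped."""
    findings = []
    for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
        for m in rx.finditer(text):
            pan = m.group(1)
            if not luhn_ok(pan):
                continue  # random digit runs rarely pass the check digit
            exp, svc = m.groups()[-3], m.groups()[-2]
            # Assumption (ISO/IEC 7813): first service-code digit 2 or 6 marks a chip card.
            findings.append({"kind": kind, "pan": mask(pan), "brand": brand_of(pan),
                             "expiry": exp, "service_code": svc,
                             "chip": svc[0] in "26"})
    return findings

# Constructed log lines embedding the sample tracks shown on this page.
SAMPLE_LOG = """\
2009-05-01 10:02:11 pos[311] swipe raw=%B4888603170607238^Head/Potato^050510100000000001203191805191000000?
2009-05-01 10:02:11 pos[311] swipe raw=;4888603170607238=05051011203191805191?
2009-05-01 10:05:40 pos[311] order ref=4974101234567890=0810221000000
"""

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The third log line is skipped because its digit run fails the Luhn check, which is what keeps order references and similar identifiers out of the findings.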

  Chip (Track 2)
      4974101234567890=0810221xxxxxx4060000
      4970891234567890=0909221xxxxxx3000000
  Magnetic (Track 2)
      4974101234567890=0810221xxxxxx0210000
      4970891234567890=0909221xxxxxx3370000

Card security elements
  • 3-D Secure
      • XML based protocol
      • Always using an SSL connection

  1. You are buying something from a merchant
  2. He redirects you to the payment processor page (encrypted)
  3. You'll enter card information (encrypted)
  4. The payment processor checks if your card is valid for VBV/MSC/JSC
  5. If it's OK, it redirects you to the card issuer website (your bank). Many banks are outsourcing this step, so you can be redirected to a different website (encrypted)
  6. You're prompted to fill in a form (if you're there for the first time), or to enter a password (SMS code, etc.) (encrypted)
  7. If verification passed, you are redirected back to the payment processor website, which will check your supplied card data (encrypted)
  8. As the last step you are redirected back to the merchant website

Card transactions
  ATM, POS and Internet payments work very similarly, there are just small differences.

  1. You give your card to a merchant
  2. He puts it into a POS terminal
  3. The POS terminal sends important information to the payment processor (encrypted)
  4. The payment processor checks who the issuer is and asks him if your card is OK and if you have enough money for this transaction (encrypted)
  5. The bank will send a response (only YES, NO) to the payment processor (encrypted)
  6. The payment processor sends the response to your merchant (encrypted)
  7. If the response is positive, you'll get your stuff

Frauds
  • There are many ways to steal from people
  • But there are just a few ways to cash money from stolen cards
  • There is a brand new business just for this
  • In this part you will see the business models of thieves
  • You will see real life examples, from real businesses used by these people

Stealing
  Your card can be stolen in many ways:
  • hacked website (eshop, ...)
  • hacked payment processor
  • hacked bank
  • hacked mall
  • skimming
  • phishing / vhishing
  • stolen card
  • malware / keylogger
  • generated card
  http://www.ic3.gov/media/annualreports.aspx

Business models

  • Universal business model to get cash from stolen credit cards
  • Sometimes one person is able to serve several positions

Position: Hacker
  • His job is to get credit cards with all accessible information
  • Medium dangerous position
  • As a freelancer he will get only approximately $1 for each working card
  • In a group he gets the smallest cut
  • How does he get credit cards?
      • SQLi on websites (mostly eShops)
      • Hacking payment processors (millions of cards)
      • Eavesdropping on traffic in a mall

Hackers Pricelist
  • Talking about a freelancer
  • Prices mostly depend on the amount of information
  • He can get much more if he can provide information like the balance of credit on the card, SSN, DOB, MMN, etc.

  Credit card country | Credit card type | Additional info (SSN, DOB, ...) | Price
  USA | Credit | SSN +$2 - $10; DOB +$2 - $10; PIN +$10 - $30 | $1 - $25
  USA | Debit | SSN +$2 - $10; DOB +$2 - $10; PIN +$10 - $30 | $0.3 - $15
  UK | Credit | DOB +$5 - $25; PIN +$10 - $30 | $3 - $50
  UK | Debit | DOB +$5 - $25; PIN +$10 - $30 | $2 - $25
  Others EU | Credit | DOB +$25 - $50; PIN +$10 - $30 | $5 - $50
  Others EU | Debit | DOB +$25 - $50; PIN +$10 - $30 | $3 - $50

  All cards are checked before selling.

Position: Skimmer
  • His job is to get card information from the magnetic stripe / chip / RFID
  • Very dangerous position
  • As a freelancer he will get approximately $25 for each working card

Skimmers Pricelist
  • Talking about a freelancer
  • Price depends on the type of card, issuing country and bank
  • He can get much more if he can provide information about the balance
  • Price also depends on the source of the card (hotels have high value, restaurants have low value, ...)

  Credit card country | Credit card type | Price if balance is known | Price
  USA | Credit | 3% - 10% from balance | $25 - $500
  USA | Debit | 3% - 10% from balance | $25 - $200
  UK | Credit | 3% - 15% from balance | $50 - $500
  UK | Debit | 3% - 15% from balance | $25 - $250
  Others EU | Credit | 3% - 15% from balance | $50 - $500
  Others EU | Debit | 3% - 15% from balance | $25 - $250

  All cards are checked before selling.

Skimmer in work

Position: Phisher/Vhisher

  • His job is to get information about cards by using social engineering
  • Low dangerous position
  • Success in only 0.001% of all sent emails (depends on the quality of the email and site)
  • He mostly gets all information about the card and its owner (on the black market known as Fullz, highly valuable cards)
  • In 65% of cases he also gets access to the owner's email, and in 47% the target site is PayPal
  • Vhishing is a form of phishing but over the phone (much more successful)

Phishers Pricelist
  • Talking about a freelancer
  • Highly valuable cards
  • Along with the cards they are mostly selling PayPal, MoneyBookers, eBay, RapidShare, ... accounts.
  • Declined Fullz can be used for shopping with Bill Me Later, PayPal Later, ...

  Credit card country | Credit card type | With email | Price
  USA | Credit | +$30 - $150 | $50 - $500
  USA | Debit | +$30 - $150 | $25 - $500
  UK | Credit | +$30 - $150 | $75 - $750
  UK | Debit | +$30 - $150 | $50 - $500
  Others EU | Credit | +$30 - $150 | $75 - $750
  Others EU | Debit | +$30 - $150 | $50 - $500

  All cards are checked before selling. Talking about Fullz (SSN, DOB, MMN, PIN, ...)

Phishers Success

Black Market

  • Black markets allow verified people to exchange any valuable stuff, like credit cards, fullz, emails, phishing templates, ...
  • They can be found in many places
      • IRC [any-network #ccworld]
      • Web (mostly forum) [mazafaka.cc, cardingzone.org, ...]
      • SILC (most exclusive) [access only for invited people]
      • Mail discussions [access only for invited people]
  • To get access to private black markets you need to be invited by 5 or more people and pay from $1 000 to $10 000 (ordinary)

Black Market prices

Black Market: How to pay
  • Most popular was eGold until 2007, when the US government ordered the e-gold administration to lock/block approximately 58 e-gold accounts; in 2008 three directors pleaded guilty
  • There are now two very popular services with a pretty good identification guarantee:
      • WebMoney (Russian multifunctional payment service)
      • Liberty Reserve (very similar to eGold, but HQ is in Costa Rica)
  • An exchange service can be used to cover identity much more; it will transfer money from one service to another in a few seconds for big fees (5% - 25%, depends on services). There exist more than 500 exchange services, and 95% are from China, Russia, Costa Rica, Belize, Seychelles, etc.
  • Many rippers (fraudsters) on ordinary black markets

Black Market Examples Forum

Black Market Examples IRC

Position: Buyer / Cashier
  • His job is to use cards for buying stuff to a safe drop
  • Low dangerous position
  • Must have very good skills, know the security of payment gateways and eShops
  • Many times he needs to confirm orders with additional information about the card owner, like background, SSN, MMN, DOB
  • Sometimes he needs to confirm orders by phone conversation
  • Buyers mostly have very good access to all information from 3rd party services
  • They have access to highly valuable proxies, which can be chosen by country and city and are also highly anonymous (not sending any proxy identifiers)
  • If they are independent, they are asking for 10% - 25% of the goods price
  • If they're working in a group, they get 30% - 60% of the sold prices

Position: Drop
  • His job is to pick up money or ordered goods
  • Very dangerous position
  • Safe drops for money are used for wire transfers, or Western Union orders
  • Many times the drop for Western Union is a WU Agent in a country like Thailand, Indonesia, India, etc.
  • Good drops often use homeless or asocial people for picking up goods from UPS, Fedex, or Post
  • Independent drops take 20% - 50% of the goods or money
  • In a group they take 20% - 40% of the goods selling price or money
  • They're also cashing skimmed cards
      • Mostly in countries like Thailand or Italy, because of country blocks (Many US, AU, CA, ... cards are blocked for countries like Germany, Slovakia, Russia, etc. Card owner can withdraw money from the card in a bank with assistance of bankers)

How to
Real life examples

How to get cards
  • Most ordinary way is to hack an eShop
  • Most popular technique is SQLi

How to check card validity
  • Most ordinary way is to use a "Donate us" form on any foundation website to make a payment of a small amount ($0.1 - $15)
  • Much more sophisticated is to use three step payment processors, which can tell in the first step if a card is valid, in the second will check AVS (address verification system), whether the address and zip are the same as on the card, and in the third will try to make the payment
  • A hacker can stop this in the first or second step and not make a payment on the card
  • Bigger chance not to lose this card

How to get SSN, DOB, ...
  • In US, UK, DE, etc. law enforcement, firemen, doctors in hospitals, employees in social security and lawyers have access to this information
  • There are always people who want to make more money

How to get balance information
  • Balance information is highly valuable, because the cashier will not attract attention to himself
  • This is mostly the most expensive service provided by 3rd party groups
  • There are two very nice and simple ways to get it in the USA
      • Call the free number of the biggest bank in the US, +18004321000 (Bank of America); a robot voice will request the credit card number and, for verification, the SSN
      • A good payment processor, which can check card validity with the paying amount in the first single request. Then a hacker needs to send a few requests to know the approximate amount
  • Example of such requests:
      Paying amount: $4500
      Paying amount: $1500
      Paying amount: $3500
      Paying amount: $3000
      Paying amount: $3200

How to bypass 3-D secure
  • This depends on implementation, but 90% of 3-D secure websites are outsourced to big payment processors (FirstData [achex], etc.)
    https://www.achex.com/RequestDispatcher/Issuer3DSecureResponse;AchexSession=DCXzGW9GQT7ZTgrFpnTCy75ZvXm0QJgyBRHjz1L8WNTBL1jCVYvz!1061590781
  • This bug was really simple. They had forgotten to add expiration/destroy to the response session, so every card can be verified by 3D-Secure with this old URL
  • In the real world, you do not need much to validate yourself as the owner of a card in 3-D secure, because every password can be changed online by adding a few pieces of information about the card, mostly SSN, DOB, ZIP, CVV2, EXP date.
  • If the owner of a credit card didn't fill in information on the 3-D secure register form, you can always push "No Thanks" and pay without 3-D secure
  • Anyone can check if a card is in the Verified by Visa or MasterCard SecureCode program just by visiting these sites and entering the card number
    https://verified.visa.com/aam/data/vdc/landing.aam?partner=vdc&resize=
    https://enrollment.securecode.com/vpas/cuets-en.html

How to get proxy for exact city

  • Every buyer/carder needs a good proxy for the exact city in the exact country/state of his stolen credit card. Many eShops and payment processors are using GeoIP localization
  • Anyone can buy proxies from a specialized Russian service, which is using a botnet to provide SOCKS 5 proxies. They can be ordered by country, state, city and speed
  • They're offering approximately 250 000 working proxies from almost every country in the world

How to get cash from cards
  • There exist a few ways to get money from credit cards
  • Use a virtual POS terminal
      • A virtual POS terminal will transfer money to a bank account the next day. This technique requires a real working shop, which accepts orders daily, and cashes only a few stolen cards per day so as not to attract attention.
  • Affiliate
      • A very popular technique is to open an affiliate account, mostly on porn sites, and order customer accounts through this affiliate account with stolen cards. This will cost every card $25 - $50 for a month and the affiliate will get $10 - $50 for each customer.

How to get cash from cards
  • Western Union
      • WU is pretty complicated, because it needs a lot of assets to make a successful order. WU allows people from a few countries (US, CA, AU, NZ, ...) to make an online order with their Visa or MasterCard. They're using 3-D secure and every order must be confirmed online via phone. The phone number must be the same as in the credit card file in the issuer database and they're asking for background information (if it's available).
      • The cashier needs to have access to a good VoIP service to change the displayed number, good information about the card owner (including background) and also there must be a very good drop to receive this money. Many times the drop is an original Western Union Agent in countries like Thailand, India, China, etc.
      • A good cashier can make $15 000 - $150 000 daily

Malware in ATM

  Opt | Function | Description
  0 | Restore Logs | Restore the log files
  1 | Uninstall | Uninstall malware and clean all files
  2 | Display Stats | Creates and displays a window presenting statistics (numbers of transactions, cards, keys)
  3 | Delete Logs | Deletes the harvesting log files
  4 | Reboot ATM | Forces a full system reboot.
  5 | Test Printer | ATM's receipt printer will print Hello and 123456789.
  6 | Print Collected Data | Print the harvested data, in an encrypted format, via the ATM receipt printer.
  7 | Secondary Menu | This option will present the user with a window displaying a challenge and wait for the corresponding response to be entered
  8 | Supply Manager Information | The malware tries to access the ATM-vendor-software's user interface
  9 | Writing to a smart card | Transfer the harvested data directly to a card injected into a compromised ATM.

and if you are asking yourself: Why would somebody risk long jail time? Here is the answer

Thank you
Rastislav Turek
[email protected]
+1 (615) SYN-OPSI
