Online/Physical Carding Explained (Online Fraud Part 1)

Fraud is something I have been doing for many years, even before internet fraud was a thing. So it is safe to say I have vast knowledge and experience in this business. I have written this article with the intention of helping beginners and even advanced fraudsters take their operations to the absolute next level. Beginners who are just starting out in the online fraud business will also find this guide extremely helpful to kickstart their journey as many of the things I will go over are used every single day during different fraud operations and will be valid for many years to come.

Okay, let me explain the most common keywords in online fraud.

FULLZ: This is someone’s entire data cluster and it’s what is used to create bank drop accounts, and for setting up payment processors on fake online stores. This could also be used for many different things such as conducting an ATO (Account Take-Over) on someone’s bank account, opening new lines of credit under their name, and much more. Fullz is extremely valuable information to us and in fact a NECESSITY to be able to open bank drops. Fullz usually comprises Background Checks, Credit Reports, Credit Scores, Full Names, Addresses, Social Security numbers (SSN), Date of Birth (DOB), Driver’s License Numbers, and more.

CVV: This can either be someone’s full credit card details, or someone’s full debit card details. CVV is simply fraud slang for credit/debit card details, there’s not much to it. We can use these details to “card” information on someone online, such as background or credit reports that can be used for various purposes such as opening bank drops and conducting an ATO (Account Take-Over) on the victim’s bank account, or we can use these CVV details to order physical/digital products that will be sent to a drop address.

CVV DUMPS: A credit card dump is an unauthorized digital copy of all the information contained in the magnetic strip of an active credit card, created with the intention of illegally making a fake credit card that can be used by cybercriminals to make purchases. Credit card dumps are used by fraudsters to capture valuable card data such as the card number and expiration date. These can be obtained in a number of ways. The most popular method nowadays is “skimming”, a process in which an illegal card reader is used to copy the data from a credit card. Other methods include hacking into a retailer’s network or when a malware-infected point-of-sale device is unwittingly used by a retailer, sending the information to the criminals.

DUMPS SERVICE CODE: Many fraudsters think that there are only 2 types of dumps, 101 and 201. The truth is there are many other types of dumps. Carders usually work with either 101 or 201 but the majority will prefer 101. This is known as the SERVICE CODE of a dump. The service code contains 3 characters and you can find a dump service code just by looking at a dump, regardless of whether it has both TRACK1+TRACK2 or just TRACK2. For example, let’s say we’re looking at the dump 4256 746500930321=1402101700102054. The service code of this dump is 101, which is located right after the expiration date of the card, which in this case is 1402 (FEB 2014). The value of the service code determines where the cards are suitable to be used and in what way. Below is a detailed explanation of each service code available today.

The first digit (usage variables):
1xx: Worldwide use, usually doesn’t have a smart chip.
2xx: Worldwide use, does have a smart chip and is required to use a smart chip if the card reader reads the chip
5xx: National use, a list of regions can be allowed by the bank (often called region locks).
6xx: National use, a list of regions can be allowed by the bank but required to use smart chip if the card reader reads the chip
7xx: Only useable according to what has been agreed with the bank

The second digit (authorization):
x0x: Normal authorization, normal usage.
x2x: Contact issuing bank.
x4x: Contact issuing bank, exceptions rules by the bank.

Third digit (services that the card can be used for):
xx0: Can be used for anything, require a PIN.
xx1: Can be used for anything without a PIN.
xx2: Can be used to buy goods or pay a service, cannot retrieve cash, PIN not required.
xx3: ATM only, PIN required.
xx4: Cash only, PIN not required.
xx5: Can be used to buy goods or pay a service, cannot retrieve cash. PIN required
xx6: No restrictions to use, will ask for a PIN when possible.
xx7: Can be used to buy goods or pay a service, cannot retrieve cash. PIN required when possible.

TRACK1+TRACK2 DATA: There are up to three tracks on magnetic cards known as tracks 1, 2, and 3. Track 3 is virtually unused by the major worldwide networks and often isn’t even physically present on the card by virtue of a narrower magnetic stripe. Point-of-sale card readers almost always read track 1, or track 2, and sometimes both, in case one track is unreadable. The minimum cardholder account information needed to complete a transaction is present on both tracks. Track 1 has a higher bit density, is the only track that may contain alphabetic text, and hence is the only track that contains the cardholder’s name. The information on track 1 on financial cards is contained in several formats that go from A to M. The “A” is only used by the bank itself, so we do not need to pay much attention to it. The “B” is where the holder’s financial information is stored, the most important section of the magnetic stripe. C to M is used for the ANSI Subcommittee X3B10, and N to Z is the information that is available for use of individual card issuers. This is what track 1 looks like.

%B5XXXXXXXXXXXXXX2^GEORGENULL/MAX^1103101000000001000000003000000?;

• % for Start Sentinel
• B for Bank Type Credit Card
• 5XXXXXXXXXXXXXX2 is the Primary Account Number, which in most cases is the number printed on the front of the card, but not always.
• ^ is the separator
• GEORGENULL is the card holder’s last name
• / is the separator
• MAX is the card holder’s first name
• ^ another separator
• 11 expiration year, 03 expiration month
• 101 SERVICE CODE
• 0000000010000000003000000 is the discretionary data
• ? is the end

So now that you’ve seen the information that is stored in track 1 and the letter containers, you should have already figured out that credit card dumps are mainly the first 2 tracks.

Track 2 data is used by ATMs, physical payment processors, and in any online website. There are a lot of components in this track, the layout is shown below.

| START SENTINEL | PRIMARY ACCOUNT NUMBER | FIELD SEPARATOR | ADDITIONAL DATA | END SENTINEL | LONGITUDINAL REDUNDANCY CHECK |

With a more in-depth examination of the data, you can see how a credit card number and holder’s main information is stored in the track 2 data.

;5XXXXXXXXXXXXXX2=1103200XXXX00000000?*
^^               ^^   ^  ^           ^^
||_ CARD NUMBER  ||   |  |_ ENCRYPTED||_ LRC
|_ START SENTINEL||   |     PIN***   |_ END SENTINEL
                 ||   |_ SERVICE CODE
FIELD SEPARATOR _||_ EXPIRATION

Now let’s break it down.

• ; : Start Sentinel
• 5XXXXXXXXXXXXXX2: Primary account number, the PAN. This would be the credit card number you always see printed on the front of the plastic.
• 1103: Expiry Date. Always year first then a month.
• 200: Service code.
• XXXX00000000: Discretionary data, which includes the PIN verification, the card verification value and the last 3 digits on the back of the card aka the CSC/CVV2 code.
• ?: The End Sentinel
• With ^^ ^^ ^ ^ ^^ begins the track 3 data, which as said previously is completely useless.

Most carders and hackers will only seek out the TR1 and TR2 data. That’s where the term CVV dumps comes from.
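From the defender's side, the fixed layout described above is what lets data-loss-prevention tooling spot track data in places it must never be kept (PCI DSS prohibits storing full track data after authorization). The following is an added example, not code from the original article: it scans log lines for track 1/track 2 patterns, confirms the PAN with a Luhn check, and redacts the match. The log format, the function names and the 4111... test number are assumptions constructed for the illustration.

```python
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{12,19})\^[^^\r\n]{2,26}\^(\d{4})(\d{3})[^?\r\n]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})\d*\?")

def luhn_ok(pan: str) -> bool:
    """Luhn checksum: filters out digit runs that only look like a PAN."""
    digits = [int(c) for c in reversed(pan)]
    total = sum(digits[0::2])
    for d in digits[1::2]:
        total += d * 2 - 9 if d > 4 else d * 2
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first 6 and last 4 digits, the most that may be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(line: str):
    """Return (findings, redacted_line); findings never hold a full PAN."""
    findings = []

    def handler(kind):
        def repl(m):
            pan = m.group(1)
            if not luhn_ok(pan):
                return m.group(0)  # probable false positive, leave untouched
            findings.append({"track": kind, "pan": mask(pan)})
            return f"[REDACTED-TRACK{kind}]"
        return repl

    line = TRACK1.sub(handler(1), line)
    line = TRACK2.sub(handler(2), line)
    return findings, line

# Constructed sample lines (hypothetical POS agent log, test card number only).
SAMPLE_LOG = [
    "12:00:01 pos-agent DEBUG raw=%B4111111111111111^DOE/JANE^3012101000000000000?"
    ";4111111111111111=30121010000000000000? status=ok",
    "12:00:02 pos-agent DEBUG raw=;4111111111111112=30121010000000? status=ok",
    "12:00:03 pos-agent INFO order=1234567890123456 total=19.99",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        hits, redacted = scan(entry)
        print(hits, redacted)
```

A hit in an application log, crash dump or database column means the system is retaining magnetic-stripe data and the writing component needs to be fixed, not just the log cleaned.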

WEB/ONLINE WALLETS: This is a program or web service that allows users to store and control their online shopping information, like logins, passwords, shipping address, and credit card/bank details, in one central place. It also provides a convenient and technologically quick method for consumers to purchase products from any person or store across the globe. Such examples of web wallets are PayPal, Google Wallet, and Venmo. We can use such wallets for many purposes that will be discussed in further guides.

SKIMMER: This is a device made to be affixed to the mouth of an ATM and secretly swipe credit and debit card information when bank customers slip their cards into the machines to pull out money. Skimmers have been around for years, of course, but fraudsters are constantly improving them. Card skimming accounts for more than 80 percent of ATM fraud. Some sophisticated skimmers are even able to transmit stolen data via text message.

EMBOSSER: A device that stamps the cards to produce the raised lettering of the CVV holder’s name, card number, etc.

TIPPER: A device that adds gold/silver accents to the embossed characters.

MSR (MAGNETIC STRIPE READER/WRITER): Used by fraudsters to write dumps into actual physical blank cards or gift cards (and driver’s licenses, student IDs, etc.). If you want to use blank white cards, you will need a printer for the card template, embosser, and tipper, which can be pretty expensive; however, it is worth it if you know how to correctly use these things.

POS (POINT-OF-SALE) SYSTEM: This is the time and place where a retail transaction is completed. At the point of sale, the merchant calculates the amount owed by the customer, indicates that amount, may prepare an invoice for the customer (which may be a cash register printout), and indicates the options for the customer to make payment. It is also the point at which a customer makes a payment to the merchant in exchange for goods or after the provision of a service. After receiving payment, the merchant may issue a receipt for the transaction.

ACH: This stands for Automated Clearing House, which is an electronic network for financial transactions in the United States. ACH processes large volumes of credit and debit transactions in batches. ACH credit transfers include direct deposit, payroll and vendor payments. Moving money and information from one bank account to another is done through Direct Deposit or via ACH transactions, credit or debit. This is used a lot by fraudsters to siphon money out of the bank accounts of unsuspecting victims, which is extremely easy.

Part 2: Read Now…

Akalanka Ekanayake (https://akalanka.uk)
Security Researcher & Explorer
