Credit (or debit) cards have been well-known ways of payment in the traditional retail system since what seems like forever. Still, the general public doesn’t seem to be familiar enough with the basic notions and the payment process via credit/debit cards. The intention of this text is to rectify that by explaining the important steps in the traditional way of using credit/debit cards.

HARDWARE

Anyone can make a credit card and take money off of it today. All that it takes is a machine able to write data onto magnetic stripes. Its name is MSR206, a device which can write, read and erase magnetic stripes. Of course, it’s far from being the only one; MSR200, MSR100 and MSR120 are very similar and the differences consist of minor details in functionality most of the time.

This device costs around 600 dollars, and fraudulent users have been known to make more than 100.000 dollars off of them! When the device is ordered, the software used to write, erase and read magnetic stripes is delivered along with it. This machine can only manufacture the simplest bank cards (with nothing but a magnetic stripe on the back), but that’s enough to perform frauds.

Something much better and more interesting (to fraudulent users trying to acquire funds illegally) are ordinary blank cards, pieces of white plastic, which can be transformed into a bona-fide copy of any bank card. The name of the device used for this purpose is DTC550, containing both the laminator and the embosser. Just like the previous device we’ve described, this one also comes with software and all required components to make bank cards. This one is much more expensive, though, with the price varying between 3000 and 5000 euros, and it can be legally obtained in a number of countries. As we’ve already said, it can be used to make functional copies of any ordinary bank card, all that it takes is for a name to be embossed into it. It can be used in absolutely the same way as the original, for instance, for taking money at ATMs or shopping.

…AND DATA

Manufacturing functional fake bank cards takes more than just the required device. The data also has to be correctly read from the original and written to the copy. This data is usually referred to by hackers as “dumps” and “track1-track2”. This is what a dump looks like:

4980004091018042=09091010000040000000

The first section (4980004091018042) is the credit card number, containing 16 digits. For instance, all VISA cards start with 4, MasterCard ones with 5, and American Express ones with 6. The first six digits (in our case, 498000) are what hackers refer to as “bin”. This data yields the name of the issuing bank. In our case, 498000 is the bin of Sumitomo Mitsui Card Company Limited, located in Japan.

The second part of the number (09091010000040000000) is an algorithm or key used to verify the card through banking systems, whether the transaction is performed through an ATM, POS terminal or in some other way. The first four digits (0909) are the expiry date. In our case, that would be September 2009.

Here’s an example of what track1 and track2 look like:

4417123041582296=080110110978642?;B4417123041582296^ORLOFF/LANCE^0801101109781100000000642000000?

Track1 is mostly the same as the dump, while track2 is similar, but with the name of the cardholder encrypted into it. Most of the time, only track1 is recorded onto the card, with track2 and track3 possibly present as well, but not at all mandatory.

HOW TO GET DUMPS?

Dumps are usually found at places where hackers and “carders” (a particular type of malicious users dealing with card frauds) gather, with IRC servers being a major source as well. Many forums also contain users willing to sell dumps. Of course, we can’t provide the info as to the locations where you could obtain such data, we’ll just give you an idea of the prices involved, according to the price list of one of the best sellers of this type of info in the world, a Russian hacker who’s been dealing in this business for nearly a decade. Standard EU cards are worth 20 dollars, European Gold/Platinum cards are 50, Corporate/Business cards are 80, while Infinity cards dumps are estimated at 250 dollars. American, Australian and Asian card dumps go for around 15 dollars.

Another way of collecting info is “skimmed dumps”. This info is always the best since it’s the freshest and 100% functional. Skimmed dumps can be collected in a few ways, one of which is by using a skimmer. Skimmers are small devices installed onto ATMs, usually imperceptibly. This is how the original dump is collected. Skimmers exist in two versions, with older generations stealing only the dumps, while the newer variants also memorise the PIN code entered for card activation. These dumps are 100% current, and suffice to say that they exist even in portable versions no larger than a lighter, able to memorise up to 2000 skims.

The cheapest, but hardly the safest way is collecting data on the users themselves. One can find data on ordinary Visa, MasterCard or American Express users for three to five dollars. The purchased data includes the name of the cardholder, his/her address, phone number, e-mail address, credit card number, expiry date and the verification number, called CVV2. This is approximately half the dump; the only thing missing is the algorithm. The algorithm itself is the key of banking systems, whether for ATMs or POS terminals in stores.

These are generally difficult to acquire, since algorithms are changed on a monthly basis. The “problem” is solved by buying algorithms which determine the algorithm according to the CVV2 data from a particular card.