2. Who am I
   - Blogger (blog.synopsi.com)
   - Slovak
   - Independent security consultant (synopsi.com)
   - Twitterholic (almost 6 500 tweets in a year and a half)
   - Technologist
3. Before we start … a little survey
   - Do you know the difference between a credit and a debit card?
   - Do you have one or two debit or credit cards?
   - Do you have more than two cards?
   - Do you know what a credit card number means?
   - Did somebody steal money from your card?
4. History of Credit Cards
   - First credit card (1920s in US)
   - Diners Club (1950): first modern credit card company
   - American Express (1958)
   - BankAmericard (1958), later Visa
   - Everything Card (1967), later Master Charge (1969), later Master Card (1979)
16. Card number
   - Numbers on all magnetic stripe identification cards are generated according to ISO/IEC 7812
   - Almost every issued card number can be validated with the Luhn “mod 10” algorithm
   - You can check your card via IS (BIN) on http://bins.bankinfo.sk
23. Card security elements: Magnetic Stripe
   - Track 1: B4888603170607238^Head/Potato^050510100000000001203191805191000000
   - Track 2: 4888603170607238=05051011203191805191
   - Track 2 plus/se (Track 3): 014888603170607238==0401000000000000003000000000000007020===0=
   - Track 2 can be generated manually from Track 1 and vice versa. Track 3 can also be generated from Track 1, but not vice versa.
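
A defender-side use of the Luhn “mod 10” check and the fixed Track 2 layout shown above: a scanner that finds Track 2 strings left behind in application or POS logs and masks them. This is an added example, not part of the original slides; the function names and log lines are constructed, and 4111111111111111 is a common test number rather than a real card.

```python
import re

# Track 2 shape: PAN, '=', YYMM expiry, 3-digit service code, discretionary digits.
TRACK2_RE = re.compile(r"(?<!\d)(\d{12,19})=(\d{2})(\d{2})(\d{3})\d*", re.ASCII)

def luhn_valid(pan: str) -> bool:
    """Luhn "mod 10": double every second digit from the right, then sum."""
    if not (pan.isascii() and pan.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def _is_card(m) -> bool:
    # A plausible expiry month plus a passing Luhn check cuts false positives.
    return 1 <= int(m.group(3)) <= 12 and luhn_valid(m.group(1))

def scan_line(line: str) -> list:
    """Return one finding (masked PAN, expiry, service code) per Track 2 hit."""
    return [{"pan": mask_pan(m.group(1)),
             "expiry": f"{m.group(3)}/{m.group(2)}",
             "service_code": m.group(4)}
            for m in TRACK2_RE.finditer(line) if _is_card(m)]

def redact(line: str) -> str:
    """Replace each Track 2 hit with its masked PAN and a marker."""
    return TRACK2_RE.sub(
        lambda m: mask_pan(m.group(1)) + "=[TRACK2 REDACTED]" if _is_card(m) else m.group(0),
        line)

# Constructed log lines for the example.
SAMPLE_LOG = [
    "12:00:01 pos-gw DEBUG swipe raw=;4111111111111111=30121010000000000000?",
    "12:00:02 pos-gw DEBUG swipe raw=;4111111111111112=30121010000000000000?",  # fails Luhn
    "12:00:03 pos-gw INFO order id=778812 total=19.90",
]

if __name__ == "__main__":
    for number, line in enumerate(SAMPLE_LOG, 1):
        for finding in scan_line(line):
            print(f"line {number}: {finding}")
            print("  redacted:", redact(line))
```
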
24. Card security elements: Chip
   - More secure than magnetic stripe
   - Same chip as in GSM SIM cards (not encryption)
   - Data encrypted with 3DES or RSA
   - Key set is usually loaded (DES) or generated (RSA)
   - After decryption, there are tracks similar to those on the magnetic stripe
   - Chip (Track 2):
     4974101234567890=0810221xxxxxx4060000
     4970891234567890=0909221xxxxxx3000000
   - Magnetic (Track 2):
     4974101234567890=0810221xxxxxx0210000
     4970891234567890=0909221xxxxxx3370000
25. Card security elements: 3-D Secure
   - XML-based protocol
   - Always uses an SSL connection
   - You are buying something from a merchant
   - The merchant redirects you to the payment processor page (encrypted)
   - You enter your card information (encrypted)
   - The payment processor checks whether your card is valid for VBV/MSC/JSC
   - If it is, it redirects you to the card issuer's website (your bank). Many banks outsource this step, so you may be redirected to a different website (encrypted)
   - You are prompted to fill in a form (if you are there for the first time) or to enter a password (SMS code, etc.) (encrypted)
   - If verification passes, you are redirected back to the payment processor website, which checks the card data you supplied (encrypted)
   - In the last step you are redirected back to the merchant website
26. Card transactions
   - ATM, POS and Internet payments work very similarly; there are only small differences
   - You give your card to a merchant
   - He puts it into the POS terminal
   - The POS terminal sends the important information to the payment processor (encrypted)
   - The payment processor checks who the issuer is and asks it whether your card is OK and whether you have enough money for this transaction (encrypted)
   - The bank sends a response (only YES or NO) to the payment processor (encrypted)
   - The payment processor sends the response to your merchant (encrypted)
   - If the response is positive, you get your stuff
27. Frauds
   - There are many ways to steal from people
   - But there are only a few ways to cash out money from stolen cards
   - There is a brand new business just for this
   - In this part you will see the business models of thieves
   - You will see real-life examples from real businesses used by these people
37. Business models
   - Universal business model for getting cash from stolen credit cards
   - Sometimes one person is able to fill several positions
38. Position: Hacker
   - His job is to get credit cards with all accessible information
   - Medium-danger position
   - As a “freelancer” he gets only approximately $1 for each working card
   - In a group he gets the smallest cut
   - How does he get credit cards?
     - SQLi on websites (mostly eShops)
     - Hacking payment processors (millions of cards)
     - Eavesdropping on traffic in malls
   - All cards are checked before selling
39. Hacker’s Pricelist
   - Talking about a “freelancer”
   - Prices mostly depend on the amount of information
   - He can get much more if he can provide information like the balance of credit on the card, SSN, DOB, MMN, etc.
   - All cards are checked before selling
40. Position: Skimmer
   - His job is to get card information from the magnetic stripe / chip / RFID
   - Very dangerous position
   - As a “freelancer” he gets approximately $25 for each working card
41. Skimmer’s Pricelist
   - Talking about a “freelancer”
   - Price depends on the type of card, the issuing country and the bank
   - He can get much more if he can provide information about the balance
   - Price also depends on the source of the card (hotels have high value, restaurants have low value, …)
   - All cards are checked before selling
47. Position: Phisher/Visher
   - His job is to get information about cards by using social engineering
   - Low-danger position
   - Success rate is only 0.001% of all sent emails (depends on the quality of the email and the site)
   - He mostly gets all information about the card and its owner (known on the black market as Fullz, highly valuable cards)
   - In 65% of cases he also gets access to the owner's email, and in 47% the target site is PayPal
   - Vishing is a form of phishing, but over the phone (much more successful)
48. Phisher’s Pricelist
   - Talking about a “freelancer”
   - Highly valuable cards
   - Cards are mostly sold together with PayPal, MoneyBookers, eBay, RapidShare, … accounts
   - Declined Fullz can be used for shopping with “Bill Me Later, PayPal Later, …”
   - All cards are checked before selling
   - Talking about Fullz (SSN, DOB, MMN, PIN, …)
54. Mail discussions [access only for invited people]
   - To get access to private black markets you need to be invited by 5 or more people and pay from $1 000 to $10 000
57. Liberty Reserve (very similar to eGold, but HQ is in Costa Rica)
   - An exchange service can be used to cover identity much better; it transfers money from one service to another in a few seconds for big fees (5% - 25%, depending on the services)
   - There are more than 500 exchange services, and 95% are from China, Russia, Costa Rica, Belize, Seychelles, etc.
   - Many rippers (fraudsters) on ordinary black markets
60. Position: Buyer / Cashier
   - His job is to use cards to buy stuff delivered to a safe drop
   - Low-danger position
   - Must have very good skills and know the security of payment gateways and eShops
   - Many times he needs to confirm orders with additional information about the card owner, like background, SSN, MMN, DOB
   - Sometimes he needs to confirm orders in a phone conversation
   - Buyers mostly have very good access to all information from 3rd party services
   - They have access to highly valuable proxies, which can be chosen by country and city and are also highly anonymous (not sending any proxy identifiers)
   - If they are independent, they ask for 10% - 25% of the goods' price
   - If they work in a group, they get 30% - 60% of the sale prices
61. Position: Drop
   - His job is to pick up money or ordered goods
   - Very dangerous position
   - Safe drops for money are used for wire transfers or Western Union orders
   - Often the drop for Western Union is a WU agent in a country like Thailand, Indonesia, India, etc.
   - Good drops often use homeless or asocial people to pick up goods from UPS, FedEx or the post
   - Independent drops take 20% - 50% of the goods or money
   - In a group they take 20% - 40% of the goods' selling price or of the money
   - They also cash out skimmed cards
   - Mostly in countries like Thailand or Italy, because of country blocks (many US, AU, CA, … cards are blocked for countries like Germany, Slovakia, Russia, etc.; the card owner can withdraw money from the card in a bank with the assistance of bankers)
63. How to get cards
   - The most common way is to hack an eShop
   - The most popular technique is SQLi
64. How to check card validity
   - The most common way is to use the “Donate us” form on any foundation website to make a payment of a small amount ($0.1 - $15)
   - Much more sophisticated is to use three-step payment processors, which tell in the first step whether a card is valid, in the second check AVS (address verification system), i.e. whether the address and ZIP match those on the card, and in the third try to make the payment
   - A hacker can stop after the first or second step and not make a payment on the card
   - This gives a bigger chance of not losing the card
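
Seen from the merchant or processor side, the checking pattern described above shows up as one source trying many different cards with tiny amounts or with flows abandoned before the payment step. The following detection rule is an added example, not part of the original slides; the event fields, thresholds, card tokens and addresses are assumptions made up for the illustration.

```python
from collections import defaultdict, deque

SMALL_AMOUNT = 15.00  # upper end of the small amounts named on the slide
WINDOW_S = 600        # assumed sliding window, in seconds
MIN_CARDS = 3         # assumed threshold: distinct cards per source in the window

def is_probe(ev: dict) -> bool:
    """A small payment, or a flow that stopped at validation or AVS."""
    return ev["stage"] != "pay" or ev["amount"] <= SMALL_AMOUNT

def detect_card_testing(events: list) -> dict:
    """Return {source: sorted card tokens} for sources that reach the threshold."""
    recent = defaultdict(deque)  # source -> deque of (timestamp, card token)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_probe(ev):
            continue
        queue = recent[ev["src"]]
        queue.append((ev["ts"], ev["card"]))
        while ev["ts"] - queue[0][0] > WINDOW_S:  # drop entries outside the window
            queue.popleft()
        cards = {card for _, card in queue}
        if len(cards) >= MIN_CARDS:
            flagged.setdefault(ev["src"], set()).update(cards)
    return {src: sorted(cards) for src, cards in flagged.items()}

def ev(ts, src, card, stage, amount):
    return {"ts": ts, "src": src, "card": card, "stage": stage, "amount": amount}

# Constructed events; "card" is a token or hash, never the card number itself.
SAMPLE_EVENTS = [
    ev(0,    "203.0.113.7",   "tok_a", "pay",      1.00),
    ev(60,   "203.0.113.7",   "tok_b", "avs",      0.00),
    ev(120,  "203.0.113.7",   "tok_c", "validate", 0.00),
    ev(180,  "203.0.113.7",   "tok_d", "pay",      5.00),
    ev(30,   "198.51.100.20", "tok_x", "pay",     10.00),  # one donor, one card
    ev(4000, "198.51.100.20", "tok_x", "pay",     10.00),
    ev(0,    "192.0.2.5",     "tok_p", "pay",      5.00),  # three cards, hours apart
    ev(3000, "192.0.2.5",     "tok_q", "pay",      5.00),
    ev(7000, "192.0.2.5",     "tok_r", "pay",      5.00),
    ev(90,   "192.0.2.9",     "tok_z", "pay",    249.00),  # normal purchase
]

if __name__ == "__main__":
    for src, cards in detect_card_testing(SAMPLE_EVENTS).items():
        print(f"possible card testing from {src}: {len(cards)} cards {cards}")
```
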
65. How to get SSN, DOB, …
   - In the US, UK, DE, etc., law enforcement officers, firefighters, hospital doctors, social security employees and lawyers have access to this information
   - There are always people who want to make more money
73. How to get a proxy for an exact city
   - Every buyer/carder needs a good proxy for the exact city in the exact country/state of his stolen credit card
   - Many eShops and payment processors use GeoIP localization
   - Anyone can buy proxies from a specialized Russian service, which uses a botnet to provide SOCKS 5 proxies
   - They can be ordered by country, state, city and speed
   - They offer approximately 250 000 working proxies from almost every country in the world
75. They use 3-D Secure, and every order must be confirmed online via phone.
76. The phone number must be the same as in the credit card file in the issuer's database, and they ask for background information (if it’s available).
77. The cashier needs access to a good VoIP service to change the displayed number and good information about the card owner (including background), and there must also be a very good drop to receive the money.
78. Often the drop is a genuine Western Union agent in countries like Thailand, India, China, etc.
80. …and if you are asking yourself “Why would somebody risk a long jail time?”, here is the answer