Plastic cards are one of the most widely used and convenient alternatives to
cash as a mode of payment.
This mode of payment is now accessible to the general population in almost all major geographical locations around the globe.
Its ease of use and portability make it a preferred mode of financial dealing. Such efficiency cannot be achieved without the presence of a large networked ecosystem connected through nodes of various computational devices.
But, where there are computers and networks, there are hackers.
Carding forums (the popular name), or dedicated websites for selling credit and
debit card data, are the most popular means of connecting with the mass of
newbies and the elite group of people who have adopted this fraud as their
full-time profession. These forums are pretty similar in design and format, but
what sets them apart is their source of dumps.
Credit/Debit card: A monetary instrument, often referred to as plastic cash, used
to make payment for goods purchased. A Debit card is linked with the user’s bank
account and can be used to purchase goods whose value does not exceed the amount
of money in the linked account. A Credit card purchase is a temporary loan, wherein the bank pays for the purchase value and recovers the cost from the user later
on. Credit cards also have a specific monetary limit.
PIN (Personal Identification Number): A personal numeric value used to
validate the card owner.
CVV/CVV2: A 3- or 4-digit number printed on the card. This number is used as an
additional verification point to validate the cardholder.
BIN (Bank Identification Number): The first six digits of the card number, which
are used to identify the issuing bank and, in certain cases, the type of card.
Card brands: Refers to the authorized companies whose network is used to
facilitate the interaction between acquirer and issuer. Popular brands include Visa,
Mastercard and American Express (Amex). A card starting with a 4 is a Visa, with a
5 is a Mastercard and with a 3 (15 digits long) is an Amex. A comprehensive list is
provided later in the paper.
Buyer/Consumer: The cardholder who purchases the goods and uses card for
Merchant: Goods and service provider who accepts cards as a mode of payment.
Acquirer Bank: The bank responsible for processing the merchant’s credit card
transactions with the buyer.
Issuer Bank: The bank that issues the credit card to the consumer.
POS (Point Of Sale): POS machines are the card reading devices used to carry out
the monetary transaction between the buyer and merchant.
Magnetic Strip: The black strip on the back of the credit/debit card that stores
various details required during a financial transaction.
Tracks: Information on the magnetic strip is saved on tracks 1, 2 and 3. The first
two tracks are generally used to store details like the account number, owner
name etc. The 3rd track is optional and used for storing additional data.
The Underground Ecosystem Of Credit Card Frauds – BlackHat, Asia 2015 3
Card dumps: The raw unencrypted data extracted from the temporary
storage (RAM) of POS devices. These dumps carry the information written on tracks 1
and 2 that is read by the POS device while making transactions.
Card reader/Writer: A piece of hardware and software that is used to write
data onto the magnetic strip of the plastic card. MSR-206 is the most popular
encoder used for writing data onto cards.
Carder: Is the individual who uses the stolen plastic card information to carry out
Runner: The individual/group who uses the counterfeit cards to cash out from
Dropper: The drop point for goods purchased online. The Dropper is usually an
individual whose sole purpose is to receive the ordered item and deliver it to the
carder in return for cash or other goods.
Shopper: The individual/group that does in-store shopping with counterfeit
cards. These shoppers also carry fake IDs to make the fraud look more legitimate.
Usually the carder can himself be a shopper or a runner.
EMV: EMV or Chip-and-PIN cards are an alternative solution to swipe cards, which
store data on a chip in an encrypted manner. Even though the storage mechanism
is encrypted, POS-based malware can still steal the data once it is decrypted in the
Contactless RFID cards: Another enhancement to traditional magnetic strip based
cards. In RFID enabled cards, the buyer can pay for the goods by simply waving the
card close to the POS terminal.
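
For defenders, the BIN, card brand and card dump definitions above translate directly into a log-scrubbing check. The Python below is an added example, not code from the original paper: it finds candidate card numbers in constructed sample log lines, labels the brand with the glossary's leading-digit rule, and masks everything except the BIN and the last four digits. The Luhn checksum, the 13 to 19 digit length range, the first-six/last-four masking convention and all function names are assumptions that do not come from the paper.

```python
import re

# Candidate runs of 13-19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum (assumption: not described in the paper)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def brand(digits: str) -> str:
    """Brand by leading digit, using only the rule of thumb from the glossary."""
    if digits[0] == "4":
        return "Visa"
    if digits[0] == "5":
        return "Mastercard"
    if digits[0] == "3" and len(digits) == 15:
        return "Amex"
    return "unknown"

def mask(digits: str) -> str:
    """Keep the BIN (first six) and the last four digits, hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scrub(line: str):
    """Return (scrubbed_line, findings); findings holds (brand, BIN) per masked number."""
    findings = []
    def repl(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)               # order ids and similar stay untouched
        findings.append((brand(digits), digits[:6]))
        return mask(digits)
    return CANDIDATE.sub(repl, line), findings

# Constructed sample log lines; the card numbers are public test numbers.
SAMPLE = [
    "2015-03-26 pos01 auth ok pan=4111111111111111 amt=12.50",
    "2015-03-26 pos02 auth ok pan=5555-5555-5555-4444 amt=80.00",
    "2015-03-26 pos02 auth ok pan=378282246310005 amt=9.99",
    "2015-03-26 pos03 order=1234567890123456 shipped",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(scrub(line))
```

The findings list gives a count of unmasked numbers per brand and BIN without the full number ever being written to the report.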
Below is a further look at the key discussion points.
Let’s get started!