The Underground Ecosystem Of Credit Card Frauds | The Carding World

Use of Plastic cards as a mode of payment is one of the most widely used and
convenient alternatives to cash.

This mode of payment is now accessible to the common population of almost all the major geographical locations on our globe.

Its ease of use and portability makes it a preferred mode of financial dealing. Such efficiency cannot be achieved without the presence of a large networked ecosystem connected through nodes of various computational devices.

But, where there are computers and networks, there are hackers.

Carding forums (popular name) or dedicated websites for selling credit and debit
card data are the most popular means of connecting with the mass newbie and
elite group of people who have adopted this fraud as their full time profession.
These forums are pretty similar in design and format, but what sets them apart is
their source of dumps.

Key Vocabularies

  • Credit/Debit card: A monetary instrument, often referred to as plastic cash, used

    to make payment for goods purchased. A Debit card is linked with the user’s bank
    account and can be used to purchase goods worth value not exceeding the amount
    of money in the linked account. A Credit card is a temporary loan purchase; wherein the bank pays for the purchase value and recovers the cost from the user later
    on. Credit cards also have specific monetary limit.

  • PIN (Personal Identification Number): A personal numeric value used to
    validate the card owner.

  • CVV/CVV2: 3 or 4 digit number printed on the card. This number is used as an
    additional verification point to validate the cardholder.

  • BIN (Bank Identification Number): The first six numbers of the card that is used
    to identify the issuing bank and in certain cases, the type of card.

  • Card brands: Refers to the authorized companies whose network is used to
    facilitate the interaction between acquirer and issuer. Popular brands include Visa,
    Mastercard and American Express (Amex). A card starting with a 4 is a Visa, with a
    5 is a Mastercard and with a 3 (15 digits long) is an Amex. A comprehensive list is
    provided later in the paper.

  • Buyer/Consumer: The cardholder who purchases the goods and uses card for

  • Merchant: Goods and service provider who accepts cards as a mode of payment.

  • Acquirer Bank: The bank responsible for processing the merchant’s credit card
    transactions with the buyer.

  • Issuer Bank: The bank that issues credit card to the consumer.

  • POS (Point Of Sale): POS machines are the card reading devices used to carry out
    the monetary transaction between the buyer and merchant.

  • Magnetic Strip: The black strip on the backside of the credit/debit card that stores
    various details required during financial transaction.

  • Tracks: Information on the magnetic strip is saved on tracks 1,2 and 3. The first
    two tracks are generally used to store the details like account number, owner
    name etc. The 3rd track is optional and used for storing additional data.
    The Underground Ecosystem Of Credit Card Frauds – BlackHat, Asia 2015 3

  • Card dumps: The raw un-encrypted data extracted from the temporary
    storage(RAM) of POS devices. These dumps carry information written on tracks 1
    and 2 that are read by the POS device while making transactions.

  • Card reader/Writer: Is a piece of hardware and software that is used to write
    data onto the magnetic strip of the plastic card. MSR-206 is the most popular
    encoder used for writing data over cards.

  • Carder: Is the individual who uses the stolen plastic card information to carry out
    fraudulent transactions.

  • Runner: The individual/group who uses the counterfeit cards to cash out from

  • Dropper: The drop point for goods purchased online. The Dropper is usually an
    individual whose sole purpose is to receive the ordered item and deliver to the
    carder in return for cash or other goods.

  • Shopper: Is the individual/group that does in-store shopping with counterfeit
    cards. These shoppers also carry fake IDs to make the fraud look more legitimate.
    Usually the carder can himself be a shopper or a runner.

  • EMV: EMV or Chip-and-Pin cards are an alternative solution to swipe cards, which
    stores data on a chip in an encrypted manner. Even though the storage mechanism
    is encrypted, POS based malwares can still steal the data once it is decrypted in the

  • Contactless RFID cards: Another enhancement to traditional magnetic strip based
    cards. In RFID enabled cards, the buyer can pay for the goods by simply waving the
    card close to the POS terminal.

Below is the further understating the key discussion points.	

Let’s get started!

The Underground Ecosystem Of Credit Card Frauds The Carding World (722.1 KB)



Thanks man :sailboat:

1 Like