Home    Training    Downloads    Tutorials    Arbitary    Get Fate    Proxy Info
 
Training session 18: Credit Card's
Difficulty: Medium
Learn how Credit Card Fraud is Commited
Creator: m101


Note: The methods used by carders these days have quite dramatically changed making this a bit out of date. When I have some time I will bring it upto date...

Have you ever wandered how so many credit card fraud's are almost allowed to happen without much trouble at all? Or have you wondered why some people will trade cc (credit card) numbers like baseball cards over the net? To put it simply, they are easy to rip off, much easier than PIN cards, or stealing stocks. Cc's arent safe to use, the algorithm used to create them is way too simply validated, and the schemes put in place to withdraw money from them does not even include some for of PIN number or password.

If i wanted to purchase a book over the net, lets look at what information we provide for the purchase:

Card Holders Name
Credit Card Number
Expiry Date

Nothing is trivial to get, all of it is printed directly on the card, and on the transaction paper. If you were to retrieve this information, there is normally only one safe guard against making large withdrawal's. In some banks, all transactions over $500 are verified by a phone call to the owner of the card, this means any purchases over $500 probably wont succeed. It is best to target items that are relatively cheap, around the $300 mark to make sure this never happens, and use the card number over a few days.

If you ever plan on using cc numbers illegally, make sure you take all of the precautions to make sure you never get caught. Do not supply your own mailing address, rather get it sent to a vacant house, or somewhere that you do not have to provide an identity to pickup items. Use proxies at a minimum to order the items thru, never make a direct connection to the target. Basically never leave your own name, or you IP address anywhere that can be associated with the cc you use.

To validate a credit card number, and follow the these steps:

Step 1. Take a credit card number:
4940 5266 1029 1634

Step 2. Split it up into seperate numbers and remove the last number leaving the following:
4
9
4
0
5
2
6
6
1
0
2
9
1
6
3

Step 3. Double every odd number:
8 Doubled
9
8 Doubled
0
10 Doubled
2
12 Doubled
6
2 Doubled
0
4 Doubled
9
2 Doubled
6
6 Doubled

Step 4. Split all numbers over 10 into two seperate numbers, for example 15 would be split into 1 and 5:
8
9
8
0
1 Split
0 Split
2
1 Split
2 Split
6
2
0
4
9
2
6
6

Step 5. Add these numbers up and you should be left with:
66

Step 6. Divide the answer by nine, and then remove everything after the decimal point, for example 5.3 would become 5:
66/9
=7.333
=7

Step 7. Multiply the result by 10:
7*10
=70

Step 8. Subtract the original number from step
70-66
=4

Step 1. If the last number of the original string is equal to the answer then the card is valid:
4940 5266 1029 163[4] Last Number
4=4
Valid Number!

Notice that if you were to increment that number by one from '4940 5266 1029 1634' to '4940 5266 1029 1635', the number would be invalid, same with every other number except the one.

The first Number must be a '4' otherwise the number is not valid. This entire process can be sped up by using the following program written in Turbo Pascal:

program cc;
var a:string[16];
var c:char;
var t:word;
var x,m,n:byte;
var valid:boolean;

begin
valid:=false;

{Credit card number to validate}
a:='4842134679851247';

c:=a[length(a)];
writeln(length(a));
dec(a[0]);
m:=2;
t:=0;
for x:=length(a) downto 1 do
begin
n:=(byte(a[x])-48);
n:=n*m;
if n>9 then
begin
n:=n-10;
inc(t);
end;
t:=t+n;
m:=3-m;
end;
t:=(trunc((t+9)/10)*10)-t;
writeln('Answer: ',t);
writeln;
if t=(byte(c)-48) then valid:=true;
writeln(valid);
end.

Nearly random credit card numbers can be generated by using this algorithm, substitute a random number beginning with '4' into the number, run the program and check what the answer is, then just change the last number to the answer. For example '4345789154276147' returns '5', so all we do is change the last number to '5' making our valid number '4345789154276145'.

Credit cards can be stolen from databases on web sites, or directly from working at places that use credit cards. There are many sources so just be imaginative.

An example situation is the following:

Our target criminal works LameTeck furniature store. A customer from this store purchases a nice lounge on his credit card. LameTeck still uses carbon copies to make credit card payments. The carbon copy is thrown in the bin and while our criminal is emptying the bin he takes the carbon paper for himself. Later that night the criminal purchases himself a laptop computer from Acer over the net. He has is mailed to his own house. Three days later four cops bust thru his door at two in the morning and hold a gun to his head. This is an example of how not to commit credit card fraud.

Here is another example:

Our taget joe has just hacked the website of Electonics Boutique, and claimed himself a nice database of ninety credit card numbers from the online order section of the site. Joe clears his tracks, and hides any evidence of his existence. He DOES NOT deface the website. Over the next four days joe take orders from five of his mates for a selection of electronic goods, he arranges payment well before the delivery. Joe continues to create a fake ID for each of his friends under the name of the chosen credit card. Later that night joe arranged the delivery of a Portable MP3 Player from five diferent stores, each to be mailed to his local post office. Each player costs $400 US. Five days later joe gives each of his friends a fake ID along with instruction to pickup their purchase from the post office, joe makes $150 from each of his friends. Immediately joe goes down to his local shop and legally purchases the exact MP3 player he purchased from his friends. Since joe never gave any real details, he never gets in trouble with the police, and if somehow he is found, he has a purchased item with a proper receipt proving that he did not steal the MP3 player, and therefore did not purchase any off the net. If one of the players is traced back as being stolen, joe is also only done for stealing one player, and since he has one player which is already purchased the evidence is deamed false. Joe removes all traces of the database he hacked, and sells the remaining cards to a trusted friend for their own personal use.

The second case goes more into not getting caught than is usually needed, but joe is smart, and therefore does not get caught. The process is so simple that nearly any school kid with an internet connection, and a reasonably populated neighbourhood can succeed. Hopefully you will be discouraged to ever get a credit card now, or if you already have one, to burn it.
Name

URL or Email

Message