
Credit Cards Frauds

Rastislav Turek
March 22, 2013

Did you ever wonder, how a digital thief can steal money from your credit card? This talk gives you answers not only for this particular question.


Transcript

  1. Who am I
     • Blogger (blog.synopsi.com)
     • Slovak
     • Independent security consultant (synopsi.com)
     • Twitterholic (almost 6 500 tweets in a year and a half)
     • Technologist
  2. Card security improvements
     • Personal
       − Signing from 1920
       − Magnetic stripe from 1966
       − PIN from 1967
       − Chip and PIN from 2003
     • Internet
       − CVV/CVV2/CSC/CVVC/CCV
         ― MasterCard from 1997
         ― Visa from 2001
       − 3-D Secure from 2004
         ― Verified by Visa
         ― MasterCard SecureCode
         ― J/Secure
     • Global
       − PCI Security Standards Council (2006)
         ― Payment Application Data Security Standard
  3. Card types
     • Debit card [your money]: funds are withdrawn directly from the customer's bank account
     • Credit card [bank money]: funds are withdrawn directly from the bank's account and loaned to the customer
     Widely used:
     • Classic                  Limit: $100 < $2 000
     • Gold                     Limit: $500 – $15 000
     • Business                 Limit: $500 – $25 000
     • Platinum                 Limit: $1 000 < $100 000
     • Amex Black (Centurion)   Limit: "Unlimited"
     • (Airline, Charge, …)     Limit: depends on the company
  4. Issuer Identification Number
     • Previously "Bank Identification Number" (BIN)
     • This number is used to identify:
       − Country of the issuer (Slovakia, UK, USA, …)
       − Issuing bank (HSBC, Citibank, Commerce AG, …)
       − Exact card type (Credit Gold, Debit Business, …)
       − Issuer phone number for card blocking

     Issuer                       Identifier                        Card number length
     Diner's Club/Carte Blanche   300xxx – 305xxx, 36xxxx, 38xxxx   14
     American Express             34xxxx, 37xxxx                    15
     Visa                         4xxxxx                            13, 16
     MasterCard                   51xxxx – 55xxxx                   16
     Discover                     6011xx                            16
  5. Card security elements
     • PIN
       − 4-digit value; sometimes it can be chosen/changed by the user
       − Generated by encrypting the PAN (Primary Account Number) with the PGK (PIN Generation Key) using 3DES and decimalising the result at the end. Sometimes an offset is added to the original PIN.
     • CVV/CVV2/CVC/CVC2
       − Mostly a 3-digit value; only AMEX has 4 digits. Printed on the back side of the card, on AMEX on the front.
       − Generated by encrypting the PAN, service code and expiration date with the CVK (Card Verification Key) and decimalising the result at the end.
  6. Card security elements
     • Magnetic stripe
     • Track 1: B4888603170607238^Head/Potato^050510100000000001203191805191000000
     • Track 2: 4888603170607238=05051011203191805191
     • Track 2 plus/se (Track 3): 014888603170607238==0401000000000000003000000000000007020===0=
     Track 2 can be generated manually from Track 1 and vice versa. Track 3 can also be generated from Track 1, but not vice versa.

     Track 1 breakdown:
       B                               format code
       4888603170607238                PAN (Primary Account Number), mostly the credit card number
       ^                               separator
       Head                            surname
       Potato                          first name
       0505                            card expiration date
       101                             service code (tells whether the card has chip verification or not)
       00000000001203191805191000000   generated for a concrete card type from a concrete issuer
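As an added example (this code is not from the talk), the following Python parser splits the track 1 and track 2 records shown above into their fields, runs the mod-10 (Luhn) check on the PAN, looks the PAN up in the IIN table from the Issuer Identification Number slide, and returns only a PCI-style masked PAN for logging. The chip flag assumes the ISO/IEC 7813 meaning of the service code's first digit (2 or 6 = integrated-circuit card), which the slide does not spell out.

```python
import re

# Issuer prefixes and card-number lengths, as listed in the IIN table above
ISSUERS = [
    ("Diner's Club/Carte Blanche", ("300", "301", "302", "303", "304", "305", "36", "38"), (14,)),
    ("American Express", ("34", "37"), (15,)),
    ("Visa", ("4",), (13, 16)),
    ("MasterCard", ("51", "52", "53", "54", "55"), (16,)),
    ("Discover", ("6011",), (16,)),
]
# Format B track 1: [%]B<PAN>^<surname>/<first name>^<YYMM><service code><discretionary>[?]
TRACK1 = re.compile(r"^%?B(\d{13,19})\^([^^]*)\^(\d{4})(\d{3})(\d*)\??$")
TRACK2 = re.compile(r"^;?(\d{13,19})=(\d{4})(\d{3})(\d*)\??$")

def luhn_valid(pan: str) -> bool:
    digits = [int(c) for c in reversed(pan)]  # ISO/IEC 7812 mod-10 check
    total = sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
                for i, d in enumerate(digits))  # double every 2nd digit from the right
    return total % 10 == 0

def issuer_of(pan: str) -> str:
    for name, prefixes, lengths in ISSUERS:
        if pan.startswith(prefixes) and len(pan) in lengths:
            return name
    return "unknown"

def mask_pan(pan: str) -> str:
    # PCI DSS display rule: at most the first six and last four digits in the clear
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def parse_track(data: str) -> dict:
    # Accepts either a format B track 1 record or a track 2 record
    if m := TRACK1.match(data):
        pan, name, exp, svc, disc = m.groups()
        surname, _, first = name.partition("/")
        return {"track": 1, "pan": pan, "surname": surname, "first_name": first,
                "expiry": exp, "service_code": svc, "discretionary": disc}
    if m := TRACK2.match(data):
        pan, exp, svc, disc = m.groups()
        return {"track": 2, "pan": pan, "expiry": exp, "service_code": svc,
                "discretionary": disc}
    raise ValueError("not a recognised track 1 or track 2 record")

def summarize(track1: str, track2: str) -> dict:
    # Cross-check the fields both tracks share and return only log-safe values
    t1, t2 = parse_track(track1), parse_track(track2)
    shared = ("pan", "expiry", "service_code")
    return {"masked_pan": mask_pan(t2["pan"]), "issuer": issuer_of(t2["pan"]),
            "luhn_ok": luhn_valid(t2["pan"]),
            "tracks_consistent": all(t1[k] == t2[k] for k in shared),
            "chip_card": t2["service_code"][0] in "26"}  # ISO 7813: 2 or 6 = IC card
```

The sample PAN from the slide passes the Luhn check and is classified as a 16-digit Visa number; the discretionary data is parsed but deliberately left out of the summary.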
  7. Card security elements
     • Chip
     • More secure than the magnetic stripe
     • Same chip as in GSM SIM cards (not the encryption)
     • Data encrypted with 3DES or RSA
     • The key set is usually loaded (DES) or generated (RSA)
     • After decryption there are similar tracks as on the magnetic stripe
     • Chip (Track 2)
       4974101234567890=0810221xxxxxx4060000
       4970891234567890=0909221xxxxxx3000000
     • Magnetic (Track 2)
       4974101234567890=0810221xxxxxx0210000
       4970891234567890=0909221xxxxxx3370000
  8. Card security elements
     • 3-D Secure
     • XML-based protocol
     • Always uses an SSL connection
     • You are buying something from a merchant
     • He redirects you to the payment processor page (encrypted)
     • You enter the card information (encrypted)
     • The payment processor checks whether your card is valid for VBV/MSC/JSC
     • If it is OK, it redirects you to the card issuer website (your bank). Many banks outsource this step, so you may be redirected to a different website (encrypted)
     • You are prompted to fill in a form (if you are there for the first time) or to enter a password (SMS code, etc.) (encrypted)
     • If verification passed, you are redirected back to the payment processor website, which will check your supplied card data (encrypted)
     • In the last step you are redirected back to the merchant website
  9. Card transactions
     • ATM, POS and Internet payments work very similarly; there are just small differences.
     • You give the card to a merchant
     • He puts it into the POS terminal
     • The POS terminal sends the important information to the payment processor (encrypted)
     • The payment processor checks who the issuer is and asks them whether your card is OK and whether you have enough money for this transaction (encrypted)
     • The bank sends a response (only YES or NO) to the payment processor (encrypted)
     • The payment processor sends the response to your merchant (encrypted)
     • If the response is positive, you get your stuff
  10. Frauds
     • There are many ways to steal from people
     • But there are just a few ways to cash out money from stolen cards
     • There is a brand new business just for this
     • In this part you will see the business models of thieves
     • You will see real-life examples from real businesses used by these people
  11. Stealing
     • Your card can be stolen in many ways:
       ― hacked website (eshop, …)
       ― hacked payment processor
       ― hacked bank
       ― hacked mall
       ― skimming
       ― phishing / vishing
       ― stolen card
       ― malware / keylogger
       ― generated card
     http://www.ic3.gov/media/annualreports.aspx
  12. Position: Hacker
     • His job is to get credit cards with all accessible information
     • Medium-danger position
     • As a "freelancer" he gets only approximately $1 for each working card
     • In a group he gets the smallest cut
     • How does he get credit cards?
       • SQLi (on websites, mostly eShops)
       • Hacking payment processors (millions of cards)
       • Eavesdropping on traffic in a mall
  13. Hacker's Pricelist
     • Talking about a "freelancer"
     • Prices mostly depend on the amount of information
     • He can get much more if he can provide information like the balance of credit on the card, SSN, DOB, MMN, etc.
     • All cards are checked before selling

     Credit card country   Credit card type   Additional info (SSN, DOB, …)             Price
     USA                   Credit             SSN +$2–$10; DOB +$2–$10; PIN +$10–$30    $1–$25
     USA                   Debit              SSN +$2–$10; DOB +$2–$10; PIN +$10–$30    $0.3–$15
     UK                    Credit             DOB +$5–$25; PIN +$10–$30                 $3–$50
     UK                    Debit              DOB +$5–$25; PIN +$10–$30                 $2–$25
     Others EU             Credit             DOB +$25–$50; PIN +$10–$30                $5–$50
     Others EU             Debit              DOB +$25–$50; PIN +$10–$30                $3–$50
  14. Skimmer's Pricelist
     • Talking about a "freelancer"
     • Price depends on the type of card, issuing country and bank
     • He can get much more if he can provide information about the balance
     • Price also depends on the source of the card (hotels have high value, restaurants have low value, …)
     • All cards are checked before selling

     Credit card country   Credit card type   Price if balance is known   Price
     USA                   Credit             3% – 10% of balance         $25 – $500
     USA                   Debit              3% – 10% of balance         $25 – $200
     UK                    Credit             3% – 15% of balance         $50 – $500
     UK                    Debit              3% – 15% of balance         $25 – $250
     Others EU             Credit             3% – 15% of balance         $50 – $500
     Others EU             Debit              3% – 15% of balance         $25 – $250
  15. Phisher's Pricelist
     • Talking about a "freelancer"
     • Highly valuable cards
     • They are mostly sold together with PayPal, MoneyBookers, eBay, RapidShare, … accounts.
     • Declined Fullz can be used for shopping with "Bill Me Later, PayPal Later, …"
     • All cards are checked before selling
     • Talking about Fullz (SSN, DOB, MMN, PIN, …)

     Credit card country   Credit card type   With email    Price
     USA                   Credit             +$30 – $150   $50 – $500
     USA                   Debit              +$30 – $150   $25 – $500
     UK                    Credit             +$30 – $150   $75 – $750
     UK                    Debit              +$30 – $150   $50 – $500
     Others EU             Credit             +$30 – $150   $75 – $750
     Others EU             Debit              +$30 – $150   $50 – $500
  16. Black Market
     • Black markets allow verified people to exchange any valuable stuff, like credit cards, fullz, emails, phishing templates, …
     • They can be found in many places
       ― IRC [any network, #ccworld]
       ― Web (mostly forums) [mazafaka.cc, cardingzone.org, …]
       ― SILC (most exclusive) [access only for invited people]
       ― Mail discussions [access only for invited people]
     • To get access to private black markets you need to be invited by 5 or more people and pay from $1 000 to $10 000
  17. Black Market: How to pay
     • Most popular was e-gold until 2007, when the US government ordered the e-gold administration to lock/block approximately 58 e-gold accounts; in 2008 three directors pleaded guilty
     • Now there are two very popular services with a pretty good identification guarantee:
       — WebMoney (Russian multifunctional payment service)
       — Liberty Reserve (very similar to e-gold, but HQ is in Costa Rica)
     • An exchange service can be used to hide identity even further; it will transfer money from one service to another in a few seconds for big fees (5% – 25%, depending on the services).
     • There exist more than 500 exchange services, and 95% are from China, Russia, Costa Rica, Belize, Seychelles, etc.
     • Many rippers (fraudsters) on ordinary black markets
  18. Position: Buyer / Cashier
     • His job is to use cards for buying stuff delivered to a safe drop
     • Low-danger position
     • Must have very good skills and know the security of payment gateways and eShops
     • Many times he needs to confirm orders with additional information about the card owner, like background, SSN, MMN, DOB
     • Sometimes he needs to confirm orders by phone conversation
     • Buyers mostly have very good access to all information from 3rd-party services
     • They have access to highly valuable proxies, which can be chosen by country and city and are also highly anonymous (not sending any proxy identifiers)
     • If they are independent, they ask for 10% – 25% of the goods' price
     • If they are working in a group, they get 30% – 60% of the sale prices
  19. Position: Drop
     • His job is to pick up money or ordered goods
     • Very dangerous position
     • Safe drops for money are used for wire transfers or Western Union orders
     • Many times the drop for Western Union is a WU agent in countries like Thailand, Indonesia, India, etc.
     • Good drops often use homeless or asocial people for picking up goods from UPS, FedEx or the post
     • Independent drops take 20% – 50% of the goods or money
     • In a group they take 20% – 40% of the goods' selling price or of the money
     • They also cash out skimmed cards
     • Mostly in countries like Thailand or Italy, because of country blocks (many US, AU, CA, … cards are blocked for countries like Germany, Slovakia, Russia, etc. The card owner can withdraw money from the card in a bank with the assistance of bankers)
  20. How to check card validity
     • The most ordinary way is to use the "Donate us" form on any foundation website to make a payment of a small amount ($0.1 – $15)
     • Much more sophisticated is to use three-step payment processors, which can tell in the first step whether a card is valid, in the second check AVS (address verification system), i.e. whether the address and ZIP are the same as on the card, and in the third try to make the payment
     • A hacker can stop after the first or second step and not make a payment on the card
     • Bigger chance of not losing this card
  21. How to get balance information
     • Balance information is highly valuable, because the cashier will not attract attention to himself
     • This is mostly the most expensive service provided by 3rd-party groups
     • There are two very nice and simple ways to get it in the USA
       — Call the toll-free number of the biggest bank in the US, +18004321000 (Bank of America); a robot voice will request the credit card number and, for verification, the SSN
       — A good payment processor that can check card validity together with the paying amount in the first single request. Then a hacker needs to send a few requests to learn the approximate amount
       — Example of such requests:
         — Paying amount: $4500
         — Paying amount: $1500
         — Paying amount: $3500
         — Paying amount: $3000
         — Paying amount: $3200
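Added example, not part of the talk: detection logic a payment processor or merchant could run over authorization logs to spot both the small-amount card testing from the previous slide and the amount-narrowing balance probing described here. The log lines are constructed for the example, and the window and threshold values are assumptions to be tuned per merchant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization log (not real data): time, merchant, masked PAN, amount, result
AUTH_LOG = """\
2013-03-22T10:00:01 donate-form 411111******1111 0.50 APPROVED
2013-03-22T10:00:03 donate-form 522222******2222 0.50 DECLINED
2013-03-22T10:00:04 donate-form 433333******3333 1.00 APPROVED
2013-03-22T10:00:06 donate-form 544444******4444 0.50 DECLINED
2013-03-22T10:00:07 donate-form 455555******5555 0.50 APPROVED
2013-03-22T11:15:00 shop-x 488860******7238 4500.00 DECLINED
2013-03-22T11:15:20 shop-x 488860******7238 1500.00 APPROVED
2013-03-22T11:15:41 shop-x 488860******7238 3500.00 DECLINED
2013-03-22T11:16:02 shop-x 488860******7238 3000.00 APPROVED
2013-03-22T11:16:25 shop-x 488860******7238 3200.00 DECLINED
"""

def parse_log(text):
    # One (timestamp, merchant, masked PAN, amount, result) tuple per line
    return [(datetime.fromisoformat(t), m, p, float(a), r)
            for t, m, p, a, r in (line.split() for line in text.splitlines())]

def find_card_testing(rows, window=timedelta(minutes=5), max_amount=15.0, min_cards=5):
    # Card testing: one merchant sees many distinct PANs on tiny amounts in a short window
    alerts, by_merchant = set(), defaultdict(list)
    for ts, merchant, pan, amount, _ in rows:
        if amount <= max_amount:
            by_merchant[merchant].append((ts, pan))
    for merchant, events in by_merchant.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            cards = {pan for ts, pan in events[i:] if ts - start <= window}
            if len(cards) >= min_cards:
                alerts.add(merchant)
    return alerts

def find_balance_probing(rows, window=timedelta(minutes=10), min_amounts=4):
    # Balance probing: one PAN tried at several amounts with mixed approve/decline results
    alerts, by_pan = set(), defaultdict(list)
    for ts, _, pan, amount, result in rows:
        by_pan[pan].append((ts, amount, result))
    for pan, events in by_pan.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            recent = [e for e in events[i:] if e[0] - start <= window]
            amounts, results = {e[1] for e in recent}, {e[2] for e in recent}
            if len(amounts) >= min_amounts and len(results) > 1:
                alerts.add(pan)
    return alerts
```

Both checks work on masked PANs only, so the detection pipeline itself never needs the full card number.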
  22. How to bypass 3-D Secure
     • This depends on the implementation, but 90% of 3-D Secure websites are outsourced to big payment processors (FirstData [achex], etc.)
     • https://www.achex.com/RequestDispatcher/Issuer3DSecureResponse;AchexSession=DCXzGW9GQT7ZTgrFpnTCy75ZvXm0QJgyBRHjz1L8WNTBL1jCVYvz!1061590781
     • This bug was really simple. They had forgotten to add expiration/destruction to the response session, so every card could be verified by 3-D Secure with this old URL
     • In the real world you do not need much to validate yourself as the owner of a card in 3-D Secure, because every password can be changed online by adding a few pieces of information about the card, mostly SSN, DOB, ZIP, CVV2, expiry date.
     • If the owner of a credit card did not fill in the information on the 3-D Secure registration form, you can always push "No Thanks" and pay without 3-D Secure
     • Anyone can check whether a card is in the Verified by Visa or MasterCard SecureCode program just by visiting these sites and entering the card number there:
       https://verified.visa.com/aam/data/vdc/landing.aam?partner=vdc&resize=
       https://enrollment.securecode.com/vpas/cuets-en.html
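Added example (not the vendor's code): how an issuer-side 3-D Secure authentication result should be stored so that the replay of an old response URL described above does not work. It assumes a token-based design where the payment processor redeems the result exactly once, within a time limit, and bound to the transaction and card it was issued for; the class and method names are hypothetical.

```python
import hmac
import secrets
import time

class AuthResultStore:
    """Issuer-side store for 'cardholder authenticated' results (hypothetical design)."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock        # injectable so expiry can be tested without sleeping
        self._pending = {}         # token -> (transaction id, masked PAN, expiry time)

    def issue(self, txn_id: str, masked_pan: str) -> str:
        # Called once the cardholder has passed the password / SMS-code step
        token = secrets.token_urlsafe(32)   # unguessable; never derived from card data
        self._pending[token] = (txn_id, masked_pan, self._clock() + self._ttl)
        return token

    def consume(self, token: str, txn_id: str, masked_pan: str) -> bool:
        # The payment processor redeems the result exactly once, for exactly this
        # transaction and card. Popping the entry is what makes a replay of the old
        # response URL fail; the bug on the slide was a response session that was
        # never destroyed and never expired.
        entry = self._pending.pop(token, None)
        if entry is None:
            return False
        stored_txn, stored_pan, expires_at = entry
        if self._clock() > expires_at:
            return False
        return (hmac.compare_digest(stored_txn, txn_id)
                and hmac.compare_digest(stored_pan, masked_pan))
```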
  23. How to get cash from cards
     • There are a few ways to get money from credit cards
     • Use a virtual POS terminal
       — A virtual POS terminal will transfer the money to a bank account the next day. This technique requires a real working shop which accepts orders daily, and cashing only a few stolen cards per day so as not to attract attention.
     • Affiliate
       — A very popular technique is to open an affiliate account, mostly on porn sites, and order customer accounts through these affiliate accounts with stolen cards. This will cost every card $25 – $50 for a month, and the affiliate will get $10 – $50 for each customer.
  24. How to get cash from cards
     • Western Union
       — WU is pretty complicated, because it needs a lot of assets to make a successful order.
       ― WU allows people from a few countries (US, CA, AU, NZ, …) to make an online order with their Visa or MasterCard.
       ― They are using 3-D Secure, and every order must be confirmed online via phone.
       ― The phone number must be the same as in the credit card file in the issuer database, and they ask for background information (if it is available).
       ― The cashier needs access to a good VoIP service to change the displayed number, good information about the card owner (including background), and there must also be a very good drop to receive this money.
       ― Many times the drop is an original Western Union agent in countries like Thailand, India, China, etc.
       ― A good cashier can make $15 000 – $150 000 daily
  25. Malware in ATM

     Opt   Function                      Description
     0     Restore Logs                  Restore the log files
     1     Uninstall                     Uninstall malware and clean all files
     2     Display Stats                 Creates and displays a window presenting statistics (numbers of transactions, cards, keys)
     3     Delete Logs                   Deletes the harvesting log files
     4     Reboot ATM                    Forces a full system reboot.
     5     Test Printer                  ATM's receipt printer will print Hello and 123456789.
     6     Print Collected Data          Print the harvested data, in an encrypted format, via the ATM receipt printer.
     7     Secondary Menu                This option will present the user with a window displaying a challenge and wait for the corresponding response to be entered
     8     Supply Manager Information    The malware tries to access the ATM vendor software's user interface
     9     Writing to a smart card       Transfer the harvested data directly to a card inserted into a compromised ATM.