Chargen19
Basic
- Joined
- 02.10.20
- Messages
- 99
- Reaction score
- 115
- Points
- 43
PART I
The Underground Ecosystem Of Credit Card Frauds Introduction to Payment Card frauds
Use of Plastic cards as a mode of payment is one of the most widely used and convenient alternatives to cash. This mode of payment is now accessible to the common population of almost all the major geographical locations on our globe. Its ease of use and portability makes it a preferred mode of financial dealing. Such efficiency cannot be achieved without the presence of a large networked ecosystem connected through nodes of various computational devices. But, where there are computers and networks, there are hackers.
Frauds related with Payment cards like Credit and Debit cards have raised serious privacy and authenticity concerns among its users. The recent few years have been worse hit where-in several major retail chains and brands were found to be affected with such frauds. The high monetary profit involved in this theft has attracted the biggest online cybercriminals and hackers to build their own empire with tightly knitted gang of individuals and groups. Most of the major payment card frauds are financially motivated and spans over several months starting from stealing the user information to conducting actual frauds. This paper goes into the details of how this entire fraud ecosystem functions and how it is disrupting the current electronic payment industry at a large scale.
To start with, let us first give a quick read at some of the key vocabularies that will be used throughout this paper and will be relevant in further understating the key discussion points.
Key Vocabularies
Credit/Debit card: A monetary instrument, often referred to as plastic cash, used to make payment for goods purchased. A Debit card is linked with the user’s bank account and can be used to purchase goods worth value not exceeding the amount of money in the linked account. A Credit card is a temporary loan purchase; where- in the bank pays for the purchase value and recovers the cost from the user later on. Credit cards also have specific monetary limit.
PIN (Personal Identification Number): A personal numeric value used to validate the card owner.
CVV/CVV2: 3 or 4 digit number printed on the card. This number is used as an additional verification point to validate the cardholder.
BIN (Bank Identification Number): The first six numbers of the card that is used to identify the issuing bank and in certain cases, the type of card.
Card brands: Refers to the authorized companies whose network is used to facilitate the interaction between acquirer and issuer. Popular brands include Visa, Mastercard and American Express (Amex). A card starting with a 4 is a Visa, with a 5 is a Mastercard and with a 3 (15 digits long) is an Amex. A comprehensive list is provided later in the paper.
Buyer/Consumer: The cardholder who purchases the goods and uses card for payments.
Merchant: Goods and service provider who accepts cards as a mode of payment. Acquirer Bank: The bank responsible for processing the merchant’s credit card
transactions with the buyer.
Issuer Bank: The bank that issues credit card to the consumer.
POS (Point Of Sale): POS machines are the card reading devices used to carry out the monetary transaction between the buyer and merchant.
Magnetic Strip: The black strip on the backside of the credit/debit card that stores various details required during financial transaction.
Tracks: Information on the magnetic strip is saved on tracks 1,2 and 3. The first two tracks are generally used to store the details like account number, owner name etc. The 3rd track is optional and used for storing additional data.
Card dumps: The raw un-encrypted data extracted from the temporary storage(RAM) of POS devices. These dumps carry information written on tracks 1 and 2 that are read by the POS device while making transactions.
Card reader/Writer: Is a piece of hardware and software that is used to write data onto the magnetic strip of the plastic card. MSR-605 is the most popular encoder used for writing data over cards.
Carder: Is the individual who uses the stolen plastic card information to carry out fraudulent transactions.
Runner: The individual/group who uses the counterfeit cards to cash out from ATMs.
Dropper: The drop point for goods purchased online. The Dropper is usually an individual whose sole purpose is to receive the ordered item and deliver to the carder in return for cash or other goods.
Shopper: Is the individual/group that does in-store shopping with counterfeit cards. These shoppers also carry fake IDs to make the fraud look more legitimate. Usually the carder can himself be a shopper or a runner.
EMV: EMV or Chip-and-Pin cards are an alternative solution to swipe cards, which stores data on a chip in an encrypted manner. Even though the storage mechanism is encrypted, POS based malwares can still steal the data once it is decrypted in the memory.
Contactless RFID cards: Another enhancement to traditional magnetic strip based cards. In RFID enabled cards, the buyer can pay for the goods by simply waving the card close to the POS terminal.
part II awaiting..
#HackTheP
The Underground Ecosystem Of Credit Card Frauds Introduction to Payment Card frauds
Use of Plastic cards as a mode of payment is one of the most widely used and convenient alternatives to cash. This mode of payment is now accessible to the common population of almost all the major geographical locations on our globe. Its ease of use and portability makes it a preferred mode of financial dealing. Such efficiency cannot be achieved without the presence of a large networked ecosystem connected through nodes of various computational devices. But, where there are computers and networks, there are hackers.
Frauds related with Payment cards like Credit and Debit cards have raised serious privacy and authenticity concerns among its users. The recent few years have been worse hit where-in several major retail chains and brands were found to be affected with such frauds. The high monetary profit involved in this theft has attracted the biggest online cybercriminals and hackers to build their own empire with tightly knitted gang of individuals and groups. Most of the major payment card frauds are financially motivated and spans over several months starting from stealing the user information to conducting actual frauds. This paper goes into the details of how this entire fraud ecosystem functions and how it is disrupting the current electronic payment industry at a large scale.
To start with, let us first give a quick read at some of the key vocabularies that will be used throughout this paper and will be relevant in further understating the key discussion points.
Key Vocabularies
Credit/Debit card: A monetary instrument, often referred to as plastic cash, used to make payment for goods purchased. A Debit card is linked with the user’s bank account and can be used to purchase goods worth value not exceeding the amount of money in the linked account. A Credit card is a temporary loan purchase; where- in the bank pays for the purchase value and recovers the cost from the user later on. Credit cards also have specific monetary limit.
PIN (Personal Identification Number): A personal numeric value used to validate the card owner.
CVV/CVV2: 3 or 4 digit number printed on the card. This number is used as an additional verification point to validate the cardholder.
BIN (Bank Identification Number): The first six numbers of the card that is used to identify the issuing bank and in certain cases, the type of card.
Card brands: Refers to the authorized companies whose network is used to facilitate the interaction between acquirer and issuer. Popular brands include Visa, Mastercard and American Express (Amex). A card starting with a 4 is a Visa, with a 5 is a Mastercard and with a 3 (15 digits long) is an Amex. A comprehensive list is provided later in the paper.
Buyer/Consumer: The cardholder who purchases the goods and uses card for payments.
Merchant: Goods and service provider who accepts cards as a mode of payment. Acquirer Bank: The bank responsible for processing the merchant’s credit card
transactions with the buyer.
Issuer Bank: The bank that issues credit card to the consumer.
POS (Point Of Sale): POS machines are the card reading devices used to carry out the monetary transaction between the buyer and merchant.
Magnetic Strip: The black strip on the backside of the credit/debit card that stores various details required during financial transaction.
Tracks: Information on the magnetic strip is saved on tracks 1,2 and 3. The first two tracks are generally used to store the details like account number, owner name etc. The 3rd track is optional and used for storing additional data.
Card dumps: The raw un-encrypted data extracted from the temporary storage(RAM) of POS devices. These dumps carry information written on tracks 1 and 2 that are read by the POS device while making transactions.
Card reader/Writer: Is a piece of hardware and software that is used to write data onto the magnetic strip of the plastic card. MSR-605 is the most popular encoder used for writing data over cards.
Carder: Is the individual who uses the stolen plastic card information to carry out fraudulent transactions.
Runner: The individual/group who uses the counterfeit cards to cash out from ATMs.
Dropper: The drop point for goods purchased online. The Dropper is usually an individual whose sole purpose is to receive the ordered item and deliver to the carder in return for cash or other goods.
Shopper: Is the individual/group that does in-store shopping with counterfeit cards. These shoppers also carry fake IDs to make the fraud look more legitimate. Usually the carder can himself be a shopper or a runner.
EMV: EMV or Chip-and-Pin cards are an alternative solution to swipe cards, which stores data on a chip in an encrypted manner. Even though the storage mechanism is encrypted, POS based malwares can still steal the data once it is decrypted in the memory.
Contactless RFID cards: Another enhancement to traditional magnetic strip based cards. In RFID enabled cards, the buyer can pay for the goods by simply waving the card close to the POS terminal.
part II awaiting..
#HackTheP
