Welcome to the Off-Shore Club


Bank cards [lecture, 2023]


Mr. Nick

Today we will talk a little about bank cards, the basic principles of their operation (and working with them) and the nuances of their purchase, as well as touch on issues such as the receipt of cards, AVS, 3DS/VBV and why we can get a decline even on “good” cards (unsuccessful result of the transaction)

(19:21:07) Pustota: Each of you has come across bank cards in one way or another in your life, but few people have thought about how the card payment process works and what information the plastic itself carries and the information printed (or embossed) on it

(19:21:36) Pustota: The first thing a novice carder should learn is basic information about bank cards in the context of our shadow activities.

(19:22:16) Pustota: Before that, I emphasize that any information that you receive in the course of work, whether it is a successful or unsuccessful order, must be recorded. In order to check the data in the future and not make mistakes. Or it's trite not to forget something. Example:

(19:23:00) Pustota: Let's continue.

(19:23:31) Pustota: In our context, CC (Credit Card, credit card, cardboard, etc.) is the carefully stolen data of a real (or virtual) card holder (cardholder, CH) who does not live in the CIS countries

(19:24:09) Pustota: Where can we get cardboard? The 3 main options are to buy in shops, from private (or not so) sellers, or to get it yourself (from a fake site, from a sniffer on a real–life site, from a botnet, some hacked database, or from any other place where your imagination is enough). We will not talk about independent mining today, this is a topic "with an asterisk" for independent development

(19:24:39) Pustota: Consider the most popular and obvious option with the purchase of a card

(19:27:50) Pustota: When you buy, you will receive cardboard in approximately this format:

4147400219040084 | 12/21 | 826 | Richard Lang | 56 Groveview Cir #302 | Rochester | 14612 | NY | USA | 661-298-0881 | [email protected]

The format of each shop / seller is different, somewhere it can be customized, but the main points are identical

In our example, 4147400219040084 is the credit card number;

12/21 (12 month / 21 year) - expiration date of the card (Expiration Date);

826 – CVV/CVV2/CVC card security code;

Richard Lang – First and Last Name (first name, last name);

56 Groveview Cir – Address Line 1 (first line of address);

#302 - Address Line 2 (the second line of the address). Please note that the street name and house number are always Line 1, and the apartment/annex/office number is Line 2. If the house is private, then Address Line 2 will be missing;

Rochester – city;

14612 – Zip code (zip, an analogue of our zip code);

NY (New York) – state;

USA – country;

661-298-0881 – phone;

[email protected] – holder's email address.

(19:29:11) Pustota: The minimum necessary information to work in most areas - SS number, Expiration Date, CVV, First/Last name, Address line 1, Zip code. Let's take a closer look at the card number, it contains important information for work

(19:30:16) Pustota: BIN (Bank Identification Number) – the first 6 digits of the credit card number. Each banking organization has a pool of unique numbers that are assigned to the cards issued by them. These numbers contain information about the payment system (Visa/MC/AmEx/Discover, etc.), issuing bank, card level (Classic/Gold/Platinum, etc.), card type (Credit/Debit/Prepaid)

(19:31:06) Pustota: The first digit of BIN defines Major Industry Identifier (MII) - the global payment system under which this card operates. The main payment systems that you will encounter are AmEx (the first digit of the card starts with 3), Visa (4), MasterCard (5), Discover (6)

(19:32:37) Pustota: Detailed information about the beans can be found on services like binlist.net , binov.net (the latter is very convenient for mass bin search and reverse bin search by banks, although the databases are somewhat outdated at the moment), also bin databases are built into most SS shops. If we break through the BIN cards from the example above (414740), we will see the following information:
TYPE: VISA;
BANK: CHASE BANK USA, N.A.;
RANK: CREDIT;
TYPE: SIGNATURE;
COUNTRY: USA

We will analyze RANK and TYPE further in the course of the lecture (the type and level of the map), the rest of the data is obvious based on the name

(19:35:02) Pustota: The remaining digits of the card, except for the last one, identify the holder's account in the bank, and the last digit is a control one designed to validate the bank card number using the Luhn Algorithm - for us this information is useful only in the context that a random set of digits cannot be a valid card number, but having been sealed by 1 digit when entering, we will 100% enter a non-existent card number. Also, the Luna algorithm is used by pseudo-real data generation services (fake data / fake cc generators) and during input validation (you probably met with a case when the card number input field "turns red" and says about the wrong card number at the stage when you print the number). Now, as for directly buying cards in shops
 
(19:36:11) Pustota: When buying cards in most shops, we will see such a parameter as the validity of the database in which the card was received in the shop. It is defined by a shop / seller as follows: a random number of cards is taken and validated by a checker. Let's say 7 valid cards came out of 10 – the *declared* validity of such a database is about 70%. I note that the actual validity may vary greatly depending on the honesty of the seller/shop, the checker used, the method of card mining and how long ago the base was mined and stamped on the valid

(19:37:39) Pustota: A card checker is a service that runs cards through its merch. Checkers can work in different ways: a small amount ($1-2) can be preauthorized from the card through a merchant checker and returned back after a short period of time. This method is bad because the holder may have notifications for transactions configured and a suspicious transaction may force him to block the card. Well, or he can just check the bank statement at the wrong time (a bank statement, sometimes available in paper form, by calling the bank, or in online banking)

(19:38:23) Pustota: More advanced checkers use a cardless validation ($0 authorization), which most often goes unnoticed by the holder and gives an answer from the payment system about the validity of the card

(19:39:59) Pustota: An alternative way to check the validity of the card is to link it to any services (as an example, to Google, or to any other service where the card fits into the personal account)

(19:40:23) Pustota: This is a fairly safe check method that minimizes the risk of card death, provided that it also uses the principle of cardless validation.

(19:41:54) Pustota: In normal shops, a refund is provided for invalid cards – usually 5-15 minutes are given for a check. To minimize time and financial losses, I recommend checking cards after purchase and trying to get a refund if the card is dead. If you do not trust your method of checking cards (for example, you think that it can kill cards), you can check the card after driving in to minimize the likelihood of its death from the check

(19:43:16) Pustota: It is also worth remembering that the checkers built into the shops often spoil the cards much more than your own check methods, so use them only if you are sure that the card is invalid (the algorithm is most often this: you check the card with a shop checker, if the shop checker reports the premature death of the card, you get a refund; if the checker says that the card is alive, then no)

(19:44:39) Pustota: Also, I want to note that by far the safest method of checking a card is an attempt to fill it up or ring it on the balance (fill it up is a derivative of Enroll). This concept will be covered in detail in further lectures, implies access to online card banking), or a call to the bank. In this case, sometimes it may be necessary to punch an additional. information on the card (SSN (social security number insurance)/DoB (holder's date of birth) or something else)

A few words about the types of CC. As I said above, Visa, MasterCard, American Express, Discover cards will most often be found in your work

(19:45:48) Pustota: From my experience, it is easiest to find good Visa and MC beans, but in practice I have also met fat amex beans (however, the latter has its own specifics - the chargeback goes faster, which is often disastrous for drives. You need to understand where this will take place, and where it will ruin your work). Discover cards, rather, belong to the exotic - but in some directions they are also used

(19:46:02) Pustota: Visa, MasterCard and Discover cards have 16 digits each in the card number and 3-digit CVV codes. Amex has 15 digits in the card number and a 4-digit CVV

(19:47:11) Pustota: The cards of some countries (specifically, USA, Canada, Australia, New Zealand and the United Kingdom) have an AVS (Address Verification System) protection mechanism that verifies the address used when making a transaction with that of the issuing bank. In the event that the data does not match (the numbers in the address and ZIP code are checked), an AVS Mismatch response is received from the bank and such a transaction will be rejected. From here, in the future you will encounter concepts such as billing and shipping address, they will be touched upon in further lectures.

(19:50:10) Pustota: AVS - Address Verification System should have been studied, the bottom line is that if you make a transaction inside the country (that is, the issuing bank of the card of the same country as the store) you can verify the digital part of the address, and if it does not match, there will be a decline, remember the list of countries that have this system. That is, this system does not exist in the Russian Federation /EU.

(19:51:12) Pustota: (approx. there are no AVS on corporate cards in England, just as not all cards in usa/ca/au can have such protection, in usa and ca almost everything is more realistic to find in au without reconciliation)

(19:52:46) Pustota: When working with maps, sooner or later you will encounter 3D Secure protection mechanisms (https://wwh-club.io/threads/3-3-2-vbv-mcsc.2108 /)

(19:53:30) Pustota: Visa cards have it called Visa Secure / Verified by Visa (VBV); MC has MasterCard Secure Code (MCSC), and Amex has SafeKey. Accordingly, many gateways have their own analogues.

(19:54:31) Pustota: 3DSecure - It seems it is usually called the 3rd layer of protection, the point is that you enter an Internet password for purchases, I think you have already encountered this when buying from your cards, when the bank sent you an SMS code to confirm the transaction.

(19:55:38) Pustota: What is very important to note, if you made a purchase with a 3ds code,the chargeback falls entirely on the shoulders of the cardholder or the bank, the store is not responsible for this operation, that is, even if the cardholder burns the transaction, it is unlikely that this will affect the shop and it will not send you the goods, but there is an exception (a shop that values its reputation will cancel).

(19:56:29) Pustota: That is, transactions with a 3ds code have a high trust (the exception is USA due to the fact that the Internet password is often static there, that is, for example, as an email password, and it can be reset).

(19:57:39) Pustota: I'll clarify a little
this is the window for entering the 3ds code from the USA bank, but instead of SMS you are asked by the bank to enter card information + ZIP code.

(19:58:18) Pustota: In general, 3ds is the most common type of protection, in most countries merchants in shops have it connected to cards

(19:58:53) Pustota: That is, if the merchant does not have this protection connected, and it is on the card, then the transaction will take place without 3ds, since it was not initiated by the shop.

Let's analyze the 3Ds moment in more detail:

(20:00:34) Pustota: These mechanisms are designed to significantly reduce the percentage of unauthorized/fraudulent card transactions by adding an additional transaction confirmation method unrelated to the card itself. In case of entering into the merch with the activated 3DS system, during the transaction you will be redirected to the page of entering a static code that should be known to the holder, or a one-time code sent to the holder by SMS / e-mail

(20:01:42) Pustota: Static codes will be unknown to you when buying a card, however, for some bins they can be reset. The bins where this can be done are called VBV reset bins

(20:02:50) Pustota: Also, there are beans that pass VBV automatically. It looks like this: during the transaction, you get to the VBV page, similar to that for the above bins, but the VBV code itself does not request you. At this time, the issuing bank evaluates your transaction according to its anti-fraud criteria and gives an answer to the merchant, whether you have passed the VBV check or not. Such bins are called avtovbv. Also, sometimes VTB cards are found in banks that simply have not yet implemented protection with 3DS, in such banks the percentage of successful completion of VBV will be higher. Usually these are small banks (most often Credit Union's)

(20:03:51) Pustota: If you work on a duffel bag with US shops and stumbled upon a shop with VBV/MCSC, the easiest way is to score on such a shop and find another one. If you beat any service where VBV is mandatory (for example, Airbnb), or work in the EU - there you already need to look for beans with reset / avtobv, which will climb into the merch of your service / shop

(20:04:22) Pustota: 3ds code in USA is often static, as a rule it is either zip/ssn or zip+ssn, or it can be set by the cardholder, but it can often be reset (you will see the reset item).

(20:05:02) Pustota: So in eu/ca/au and possibly in other regions, you can also find cards that can reset a static password (provided that it is static and not an SMS or token and there is a reset point) but no one can say how much money you will spend in search of this)

(20:06:06) Pustota: Unless in the UK the chance is higher to find something with a reset, since at one time there were a lot of bins with a 3ds password change by DOB

(20:08:16) Pustota: There used to be a lot of bins with a 3ds password reset, according to dob, zip (data that made their way through open sources) now I'm talking about Europe and England, at the moment, as I said, there are fewer such bins, but it's real to find them, I would start with England and Italy, but it's subjective. At the moment, many have already left this, and now either sms or 2FA tokens (like 2FA Google apps) But if there is an SMS, then there are options, and in the world already from 2017-2018 they are trumpeting that it is necessary to refuse confirmation by phone number, so it is likely that in 2-3 years a lot of banks will switch to tokens.


(20:10:03) Pustota: Here's what the 3ds window looks like and the principles of protection for the eu:




(20:10:17) Pustota: And here, after entering the 3ds code, it additionally requested the account number

(20:11:12) Pustota: Methods of working with the EU mat will be given to you at lectures on hotels and air travel, because all these directions are very tightly interconnected. A little trick to determine the presence of 3ds at the store, you need to take a card that has this protection installed and conduct a transaction, preferably not typical so that auto3ds does not work, so you can go through the lists of shops, or find out which merchant the shop has and read the documentation on their official website.

(20:11:56) Pustota: Also, when working with European cards in America, it is worth checking with the support whether they have the opportunity to pay with cards from other countries. Because if the transaction goes further, the bank may not miss it and only a ring will save it there. Therefore, we communicate with support.

(20:12:25) Pustota: If we talk about other nonUSA countries, we can distinguish the following: These are Latin America, the European Union, the CIS, Asia, Australia, Africa.

(20:13:07) Pustota: You can also highlight the Arab countries and India, England (note. the lecture was previously about Europe and Asia, but I decided to include the whole world, but in fairness I will say that I worked mainly on the USA/eu/Asia). You should look up information about regions on the Internet. There may be different situations in countries, influence, etc. Simply put, you need to be able to use Google. https://habr.com/ru/sandbox/46956/

(20:14:14) Pustota: As I wrote above, I mainly worked with yusa /eu /Asia, so these areas will be analyzed in more detail, in other regions +- the same situation as in EU and Asia

(20:14:20) Pustota: Let's talk a little about the types and levels of CC

(20:15:28) Pustota: Credit (Credit) - a card on which you can spend borrowed funds, i.e. without having your own money on the account. Moreover, US cards on credit cards often do not have such a thing as a positive balance at all - you can only spend credit funds on them and repay the loan. The higher the KX Credit Score, the greater the credit limits the bank gives. I would like to draw your attention to the fact that if you want to call the bank on such a card, or fill up and find out the balance, then the really available funds for spending the day will not be account balance, but available credit

(20:16:00) Pustota: Debit is a card that is linked to a bank account (account) and is a kind of key to a bank account for the convenience of everyday payments (obviously, as a method of making payments, bank accounts are not as convenient as cards). Funds are debited from debits only within the current balance on the BA (bank account)

(20:17:02) Pustota: Prepaid card with a prepaid amount - a smart card that stores electronic money deposited there in advance by the cardholder. In use, they are similar to debit cards, but unlike them they are not associated with bank accounts. They are often found in payment systems like Payoneer, etc. Some merchants refuse to work with prepaid cards. I note that this is the worst option for work, except for cases when you clearly know the properties of such a bean, how to work with it and what to do

(20:18:44) Pustota: As for the card levels, there are a lot of them and they are different for different banks and payment systems. From Classic to Black. You can read a detailed description in the educational program format of each of the levels in the working conference on the forum, there should be a corresponding post. On the one hand, higher-level cards indicate a higher status of the owner and potentially there may be more money on them than on lower-level cards. However, in practice this is not always the case - for example, in my arsenal there are Classic beans, which always have a lot of available funds, their holders are mostly active and such cards allow you to write off large amounts. On the other hand, there are Platinum beans, on which, on average, there is little money and it turns out with a creak to write off transactions from them, and often it is impossible at all because of ubiquitous limits and evil bank fraud.

(20:19:18) Pustota: Thus, I want to dispel the popular myth that it is worth trying to take cards of higher levels - often, this is far from the case (at least when working with US cards. In the case of EU cards, the use of Gold and higher level cards is justified and really shows statistically better results). I also want to note that the availability of funds available for spending on the card is not always equal to a successful drive-in, and now I will give a detailed explanation why. To do this, we will consider in detail the entire kitchen that occurs when paying with a card and is hidden from the eyes of the layman.

(20:19:34) Pustota: The process of paying with a bank card on the Internet is not as simple as it seems at first glance. Let's say you make a payment in an online store

(20:22:04) Pustota: Let's analyze the main participants in the payment process:

- KX: cardholder, the owner of the card with which the payment is made;
- Merchant: actually, an online point of sale of goods with a checking account, where funds for the goods should eventually arrive. Many people confuse merchant and what is more correct to call payment gateway. These are different entities, but in carder slang, to simplify, we talk about them as a single whole (about merch);

- Payment Gateway (payment gateway) is a technology that allows you to connect a merchant with a processing center and an acquiring bank;

- Processing Center is a high-tech system for processing bank card payments in the field of e-commerce. Accepts data from payment gateways, processes and redirects them to the issuing bank;

- Acquiring bank (merchant bank): a bank that is a member of the global payment system (Visa/MC, etc.) and allows businesses to accept payments using bank cards;

- Issuing Bank (CH Bank) : a bank that is also a member of the global payment system and has issued a card to the holder;

- The Global Payment System (Visa/MC, etc.) is an organization that regulates and performs interbank settlements. In simple words, it allows you to transfer money from the account of the issuing bank to the account of the acquiring bank and handles the entire process that takes place at the same time.

(20:23:16) Pustota: After pressing the Place Order button, first the data gets into the shop's anti-fraud system.

And decides whether to skip the order further automatically, send it to manual verification or give an instant decline. At this stage, in most cases, the card data has not yet gone beyond the shop

(20:24:13) Pustota: If the anti-fraud check is successfully passed, or the manager manually approved the order, the payment process continues. After the order is approved, your data is collected, encrypted and transmitted to the Payment Gateway. In turn, he evaluates the transaction according to his criteria (gateways have their own anti-fraud systems that allow detecting suspicious patterns) and can immediately deploy the payment

(20:25:18) Pustota: Let's say the KX transaction seemed legitimate to the gateway - in this case, it passes all the data on to the processing center. The processing center again checks its criteria for fraudulent transactions and decides whether to forward the transaction further. If the processing center liked everything, the transaction goes through the global payment system to the issuing bank

(20:26:01) Pustota: The issuing bank analyzes the transactions of KX and if the transaction seems out of the ordinary to him (for example, KX has never bought anything more than $100 from the card, and you suddenly try to drive a gold bar for $10k) - it can also wrap the transaction (at least, before KX calls the bank and verifies such a transaction, usually accompanied by a decent number of questions, the answers to which in theory should be known only to KX)

(20:26:26) Pustota: The issuing bank also looks at the limits set by the holder and, of course, the availability of available own/credit funds

(20:27:27) Pustota: If it seems to the issuing bank that everything is in order, it sends a positive response to the acquiring bank back through the global payment system, which, in turn, returns the result of a successful transaction to the payment gateway and the gateway informs you and the shop managers directly about the successful payment.

(20:28:51) Pustota: Now do you understand why the fact that you have a card with a known balance on your hands does not give you confidence in a successful drive-in? You are dealing with a multi-stage anti-fraud (shop, payment gateway, processing center and banks). Most of our activity when working with maps is to learn how to effectively bypass all the steps of anti-fraud. This is quite difficult, because there are always a lot of variables that are inaccessible to us, but competently analyzing the drives, sooner or later we find vulnerabilities that we exploit until they close

(20:30:02) Pustota: If we are talking about working with maps, then we have 2 main entities that we need to choose correctly in order to bypass the above-mentioned protection systems. The first is the technical side, namely, the correct configuration of the system, simulating that of a real holder (includes, for example, system languages, time zone, etc., IP address substitution using anonymizers (proxy servers, SSH tunnels, OVPN/PPTP configs, direct access to machines ((H)RDP, (H)VNC, etc.) and behavioral factors (imitation of the actions of a real user). In future lectures, we will somehow touch on both of these sides applicable to various areas in carding.
 
