10 Real Ways to Steal a PIN Code from a Former Carder. Hacking an ATM.

BadB

Professional
Messages
1,711
Reaction score
1,719
Points
113
A former carder talks about all the currently known ways to steal a credit card PIN. Skimming (ATM skimming), shimming (a new way to steal money from cards) and the shimmers themselves, trapping, fake payment terminals, POS terminals and even fake ATMs, writing the PIN directly on the card, test ATM transactions, hacker methods of breaking into ATMs and POS terminals, hacking bank processing centers via the Internet, phishing, portable video cameras and overhead keyboards for ATMs that remember your PIN, stealing contactless payment cards (MasterCard PayPass and VISA PayWave), as well as precautions when using bank cards and how to protect your money from fraudsters - in an exclusive conversation with the author of the book "How I Stole a Million. Confessions of a Repentant Carder".

What to do if you lost your bank card, what to do if money was stolen from your plastic card or you lost your bank card. What to do if you found a bank card and how to get your money back if it was stolen from a plastic card, how money is stolen from credit cards and other card "tricks" - in this topic.

You will also learn the difference in the theft of a debit and credit card, how fraudsters steal money from contactless bank cards, how to withdraw money from an ATM without a card, who and how steals from credit cards and how to protect your bank card from theft, whether it is possible to protect yourself from virtual robbers and how to get your money back if money is stolen from a bank card, electronic theft of plastic cards and much more.


Contents:
  • Is it possible to steal a PIN code?
  • Why is it so important to keep your PIN code secret? 10 ways to steal a PIN code.
  • How to steal a card PIN code, how to protect a PIN code.
  • Trapping, what to do if the ATM does not issue a card, why you can not leave the ATM without your credit card?
  • Skimming, what is a skimmer, how not to become its victim?
  • Shimmer, why is there no protection against it?
  • Fake POS terminals, ATMs, payment terminals, the most dangerous countries for your bank card.
  • Childish way of stealing a credit card, how to protect yourself from it?
  • Test transactions or how to withdraw $400 instead of $20?
  • "Hacker" method or how to hack an ATM.
  • Hacking an ATM via the Internet, endless money on the card.
  • Phishing, why you need to update antiviruses and call the bank in controversial situations.
  • Cut an ATM with an oxyacetylene torch.
  • How do they steal money from contactless payment cards, wrap cards in foil?
  • TOP 14 precautions for your plastic card.

Why is it so important to keep your PIN code a secret? Don't listen to anyone's advice. Now I will tell you 10 ways how money can be stolen from your card. Your card did not get into the ATM because you enter the correct PIN code, but nothing happens.

Is it possible to steal a PIN code?
Friends, hello! Today I want to talk about something I understand myself. Today I want to talk about bank cards and whether it is possible to steal a card's PIN code.

We pick up the phone and call T-Bank:
- Welcome to T-Bank.
- I would like to open a card with you, and I am interested in its security, how easy it is to steal money, steal a PIN code?
- And regarding the PIN code, it means that fraudsters are now coming up with a lot of ways to get a PIN code. For example, they use skimming.


And here is what Alfa Bank says about this:
- Hello, this is Alfa Bank.
- Hello, I have a question about card security. Can attackers somehow steal my PIN code?
- Well, in the event that you yourself provided this data to third parties, or if, for example, ATMs are equipped with reading devices.


Now let's dial Sberbank:
- Hello. This is Sberbank.
- Tell me, is there any way they can steal my PIN code?
- Well, we don't have that information, it depends on where you store it. You only have one copy of your PIN code, that is, you only have it in the PIN envelope. For your safety, you just need to, most importantly, not share your card information.
- Okay, thank you.


Why is it so important to keep your PIN code a secret? 10 ways to steal a PIN code.
Why is it so important to keep your PIN code a secret? Because transactions using a PIN code are almost impossible to protest, and the banks' position on this issue is that if a client has entered a PIN code and money has been entered, then most often he is the one to blame, and you simply will not get your money back.

How to steal a card PIN code, how to protect a PIN code.
So, now I will tell you 10 ways how money can be stolen from your card.

Method 1. The dumbest, but still quite common. Write down the PIN code on the card. Look, you have a lot of cards, and I understand that it is difficult to remember the PIN code for each one. What do you do? Take a marker or some sharp object, scratch it and write down the PIN code on the card. And in this case, if you suddenly lose your wallet, or a pickpocket, say, steals you, the thief will have not only your card in his hands, but also the PIN code.

Accordingly, all your money can be easily withdrawn through an ATM. Fortunately, banks now allow, in principle, the client to choose the PIN code himself. You can set one PIN code for all cards, it will be easy to remember. Write down the PIN code for each in the phone's memory, write it down on your computer. And if you write down the PIN code on the card, then you can at least increase each digit by one. That's it. If you lose it, no one will understand anything, but you, in principle, understand everything.

Trapping, what to do if the ATM does not issue a card, why can't you leave the ATM without your credit card?
Method 2. Trapping. Trap is translated from English as a trap. And the essence of the method is as follows. You go to the ATM, insert the card into the ATM, enter the PIN code, but nothing happens. Why doesn't it happen? Because someone or something caught your card in the slot of the card receiver, that is, it did not get inside the ATM. You do not know what to do, you cannot press "cancel" because the card has not yet entered the ATM, and in principle you do not know at all at the moment what to do.

Your card did not get inside the ATM because the attacker previously installed a so-called trap, made of thin film or any other suitable thin material. That is, they take, say, a film, bend it, insert it into the slot of the card receiver and catch your card there. You don’t understand what to do.

The card is stuck. At this point, a criminal approaches from the side, asks what your problem is. You explain that the card is stuck, you don’t know what to do. He offers, says, yes, I also had this recently, but enter the PIN code in a new way, everything should work, you, suspecting nothing, enter your PIN code and then nothing happens. Frustrated, you go to the bank branch, swear there, call, get your card.

At this point, the criminal carefully takes out his trap from your card from the ATM and calmly withdraws all the money from the ATM, because he just spied on the PIN code when you were swiping in front of him. How to protect yourself from this? Firstly, do not listen to anyone’s advice. Secondly, when entering the PIN code, always cover the keyboard with your hand. And thirdly, if something happened to your card, it got stuck, the ATM swallowed it, or something else, solve all the problems without leaving the ATM.

That is, call your bank that issued the card. And for this, in principle, it is a good idea to write down the bank number from the back of the card in your phone in advance. Or call the bank that owns the ATM, the phone numbers are always listed there. Trapping as such a method, it is not very common these days, but it does not hurt to know it in principle.

No matter how you know these rules, do not follow them, they will not help in any way if we are dealing with skimming.

Skimming, what is a skimmer, how not to become its victim?
Method 3. Skimming. Skimming is called from the English word "skim-to remove". And the skimmer is a special device that is made in the form of a factory part of an ATM. In other words, this is a special overlay that is installed on the receiver card.

When you insert your card into an ATM, it passes through a malicious skimmer, which takes a dump of your card at that time. That is, all the information that is recorded on the magnetic strip. It is enough to counterfeit your bank card. Your card has passed through the skimmer and entered the ATM. In principle, nothing interferes with the work.

You perform the desired operation with the ATM there. Withdraw money, check the balance. Do everything you need, take the card and leave. Its data has already fallen into the hands of the attacker. Skimmers can be either ordinary ones with memory that record data on many cards with internal built-in flash memory, or more advanced ones with a GSM module that send the stolen card data immediately via SMS or even e-mail to the attacker.

But you can object that the skimmer only takes a dump, that is, information from the magnetic strip of the card. And how then in this case can you find out the PIN code? But in this case, removing the PIN code is also a kind of art. That is, they can use, firstly, disguised video cameras that are attached somewhere to the side of the ATM, there may be some kind of box hanging there supposedly for letters, or for something else.

And secondly, overhead keyboards are used. And these overhead keyboards, they look completely like real ones, that is, they are superimposed on the factory keyboard of the ATM. And in this case, you are unlikely to distinguish by eye, that is, that there is some kind of fake keyboard there, but meanwhile it records everything in its memory, that is, each entered PIN code, so if we are dealing with skimming, well, our card is practically not protected in any way. The only way to avoid this is to carefully look at the slot of the card receiver, card reader, whether there are any foreign overlays. Well, you can also look at the ATM keyboard, for the presence of double such keyboards, they can protrude a little, but in general it is very difficult to notice. To avoid problems with skimming your card, it is recommended to use ATMs that are installed indoors, for example, in a large store or bank, because it is simply much more difficult for a fraudster to install his skimmer unnoticed.

Do not install a skimmer in the morning, since passers-by are more vigilant at this time. Do not choose an ATM that has more than 250 customers per day. Avoid cities with a population of less than 15 thousand residents. Locals know very well what their ATMs look like and can notice your skimmer.

The instructions attached to the skimmers sold on one of the carding sites said. The cost of a skimmer, by the way, starts from $ 8,000, that is, these are quite expensive devices. Therefore, they are usually bought not by individual cybercriminals, but by entire criminal groups that have enough money and a large scope for subsequent thefts.

Shimmer, why is there no protection against it?
Method 4. Shimmer. When we talked about skimming, you might have thought that the skimmer is the worst thing. That is, if you did not notice, it is installed on the ATM, it is definitely death for your credit card and for your money. But the skimmer is not the worst thing and in principle all the precautions that I voiced in skimmers will not help if we are dealing with shimming.

A shim is essentially the same as a skimmer, but a shim is a thin flexible board much thinner than a human hair that is placed on the carrier card, that is, on a regular plastic card, inserted into the ATM and attached to the ATM contacts that are responsible for reading the card. That is, if you still have a chance to somehow notice the skimmer, an extraneous overlay on the ATM, then you will never notice a shim installed inside the card receiver.

The device is, in general, ingenious, because its thickness does not exceed 0.1 mm, that is, it is thinner than a human hair, and the removal of the PIN code in this case occurs in the same way as with skimming, that is, these are disguised video cameras next to the ATM or overhead keyboards. Shimming is not very common in the world due to the technical complexity of manufacturing the shims themselves, and for the general public, as you understand, such things are not sold.

Fake POS terminals, ATMs, payment terminals, the most dangerous countries for your bank card.
Method 5. Fake post-terminals, ATMs, and payment terminals. Thefts using such methods were first described in 1988 in the USA. Fraudsters built a machine, well, like modern vending machines you can see selling cola, there, Snickers, chips, that's it.

They built a machine that accepted any card with a PIN code, and accordingly, gave out a pack of cigarettes in return. That is, you went to the machine, inserted the card, entered the PIN, received a pack of cigarettes, everyone seemed happy. What happens next? All your card data remains with the scammers and a duplicate is simply made and withdrawn from the ATM. The PIN code is also known, all the money.

There are also fake ATMs. The ATM itself is bulky, it costs money and the method is not very widespread, but in principle, which is why I said in the previous methods, that you need to try to use ATMs installed somewhere indoors, for example, a bank or a store, because a fake ATM is completely fake, you can’t insert it there. Much more often than this, of course, there are fake POS terminals.

For example, you are having lunch in a restaurant, they bring you a terminal to pay. You pay, it seems, but the transaction does not go through for some reason. That is, there supposedly appears a cancellation on the screen, or something else. But in fact, they have just brought you a fake terminal, which simply recorded your card details and, accordingly, you entered the PIN code. After that, they can bring it and say, let's go through another terminal, we have another bank, it is possible that something is not working.

How to protect yourself from this? If in the case of ATMs, as I said above, to use ATMs in banks or stores, then in the case of counterfeit terminals, it is not that it is fake, it is a real terminal, it is just reflashed, it is reprogrammed to withdraw, to remember your dumps from the magnetic strip and PIN codes, so you cannot tell the difference.

The only thing is that it may not be possible to pay with a card in dubious places, of course. And also in such tourist countries, card theft very often occurs. These are Turkey, Egypt, Ukraine, Thailand. Therefore, try not to pay with your card in such countries at all.

Childish way of stealing a credit card, how to protect yourself from it?
Method 6. I called it "childish". For this scam you need steady hands and superglue.
You glue the cards on the ATM keyboard, clear and cancel. The victim comes to the ATM, inserts his card, enters the PIN code, wants to press here, the key is glued, accordingly, he cannot do this, wants to press cancel to take his card back, and this key is glued, it also does not work, and he cannot do anything, take out his card and return it back.

What happens next? The client is annoyed, leaves, maybe to the bank, maybe call the bank and so on. You get out of the ambush, go to the ATM and using the control keys located on the ATM screen, withdraw all the money. But for some reason, most people forget that all control functions are duplicated not only on the ATM keyboard, but also on the screen.

How to protect yourself from this? Well, just remember that if the ATM keyboard does not work for some reason, you can perform all the necessary operations using the buttons on the ATM screen.

Test transactions or how to withdraw $400 instead of $20?
Method 7. Test transactions. You can find a manual for almost any ATM model on the Internet, and many criminals take advantage of this.

Of course, in order to reprogram the ATM and make it perform certain commands, you must know a special code, that is, the developer's password for each ATM. But the trouble is that due to an oversight of ATM installers, i.e. bank employees and programmers, ATM passwords are often left by default, i.e. as they are indicated in the manual.

If an intruder has found instructions for a specific ATM model, using and the bank's programmers have not changed the service password for the ATM, with certain knowledge, you can easily reprogram the ATM and convince it, say, that it is filled with $1 bills instead of $120, and thus you can withdraw the following transactions not $20, but $400 in fact. This method, in principle, does not apply to a nearby person, this is more the fault of the employees of the banks themselves, that is, those installing ATMs.

The "hacker" method or how to hack an ATM.
Method 8. Hacker. Almost all ATMs run Windows, which means they can be infected with a special virus. Of course, this requires opening the ATM lid, connecting a laptop or, even better, a mini-computer to it and reprogramming it, that is, installing your spyware, but in principle, many hackers have access to this, and subsequently, using this program, you can either record all the card data that went through the ATMs during the day, their PIN codes, or simply reprogram the ATM and force it to give out all the money during the next transaction. Of course, you can object that now all ATMs are equipped with video cameras and shock sensors, but in practice it turns out that, firstly, not all ATMs are equipped, and secondly, if they are equipped, then these video cameras and shock sensors are often for some reason disabled.

Hacking an ATM via the Internet, endless money on the card.
Method 9. Hacking via the Internet. You paid with a card in some retail chain. What happens next? Hackers hack the POS terminal network of this retail chain via the Internet and steal data from all cards that went through these POS terminals.

But the good news is that such hacks are available, firstly, only to super-professional hackers. They take several years and, secondly, these hackers, most of them, were simply jailed and they sit mainly in the USA. Also, top-level hackers can easily hack the processing center, say, of a certain bank, and then they get full control over the POS terminals, but much more importantly over the banks of this network.

And they can both steal credit card data and simply reprogram ATMs. For example, lawyer Mironov is now defending a group of professional hackers who gained access to the processing center of certain banks, including Uralsib and other Russian banks, and reprogrammed them in such a way that a person, a special drop, a front man, comes up, withdraws all the money he has from his card, and the guys send a command to the ATM via the Internet to cancel the transactions. It turns out that you withdrew all the money from your card and the transactions were cancelled, and it turns out that the bank returned the same balance to your account.

Thus, they were able to steal more than 1 billion Russian rubles. There are only two methods left, after which I will tell you about precautions if you do not want to lose money from your bank card.

Phishing, why you need to update antiviruses and call the bank in controversial situations.
Method 10. Phishing. All of the above methods mainly involved physical actions with an ATM. Method 10 is probably the simplest and is most often carried out via the Internet. Phishing comes from the distorted English word "fishing". And the essence of the method is that you receive an email, supposedly from your bank or from some large store where you make purchases, where you are offered to use certain tricks to go to the bank's website or the store's website and enter your bank card details, that is, the card number, its expiration date and PIN code.

You unsuspectingly follow the link in the letter, thinking that this email was sent by your bank, and you end up on a website that is almost exactly the same as your bank's website. You enter your card details there and, in principle, they fall into the hands of criminals. Also, when I called a T-bank employee, he said that for these purposes they do not necessarily send an email.

You may get a call from someone who is supposedly an employee of your bank, introduce themselves, or a robot may call you and say a prepared text that, let's say, a suspicious transaction for such and such an amount has been made from your card, well, of course, they will say a large amount so that you immediately panic, and to cancel it, for example, they will require you to enter the card number, expiration date or PIN code.

There are many ways. Hackers can make hacker attacks, call clients and ask you for a card number, like, to participate in a promotion or something like that. They can send you messages like a robot is talking to you and say, let's say, your amount on the card is frozen, send us a PIN code to unblock it. In such cases, call the bank in any case.

You can protect yourself from phishing, and to do this, first of all, you need to update your antiviruses and your Internet browser in a timely manner, because, in principle, antiviruses and browsers constantly maintain a database of phishing sites, and if you go to some fake site that replicates your bank, you may receive a warning.

Secondly, you need to carefully check the address to which you go from a letter supposedly from your bank, because you think, for example, that you are going to the bank.com site, but phishers could use the bank2.com domain, and in this, in principle, if you check carefully, you can notice the difference, and you will already understand that, most likely, this is not the original Sberbank.

And also do not listen to any messages from the alleged bank, calls from the bank, because it almost never happens in life that a bank sends letters or calls you with a request to provide card details or a PIN code. And, as far as I know, phishing is especially common in the USA, where the population is highly law-abiding. People think that if a bank sends a letter, then it is necessary to respond to it, but in principle, each of us can face this, I personally have probably received dozens of such letters more than once.

Cut the ATM with an oxyacetylene torch.
There is also such an exotic way of hiding an ATM as cutting it with an oxyacetylene torch, that is, with special welding. In the CIS, there have already been a dozen such cases, but as you understand, it has not become widespread, because in principle it can be compared in terms of labor intensity, in terms of the degree of danger, with a bank robbery.

Yes, sometimes there are quite impressive sums in the ATM, not uncommonly 200 thousand dollars, but the robbers who cut the back wall of the ATM and try to get the safe, at the same time need to know that the ATM safe is equipped with a special protective device with paint. And if you do not cut the ATM skillfully, then the device will work, accordingly, and all the bills will be dirty, dirty with special paint, and then you will not be able to do much with them.

Yes, and one more thing, as a bonus I will tell you how money can be stolen from your contactless payment card.

How do they steal money from contactless payment cards, wrap the cards in foil?
I think many of you know that the same Visa and MasterCard have contactless cards that allow you to pay for goods up to 1000 rubles without entering a PIN code, that is, MasterCard calls it MasterCard PayPass, and Visa PayWave.

And it looks like this, on the card you can just look for an icon of such a radio wave, here. Yes, of course, contactless payment cards are convenient, but they also conceal one danger. Having paid with a card in a store, you can put it there carefree in the back pocket of your jeans or in the side pocket, in your jacket, the fraudster who is standing near the checkout, he saw where you put the card, and what does he do? He comes up with a mobile terminal, and you could have seen couriers, for example, who bring you pizza, or other delivery people. He comes up, brings his portable terminal to your card at a distance of several centimeters and reads, in fact, steals from your card an amount of up to a thousand rubles. And just imagine how much money can be stolen in a large supermarket in an hour this way.

Yes, of course, the method requires certain costs, because in order to get a portable POS terminal, a fraudster needs to open some company, a limited liability company, that is, spend money on opening it, and then get a POS terminal for it, supposedly the company provides some trade services there. All this takes 100-200 thousand rubles in costs, but in principle it can pay off in 1-2 days.

Therefore, in order to protect your contactless payment card, the Central Bank, for example, recommends wrapping your cards in foil. But as for me, let the Central Bank wrap the cards in foil itself, that is, there are much more convenient ways. And this can be either a wallet that is cloned inside somewhere behind the foil lining. You don’t need to do it yourself, there are quite a lot of special wallets for contactless payment cards on sale now. Or

you can buy a rather stylish beautiful case, metal or plastic, which will be shielded from all sides and, in principle, it will protect all your contactless cards.

TOP 14 precautions for your plastic card
Now let's talk about precautions. If we look at the number of carding and hacking forums today, their number exceeds 30 and the total number of registered members reaches one and a half million.

Of course, many users will have several accounts on each of the forums, but by the roughest estimates, if we discard all duplicate accounts, then at present I would say that in the CIS there are about 300 thousand hunters for your money, for your credit cards first of all. Therefore, it is very important to observe certain precautions when using bank cards. What are they?

1. As I already said, do not write down the PIN code on the card under any circumstances. And if you write it down, do it in some distorted way so that you understand, but the attackers, or the one who steals or finds your card, do not understand.

2. Carefully inspect the ATM or POS terminal where you insert your card. Check the ATM for foreign overlays, the card slot, or the keyboard.

3. When entering your PIN code, be sure to cover the keyboard with your free hand.

4. Do not fall for fraudulent letters and calls supposedly from a bank or a store where you often make purchases. No bank will ever ask you to provide your card details, and especially your PIN code, in a letter or over the phone. And if an employee supposedly from the bank calls you, then under no circumstances should you provide them with your card details, especially your PIN code. It is better to call the bank afterwards and find out whether an employee with that name and surname even works there.

5. All possible problems with the card, for example, it got stuck in the ATM, or something else happened, solve without leaving the ATM. To do this, call the support service of the bank of the ATM owner, or the support service of your bank. And for this, write down the phone number from the back of the card to your mobile phone in advance.

6. When paying with a card, for example, in a store, in a hotel, in a restaurant, in no case let the card disappear from your sight, because the waiter, for example, in a restaurant can very well say that we have a terminal installed there and leave with your card. Of course, now such cases are much less, because all establishments already, in principle, have portable POS terminals, but they still happen a little. And in this case, if the cashier, courier, waiter wants to go somewhere with your card, in this case just follow him, because otherwise he can use a special portable device, it is called a card reader and is no larger than half a matchbox. It can easily copy the dump, that is, the magnetic strip of your card.

7. After paying for the goods at the checkout, be sure to study the average receipt, if there are any extra amounts, because very often it happens either intentionally or by mistake of the cashier that purchases that are not yours are scanned. Therefore, be sure to take the receipt after each transaction with the card and study it without going far from the checkout.

8. Try not to pay with a card in high-risk countries. That is, as I said above, these are Turkey, Egypt, Thailand. Ukraine is also on this list. This is especially true for credit cards, because if your data is stolen, you will be in debt, and even with interest.

9. Do not send card data, that is, the number, its expiration date and the CVV code, which is protective, which is indicated on the back of the card, not encrypted, not in a secure form. That is, do not send it to anyone by e-mail, in messengers, in SMS to relatives or friends.

10. Do not buy with card payment in dubious online stores. Use only official verified large stores with a large number of reviews on third-party portals. Because small stores can be specially designed and placed on the Internet only to steal your card data, they do not conduct any activity and, accordingly, will not send you any goods.

11. And it is better to get a separate card for online transactions, no matter physical or virtual, and put on it only the amount necessary for each specific purchase.

12. Be sure to set up SMS notifications for each transaction, because if money starts disappearing from your card, you will have time to quickly notice and block it, and then reissue the card. As far as I know, almost half of people have SMS notifications for each transaction disabled, so be sure to turn it on, it is not that expensive per month, something around a dollar, be sure to turn it on.

13. It would also be a good idea to set a maximum limit if you make small transactions every day. For example, you spend a maximum of 2,000 rubles per day on your card. Okay, set a maximum daily limit of 2,000, and if you need to make a larger transaction, call the bank directly from the cash register and they will allow you to make a larger transaction after they make sure it is you. Therefore, a daily limit, yes, it may be inconvenient, but it will help protect your money on the card from intruders.

14. And finally, a very important precaution when using cards is to prohibit any transactions on the card that are different from the country of your residence. That is, you live, for example, in Russia, that is, you will allow the use of the card only on the territory of Russia, and if you are going on vacation, for example, to Spain, then you will come to the bank in advance, call or write a statement, I do not know exactly how this is done, and they will allow you to make transactions to a certain country, because most often, when data is stolen from your card, they usually withdraw money not in this country. That is, the card data was stolen in Russia, and the withdrawal takes place somewhere in Israel, in America, or in some other countries. Therefore, it is imperative, yes, to prohibit cards, prohibit transactions on cards in a country other than the country of your residence.

Ask interesting questions, I really like it when you ask interesting questions, and not just write there, the topic is super, cool rules, there is something else. There is still a lot of interesting things ahead. And don't forget that in the case of credit cards, only healthy paranoia will help protect not only your cards and money, but also your nerves. Good luck to everyone!
 
Top