ACCOUNT TAKE OVER
Account take over or simply "ATO" refers to the act of taking over someone's account (Bank or Financial Account). OR
Account-Take-Over is when a fraudster poses as a genuine customer, gains complete control of an account and then makes thousands of dollars in unauthorized transactions, sometimes even maxing out the account and clearing out all the funds available. Lucky for you, I am an expert in ATOing accounts and today I will teach you everything there is to know about this fraud technique.
Now this is where things start to get really interesting, and where the big money lies in. You ever wanted to card thousands of dollars’ worth of electronics and resell them for a quick, big profit? With this method this is completely possible, however that doesn’t necessarily mean it is easy.
To even attempt an "ATO", you will need to understand a couple of things. First of all, is "NEVER" use CVV checkers that charge cards. This will burn cards instantly. personally i recommend You get a good Checker that doesn't charge your cards or charges few bucks like $0.01 cent for dead cards and $0.02 cents for live cards.
In ATOing I personally prefer to simply call the bank myself using a burner phone, spoofed with the CVV holder’s phone and check the balance, credit access line, recent transactions and more using the automated prompts. There are great service that allow you to pay them in BTC. Alternatively, you can use the service Many fraudsters use.
Any transaction that involves an Account-Take-Over are transactions above $300 dollars and up in value. Usually below $2000 however, as most cards will get flagged for transactions above that number regardless of the ATO. You can always make multiple transactions of $1000-$2000 however with ATOed accounts through the span of a few days to a few weeks and max out the card.
If you call a bank using your burner and the automated prompt tells you the account has been closed for security reasons or the system automatically transfers you to an operator when you type the card number, that means the card is dead and useless, ditch it and move on. Keep in mind that some banks will require the victim’s SSN to access the account balance and menu prompt. I recommend that you note down everything the automated prompt will give you including most importantly, the account balance, credit line access and recent transactions (up to 10 in case they ask you for it).
Once you have called the bank and checked everything, you should have the victim’s balance, credit access line and recent transactions. With this information you know how much you can spend on that card. However, there is still one more
obstacle we need to tackle, this is the fact that most high security websites such as Amazon, Ebay, Bestbuy, Neiman Marcus, Stockx, Saks… will refuse to ship to an address that is not in file with the bank. To solve this, we will take over the victim’s account (ATO).
To do this, we will call the bank, talk to an operator and first request a change of the primary phone number. Remember, this will require SOCIAL ENGINEERING, which is something that requires training and experience. Don’t act nervous, act like you own the account. Remember you are the account owner, why would you be nervous? This is your account. Would you ever call your bank and act nervous? I doubt. To do this, you will need to have the following information from your victim in hand and preferably memorized.
• Full CVV number, expiration and, CSC code.
• Full billing address
• Date of birth (and don’t forget to write down his age as well)
• Social Security Number
• Mother’s Maiden Name (if you can’t find this, first try his middle name, and if that doesn’t work then just try guessing using common last names in the background report)
• Background Report
• Closest relatives date of birth (you can get this by carding their background
reports)
• sim swap (if needed).
The most commonly asked tokens are MMN, SSN, DOB, billing address and card details. All the other questions are only available through public records and will not be asked by the first operator you get, only by the FRAUD DEPARTMENT. The Fraud Department is a department that you can be transferred to if you answered any questions wrong from the first operator or if he suspects you are nervous and conducting an ATO on the account, that’s why it is very important to keep cool.
If you try changing the phone number and the bank asks for a one-time passcode that will be sent to the cardholder’s phone, tell them you no longer have access to the primary phone on file with them since it was disconnected recently when you changed phone carriers. Give them your burner number, receive the text and give it to them, that should work fine. If the system does not allow them to send a text to your burner, then they will transfer you to the fraud department. At this point, I recommend you hang up the phone as soon as they put you on hold, since the fraud department will most likely not be able to conduct the change on the account either and they will end up burning the card by telling you they will give you a call back in 24-48h and they will first try the card holder obviously. Hang up and let’s try another way.
At this point you have 2 choices. Either conduct a SIM swap on the victim’s phone number by calling his phone carrier and claiming your SIM was damaged/stolen/lost and you need to port it to a new phone you just bought with a new SIM (this will require all the details needed to conduct an ATO as well and if they ask you for the account PIN just tell them you forgot, which will lead them to asking you security questions on the account or trying some other way, which should work fine if you have the required information on your victim). This will also require a NEW BLANK SIM FROM THE CARDHOLDER’S CARRIER.
TRICKS & EXTRA TIPS
Your next option is a little tricky and you will require 2 burner phones. First, you will call the bank with the first burner and tell them to send the one-time passcode, however before you tell them to send the passcode you will have to tell them to hold for 5 minutes while you get your cellphone since you don’t have it with you at the moment, during that hold call the cardholder with your 2nd burner number SPOOFED to the bank’s toll free support number (e.g. 1-800-935-9935) and social engineer him into giving you the one time passcode, you will have to be fast with this. Below is an example of how the dialogue would play out.
• “Hello there, may I speak with Mr. Joe castateen please?”
• “Speaking”
• “Hi there, this is Terry johnson calling on behalf of J.P. Morgan Chase Bank Fraud Department, we are calling you to conduct an identity verification as we have noticed some unusual activity on your account lately, did you call us to change your primary billing address on file?”
• “What? NO! I didn’t try to change my address, what is happening??”
• “Okay Mr. Castateen, nothing to worry about, I would like to first apologize to you for this inconvenience on behalf of Chase and its partners, but apparently someone has tried to impersonate you and change the primary billing address on your account on file with us. Would you please verify your identity for me by receiving a one-time passcode and telling me what that passcode is?”
• “Yes, go ahead”
• “Okay, thank you for your patience and understanding Mr. Castateen, I will have to put you on a brief hold while I send you the one-time passcode. Please keep in mind Chase will not charge you for the text message, but additional charges may be incurred depending on your phone provider.”
• “Okay”
• At this point, put him on “hold”, and get back to your first burner to talk with the bank operator again. Tell him okay I have the phone now, you can send the text message. He will proceed to send the text message to the victim’s phone. Then, you tell him to wait a little bit while you receive the text on your cellphone and get back to your 2nd burner where the victim is on hold.
• “Hello there Mr. Castateen, thank you for your patience, I have just sent the one time passcode to your phone, please keep in mind the code is only valid for 5 minutes.”
• “Okay, I got it, the passcode is 023847027.”
• “Thank you very much Mr. Castateen, give me one second here while I verify your identity with that code.”
• Get back to the bank operator, give him the code he told you and there you go, you have just changed your phone number on file with the bank. Hang up the call and get back to Mr. Castateen.
• “Alright Mr. Castateen, seems like we have you all verified now. Thank you very much for your cooperation and again, we are very sorry for this inconvenience. Do you have any further questions for me?”
• “No, thank you”
• “Awesome, have a great day Mr. Castateen and thank you for banking with Chase”
This dialogue will obviously not go exactly like this, however, if you have all the victim’s information it should be very easy to social engineer him. You can even change this up, and create your own method.
Once you have changed the phone number, let the account sit for at least some days. During that time, create an account with the .edu email and navigate the website every day for 30 minutes to 1 hour, look at the products, click on them, add them to cart, read reviews, ask questions ext. Act like a real shopper. Remember, some websites have really good fraud systems in place and think of literally everything, so you really have to be smart with this to trick them into thinking you are a legit shopper. Then you call back the bank and change the billing address on file. You can also choose to ADD an additional address to the account, it is really up to you. Again, to change this, have the victim’s most commonly asked tokens in hand (SSN, MMN,DOB, billing address, and your burner phone number since it is now the primary one). Once your identity is verified with the tokens and you are inside the account, rell the operator you have recently moved out of your address and would like to update it. They will most likely ask you for the one-time passcode again, but this time this should be a no-brainer since you have the primary phone number on the account set up to your burner and the text will be sent there. Give them the code and update the address, simple as that.
Now once you have changed the billing address, wait 1 day and make the purchase on the website of your choice. Try to keep it under $2000, or the system may flag it immediately, especially since the cardholder never makes such high value purchases. Enter all the information correctly, your drop address that is now the billing address on file with the bank, and your billing phone number that is the same with the bank as well. Make both shipping and billing addresses the same, this is CRUCIAL. Triple-check everything for accuracy.
You might be greeted by a Verified by Visa or MasterCard SecureCode prompt, however this should be very easy to bypass if you have the required information on the cardholder.
At this point, your order will go through and either one of two things can happen.
1. The order goes through smoothly without any problem, and becomes
“pending”. You should’ve received an order confirmation email as well.
2. The transaction gets declined and the website says you need to call your bank. In this case, call the bank and the automated prompt will act as if the card is burnt (transfer you to an operator automatically) and a fraud agent will answer. Tell them you authorized the transaction, but is not sure why it was declined. If you have ATOed the account correctly, then this should be very easy. He may ask you some questions in relation to the victim’s background report, but that should be easy to answer as well if you have all the required information. When the agent tells you are all good to go, submit the order again on the website and this time it should go through. REMEMBER TO CALL AS SOON AS YOU GET THE DECLINED TRANSACTION OTHERWISE THE BANK WILL RING THE CARDHOLDER AT THE OLD NUMBER AND YOUR CARD WILL BE BURNT TO A CRISP!
3. At this point you are all good to go and your order should be in “pending” status. You should’ve also received an order confirmation email and will soon receive an email that your order has been shipped. SUCCESS!
CONCLUSION:
However, ATOing is not as easy as it seems but I hope this guide will help with some knowledge on how to do ATOing.
Have a good one.
GOOD LUCK!
Account take over or simply "ATO" refers to the act of taking over someone's account (Bank or Financial Account). OR
Account-Take-Over is when a fraudster poses as a genuine customer, gains complete control of an account and then makes thousands of dollars in unauthorized transactions, sometimes even maxing out the account and clearing out all the funds available. Lucky for you, I am an expert in ATOing accounts and today I will teach you everything there is to know about this fraud technique.
Now this is where things start to get really interesting, and where the big money lies in. You ever wanted to card thousands of dollars’ worth of electronics and resell them for a quick, big profit? With this method this is completely possible, however that doesn’t necessarily mean it is easy.
To even attempt an "ATO", you will need to understand a couple of things. First of all, is "NEVER" use CVV checkers that charge cards. This will burn cards instantly. personally i recommend You get a good Checker that doesn't charge your cards or charges few bucks like $0.01 cent for dead cards and $0.02 cents for live cards.
In ATOing I personally prefer to simply call the bank myself using a burner phone, spoofed with the CVV holder’s phone and check the balance, credit access line, recent transactions and more using the automated prompts. There are great service that allow you to pay them in BTC. Alternatively, you can use the service Many fraudsters use.
Any transaction that involves an Account-Take-Over are transactions above $300 dollars and up in value. Usually below $2000 however, as most cards will get flagged for transactions above that number regardless of the ATO. You can always make multiple transactions of $1000-$2000 however with ATOed accounts through the span of a few days to a few weeks and max out the card.
If you call a bank using your burner and the automated prompt tells you the account has been closed for security reasons or the system automatically transfers you to an operator when you type the card number, that means the card is dead and useless, ditch it and move on. Keep in mind that some banks will require the victim’s SSN to access the account balance and menu prompt. I recommend that you note down everything the automated prompt will give you including most importantly, the account balance, credit line access and recent transactions (up to 10 in case they ask you for it).
Once you have called the bank and checked everything, you should have the victim’s balance, credit access line and recent transactions. With this information you know how much you can spend on that card. However, there is still one more
obstacle we need to tackle, this is the fact that most high security websites such as Amazon, Ebay, Bestbuy, Neiman Marcus, Stockx, Saks… will refuse to ship to an address that is not in file with the bank. To solve this, we will take over the victim’s account (ATO).
To do this, we will call the bank, talk to an operator and first request a change of the primary phone number. Remember, this will require SOCIAL ENGINEERING, which is something that requires training and experience. Don’t act nervous, act like you own the account. Remember you are the account owner, why would you be nervous? This is your account. Would you ever call your bank and act nervous? I doubt. To do this, you will need to have the following information from your victim in hand and preferably memorized.
• Full CVV number, expiration and, CSC code.
• Full billing address
• Date of birth (and don’t forget to write down his age as well)
• Social Security Number
• Mother’s Maiden Name (if you can’t find this, first try his middle name, and if that doesn’t work then just try guessing using common last names in the background report)
• Background Report
• Closest relatives date of birth (you can get this by carding their background
reports)
• sim swap (if needed).
The most commonly asked tokens are MMN, SSN, DOB, billing address and card details. All the other questions are only available through public records and will not be asked by the first operator you get, only by the FRAUD DEPARTMENT. The Fraud Department is a department that you can be transferred to if you answered any questions wrong from the first operator or if he suspects you are nervous and conducting an ATO on the account, that’s why it is very important to keep cool.
If you try changing the phone number and the bank asks for a one-time passcode that will be sent to the cardholder’s phone, tell them you no longer have access to the primary phone on file with them since it was disconnected recently when you changed phone carriers. Give them your burner number, receive the text and give it to them, that should work fine. If the system does not allow them to send a text to your burner, then they will transfer you to the fraud department. At this point, I recommend you hang up the phone as soon as they put you on hold, since the fraud department will most likely not be able to conduct the change on the account either and they will end up burning the card by telling you they will give you a call back in 24-48h and they will first try the card holder obviously. Hang up and let’s try another way.
At this point you have 2 choices. Either conduct a SIM swap on the victim’s phone number by calling his phone carrier and claiming your SIM was damaged/stolen/lost and you need to port it to a new phone you just bought with a new SIM (this will require all the details needed to conduct an ATO as well and if they ask you for the account PIN just tell them you forgot, which will lead them to asking you security questions on the account or trying some other way, which should work fine if you have the required information on your victim). This will also require a NEW BLANK SIM FROM THE CARDHOLDER’S CARRIER.
TRICKS & EXTRA TIPS
Your next option is a little tricky and you will require 2 burner phones. First, you will call the bank with the first burner and tell them to send the one-time passcode, however before you tell them to send the passcode you will have to tell them to hold for 5 minutes while you get your cellphone since you don’t have it with you at the moment, during that hold call the cardholder with your 2nd burner number SPOOFED to the bank’s toll free support number (e.g. 1-800-935-9935) and social engineer him into giving you the one time passcode, you will have to be fast with this. Below is an example of how the dialogue would play out.
• “Hello there, may I speak with Mr. Joe castateen please?”
• “Speaking”
• “Hi there, this is Terry johnson calling on behalf of J.P. Morgan Chase Bank Fraud Department, we are calling you to conduct an identity verification as we have noticed some unusual activity on your account lately, did you call us to change your primary billing address on file?”
• “What? NO! I didn’t try to change my address, what is happening??”
• “Okay Mr. Castateen, nothing to worry about, I would like to first apologize to you for this inconvenience on behalf of Chase and its partners, but apparently someone has tried to impersonate you and change the primary billing address on your account on file with us. Would you please verify your identity for me by receiving a one-time passcode and telling me what that passcode is?”
• “Yes, go ahead”
• “Okay, thank you for your patience and understanding Mr. Castateen, I will have to put you on a brief hold while I send you the one-time passcode. Please keep in mind Chase will not charge you for the text message, but additional charges may be incurred depending on your phone provider.”
• “Okay”
• At this point, put him on “hold”, and get back to your first burner to talk with the bank operator again. Tell him okay I have the phone now, you can send the text message. He will proceed to send the text message to the victim’s phone. Then, you tell him to wait a little bit while you receive the text on your cellphone and get back to your 2nd burner where the victim is on hold.
• “Hello there Mr. Castateen, thank you for your patience, I have just sent the one time passcode to your phone, please keep in mind the code is only valid for 5 minutes.”
• “Okay, I got it, the passcode is 023847027.”
• “Thank you very much Mr. Castateen, give me one second here while I verify your identity with that code.”
• Get back to the bank operator, give him the code he told you and there you go, you have just changed your phone number on file with the bank. Hang up the call and get back to Mr. Castateen.
• “Alright Mr. Castateen, seems like we have you all verified now. Thank you very much for your cooperation and again, we are very sorry for this inconvenience. Do you have any further questions for me?”
• “No, thank you”
• “Awesome, have a great day Mr. Castateen and thank you for banking with Chase”
This dialogue will obviously not go exactly like this, however, if you have all the victim’s information it should be very easy to social engineer him. You can even change this up, and create your own method.
Once you have changed the phone number, let the account sit for at least some days. During that time, create an account with the .edu email and navigate the website every day for 30 minutes to 1 hour, look at the products, click on them, add them to cart, read reviews, ask questions ext. Act like a real shopper. Remember, some websites have really good fraud systems in place and think of literally everything, so you really have to be smart with this to trick them into thinking you are a legit shopper. Then you call back the bank and change the billing address on file. You can also choose to ADD an additional address to the account, it is really up to you. Again, to change this, have the victim’s most commonly asked tokens in hand (SSN, MMN,DOB, billing address, and your burner phone number since it is now the primary one). Once your identity is verified with the tokens and you are inside the account, rell the operator you have recently moved out of your address and would like to update it. They will most likely ask you for the one-time passcode again, but this time this should be a no-brainer since you have the primary phone number on the account set up to your burner and the text will be sent there. Give them the code and update the address, simple as that.
Now once you have changed the billing address, wait 1 day and make the purchase on the website of your choice. Try to keep it under $2000, or the system may flag it immediately, especially since the cardholder never makes such high value purchases. Enter all the information correctly, your drop address that is now the billing address on file with the bank, and your billing phone number that is the same with the bank as well. Make both shipping and billing addresses the same, this is CRUCIAL. Triple-check everything for accuracy.
You might be greeted by a Verified by Visa or MasterCard SecureCode prompt, however this should be very easy to bypass if you have the required information on the cardholder.
At this point, your order will go through and either one of two things can happen.
1. The order goes through smoothly without any problem, and becomes
“pending”. You should’ve received an order confirmation email as well.
2. The transaction gets declined and the website says you need to call your bank. In this case, call the bank and the automated prompt will act as if the card is burnt (transfer you to an operator automatically) and a fraud agent will answer. Tell them you authorized the transaction, but is not sure why it was declined. If you have ATOed the account correctly, then this should be very easy. He may ask you some questions in relation to the victim’s background report, but that should be easy to answer as well if you have all the required information. When the agent tells you are all good to go, submit the order again on the website and this time it should go through. REMEMBER TO CALL AS SOON AS YOU GET THE DECLINED TRANSACTION OTHERWISE THE BANK WILL RING THE CARDHOLDER AT THE OLD NUMBER AND YOUR CARD WILL BE BURNT TO A CRISP!
3. At this point you are all good to go and your order should be in “pending” status. You should’ve also received an order confirmation email and will soon receive an email that your order has been shipped. SUCCESS!
CONCLUSION:
However, ATOing is not as easy as it seems but I hope this guide will help with some knowledge on how to do ATOing.
Have a good one.
GOOD LUCK!
