CARDING, SKIMMING AND THE UNDERGROUND ECONOMY OF FRAUD

[Brother]

Plastic payment cards, such as credit and debit cards, are highly popular and convenient cash alternatives, widely accessible to people across most of the world. Their portability and ease of use make them a favored choice for financial transactions. This efficiency is supported by a vast, interconnected network of computers. However, where there's technology, there's also the risk of hacking.

Payment card frauds have raised significant privacy and authenticity issues among users, especially in recent years. Numerous well-known retail chains and brands have fallen victim to these frauds. The lucrative nature of this crime has drawn major cybercriminals, who form sophisticated networks to execute these thefts. These crimes, primarily driven by financial gain, often involve a lengthy process from data theft to actual fraudulent activities. This paper delves into the workings of this fraud network and its significant impact on the electronic payment industry.

Key Terminologies

1. Credit/Debit Card: A financial tool, often termed as 'plastic cash', utilized for purchasing goods. A Debit card is linked to the user's bank account, allowing purchases up to the account balance. A Credit card, conversely, functions as a short-term loan for purchases, with the bank initially covering costs and later reclaiming them from the user. Credit cards have a predefined spending limit.
2. PIN (Personal Identification Number): A unique numeric code for verifying the card owner's identity.
3. CVV/CVV2: A 3 or 4-digit number on the card, serving as an extra security measure for validating the cardholder.
4. BIN (Bank Identification Number): The initial six digits of the card, identifying the issuing bank and, in some cases, the card type.
5. Card Brands: These are authorized entities whose networks enable the interaction between acquirer and issuer banks. Notable brands are Visa, Mastercard, and American Express (Amex). Each brand has distinct starting numbers for their cards: Visa cards begin with 4, Mastercard with 5, and Amex (which are 15 digits) with 3. A detailed list is provided later in the document.
6. Buyer/Consumer: The individual holding the card, who makes purchases and pays through the card.
7. Merchant: The provider of goods and services who accepts card payments.
8. Acquirer Bank: The financial institution that processes credit card transactions for merchants.
9. Issuer Bank: The bank that issues the credit card to consumers.
10. POS (Point Of Sale): These are the devices used to execute financial transactions between buyers and merchants through card reading.
11. Magnetic Strip: A black strip on the card's rear, storing essential data for financial transactions.
12. Tracks: The magnetic strip contains information on Tracks 1, 2, and 3. Tracks 1 and 2 usually hold details like account number and owner name. Track 3, an optional track, is used for additional data storage.
13. Card Dumps: These are the unencrypted data retrieved from the temporary storage (RAM) of Point Of Sale (POS) devices. Card dumps include information from Tracks 1 and 2, which are read by the POS device during transactions.
14. Card Reader/Writer: This is a combination of hardware and software used for encoding data onto the magnetic strip of a plastic card. The MSR-206 is a widely recognized encoder for this purpose.
15. Carder: An individual who engages in fraudulent transactions using stolen credit or debit card information.
16. Runner: A person or group responsible for using counterfeit cards to withdraw cash from ATMs.
17. Dropper: The designated location or individual tasked with receiving goods bought online. The Dropper's role is to collect these items and deliver them to the carder, often in exchange for cash or other goods.
18. Shopper: This refers to individuals or groups who make in-store purchases using counterfeit cards, often accompanied by fake IDs to add legitimacy to their fraudulent activities. Carders themselves can act as shoppers or runners.
19. EMV (Europay, Mastercard, and Visa): These are Chip-and-Pin cards that represent a more secure alternative to traditional swipe cards, encrypting data on a chip. However, even with encryption, POS malwares can potentially extract this data once it's decrypted in the memory.
20. Contactless RFID Cards: An advancement over traditional magnetic strip cards. RFID (Radio-Frequency Identification) enabled cards allow buyers to make payments by simply waving the card near a POS terminal.

Processing of Credit Card Payments

Credit card transactions undergo several stages before the completion of payment. These are the key steps involved in a credit card transaction:

1. Authorization: This step initiates when cardholders opt to make purchases using their credit card. The merchant forwards the transaction request to the acquiring bank. The acquirer then relays this request through the cardholder's card brand network to the issuing bank. The issuer responds with authorization codes, which are sent back through the card brand's network to the acquirer, and then to the merchant. If authorized, merchants proceed to provide the cardholder with the requested goods or service.
2. Batching: At the end of each day, merchants compile all authorized sales into a batch. This batch is sent to the acquirer through payment service providers, in order to receive payment.
3. Clearing: The acquirer dispatches the batch through the card brand's network to the issuers, requesting payment. The card brand's network segregates each transaction for the appropriate cardholders. Subsequently, issuers transfer the funds requested through the card brand's network back to the acquirers.
4. Funding: The acquiring bank transfers the payment to the merchant via the payment service provider. The merchant's account is then credited with the payment amount.

These steps provide a basic framework for how payments are processed using credit cards. Alongside these, there are various other authorization processes involved, but these four stages form the essential components of the transaction phases.

With this foundational understanding of the plastic card payment system and its interconnections, the discussion can progress to more technical aspects such as stolen data dumps, steps in fraudulent transactions, identification of vulnerabilities, etc. Before delving into these, a brief overview of common methods used by hackers to extract critical payment data is also beneficial.

Types of CC Fraud

Credit card theft typically unfolds in three distinct phases:

• Reconnaissance
• Attack
• Selling

In the initial Reconnaissance phase, the perpetrator assesses the environment targeted for attack, seeking vulnerabilities to exploit in crafting their strategy. The Attack phase commences once these vulnerabilities are pinpointed. Key techniques employed in this stage include keylogging, phishing, exploiting vulnerabilities, and using Point of Sale (POS) memory scraping malware, with the latter being particularly prevalent. POS memory scraping directly impacts devices central to processing card-based payments, making it a favored method among attackers.

A delivery mechanism is needed for the POS malware to infiltrate the system. Phishing and exploiting vulnerabilities are commonly used to establish such a mechanism. Additionally, insider threats play a significant role in the infection of POS terminals. Given its prominence in the current fraud landscape, it's important to briefly discuss POS malwares. These are the primary tools empowering cybercriminals to target major retail chains and brands globally.

POS Malware

Point of Sale (POS) terminals serve as the central processing units during card-based transactions between a buyer and a seller. Specialized malware, known as POS malware, is designed to extract data from these terminals' main memory. The objective is to capture the unencrypted data temporarily stored in the terminal's primary memory (RAM) during the processing of a credit or debit card for payment.

A common misconception about POS devices is that data transmission always occurs in an encrypted format. While this is generally true, there is a brief interval when the POS terminal initially reads the card data and stores it in plain text in its primary memory, before re-encrypting it. It is during this critical window that POS malware operates, extracting the information from the memory.

This article briefly outlines the key characteristics and steps of Point of Sale (POS) malware, which are instrumental in facilitating fraud involving plastic cards. A comprehensive analysis of the technical intricacies of POS malware is beyond its scope, but the following points highlight its major features:

1. Basic Malware Functionalities: POS malware encompasses standard malware capabilities like data exfiltration over networks, collecting system information, communication with command and control (C&C) servers, and a kill switch for self-removal from infected systems.

2. Targeted Purpose: The primary objective of these malwares is to scrape memory data from terminals, specifically focusing on card data.

3. Process Identification and Scrapping: The malware scans all processes in the device memory, comparing them against a local database to determine which processes to target or ignore for data scraping.

4. Data Extraction Techniques: After identifying relevant processes, the malware uses custom functions or regular expressions to extract credit card data (Track 1 and 2 information) from the memory.

5. Data Storage and Exfiltration: The scraped data is stored on the disk in a specific location. When the malware detects a live network connection and can reach its C&C server, it transmits the stored file (which may be encrypted or unencrypted) to the server, thereby successfully completing data exfiltration.

Having established an understanding of how POS terminals are compromised and data is stolen, it is now pertinent to examine the nature of the data that POS malware extracts, its appearance, and the manner of its interception. The example provided demonstrates the format of data sent by a POS malware to its Command and Control (C&C) server:

• Track 1 Example: An example of Track 1 data is "B4096654104697113^ABHINAV/SINGH^08061012735900521000000".
• Track 2 Example: An example of Track 2 data is "361344212572004=0512052335136; ABHINAV/SINGH".
• Combined Track 1 and Track 2 Example: An example of combined data is "4411037117155348=14111010000013500000; B4411037117155348^ABHINAV/SINGH^14111010000000135000000?".
• Additional Data Formats: Additional data examples include strings like "165430 | 134884 | 2 | 4921817934747226 | 4 | 2008 | 3 | 2010 | | 662 | ABHINAV SINGH | 10 | VARUNA APP | VARANASI | PO139UX" and "468442/ 165337 | 134815 | 2 | 4921817809597243 | 3 | 2008 | 2 | 2010 | | 185 | ABHINAV SINGH | 10 | VARUNA | VARANASI | PR4 3HB | | lancs 01436672207".

At first glance, this data may appear as a random series of numbers and text. However, to properly understand this data, it is essential to delve into the structure of a magnetic strip and the specific format used to store data across its various tracks.

Track 1 and 2 Block Diagram

Magnetic strips are logically divided into tracks or records that is used for storing the data required during financial transaction. The logical placement is shown in the following diagram.

Tracks on magnetic strips are arranged sequentially, with Track 1 followed by Tracks 2 and 3, and data reading occurs in this order. Track 1 and Track 2 primarily store vital data, while Track 3 is used for optional data. Depending on the bank's preference, financial details may be stored on either Track 1 or Track 2. Both these tracks adhere to specific formats for data storage. To comprehend how data is stored and read on these tracks, it is helpful to examine the block diagram of both Track 1 and Track 2.

Both Track 1 and Track 2 on magnetic strips store information in distinct blocks, each representing a specific value with a particular storage limit, separated by delimiters. Analyzing an example of Track 1 data, based on the fields outlined in the block diagram, provides insight into this structure:

• Track 1 Example: "B4096654104697113^ABHINAV/SINGH ^08061012735900521000000?"
• In this example, omitting values for SS and FC, the first seventeen characters ("B4096654104697113") represent the Bank Account number, followed by a field separator ("^") and the Account holder’s name ("ABHINAV/SINGH"). The subsequent four characters ("0806") denote the card's expiry date in YYMM format. The following digits are the Service code ("1012735900") and Identification number ("521"), with additional digits filling the remaining bytes.

Track 2 data can be similarly interpreted. Notably, Track 1 data alone is often sufficient in cases involving card dumps, as it contains enough information to be converted into Track 2 data. Tools like Trackgenerator.net provide online services for such conversions. Most online carding forums deal in Track 2 data.

To summarize the discussion so far, the paper has explored how plastic payment networks operate, the various threats posed to electronic payments, and a focus on POS malwares and the type of information they extract. The next section will delve into how this stolen information becomes central to an increasingly profitable realm of cybercrime.

The Carding Ecosystem

The cybercrime ecosystem related to credit card fraud is structured around three major steps:

1. Attack: This step, already explored in detail, involves malware authors and hackers designing various attack vectors to pilfer crucial customer payment data.
2. Sell: The next phase involves establishing a marketplace for the stolen data.
3. Shop: This step will be discussed further in the context of the cybercrime ecosystem.

Having already delved into the intricacies of crafting attack vectors to steal payment data, the focus now shifts to the second step: setting up a virtual 'shopping mall' for the trafficked data. This step is a pivotal component in the cycle of credit card fraud, facilitating the distribution and monetization of stolen data within the cybercrime network.

Carding forums

Crdpro.cc, ASCarding, Blackbones and Carder are specifically related to carding and/orfraud. Cracked. Nulled, and CryptBB are related but focus more on hacking. Most carding forums are scams.

Dedicated websites for selling credit and debit card data, are essential hubs in the cybercrime ecosystem for credit card fraud. These forums connect a wide range of participants, from novices to seasoned professionals who have embraced carding as a full-time occupation.

The design and format of these forums are generally similar, but they are distinguished by their sources of card data, or 'dumps'. For example, the forum rescator.su gained notoriety for selling data stolen from the Target retail store breach, as reported by krebsonsecurity.com. Following this forum over several months revealed key changes in its selling model in response to customer feedback and process improvement:

1. Classification by Card Brand: Initially, dumps were categorized by card brands like Visa, Mastercard, Amex, etc.
2. Additional Filters: Later, more specific filters were added, such as dumps with particular details or from a specific country. Premium card types like Signature and Platinum were priced higher.
3. City-Specific Filters: The city of origin for card details was also incorporated as a filter, recognizing the importance of localized card usage.
4. Fraud Detection Countermeasures: Banks and payment networks continuously monitor transactions for fraud, making overseas or out-of-city usage of cards without notification a trigger for detection. Hence, the relevance of buying dumps from specific countries and cities.
5. Success Rate Feature: An interesting addition was a feature that rates the success chance of a card based on factors like age of the dump, proximity to its expiry date, and card status (e.g., platinum, titanium). Cards with lower success rates were sold at lower prices.
6. Once stolen card details become available for sale, the focus shifts to the buyers of these details. Key aspects of a buyer's role in this ecosystem include:
7. Buyer profiles on these forums range from beginners to experienced and regular customers. Both buyers and sellers enhance their reputation through loyalty and frequent interactions.
8. Buyers have the choice to purchase either individual card details or a collection of multiple, unsorted details known as dumps. There is also a category named “Fullz,” which includes cards with comprehensive details like CVV, country, and city.
9. Buyers can use various filters previously mentioned (such as card brand, country, city) to select credit cards that meet their specific needs. For example, a fraudster in Singapore might prefer to buy dumps from Singapore or the Asian region to avoid detection for overseas usage.
10. For payments, buyers commonly use cryptocurrencies, with Bitcoin being the most popular, providing additional anonymity to the parties involved in selling dumps.
11. The pricing of cards and dumps depends on their freshness and type. On average, a single Mastercard or Visa platinum card can range from $15 to $50. Purchasing dumps, which involves buying in bulk, is usually cheaper. The price for dumps varies between $50 to $200, typically containing about 10 card details. Bulk purchases of multiple dumps can cost between $600 to $5,000, depending on the quantity and quality.
12. To ensure anonymity and avoid traceability, the download link for the dumps or card details is often provided through a TOR-based onion routing network or via IRC channels.

This is how the buyer gets introduced into this ecosystem and from here on, the buyer is the main driving element of the entire fraud ecosystem. Now the big question comes up is what would buyer do with the raw dumps supplied by the seller. The buyer now has two distinct options:

• Online Carding
• Offline/In-store Carding

Online Carding

Online carding is the process of using the stolen credit card details for purchasing goods online. This step involves some pre-steps before the buyer can go online and use the purchased card details for shopping. The first and the foremost important thing is knowing the CVV number. Most carding forums usually sell CVV details as well along with the card details. In case the CVV is not present, the buyer will have to follow some additional steps in order to obtain CVV number from the original owner of the card. These steps might include Phone phishing; fake postal mails asking for card verification etc. Buying “Fullz” is the most preferred option for online carding as It has all the required details.

Once the CVV is available to the buyer, he now needs to figure out cardable websites. Cardable websites are those website that meet the following criteria:

1. Making sure that the website’s terms and conditions do not specifically ship items only to the card’s registered address. It should ship to other shipping address mentioned during purchase as well.
2. Making sure that International shipping is allowed.
3. The next thing to look for is weather the website has Visa verification code or Mastercard secure code enabled. This is a two-step authentication where the payment gateway asks for a secure code before proceeding with payment. The card owner only knows this secure code.
4. Check for additional security measures like card scans, delivery at door even when there is no one home, call backs to confirm item payment etc.
5. It is not easy to find such websites but professional fraudsters are good at finding work around. Several Gambling and online casino websites usually don’t have such strong security measures thus giving a good scope for fraudsters to add money to their gambling account. Buying porn website subscriptions, buying crypto currency, online betting and gaming are few other popular ways of using CC for online carding. Underground forums are a good place for finding new and updated list of cardable websites. The community is tightly knitted and carders keep posting their findings into these forums to make sure that the ecosystem is ticking.

Offline/In-store Carding

Offline carding or in-store carding is far more interesting and involves a much larger group to perform it successfully. As its name suggests, offline or in-store carding means swiping the counterfeit cards at the actual stores or POS terminals to make purchases. In order to do this, the buyer must convert his dumps into plastic cards. The buyer can either do it himself if he has the required hardware and software or he can again head back to his dark web to let third party do this for him. There are specific stores in the dark web forums that specialize in creating counterfeit cards using the dump data. They provide a wide variety of options based on card brands, genre etc. Their neatness and enhanced customization make them a vital part of this fraud ecosystem. But at times, there are chances of a double fraud where the fake card generating store might run away with your dump details thus leaving you with nothing. Reputation is the key to this fraud system.

Many professional carders prefer generating counterfeit cards in-house to avoid leakage of their purchased dumps. In order to do this, there are some specific hardware and software requirements:

• Plain plastic cards or fake counterfeit cards without any data on magnetic strip.
• Magnetic card reader/writer.
• Software to write Track 1, 2, and 3 data onto the plastic cards.

Briefly, the following steps are involved in generating counterfeit cards using the above mentioned requirements and purchased CC details:

The process begins by purchasing counterfeit cards or plain plastic cards with magnetic strips.

1. Once the card is available, the carder requires a combination of Encoder hardware and software to write data onto the magnetic strip. There are multiple variants of hardware available readily on popular e-commerce websites and underground hacking forums. The most popular encoder amongst the community is the MSR206. It works fine with most versions of OS and is compatible with popular encoding softwares like “thejerm” and “Exeba”.
2. The process of writing data to the Magnetic strip is very much self-explanatory. The carder needs to provide Track 1 or Track 2 or both track information from the dumps into the encoder software.
3. Once the software is provided with these details, the hardware needs to be set up and the card needs to be properly placed in the encoder hardware. Once the writing process is complete, the card is now ready for shopping.
4. There are some additional precautionary steps taken by carders, for example:
5. Generating a fake signature at the back of the card for verification.
6. Generating a fake ID. In case of large purchases, the shop might ask for a valid ID proof before accepting the card.
7. Having backup cards or cash in case the presented card payment fails. This would make the purchase look genuine to the merchant.
8. Offline or in-store carding may sound a bit risky but it has a better success rate compared to online carding. Swipe and use is a convenient mode of payment for the merchants as well, so they usually do not look at such card usage as suspicious. On the contrary, online shopping involves computer-based authentication and authorization, so the chances of failure are high.

Carders also keep an eye on finding out ways for a more risk-free offline carding. Some of the most discussed and widely used techniques include:

• Using the card at self-service gas stations or self-service grocery stores. Usually, there is no payment machine supervisor present at the self-service payments, and the carder can easily swipe even a white plastic card and make the payment.
• Choosing stores that do not have enough security measures like CCTV camera or the supervisor is not very active in checking the card and ID before payment.

Specialized Services in the Fraud Ecosystem

In the credit card fraud ecosystem, there are specialized services that reduce the overall burden of running the entire process single-handedly. Individuals and groups providing these services work as partners with carders and form a close-circled group to run the business model, with profits shared based on each participant's role. The three most important specialized services are:

1. Runners: Runners bear significant risk by making fraudulent transactions from counterfeit cards obtained from carders. Their main target is ATM withdrawals, providing immediate hard cash. Runners often generate multiple fake debit cards with the same details for withdrawals from different locations simultaneously. Additionally, they might use services like PayPal or Western Union to transfer funds into fake accounts, which they then withdraw or transfer to the buyer's account. Runners typically charge between 40 to 60 percent of the stolen money for their services.
2. Droppers: Droppers provide a solution for carders who need a shipping address that can't be traced back to them for online purchases. They might rent an apartment or use a PO Box, providing fake details to avoid tracking. Droppers may work with multiple carders and charge between 30 to 50 percent of the product's value. Sometimes, they may request a specific product order in return for their services.
3. Shoppers: Shoppers specialize in purchasing goods using counterfeit cards provided by the carders. They are skilled at conducting nervousness-free shopping, avoiding suspicion. In case of authentication failure, they have fail-safe techniques to dodge payment supervisors. Shoppers are in high demand as they involve lesser risk compared to other services, and carders pay them a profit cut in the range of 10 to 20 percent for the goods purchased. The profit margin for shoppers depends on the type and value of the items they are asked to purchase.

The point to note here is the organized way in which this entire fraud ecosystem has been built up. The high profit margin and scope of evasions has attracted almost all the major cyber criminals into this ecosystem. This kind of balanced and optimized model is not set up overnight. It involves a series of progression and development. Whatever we just now learnt is not new. This payment fraud ecosystem has existed for years under our nose and it still continues to foster. In the closing few pages, I would like to discuss about the economics involved in this fraud ecosystem, its challenges and possible solutions in order to remediate these threats

Money Flow

This entire fraud ecosystem is motivated by financial gains hence money is an important factor in this system. We already have a fair amount of understanding of how the stolen details are pushed to online shops and how the fraudsters are using it to conduct fraud. Let us revise the entire flow again and add the financial instance to the entire process.

The top of the pyramid comprises of the originators or the creators of the attack vector. They include POS malware authors, phishing attackers, insider threats etc. At the beginning of the stage, there is not enough investment or return involved in terms of money. The attackers spend their resources and time into crafting the perfect attack vector in order to gain privileged access.

Once the attack is successful, the attackers start listening to the incoming data to find something meaningful out of it. Once they have their wealth of information, they begin cashing on their hard work. The attackers have two options: to either set up their own shop or reach out to an already reputed carding shop in the underground network that has trusted customer base.

Based on the amount of credit card data that the attackers have to offer, they reach to a settlement with the forum owners for a fixed amount of money. This is the point where money gets added into this ecosystem. Now a significant amount money has been invested by the card forum owners, they would look to make return over their investments.

Before releasing the dumps for the public to buy, the forum owners first reach out to their trusted circle of carders who work full time into this business. The reason they do this is because a silent release of dumps will give their trusted circles an upper hand into quickly making profit and they would be willing to pay a descent amount for getting an upper hand at a fresh set of dumps.

Once the dump is brought up for sale, the demand goes high and there is a sudden flow of money in the network. Newbies and other regular carders start making bulk purchases. Taking quick action is also a key factor in the carding business because dumps might have limited availability and once the dumps are made available for purchase, the banks can track back the infected merchant and can quickly block all the cards that were used at that merchant store in a particular range of time. Banks and financial institutions will waste no time in doing damage control. By the time the dumps get old or there is a press release regarding the source of the dump, the forum owners and sellers would have made their profits. When dumps are released for sale in millions, there is not enough that the banks and financial institutions can do. They can trace back a few cards but not all.

Since the dumps are already ported onto counterfeit cards, the wheel starts rolling and the seller who has made investment will now start making his return with the help of runners, droppers and shoppers. They will in-turn get their share of profit. The Underground Ecosystem Of Credit Card Frauds – BlackHat, Asia 2015 19 Once the seller has recovered his investment and started making profits, he will again head back to the forums and shops to continue the cycle.

Demand and Supply

In the recent couple of years, POS malwares have proved to be the most effective means of stealing payment card information. The reason being they directly affects the device that is associated with the payment, the POS terminal. Installing POS malwares and mega retail chains and big brands resulted into millions of credit and debit card data hanging out there for people to buy and conduct financial fraud.

As soon as there is a hint of a major POS breach, the carding community gets active to quickly get their hands on the most fresh and reliable dumps available in the market. This leads to a sudden raise in the demand for dumps especially in the areas where the POS terminals are affected. For example, A press release about a major POS breach in US would lead to a higher demand for fresh dumps in that region. The card shop owners try to make sure that they are able to maintain a good flow of dumps at regular interval so as to meet the demands.

But the problem occurs when the supply is way more than the demand. At times, eminent researchers and financial institutions are able to identify a major POS breach even before the dumps are released in underground shops. The forum owners and sellers might be in possession of those dumps captured from the infected terminals but they have not yet publically released it for sale due to various factors. But when there is a press release about the breach, then the banks and general public will become aware of it and thus the dumps might lose its value if stays unused for long. So in order to make some profit over their investments, the shop owners and sellers quickly release the dumps for sale. Usually these dumps are released in bulk figures (thousands, millions etc) thus making a surplus presence of stolen card details in the market. This is the situation where the supply might surpass demand. So to keep up the momentum, the shop owners and sellers begin lowering the price of their dumps and cards. This brings down the market valuation thus creating deficit.

When the supply is moderate and as per the demand, the price is higher than market value but when there is a surplus supply and the demand is stagnant, it leads to a saturation point and thus the price starts falling thus forming an inverted parabolic curve. Similar results are seen in the plot for Price versus Time. The longer a dump stays in the market, the lesser will be its value thus further lowering its demand.

Scope, Challenges and Sollutions

Credit card fraud has been around for years now and with time, the model has grown stronger and better with each passing day. As more and more newbies and computer expert yet unemployed people gets attracted towards this model, it will continue to grow at the same pace. The major challenge that this ecosystem faces is double fraud, ie, fraud within fraud. Many times, the buyer purchases the dumps, uses it and once it is blocked, they again put it for sale onto different forums. Also there are fake sellers whose main motive is to attract buyers and in-retrun rips them of their money. There is no way to verify the originality of dumps in advance. Since most of these dealings are in crypto currencies, they can’t be tracked back easily. Reputation plays a key role here. Sellers and buyers with good reputation are trusted more compared to a new or unknown seller.

Some other challenges include controlling the abuse, keeping the operation stealth, avoiding being caught etc. The payment industry has been dealing with this issue seriously but the problem lies in the widespread reach of card usage. It is not easy for them as well to enforce certain changes in a go. EMV or Chip-and-Pin cards have been introduced as a new replacement for Magnetic strips. The EMV card stores information on a chip in an encrypted manner thus making it difficult to skim the information. EMV cards are also difficult to counterfeit, as faking a chip on top of the card wont be easy. But EMV cards are still susceptible to POS memory scraping. Introduction of Contactless RFID cards are also the talking point these days. It allows the card owner to just wave the card in front of the POS terminal in order to complete the payment transaction. Both EMV and RFID have their own set of protocols and security measures defined in a definite manner to insure maximum security of the customer.

To conclude, this has proven to be yet another cat and mouse battle where the mouse has always been a step ahead. Cybercriminals are always looking for new ways to make easy money by exploiting the weaknesses that they are always ahead in finding. Bob Russo, General Manager of Payment Card Industry Security Standards Council says, “There is no single answer to securing payment card data”. Certainly, building a 100% secure model is not possible, but progressive steps and learning from previous mistakes can atleast make things more difficult and challenging for the criminals from stealing the hard earned money of the common man.

EVM Reader Writer (link)
EMV/NFC Paycard software (link)