Fraud using plastic cards

Tomcat

Another scenario of fraud using plastic bank cards. The most vulnerable are Sberbank cards suitable for payments on the Internet, starting from Visa Classic and MasterCard Standard. Holders of “salary” Maestro and Momentum cards are not exposed to this technique.

A short primer
1. Sberbank has the ability to transfer money from card to card and top up someone else’s card, knowing only its number (on the front side). No other values are needed for this.

2. It is possible to find out the name of the owner of someone else’s (!) card from its number by starting a payment to it through Sberbank Online. We try to transfer, say, 10 rubles to someone else’s card, enter that card’s number, and on the “Check details” screen we see the amount of our payment, the other card’s number and... the full name of its owner.

3. Many people ask for help and post ads on charity websites. In addition to the usual bank details and WebMoney/Yandex.Money wallet numbers, these ads more and more often include “or to Sberbank card No. XXXX XXXX XXXX XXXX.”

4. There are payment gateways that can take money from a card without asking for either the CVV (CVC) or the MasterCard SecureCode. Amazon.com, for example, is served this way. To complete the payment, you only need to enter the card number, owner's name and expiration date.

Algorithm of the scammer's actions
1. We are looking for charity sites and posts on LiveJournal, like this:
“you can make a donation to the number of a Sberbank plastic card at any branch of Sberbank of Russia. It is enough to know the card number 676280389109721113 Recipient Borovkova Anastasia. A HUGE HUMAN THANK YOU TO ALL WHO RESPONDED!!!”

Excellent option, even the recipient's name is indicated. Translit, ANASTASIYA BOROVKOVA... Or maybe ANASTASIA BOROVKOVA. There aren't many options.

What if it is not specified?
Let’s say this is an advertisement:
“Sberbank account for transferring donations from card to card (without interest!) - 5469 3800 2643 5684”

Not a problem, now let’s find out:
a) Open Sberbank Online, select “Transfer to card”:

b) Enter details of someone else’s card and the amount - whatever you want. We kind of want to make a charitable transfer.

c) Oops! Full name of the card owner.

We cancel the transfer; we have already found out everything we need.
Translit, DANIIL FIRSOV? Maybe.

2. Have we collected a database of “Sberbank card number - owner’s name”? Great. Let's go to Amazon.com, add a new card:

The CVV is NOT asked for!!! There is NO redirect to SecureCode. Sberbank one-time passwords are NOT requested. A one-time password is also NOT requested for Vanguard cards. In this case the hold is placed immediately.
What do we need to guess? Card type and expiration date. It's hardly Gold, definitely not American Express, and definitely not Diners Club. Well, either MasterCard, or Visa, or Cirrus/Maestro or Visa Electron, which are of no interest to us.
How can we find out what is in front of us?
Look here:
Visa and MasterCard cards have 16-digit numbers.
VISA card numbers always begin with the digit “4”.
MasterCard card numbers always start with the digit “5” and consist of 16 digits.
A Maestro card number starts with the digit “3”, “5” or “6” and can consist of 13, 16 or 19 digits.


We focus on the first two types (“normal” Visa and MasterCard) and discard Cirrus/Maestro.
Enter the card type, its number, transliteration of the owner’s name. All that remains is to guess the expiration date. For how many years are cards issued? 3..4 years usually. Often a card is created as soon as fundraising begins. One or two possible year values and 12 month values. No more than 36 options. There are no delays, no captcha. The card is either added or not. Not added? Let's try other values.

Added? We try to buy something... You might even end up with a credit card.

-?????
-PROFIT!!!

Protection against such fraud
DO NOT publish your card number anywhere. It is often thought that without a CVV and even without the owner’s name, the card number is of no use. This method shows that this is a common misconception.

In any case, even if the bug does not work, scammers still have ample opportunities for social engineering in relation to the person who published the data.

In addition, to collect funds you can use the Cirrus/Maestro Momentum cards that Sberbank issues free of charge, which are not suitable for payments on the Internet. A scammer is unlikely to gain anything from the published number of such a card, even knowing the name and expiration date.
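
The expiration-date guessing described above depends on the card-add form accepting unlimited attempts ("no delays, no captcha"). The following is an added example, not part of the original post, of merchant-side detection logic that locks a card once it has been submitted with too many different expiration dates. The log layout, threshold, window and key are assumptions, and the sample attempts are constructed using widely published test card numbers.

```python
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of card-add attempts: (ISO time, account, card number, expiry).
# The card numbers are widely published test numbers, not real cards.
ATTEMPTS = [
    ("2024-05-01T10:00:00", "acct-17", "4111111111111111", "01/25"),
    ("2024-05-01T10:00:15", "acct-17", "4111111111111111", "02/25"),
    ("2024-05-01T10:00:30", "acct-18", "4111111111111111", "03/25"),
    ("2024-05-01T10:00:45", "acct-18", "4111111111111111", "04/25"),
    ("2024-05-01T10:01:00", "acct-18", "4111111111111111", "05/25"),
    ("2024-05-01T11:00:00", "acct-20", "5555555555554444", "08/26"),  # typo...
    ("2024-05-01T11:00:40", "acct-20", "5555555555554444", "09/26"),  # ...then corrected
    ("2024-05-01T12:00:00", "acct-21", "4000056655665556", "01/25"),
    ("2024-05-03T12:00:00", "acct-21", "4000056655665556", "02/25"),
    ("2024-05-05T12:00:00", "acct-21", "4000056655665556", "03/25"),
    ("2024-05-07T12:00:00", "acct-21", "4000056655665556", "04/25"),
]

TOKEN_KEY = b"demo-key-load-from-a-secret-store"  # assumption: placeholder key
MAX_DISTINCT_EXPIRIES = 3                          # assumed threshold
WINDOW = timedelta(hours=24)                       # assumed look-back window


def pan_token(pan: str) -> str:
    """Keyed hash so the detector never stores the raw card number."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()[:16]


def detect_expiry_guessing(attempts, limit=MAX_DISTINCT_EXPIRIES, window=WINDOW):
    """Return {card token: time of the attempt that exceeded the limit}.

    Attempts are grouped per card, not per account, so spreading guesses
    over several accounts does not reset the counter.
    """
    history = defaultdict(list)  # token -> [(time, expiry)] inside the window
    blocked = {}
    for ts, _account, pan, expiry in sorted(attempts):
        token, now = pan_token(pan), datetime.fromisoformat(ts)
        if token in blocked:
            continue  # card already locked; later attempts are rejected
        history[token] = [(t, e) for t, e in history[token] if now - t <= window]
        history[token].append((now, expiry))
        if len({e for _, e in history[token]}) > limit:
            blocked[token] = ts
    return blocked
```

A card holder who mistypes the date once stays under the limit, while guesses spread slowly over several days would need a longer window or an issuer-side counter to be caught.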
 