How bank cards are copied

Lord777

After yesterday's story with the theft of money from my Sberbank card by cloning the card, I decided to understand how this happens.
And, to be honest, I was shocked by two things: that even a schoolboy can easily create a copy of the card, and that the United States is simply a paradise for fraudsters who clone bank cards.
What you will read in this post will greatly surprise many people.

Warning: this post is written SOLELY for informational purposes and to warn the readership about potential dangers when using bank cards.
Copying your own or other people's bank cards is a violation of the law of the Russian Federation and entails criminal liability.
Do not attempt to use the information in this post to perform illegal actions related to copying and using bank cards!


Did you know that bank cards are rewritable media with a small capacity (about 2 KB)? Actually, a floppy disk. Rather, an audio tape! If you have an old cassette recorder, turn it on and swipe the magnetic stripe of your credit card across the head. You will hear audio: the tape recorder read the account number, cardholder's name, and additional service information. No, of course, modern bank cards are a little more complicated than a regular tape recorder, but the principle of operation is identical. And as is often the case with many technical solutions that are outdated, but accepted and used everywhere ... credit cards do not actually have any serious copy protection!
You can simply rewrite them, as in the distant 80s we rewrote Metallica or Sweet May from the cassette of a neighbor at the desk.
And this is exactly what many scammers around the world are doing, reading information from our cards with skimmers, then recording clone cards and selling them on the giant black market. For example, in South America, theft of data from cards is put on stream (in Brazil, they are not even trying to fight the installation of skimmers on ATMs), and in the United States, the legalization of clone cards is underway.
What, how and why, read under the cut.



How a bank card works

Depending on the bank and the type of card, three elements can be present on it: a magnetic stripe on the back of the card, an EMV chip, and RFID (a chip and antenna for contactless card reading, the so-called PayPass). The most up-to-date card has all three elements. The least protected is a card that has only a magnetic stripe. Now, pay attention! ALL cards have a magnetic stripe. In other words, all cards can be copied. The next question is whether the copied card can be used. This is more difficult, because nobody has yet learned how to fake a chip, and any bank will tell you that your chip card is protected and that a clone of it cannot be used. That's not true! My chip card was cloned and used. How?
And this is where the United States enters the arena! In this richest country in the world, banks still issue PRACTICALLY no cards with chips, using cards with a stripe instead, and even your chip card will be swiped by its stripe in a store the old-fashioned way, despite the fact that almost all point-of-sale terminals can work with chip cards without any problems.
That is, to use your super-secure chip card in the US, fraudsters don't even need to try to copy your chip! They can simply swipe the card's magnetic stripe somewhere at a self-service checkout. That is why at the beginning of the post I called the United States a paradise for scammers of this kind.
Why is this happening? It's simple! Nothing personal, just business. All cards in the United States are insured against theft of funds, and the customer pays for insurance, so this is just a giant market for insurance companies. So why should banks go to the trouble of spending extra money on more expensive chip cards?



Now let's learn more about the card security elements.

1. Magnetic stripe on the back of the card. In fact, the stripe holds as many as three magnetic tracks, the so-called Track 1, 2 and 3.
Here's what the stripe looks like under a microscope.



Theoretically, armed with scissors, tape, cardboard and a piece of tape, you can make your own magnetic card! Although it is easier to find a ready-made blank one or to use an old credit card that has expired. Fraudsters even use various VISA gift cards and the so-called “white plastic” without any printing for mass recording of clones. The main thing is a recordable magnetic layer.
Bank cards usually use Track 1 and 2. In the past, the PIN code was stored in encrypted form on Track 3, so that ATMs could work in offline mode. But with the development of communication systems and the blatant vulnerability of this approach, the last ATMs that worked with an offline PIN on Track 3 went into oblivion in the mid-90s. Currently, Track 3 is not used in credit cards. Therefore, fraudsters need to get the PIN code in a different way, and for this they pair the skimmer with either an overlay on the ATM keypad or a small video camera hung over the ATM. If the PIN code cannot be stolen, the value of the cloned plastic will be low, because it can only be used to buy goods, and this is a very high risk. But if both the card data and the PIN code were read, the value of such a card increases significantly, because cash can be withdrawn from it at any ATM. And, by the way, the bank will not return the money for such a fraudulent operation (if the PIN code was entered) according to VISA rules.
This is what the reader head of the payment terminal looks like. The photo clearly shows three elements for reading tracks.



2. EMV (Europay, MasterCard, Visa) chip: similar to a SIM card, with similar electronic characteristics. This chip is responsible for checking card transactions on EMV-compatible ATMs and was created by an international group of credit companies in response to the excessive ease of copying credit cards with a magnetic stripe.



One of the reasons that chips are not counterfeited is that it is not enough to simply copy the contents of the chip to another card, primarily because there is often no information on the chip (sometimes a copy of Track 2 is stored on the chip). The check is performed at the hardware level, and there are references on the Internet that the ATM generates a certain number, to which the chip should give the correct answer. However, in many banks, the check is simply for the presence of an EMV chip from this bank!!!
In other words, if you write a magnetic stripe on a card without an EMV chip or a card with an EMV chip of another bank, the ATM will not accept such a card, but if you write the track onto an expired card of the same bank with the correct EMV chip, you can withdraw money.
In any case, EMV only protects the ability to withdraw money from ATMs, and only those that have this function. In the vast majority of payment terminals and ATMs around the world, only a magnetic card is still read without EMV. This is especially true for third world countries and, as I said above, the United States!

How do they copy cards with a magnetic stripe?

There is a fairly large range of hardware for working with magnetic cards. The best choice is MSR 206 compatible devices: they are the most common and have the most software available for them. And in general, they are available in any hotel where a magnetic card is used as a key. They are purchased through an online store like eBay.
The device operates via a serial COM port interface. The cost ranges from $100 to $300; the devices differ in configuration and design, but there is no fundamental difference between them.



Through TOR, you can find a lot of utilities that read and copy data from magnetic strips.
This is what the interface of one of them, Jerm, looks like.



And here is a dialog box for working directly with the card.



Read — read the card. The indicator on the MSR206 lights up yellow, the card is read, and its contents appear in the ASCII and HEX windows, as well as in the Track 1, 2, and 3 fields. If you want to save the image of the received card, use the “File\Save as...” command. If you need to make a duplicate right away, just click Write. All you have to do is swipe a blank card on MSR206 and that's it, the card is copied!
Erase Track(s) — if you need to use a card that already has some information on it (for example, an expired bank card), then you need to clear the card before using it again. To do this, select all three tracks and click the Erase button. All you have to do is swipe the card across the device.
There is even a Batch mode, if you need to record many magnetic cards at once.

How do I get data for copying the card?

As I said above, it is enough for scammers to read data from a magnetic stripe, and they are not interested in the chip at all.
Everyone knows how they do it. With the help of skimmers that are placed on ATMs.



The skimmer can be a plastic pad attached to the card reader, or a miniature video camera in a brochure holder next to the ATM. Also common are special overlays on the keypad that record the order in which the PIN code is keyed in. Skimmers are attached to ATMs using conventional double-sided tape or Velcro fasteners. For example, if the keypad was concave, a special overlay will make the panel flatter. The skimming device can also change the keys themselves: they will either be sunk into the keypad panel or, conversely, bulge too much. In recent years ATM manufacturers have started installing special devices on ATMs that allow them to recognize skimmers.
It is quite difficult to detect a skimmer on an ATM with the naked eye, so it is recommended to use only those ATMs that are located in bank branches, large shopping centers, or in a protected area.
Yes, the skimmer can only steal information from the magnetic stripe, not from the chip. But for scammers who then legalize their cards in the United States, this is enough.
There are also portable skimmers that allow you to make a copy of the card when it is in the hands of an attacker (for example, if he is also a waiter in a restaurant where customers often pay with plastic cards).

From a conversation with a person who has studied this topic in depth, I learned that most of these cards are now “stolen” in South America. While in Russia and other countries, bank security services constantly struggle with skimmers, in Brazil and Colombia this is simply not done, which gives fraudsters ample opportunities.
Then the scammers write the received data onto the so-called white plastic and sell the cards in bulk to dealers. The cards are sent to the United States, where either money is withdrawn from them, if the PIN code was captured, or they are sold cheap on the black market.
And then someone is already trying to buy something on the Internet, someone in a supermarket, as happened with my card…

PS Yes, and to protect against skimmers, many ATMs are fitted with special transparent anti-skimmers; you've all seen them. But they are not available everywhere abroad, and that is where you are most at risk of having your card copied.



When writing the post, some materials were used.

(c) https://medium.com/life-travel/как-копируют-банковские-карты-30313990c242
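
The case described in the post, a chip card accepted by its stripe alone, is one an issuer or acquirer can check for at authorization time. The following is an added example, not part of the original post: it reads the service code from track 2 (layout per ISO/IEC 7813) and flags a stripe-read transaction on a chip-capable card. The entry-mode values, decision labels, function names and sample track strings are assumptions constructed for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2_RE = re.compile(r"^;(\d{12,19})=(\d{4})(\d{3})\d*\?$")

# First service-code digit 2 or 6: the card carries a chip that should be used.
CHIP_SERVICE_DIGITS = {"2", "6"}

# POS entry modes as commonly carried in ISO 8583 field 22 (assumed values).
ENTRY_CHIP, ENTRY_MAGSTRIPE, ENTRY_FALLBACK = "05", "90", "80"


def parse_track2(raw):
    """Split a track 2 string into PAN, expiry (YYMM) and service code."""
    m = TRACK2_RE.match(raw.strip())
    if not m:
        raise ValueError("not a well-formed track 2 string")
    return {"pan": m.group(1), "expiry": m.group(2), "service_code": m.group(3)}


def mask_pan(pan):
    """Keep first 6 and last 4 digits so logs never hold a full card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def assess(raw_track2, entry_mode, terminal_reads_chip):
    """Return (decision, masked PAN); decision is 'continue', 'review' or 'decline'."""
    card = parse_track2(raw_track2)
    chip_capable = card["service_code"][0] in CHIP_SERVICE_DIGITS
    if entry_mode == ENTRY_CHIP or not chip_capable:
        decision = "continue"   # chip was used, or the card has no chip at all
    elif entry_mode == ENTRY_MAGSTRIPE and terminal_reads_chip:
        decision = "decline"    # stripe data used where the chip should have been
    else:
        decision = "review"     # fallback or stripe-only terminal: needs other signals
    return decision, mask_pan(card["pan"])


# Constructed sample data: a well-known test PAN, not a real card.
CHIP_CARD = ";4111111111111111=3012201000000000?"     # service code 201
STRIPE_ONLY = ";4111111111111111=3012101000000000?"   # service code 101

if __name__ == "__main__":
    for track, mode, chip_term in [(CHIP_CARD, "90", True), (CHIP_CARD, "80", True),
                                   (CHIP_CARD, "05", True), (STRIPE_ONLY, "90", True)]:
        print(mode, assess(track, mode, chip_term))
```

The "review" outcome covers the stripe-only terminals the post describes, where the issuer has to fall back on other fraud signals such as geography and spending pattern.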
 