After yesterday's story about the theft of money from my Sberbank card by cloning the card, I decided to understand how this happens.
And, frankly, I was shocked by two things: that even a schoolchild could easily create a copy of a card and that the United States is simply a paradise for scammers who clone bank cards.
What you will read in this post will surprise many of you.
Warning: this post was written EXCLUSIVELY for informational purposes and to warn the readership about the potential dangers when using bank cards.
Copying your own or others' bank cards is a violation of the law of the Russian Federation and entails criminal liability.
Do not try to use the information from this post to carry out illegal activities such as copying and using bank cards!
Do you know that bank cards are low-capacity rewritable media (about 2 kb)? Actually, a floppy disk. Or rather, an audio cassette! If you have an old cassette recorder, turn it on and run the magnetic stripe of a credit card across the head. You will hear a sound: the tape recorder read the account number, the name of the card owner and additional service information. No, of course, modern bank cards are a little more complicated than a regular tape, but the principle of operation is identical. And as is often the case with many technical solutions that are outdated, but accepted and used everywhere... credit cards actually do not have any serious copy protection!
You can simply rewrite them, like in the distant 80s we rewrote Metallica or Tender May from the cassette of our desk neighbor.
And this is exactly what many scammers around the world are doing, reading information from our cards with skimmers, then recording clone cards and selling them on the giant black market. For example, in South America, theft of data from cards is a constant (in Brazil they are no longer even trying to fight the installation of skimmers on ATMs), and in the USA, the legalization of clone cards is taking place.
What, how and why, read under the cut.
How does a bank card work?
Depending on the bank and the type of card, 3 elements can be installed on it: a magnetic stripe on the back of the card, an EMV chip and RFID (chip and antenna for contactless card reading, the so-called Pay Pass). The most modern map has all three elements. The most unprotected is the one that only has a magnetic stripe. Now, pay attention! ALL cards have a magnetic stripe. That is, all cards can be copied. The next question is whether the copied map can be used. This is more difficult, because they still haven’t learned how to fake a chip, and any bank will tell you that your chip card is protected and they won’t be able to use its clone. It is not true! My chip card was cloned and used. How?
And at this point the USA enters the arena! In this richest country in the world, banks still PRACTICALLY do not issue cards with chips, using cards with a stripe, and even your chip card in a store will be rolled into a stripe in the old fashioned way! Despite the fact that almost all terminals at points of sale can work with chip cards without problems.
This means that to use your super-secure chip card in the US, scammers don’t even have to try to copy your chip! They can easily swipe the magnetic stripe of the card somewhere at a self-service checkout. That is why at the beginning of the post I called the USA a paradise for scammers of this kind.
Why is this happening? It's simple! Nothing personal, just business. All cards in the US are insured against theft of funds, the customer pays for the insurance, so this is just a giant market for insurance companies. So why should banks go to the trouble of spending extra money on more expensive chip cards?
Now let's take a closer look at the card's security elements.
1. Magnetic stripe on the back of the card. in fact, there are three magnetic stripes, the so-called Track 1, 2 and 3.
This is what the strip looks like under a microscope.
Theoretically, armed with scissors, tape, cardboard and a piece of tape, you can make your own magnetic card! Although it’s easier to find a ready-made, clean one or use an old credit card with an expired date. Fraudsters even use various VISA gift cards and so-called “white plastic” without any prints to record mass clones. The main thing is a magnetic layer suitable for recording.
Bank cards typically use Tracks 1 and 2. In the past, track number 3 stored the PIN code in encrypted form for the ability to work with ATMs offline. But with the development of communication systems and the outright vulnerability of this approach, the last ATMs that worked with an offline pin on Track 3 went into oblivion in the mid-90s. Track 3 is not currently used in credit cards. Therefore, scammers need to get a PIN code in a different way, and to do this, they use either an overlay on the ATM keyboard or a small video camera above the ATM in combination with a skimmer. If the PIN code cannot be stolen, the cost of the cloned plastic will be low, because it can only be used to purchase goods, and this is a very high risk. But if you manage to read the card data and PIN code, the cost of such a card increases significantly, because you can withdraw cash from it at any ATM. And, by the way, the bank will not return the money to you for such a fraudulent transaction (if a PIN code was entered) according to VISA rules.
This is what the reading head of a payment terminal looks like. The photo clearly shows three elements for reading tracks.
2. EMV (Europay, MasterCard, Visa Chip) chip - similar to a SIM card and having similar electronic characteristics. This chip is responsible for verifying card transactions at EMV-compatible ATMs and was created by an international group of credit companies in response to the excessive ease of copying credit cards with magnetic tape.
One of the reasons that chips cannot be counterfeited is that it is not enough to simply copy the contents of the chip to another card, primarily because there is often simply no information on the chip (sometimes a copy of Track 2 is stored on the chip). The check takes place at the hardware level; there are references on the Internet that the ATM generates a certain number to which the chip must give the correct answer. However, in many banks the check is simply for the presence of an EMV chip from a given bank!!!
In other words, if you write a magnetic strip onto a card without an EMV chip or a card with an EMV chip from another bank, the ATM will not accept such a card, but if you put a strip on an expired card of the same bank with the correct EMV chip, then you can withdraw money.
In any case, EMV only protects the ability to withdraw money from ATMs, and only those that have this function. In the vast majority of payment terminals and ATMs around the world, only magnetic cards are still read without EMV. This is especially true for third world countries and, as I said above, the USA!
How are cards with a magnetic stripe copied?
There is a fairly large range of hardware for working with magnetic cards. The best choice is MSR 206 compatible devices: they are the most common and have the most software available for them. In general, they are available in any hotel where a magnetic card is used as a key. They are purchased through an online store such as Ebay.
The device operates via a serial COM port interface. The cost ranges from $100 to $300, the devices differ in configuration and design, but there is no fundamental difference between them.
Through TOR you can find many utilities that can be used to read and copy data from magnetic stripes.
This is what the interface of one of them looks like, Jerm
And here is a dialog box for working directly with the map
Read — read the card. The indicator on the MSR206 lights up yellow, the card is read, its contents appear in the ASCII and HEX windows, as well as in the Track 1, 2, 3 fields. If you need to save the image of the received card, use the “File\Save as...” command. If you immediately need to make a duplicate, just Write . All that remains is to swipe the blank card over the MSR206 and that’s it, the card is copied!
Erase Track(s) - if you need to use a card for rewriting that already has some information on it (for example, an expired bank card), then the card must be cleared before using it again. To do this, select all three tracks and press the Erase button. All that remains is to swipe the card across the device.
There is even a batch mode, Batch mode, if you need to record many magnetic cards at once.
How do you get the data to copy a card?
As I said above, scammers only need to read data from a magnetic strip, and they are not interested in the chip at all.
Everyone knows how they do it. Using skimmers that are placed on ATMs.
A skimmer can be a plastic cover attached to a card reader, or a miniature video camera in a brochure holder next to an ATM. Also common are special keyboard overlays that read the PIN code dialing order. Skimmers are attached to ATMs using regular double-sided tape or Velcro. For example, if the keyboard was concave, then a special overlay will make the panel flatter. Also, the skimming device can change the keys themselves: they will either be recessed into the keyboard panel, or, conversely, stick out too much. In recent years, ATM manufacturers have begun installing special devices on ATMs that allow them to recognize skimmers.
It is quite difficult to detect a skimmer on an ATM with the naked eye, so it is recommended to use only those ATMs that are located in bank branches, large shopping centers, or in secured areas.
Yes, a skimmer can only steal information from a magnetic stripe, not from a chip. But this is enough for scammers who then legalize the cards in the USA.
There are also portable skimmers that allow you to make a copy of the card when it is in the hands of an attacker (for example, if he is also a waiter in a restaurant where customers often pay with plastic cards).
From a conversation with someone who has deeply studied this topic, I learned that most of these maps these days are “stolen” in South America. While in Russia and other countries bank security services constantly fight against skimmers, in Brazil and Colombia this is simply not done, which gives fraudsters ample opportunities.
Next, the scammers record the received data on so-called white plastic and sell the cards wholesale to dealers. The cards are sent to the United States and either money is withdrawn from them if the PIN code is removed, or they are sold cheaply on the black market.
Well, there are already some people trying to buy something on the Internet, some in the supermarket, as happened with my card...
PS Yes, and to protect against skimmers, many ATMs install special transparent anti-skimmers, you’ve all seen them. But they are not available everywhere abroad, and that is where you are at greatest risk of having your card copied.
Some materials were used in writing this post.
(c) Sergei Anashkevich
And, frankly, I was shocked by two things: that even a schoolchild could easily create a copy of a card and that the United States is simply a paradise for scammers who clone bank cards.
What you will read in this post will surprise many of you.
Warning: this post was written EXCLUSIVELY for informational purposes and to warn the readership about the potential dangers when using bank cards.
Copying your own or others' bank cards is a violation of the law of the Russian Federation and entails criminal liability.
Do not try to use the information from this post to carry out illegal activities such as copying and using bank cards!
Do you know that bank cards are low-capacity rewritable media (about 2 kb)? Actually, a floppy disk. Or rather, an audio cassette! If you have an old cassette recorder, turn it on and run the magnetic stripe of a credit card across the head. You will hear a sound: the tape recorder read the account number, the name of the card owner and additional service information. No, of course, modern bank cards are a little more complicated than a regular tape, but the principle of operation is identical. And as is often the case with many technical solutions that are outdated, but accepted and used everywhere... credit cards actually do not have any serious copy protection!
You can simply rewrite them, like in the distant 80s we rewrote Metallica or Tender May from the cassette of our desk neighbor.
And this is exactly what many scammers around the world are doing, reading information from our cards with skimmers, then recording clone cards and selling them on the giant black market. For example, in South America, theft of data from cards is a constant (in Brazil they are no longer even trying to fight the installation of skimmers on ATMs), and in the USA, the legalization of clone cards is taking place.
What, how and why, read under the cut.
How does a bank card work?
Depending on the bank and the type of card, 3 elements can be installed on it: a magnetic stripe on the back of the card, an EMV chip and RFID (chip and antenna for contactless card reading, the so-called Pay Pass). The most modern map has all three elements. The most unprotected is the one that only has a magnetic stripe. Now, pay attention! ALL cards have a magnetic stripe. That is, all cards can be copied. The next question is whether the copied map can be used. This is more difficult, because they still haven’t learned how to fake a chip, and any bank will tell you that your chip card is protected and they won’t be able to use its clone. It is not true! My chip card was cloned and used. How?
And at this point the USA enters the arena! In this richest country in the world, banks still PRACTICALLY do not issue cards with chips, using cards with a stripe, and even your chip card in a store will be rolled into a stripe in the old fashioned way! Despite the fact that almost all terminals at points of sale can work with chip cards without problems.
This means that to use your super-secure chip card in the US, scammers don’t even have to try to copy your chip! They can easily swipe the magnetic stripe of the card somewhere at a self-service checkout. That is why at the beginning of the post I called the USA a paradise for scammers of this kind.
Why is this happening? It's simple! Nothing personal, just business. All cards in the US are insured against theft of funds, the customer pays for the insurance, so this is just a giant market for insurance companies. So why should banks go to the trouble of spending extra money on more expensive chip cards?
Now let's take a closer look at the card's security elements.
1. Magnetic stripe on the back of the card. in fact, there are three magnetic stripes, the so-called Track 1, 2 and 3.
This is what the strip looks like under a microscope.
Theoretically, armed with scissors, tape, cardboard and a piece of tape, you can make your own magnetic card! Although it’s easier to find a ready-made, clean one or use an old credit card with an expired date. Fraudsters even use various VISA gift cards and so-called “white plastic” without any prints to record mass clones. The main thing is a magnetic layer suitable for recording.
Bank cards typically use Tracks 1 and 2. In the past, track number 3 stored the PIN code in encrypted form for the ability to work with ATMs offline. But with the development of communication systems and the outright vulnerability of this approach, the last ATMs that worked with an offline pin on Track 3 went into oblivion in the mid-90s. Track 3 is not currently used in credit cards. Therefore, scammers need to get a PIN code in a different way, and to do this, they use either an overlay on the ATM keyboard or a small video camera above the ATM in combination with a skimmer. If the PIN code cannot be stolen, the cost of the cloned plastic will be low, because it can only be used to purchase goods, and this is a very high risk. But if you manage to read the card data and PIN code, the cost of such a card increases significantly, because you can withdraw cash from it at any ATM. And, by the way, the bank will not return the money to you for such a fraudulent transaction (if a PIN code was entered) according to VISA rules.
This is what the reading head of a payment terminal looks like. The photo clearly shows three elements for reading tracks.
2. EMV (Europay, MasterCard, Visa Chip) chip - similar to a SIM card and having similar electronic characteristics. This chip is responsible for verifying card transactions at EMV-compatible ATMs and was created by an international group of credit companies in response to the excessive ease of copying credit cards with magnetic tape.
One of the reasons that chips cannot be counterfeited is that it is not enough to simply copy the contents of the chip to another card, primarily because there is often simply no information on the chip (sometimes a copy of Track 2 is stored on the chip). The check takes place at the hardware level; there are references on the Internet that the ATM generates a certain number to which the chip must give the correct answer. However, in many banks the check is simply for the presence of an EMV chip from a given bank!!!
In other words, if you write a magnetic strip onto a card without an EMV chip or a card with an EMV chip from another bank, the ATM will not accept such a card, but if you put a strip on an expired card of the same bank with the correct EMV chip, then you can withdraw money.
In any case, EMV only protects the ability to withdraw money from ATMs, and only those that have this function. In the vast majority of payment terminals and ATMs around the world, only magnetic cards are still read without EMV. This is especially true for third world countries and, as I said above, the USA!
How are cards with a magnetic stripe copied?
There is a fairly large range of hardware for working with magnetic cards. The best choice is MSR 206 compatible devices: they are the most common and have the most software available for them. In general, they are available in any hotel where a magnetic card is used as a key. They are purchased through an online store such as Ebay.
The device operates via a serial COM port interface. The cost ranges from $100 to $300, the devices differ in configuration and design, but there is no fundamental difference between them.
Through TOR you can find many utilities that can be used to read and copy data from magnetic stripes.
This is what the interface of one of them looks like, Jerm
And here is a dialog box for working directly with the map
Read — read the card. The indicator on the MSR206 lights up yellow, the card is read, its contents appear in the ASCII and HEX windows, as well as in the Track 1, 2, 3 fields. If you need to save the image of the received card, use the “File\Save as...” command. If you immediately need to make a duplicate, just Write . All that remains is to swipe the blank card over the MSR206 and that’s it, the card is copied!
Erase Track(s) - if you need to use a card for rewriting that already has some information on it (for example, an expired bank card), then the card must be cleared before using it again. To do this, select all three tracks and press the Erase button. All that remains is to swipe the card across the device.
There is even a batch mode, Batch mode, if you need to record many magnetic cards at once.
How do you get the data to copy a card?
As I said above, scammers only need to read data from a magnetic strip, and they are not interested in the chip at all.
Everyone knows how they do it. Using skimmers that are placed on ATMs.
A skimmer can be a plastic cover attached to a card reader, or a miniature video camera in a brochure holder next to an ATM. Also common are special keyboard overlays that read the PIN code dialing order. Skimmers are attached to ATMs using regular double-sided tape or Velcro. For example, if the keyboard was concave, then a special overlay will make the panel flatter. Also, the skimming device can change the keys themselves: they will either be recessed into the keyboard panel, or, conversely, stick out too much. In recent years, ATM manufacturers have begun installing special devices on ATMs that allow them to recognize skimmers.
It is quite difficult to detect a skimmer on an ATM with the naked eye, so it is recommended to use only those ATMs that are located in bank branches, large shopping centers, or in secured areas.
Yes, a skimmer can only steal information from a magnetic stripe, not from a chip. But this is enough for scammers who then legalize the cards in the USA.
There are also portable skimmers that allow you to make a copy of the card when it is in the hands of an attacker (for example, if he is also a waiter in a restaurant where customers often pay with plastic cards).
From a conversation with someone who has deeply studied this topic, I learned that most of these maps these days are “stolen” in South America. While in Russia and other countries bank security services constantly fight against skimmers, in Brazil and Colombia this is simply not done, which gives fraudsters ample opportunities.
Next, the scammers record the received data on so-called white plastic and sell the cards wholesale to dealers. The cards are sent to the United States and either money is withdrawn from them if the PIN code is removed, or they are sold cheaply on the black market.
Well, there are already some people trying to buy something on the Internet, some in the supermarket, as happened with my card...
PS Yes, and to protect against skimmers, many ATMs install special transparent anti-skimmers, you’ve all seen them. But they are not available everywhere abroad, and that is where you are at greatest risk of having your card copied.
Some materials were used in writing this post.
(c) Sergei Anashkevich
