Lecture on plastic cards. Types and features.

Carding

Today we are talking about plastic cards: what kinds exist, their types and features.

Plastic cards today play the role of a settlement instrument, while also combining deposit and credit functions. Plastic bank cards exist to make our lives easier, namely for carrying out non-cash payments. The card itself is a plastic plate with standard dimensions of 85.6 mm × 53.9 mm × 0.76 mm. The card is made using a special technology from a special plastic that is resistant to mechanical damage and excessive temperature fluctuations.

If we reduce everything to the basics, the main function of the card is to identify the holder so that he can then make a non-cash settlement (payment). The vast majority of cards use a 16-digit number, where the first 6 digits are the bank identification number (BIN). The next 9 digits are the individual card number, its account in the system of the issuing bank. The last digit is a check digit.
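The number layout described above is what log scrubbers and data-loss-prevention rules rely on. As an added example (not part of the original lecture), this Python code finds 16-digit candidates in log lines, confirms the check digit with the Luhn algorithm (the check-digit scheme of ISO/IEC 7812, which the lecture does not name) and masks the account digits; the log lines are constructed and the two card numbers are the payment networks' public test numbers.

```python
import re

# 16 digits, optionally grouped with spaces or hyphens, and not part of a
# longer run of digits (so 17+ digit identifiers are never matched).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True when the last digit is a valid Luhn check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit, counted from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def split_pan(digits: str) -> dict:
    """Split a 16-digit number into the three fields the lecture describes."""
    return {"bin": digits[:6], "account": digits[6:15], "check": digits[15]}


def mask_pans(line: str) -> str:
    """Mask every Luhn-valid 16-digit number, keeping first 6 and last 4."""
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group())
        if not luhn_ok(digits):
            return match.group()      # order ids, timestamps, etc. stay as-is
        return digits[:6] + "*" * 6 + digits[-4:]
    return PAN_RE.sub(repl, line)


def scrub(lines):
    """Return (masked_lines, number_of_lines_that_contained_a_card_number)."""
    masked = [mask_pans(line) for line in lines]
    hits = sum(1 for old, new in zip(lines, masked) if old != new)
    return masked, hits


# Constructed sample log lines (test-network card numbers, fake order id).
SAMPLE_LOG = [
    "2024-01-01T10:00:00 checkout pan=4111 1111 1111 1111 amount=10.00",
    "2024-01-01T10:00:05 refund order=1234567890123456 status=ok",
    "2024-01-01T10:00:09 debug card 5555-5555-5555-4444 declined",
]

if __name__ == "__main__":
    cleaned, hits = scrub(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print("lines with card numbers:", hits)
```

The Luhn check is what keeps the 16-digit order id in the second line from being masked as a false positive.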

Card payments can be made at any outlet equipped with a POS terminal, as well as online. A card payment, viewed in a SIMPLIFIED manner, is divided into the following stages: first, the terminal authenticates the card, verifying its authenticity and the availability of the required funds by connecting to the processing center. Then the funds are debited from the card account and a receipt is generated. That is basically everything.

Then the outlet transfers all the receipts collected during the day to the acquiring bank, which, in turn, makes the payments and also passes information to the processing center about transactions with cards for which it is not the issuer.

The processing center, based on the information received, performs all transactions and supplies all parties with the appropriate documentation and reports.

Before you start classifying plastic cards, you need to understand that there are many classification criteria. In this lecture, we will touch on most of them.

From a technological point of view, cards can, in plain terms, be divided into two types: magnetic stripe cards and chip cards. Chip-only cards are practically not used anywhere; a combined version with both a magnetic stripe and a chip is used instead. Chip cards are also called smart cards.
A magnetic stripe is used to record information about the card and its holder. Magnetic stripe cards come in three formats (ID-1, ID-2, ID-3), but the first format is the most widely used.

There are three tracks on the magnetic stripe. Most often, the first two are used, where the card number, its validity period, the name of the cardholder and other related data are recorded.

Those who want to work in real life should know that it is possible to write ANY information to the dump. But first of all, this concerns the name and surname of the holder: we put there any data on which we have an ID with our face, leave the rest of the data to the real holder and go shopping)) But this is a lyrical digression.

Chip cards (EMV, microprocessor cards) are much more secure. An array of information is recorded on the chip itself, including the PIN code. Thus, for example, revealing the PIN to the reading equipment is not required.

Also, the microprocessor chip is self-sufficient in some cases and does not require a permanent connection with the bank. The main point is that it is practically impossible to copy (dump) the chip. More precisely, it is possible in theory but impracticable in practice.

In addition to advanced authentication, such cards also assess the risks of a transaction, as well as verify the holder. The main method of verifying the authenticity of a transaction in online transactions is authentication. To do this, there is a special method for generating the ARQC cryptogram by the card itself for each operation separately. This is not entirely true for online scams, but it's good to know.

These cards are considered much safer than plain magnetic stripe cards, as they are much more difficult to compromise and counterfeit. All the most common IPS (https://en.wikipedia.org/wiki/Payment_system) today fully support this type of card, which is actively spreading around the world.

The EMV standard is open and you can read it on the developer's website, https://www.emvco.com, although it is unlikely to interest anyone.

Cards with microchips are most widely distributed in Europe; there are still few of them in the USA. The reason is the banking lobby itself: equipment was purchased decades ago to fit the old format, and large banks are unwilling to re-equip their technological base to meet the new requirements.

There are also smart cards with a magnetic stripe and an NFC chip that let you make a contactless purchase at a POS terminal or another device that can perform such operations.

By the way, the chip card (also known as a microprocessor card or EMV card) appeared not so long ago, and the first to start jointly developing the technology were VISA Inc and MasterCard Worldwide. EMV technology is not the simplest: firstly, it is not possible to describe it in detail within the framework of this lecture, and secondly, it would not make sense to. We will touch on the general principles and the things that matter most to us. Basically, an EMV microprocessor card is nothing more than a smart card. It is based on ISO/IEC 7816, or ISO/IEC 14443 for the contactless version.

The beauty of microprocessor cards is that they have considerably changed how payments are processed by the bank and the other participants in the transaction. I talked about the difference in authentication in the previous lecture. Here I will just repeat that authentication is not identification, and the task of this operation is to make sure that the card is authentic. That is, this operation has nothing to do with identifying the holder. This is a technical point, but quite an important one (I covered it in more detail in the previous lecture).

So, when performing an operation, the terminal reads the card data and sends it to the payment system through the acquiring bank. Naturally, we are now talking about making a purchase through a POS terminal. When making online purchases, card authentication is virtually impossible (such a transaction even has a special classification, CNP - card not present), so this stage is not performed. In the case of online transactions, everything is a little different. Of the fundamental anti-fraud controls, only CVV/CVC remains on guard. This is not counting software methods and tools.

There are active attempts to introduce dynamic CVV codes: the so-called DCV (from the word dynamic). But naturally nothing comes of it, and nothing will for a long time. The technological base is outdated, its development cost billions of dollars around the world, and no one is going to change anything now.

The nonsense of this idea is that in one of the proposed variants the card should have a graphic display. This, firstly, increases the cost of its production, and secondly, introduces another technological link into the process of performing an operation, with all the ensuing consequences.

Issuers reached a general consensus long ago: the infrastructure will not be officially changed. Everyone is quite satisfied with the 3-D Secure technology, which is also not very popular, frankly speaking.

Now, regarding the material from which the cards are made: this parameter is essentially no longer relevant, since nowadays cards are made only of plastic. Previously, there were paper (cardboard) cards, but now they are not merely rare, they simply no longer exist in a paper version.

The next feature, which by the way is not mutually exclusive, is the purpose of the card. The card can be issued for financial transactions, identification or information.
For example, employees of a large enterprise can receive a card that will act as a pass, have a cash balance that can be spent in a local canteen. Or, another example, in a gym, a card is both an access key and a means of payment (which was previously linked to your paypass by interacting with a proprietary application on your smartphone).

Recently, there has been a clear trend towards combining different functions in plastic cards. It's convenient.
The next feature is the settlement mechanism: it can be bilateral or multilateral.

In the first case, there is an agreement between the two participants in the settlement / mutual settlement. Typically used in closed networks (bonuses, miles, points) and controlled by the card issuer.
In the second case, the card holder can use it at all kinds of points of sale that accept it as a means of payment (these are exactly those classic payment cards that we know).

The next characteristic is the type of settlement performed. Here, cards are divided into credit and debit cards.
The first are directly related to the opening of a line of credit in a credit institution in the name of the card holder. This enables the holder to temporarily and for a fee use the borrowed funds of the bank in the amount determined by the terms of the contract.

The holder receives a certain credit limit, which he has the right to exhaust and which he is obliged to repay within the period specified in the contract. As a rule, the more a person spends on a credit card, the higher the credit limit he will receive from his bank. In the case of debit cards, only those funds are spent that are directly at the disposal of the holder. In most cases (with a few exceptions in the form of a technical overdraft, for example) such cards do not allow making payments if there are no funds on the card account.

I would also like to highlight prepaid cards - these are cards that already have certain funds on their balance, which can be spent, as a rule, after activating the card with the issuer. I will say a few more words about them later.

The next criterion is the nature of use. The card can be:
individual - issued to a specific person, can be of any level;
family - issued to family members of the holder;
corporate - a card issued to a legal entity for different or specific purposes. So there is a card for purchases, for paying for stationery and so on. These cards can also be personalized, issued in the name of the director or chief accountant. In such cases, a bank account linked to the company's main account is opened for these persons. Responsibility for these cards is borne not by the persons using the card, but by the legal entity to which the card was issued.

The next sign: the scope of use. Everything is simple here - cards can be either universal, which can be used for any payments at any points of sale, or individual, which can only be used to purchase a specific product / service (gas stations, hotels, large mono-brand stores).

The next factor is territorial affiliation: cards can be international (valid in most countries of the world, such as VISA or AmEx), national (valid within one country, such as MIR), local (used in a specific territory within the country).
The next factor: the method of recording information on the card: mainly magnetic stripe coding, embossing, chip and their combinations are distinguished. Although there are a couple of methods such as applying a barcode or QR code for example. But they are in the minority, and therefore do not bother us much.

And the last and very interesting factor is the card categories. Banks and other financial organizations form different financial products based on the market situation and targeting different segments of the population.
Different segments have different card categories. The category of the card, in turn, determines the status of the holder.

As a rule, the higher the status, the more perks the holder gets and the cooler his card.
According to established international practice, there are three categories of cards globally: electronic, classic and premium.

Electronic cards are the cheapest entry-level cards. They can be either debit or credit. Formally, this level is called, for example, Visa Electron for VISA, or Mastercard Electronic or Maestro for Mastercard. Distinctive features of this level: low cost of annual maintenance, no special programs, no overspending.

Another cool feature of these entry-level cards (you probably didn't know) is that they are considered the most secure due to the mandatory requirement for real-time authorization. Until recently, operations on the Internet with them were prohibited by default.

As a rule, such cards are issued as a financial instrument for a salary project, or, for example, for some special retail lending programs, or may even be issued free of charge. These are fu-fu-fu cards, and a respectable carder doesn't need them, as you know.

The few electrons that are found in shops are most likely a complete mess. All kinds of Instant Issue cards fall into the same category - these are cards that are issued to the client instantly and are not personalized (that is, they do not have the name and surname of the holder on them).

The next level (which already suits us) is the classic level: Visa Classic or Mastercard Standard. It can also be both debit and credit. The main clients are people with a stable income that does not exceed the average. As a rule, such cards have the most balanced package of services and the most sensible ratio between the cost of service and the services provided by the bank.

From practice I will say that on the classics there are more sums than at premium levels, but rather it is a rarity.

Those who are going to drive up to 1k, you can take classics as well. For amounts less than 600-500 bucks, you don't even need to bathe - this level will do.
At this level, the cards are already personalized, embossed: the name of the holder, the expiration date are embossed on the face of the card.
By the way, embossing is a kind of vestige, no longer used for its intended purpose anywhere. Previously, embossing was required for imprinting. Nowadays, cards are no longer processed in this way.
Both online and offline transactions are available with these cards (including cash withdrawals from ATMs).

The next big category of cards is premium cards. My favorite! In the same way, it can be both debit and credit. By the way, loans on premium cards can be impressive: 30-50k will surprise no one.
These cards include Visa Signature and Infinite, as well as World level cards.
On these cards, there are always a number of other services and additional services (such as cashback, all kinds of discounts, information products, insurance, and so on).
Gold cards are preferred, and platinum cards are even cooler - they receive an extended service package, but on even more favorable and convenient terms.
In the USA and Europe, the premium level of cards is available only to those who really earn much higher than average (you can go and get yourself platinum with us).
I would now like to go through the cards in more detail specifically for the United States, since most of us will work in this particular country.

As we know, there is a Federal Reserve System in the USA (https://en.wikipedia.org/wiki/Federal_Reserve), something like our Central Bank, but cooler.

In addition to it, there are both the international payment systems (IPS) and many credit organizations of national and local scale. Many of them have permission (a license) to issue and maintain plastic cards, make non-cash payments and carry out clearing operations and acquiring.

These systems are all different and differ among themselves in many ways. First of all, we will look at those organizations that serve the cards.
The relevant permits to organizations are issued by the licensing authority in each state separately.

Of course, it's worth starting with VISA. As we know, VISA is ubiquitous and in the USA it also shares a pedestal with Mastercard.
VISA is an international payment system that provides safe and uninterrupted cash flow through plastic cards of the same name.

At the time of this writing, more than 20,000 lending institutions around the world have been connected to the system. That is something like 20,000 banks.
More than 200,000,000 transactions are processed per day, and the processing speed of one request is about 1.5 seconds.

As I already wrote in one of the previous lectures, the activities and procedures of the IPS are regulated by its own rules and regulatory legal acts.
Below is a quick look at the most basic card categories:
Classic - the very base, standard functions (such as withdrawing cash, replenishing the balance at ATMs, making purchases online, etc.)
Gold - the first stage of premium cards, has certain requirements for a potential holder. In turn, it gives more privileges: increased limits on cash withdrawals, all kinds of discounts and loyalty programs, depending on the specifics of a particular product.
Platinum - the next step up the hierarchical ladder. It has everything the previous two have, only with more advanced features. The requirements for the holder change accordingly: yes, they increase.
Signature - in general, the apotheosis of the buzz. This product has it all. It provides the maximum possible withdrawal limits, as well as all possible bonuses, a bunch of travel options and other highs. The requirements for the holder (and the cost of annual maintenance) are to match.

Infinite - the same as Signature, only even more exclusive. Infinite holders are really very wealthy people.
Black - the elite of the elite. I don't even know if such cards exist in real life or not, but it is in Visa's product list. This is a direct exclusive of exclusives. Issued for a special occasion. And not to everyone. I beat something like that. I did not notice the difference. Signatures and just gold are better IMHO.

Regarding business cards (issued by Visa), there are several products: prepaid, credit, Signature and whatever else.

They are issued in the same way as for individuals - depending on the size of the organization, its financial performance and needs. There is an opinion that business cards are the best. This is not true.

Now let's move on to Mastercard. As far as you know, this is a competing firm. It's hard to say who is “bigger”. Different IPS dominate in different regions.

In fact, they are about the same in their distribution. Now about the cards. The main cards of this IPS are as follows:
Maestro - analogue of Electron from VISA. Terrible horror and crazy bullshit.

Standard - analogue of Classic from VISA

Gold - analogue of Gold from VISA

Platinum - analogue of Platinum from VISA

World - premium travel product (it is not desirable to drive in from it)

Elite - analogue of Infinite from VISA

Next comes American Express or AmEx - itself a premium IPS. Anyone with an Amex card is already considered a successful white person.

The cards are cool, the holders are even cooler. I strongly advise you to work. Amex has a poor product line:

The standard Card - nothing remarkable, just a card (with Amex features such as round-the-clock voice support, for example).

Gold card - the level of service is higher than that of the standard one: the availability of bonus programs, participation in insurance programs, concierge service

Platinum card - like gold, only it is still much cooler. The heights are shorter.

And of course I can't fail to mention Centurion. This is a straight cosmic squared card: the rarest card in the world. The trick of the card is that at the end of the calendar month, according to the contract, the holder is obliged to repay the entire credit line, which by the way has no limit)) And the annual card service costs about 2k) To be able to apply for the Centurion, you must spend at least 250k per year on the card. Think about it.

Now a few words about authentication.

Authentication is a purely technical process which confirms that the card was issued by a bank authorized to do so by the relevant international payment system (hereinafter IPS), and that it is the original card issued to the holder, and not its clone (dump). Technically, it happens this way: the payment card data is sent by the terminal to the issuing bank through the acquiring bank and the payment system.

Having received this data, the issuer either confirms the transaction or rejects it. Magnetic cards are quite simple (and silly) to authenticate: they use static data that does not change throughout the life of the card. This data is transmitted to the issuing bank, which confirms the transaction simply by checking it. Thus, with a complete copy of the magnetic stripe, you can easily “copy” the card itself. What real people actively use.

By the way, this is done in an elementary way, literally in a second, swipe and voila - the dump, count, is in your hands.
These are exactly the security issues that I talked about. This is all that led to the development and implementation of a new standard for chip cards, which cannot simply be dumped.

The risk of a fraudulent transaction is traditionally high on magnetic cards, and the terminal de facto does not assess the risks.
By contrast, in the case of EMV cards, when buying offline, the terminal will most likely ask you to enter a PIN code, thereby identifying the owner. The main vulnerability of the EMV standard is precisely the ability to conduct a transaction without touching the chip at all, simply by copying the magnetic stripe.
So, if the card is dumped, the issuing bank has no technological ability to establish whether the card is the original or someone else's dump.

In one of the previous lectures, I said that one of the main components in payment transactions with cards is authentication. It should not be confused with the identification of the holder (holder).

All hope rests on the POS terminal, which can (and should!) ask for the transaction to be made using the chip. However, there are situations (and the regulations provide for them!) where you can make transactions from EMV cards by using the magnetic stripe (for example, if the chip is damaged). But these are all regulations and theory; in practice, if you give a dump WITHOUT a chip, and the POS asks for a transaction on the chip, then at the least the seller will ask for another card. At worst - trash and bottle (crossed out) bullpen.

With regard to cards with a chip, authentication occurs through the use of a digital signature over the static data of the card and the data of the transaction itself.

What does this mean in human language?

The digital signature (also known as the secret key of the chip) is written into the memory of the chip at the manufacturing stage. This digital signature is unique and cannot be retrieved without compromising the integrity of the chip. A distinctive feature of EMV cards is that the issuing bank can “communicate” with the card: initiate mutual authentication (send its cryptogram to the card) or update the card data (block the card or update the limit).

By the way, when the new standard was introduced (namely, from January 1, 2005), issuing banks shifted responsibility for fraud and lost funds to the business entities that made the sale or the bank itself if the fraud was committed using cards that do not support the EMV standard.

Now let's understand the intricacies of working with cards. There are many considerations. I will try to fit everything into one lecture.

Before I get lost, I would like to tell you something about prepaid cards. There is one interesting feature. In addition to those issued by a financial institution (for example, a bank), which can be replenished in the future, prepaid cards with a fixed cost and balance are very popular in the USA. Such preps are sold literally at every step and there are a huge number of vendors. So, you can easily buy a prep from Amazon, Walmart or Verizon. The popularity of these preps is due to several interesting facts.

Firstly, when buying such a card and using it on the Internet for further purchases, a person does not shine his main card, which, you must admit, is dangerous these days (gygygs). By the way, I will say that there are actually a lot of paranoid people in the states.

Those who fundamentally do not buy anything online, just not to show their card number. The second reason is that such preps are often used as a gift. Giving cash is not fashionable (and not always appropriate), but such a card is the very thing.

A man gave such a card to his 13-year-old nephew, and he took it and bought himself a subscription to PornHub, and everyone is happy: the uncle's card number was not exposed, the nephew was playing furiously, and PornHub and VISA earned their money. Just some kind of global happiness and love!

Yes, just a few words about how prepaid cards with a fixed balance work: you buy one, hand the card over (optional) or keep it for yourself, the beneficiary activates the card online and voila, you can use it. In many payment services, such cards will be blocked.

Thus, it will be possible to use it only on the service that issued it. That is, in fact, the person simply credited the service that issued the card.

In fact, if you call a spade a spade, any debit is a dumb prep. For us in the hierarchy of cards, these occupy the very last place because by their nature they are extremely finished and their holders or illegal immigrants who have not been given a credit card (by the way, what do you need to be a finished fucking fuck, so that you are not given the simplest credit card in the states!) or a pimply jerk off 15 years old, who for objective reasons cannot have a credit card.
Regarding EMV cards, there are a number of common and important questions. I decided not to give a separate lecture, but to include them in this one, since the topics are still the same.

Question: Is it possible to copy data from one chip card to another?
Purely in theory (technically) this is realizable, provided that we have a card with a clean (not personalized) application. But there is another point: since it is impossible to make a copy of the card keys, the application will always generate incorrect transaction signatures. This is exactly what happens: any online transactions (not to be confused with online purchases!) will be rejected by the issuer. And because there are no keys, it will also be impossible to carry out CDA / DDA authentication. The only vulnerability is SDA offline authentication. But there are complications here: this method is unacceptable as the only authentication method, because it is considered outdated and dangerous.

Question: Can EMV application data be copied to magnetic stripe?
Yes, you can. Tracks for the magnetic stripe are easily compiled from the EMV application data, except for one small parameter: Service Code (aka service code).

In the case of EMV cards, the Service Code indicates to the POS terminal that the transaction should be carried out using the chip. If you take and copy this code to the magnetic track, the terminal will try in vain to perform the operation using the chip (EMV application).

To be fair, of course, I will say that there is still one cool gap in these miracle cards. I wrote earlier that manufacturers and issuers have not yet reached a general consensus, and therefore there are standards and compatibility modes for combined cards: these are those that have both a chip and a magnetic stripe (well, that is, ALL).

So, it is possible to copy the data of one magnetic strip to a card with a non-working chip and perform an operation called fallback. Quite officially, if there is no way to read the chip, the terminal transmits through the magnetic stripe. A number of banks will reject such transactions for obvious reasons. Where they are accepted, the risk of these transactions will be borne by the acquirer.
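On the issuer or acquirer side, the fallback case described above is visible in the authorization request, because the request says how the card was read. The following Python rules are an added example, not part of the original lecture: the record schema, the entry-mode labels, the thresholds and the sample values are all assumptions, and the service code is treated as an opaque value that is only compared with the issuer's own record.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CardRecord:            # issuer's master record (hypothetical schema)
    token: str               # tokenized card reference, never the raw number
    has_chip: bool
    service_code: str        # value the issuer personalized onto the stripe


@dataclass(frozen=True)
class AuthRequest:           # fields taken from the authorization message
    token: str
    merchant: str
    entry_mode: str          # assumed labels: "chip", "magstripe", "fallback"
    terminal_reads_chip: bool
    service_code: Optional[str] = None   # as presented on the stripe
    arqc_valid: Optional[bool] = None    # result of issuer cryptogram check


DECLINE_REASONS = {"service_code_mismatch", "chip_bypassed", "arqc_failed"}
CARD_PRESENT = ("chip", "magstripe", "fallback")


def reasons(req: AuthRequest, card: CardRecord) -> list:
    """List every risk reason that applies to one authorization request."""
    found = []
    if req.entry_mode in ("magstripe", "fallback"):
        # A stripe that disagrees with the issuer's record was rewritten.
        if req.service_code is not None and req.service_code != card.service_code:
            found.append("service_code_mismatch")
        # Chip card swiped at a terminal that could have used the chip.
        if card.has_chip and req.terminal_reads_chip:
            found.append("technical_fallback" if req.entry_mode == "fallback"
                         else "chip_bypassed")
    # A chip transaction must carry a cryptogram the issuer can verify.
    if req.entry_mode == "chip" and req.arqc_valid is not True:
        found.append("arqc_failed")
    return found


def decide(req: AuthRequest, card: CardRecord) -> tuple:
    """Return ("approve" | "review" | "decline", reasons)."""
    found = reasons(req, card)
    if DECLINE_REASONS & set(found):
        return "decline", found
    return ("review" if found else "approve"), found


def fallback_heavy_merchants(requests, min_count=3, max_ratio=0.2) -> list:
    """Merchants whose share of fallback reads is unusually high."""
    total = Counter(r.merchant for r in requests if r.entry_mode in CARD_PRESENT)
    fallbacks = Counter(r.merchant for r in requests if r.entry_mode == "fallback")
    return sorted(m for m, n in fallbacks.items()
                  if n >= min_count and n / total[m] > max_ratio)


# Constructed sample data; "SC-A" / "SC-B" are placeholders, not real codes.
CARD = CardRecord(token="tok_1", has_chip=True, service_code="SC-A")
SAMPLE = [
    AuthRequest("tok_1", "m1", "chip", True, arqc_valid=True),
    AuthRequest("tok_1", "m1", "magstripe", True, service_code="SC-A"),
    AuthRequest("tok_1", "m2", "fallback", True, service_code="SC-A"),
    AuthRequest("tok_1", "m2", "magstripe", True, service_code="SC-B"),
]

if __name__ == "__main__":
    for request in SAMPLE:
        print(request.merchant, request.entry_mode, decide(request, CARD))
```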

There is also an interesting question about NFC cards and the ability to make payments without the knowledge of the holder, for example, walking between the rows in a cinema or public transport.

I will write a separate lecture about this, but in a nutshell I will say the following: you can, for example, organize an online payment by creating a channel between the card (which is, for example, in the victim's pocket or in a backpack) and a mobile phone that will emulate the operation of an NFC card (HCE application).

For this, two of the cheapest mobile phones with NFC support are required, a host with a white IP to forward traffic online between mobile phones, and clear work within the team.

But here the problem is in the limits without entering a PIN.
That is, one person is standing next to the victim reading her card, and the second is laying his phone at the checkout in ZARA hahahaha))
In fact, in a separate lecture, I will cover in detail all possible options for working with NFC. From fantastic to real!
 