Teacher
Professional
- Messages
- 2,670
- Reaction score
- 780
- Points
- 113
So, you can understand that even with all types of protection, a credit card is not at all dollars or euros and it is much easier to counterfeit it than it seems and, by the way, it is quite possible to make a not very high-quality counterfeit at home. To do this, let's take a look at how cards are made.
Plastic is printed either by a serial method - on an offset and then additionally marked and embossed in a specific institution (this method of issuing cards is slowly dying out). There is another method - this is when the entire card is printed on a special card printer, then embossed and recorded.
So, in order to record a map, we need a device, in principle, akin to the principle of operation of a babin-type tape recorder. This, in general, can be assembled by yourself, but it is better not to try, but to buy the finished one right away - the device is called an encoder.
It is enough to swipe the map through the device and ... voila - all the information is already on the track. I would like to mention several brands that have proven themselves well in the production of encoders: Olivetti, AMC / AMR, IBC, NMR, SmartMAG. Encoder software is usually supplied. If there is no software, I can recommend RenCode or Comm. The cost of the device is $ 300- $ 1500, depending on various parameters.
You can also buy a card printer with the ability to write cards. Here I can recommend Fargo equipment. Eltron devices have proven to be excellent. Card printers differ in basic parameters - resolution, print type, print speed, the possibility of double-sided printing, automatic hologram labeling and the option of lamination of cards, as well as the option of directly encoding cards (writing to them). Accordingly - the more opportunities, the more expensive - prices from $ 2500 - $ 20,000 (sometimes more expensive). I will not go into controversy - an excellent device that I used myself - Eltron 500 series printer (520, 550)
Among the embossers are devices from DataCard, Matica. There are 2 types of embossers - manual and automatic, for the production of cards a manual CCS embosser is quite enough for yourself, if you want bank quality - DataCard 150i ($ 1500- $ 3000) will be the best price / quality ratio. Embossers differ in the number of symbols, the presence of special symbols, the ability to paint the shattered one, etc.
So, the transition from theory to business - all this is good, but an ordinary Russian person who wants to raise some money is unlikely to immediately find 5-8k for equipment. Output? Equipment is mandatory for constant thoughtful work (shopping - how this is done will be explained below). But to begin with, if there is no start-up capital, you can try and earn money for equipment, all in the same ways, but only by releasing handicraft cards - on your knees. It is not as difficult as it seems - for this you need to have:
- iron 1 pc.
- plastic blanks with a magnetic stripe white
- inkjet printer
- a set of holograms (visa, ms; can be bought from vendors of forums)
- a track for recording on a card (will be discussed later)
- a set of thermal paper
- laminator and laminate
Yes, of course the quality will not be right, but with due diligence it will be quite realistic to hand the card to the seller of some small store, some stupid country - in Russia there is nothing to do with such cards - don't even try, the deadline is guaranteed.
We will learn to counterfeit Electron cards due to the lack of an embosser.
So, first, let's launch PhotoShop on the computer - our goal is to create a card design. We look at the issuing bank by the bin of the card. We climb on his site - usually banks post types of their credit cards and their pictures on their sites. We find a suitable bin and try to draw something similar in PhotoGop (no need to be exact). Ready? Everything, we have a "design". We adjust the dimensions in Photoshop for the real map. Next, we put the card number in the most suitable font (OCR), which we take from a previously prepared dump, experience, the owner's name in accordance with how it should be on a real card. Ready? Now we have 2 options - each has its own pros and cons - printing on film and printing on thermal paper. The film can be neatly glued, thermal paper can be neatly translated with an iron, but there are also disadvantages - applying a hologram. When printing on film, the hologram is simply glued on top in the appropriate place (when printing on film, do not forget to turn on the mirror image function in Photoshop - when gluing everything will be the other way around - on the other hand), when printing on thermal paper, this whole story is first translated by an iron, the hologram is glued, and only then all this is laminated with a layer of a thin film (it is better to buy a self-adhesive film, but thin and transparent; a film that is glued at a temperature is not suitable - when heated in a laminator, the plastic base of the card is deformed). Ready? We make the reverse side in the same way, only without applying the film - when applying the film, it will be noticeable to the touch. Ready? Let's encode the map. All - we are ready for battle. a hologram is glued, and only then all this is laminated with a layer of a thin film (it is better to buy a self-adhesive film, but thin and transparent; a film that is glued at a temperature is not suitable - when heated in a laminator, the plastic base of the card is deformed). Ready? We make the reverse side in the same way, only without applying the film - when applying the film, it will be noticeable to the touch. Ready? Let's encode the map. All - we are ready for battle. a hologram is glued, and only then all this is laminated with a layer of a thin film (it is better to buy a self-adhesive film, but thin and transparent; a film that is glued at a temperature is not suitable - when heated in a laminator, the plastic base of the card is deformed). Ready? We make the reverse side in the same way, only without applying the film - when applying the film, it will be noticeable to the touch. Ready? Let's encode the map. All - we are ready for battle.
At one time, another version of the production of cards was also widespread - popularly called "squeezing". It can be implemented, however, only with an embosser and original cards. The essence of the method is that the finished embossed bank card is placed on a slightly warmed surface, and then pressed down with a press from above, wiped with something like White Spirit and then embossed again. Let's take a closer look.
We take a smooth metal surface, heat it up to about 70-80 degrees, put the card on it, press it on top with something else smooth and iron and begin to slowly squeeze the press from above, turn the card over, repeat. Excessive overheating may cause the card to deform. With a positive result, the fact that the map has been embossed will be almost invisible. Now we quickly run to the store and buy White Spirit or any other solvent and wipe the card from the inscriptions that were on it (name, etc.). Happened? We emboss the map on a new one with the data that we have ... Voila ... The finished map, and almost the original ... Didn't work? Bad luck - either you did something wrong or the card came across a new type - printed on a card printer.
2. So, the general concept of credit cards, what they are made of and how to produce them, we got. Let's move on to the more intelligent part - dumps (tracks that are written to the card). The word dump comes from the English dump - if you do not translate literally - a copy (extract). In this part of my story, we will find out in a little more detail what dumps are, how to distinguish good from bad, where to find them and where to use which ones (by country).
2.1. So, as it is already clear from the above - a dump is that valuable information that will allow us to carry out a transaction - and if we also had a PIN code, we could easily withdraw money from an
ATM, for example.
About 8 years ago, in many countries, it was possible to make purchases only if there was a card number and an experience, driving in zeros instead of pvn, and pvn was used only to authenticate the issuance of money at an ATM. However, this chip was quickly caught by many smart people and used for their nefarious purposes - those were the golden times. However, the happiness did not last long and now pvn is also used to authenticate transactions on pos terminals - i.e. when shopping in a store. Therefore, for real shopping with plastic in stores, we definitely need dumps recorded on this same plastic - it's all about pvn.
So we need dumps. Where do we find from?
The easiest way to get hold of dumps is to buy from multiple resellers. At the moment, there is a huge mass of them - however, there are good and bad ones. Before buying from a particular person, make sure that he is really a real reseller or even a baseholder. When buying dumps, you should know that dumps are divided into 2 classes - American (which, for a number of reasons, are much easier to get - for this we we will come back later, and European ones, which are much more expensive). European dumps in Europe.
they work much better, but there are also some nuances - it will be described later, but with the proper skill in Europe, American dumps work well as well. It should also be noted that when buying a dump, it is imperative to check - there is a tendency for banks to cancel dumps by bin lists. In addition, a dishonest reseller can resell the same dumps to many individuals at once for several times - thereby increasing his profit and decreasing yours, however, if the dump has an approved status at the time of purchase, there can be no claims to the seller, no matter how much you want it , so I repeat once again that the seller must be chosen carefully, once and for all - otherwise you risk being thrown for more than one thousand dollars. But this is not the worst thing - with low-quality dumps you can simply end up behind bars - when a dump hangs up at the most crucial moment, believe me, it will arouse suspicion among many. It should be remembered that even if the dump has the status of approval (00), this does not mean that there is money on it and you can buy something for it.
2.2 So, let's understand a little about the work of processors and how the process of purchasing a product takes place. You come to the store to buy goods with already prepared plastic and dumps on it, make a purchase. The merchant passes the card through the pos terminal, the pos terminal connects to the processing center and transfers the data from your card in encrypted form there. The processing connects with the card issuing organization and receives confirmation or denial in the form of a code. Here is an approximate list of codes used:
00 | Approved | Approved And Completed
85 | Card Ok | No Reason to Decline (card is ok - no reason to refuse - when checking a limit or trying to break into payments in some countries)
01 | Call | Refer To Issuer (the seller must call - in many cases it is not dangerous, but you should know that the card that gives this status is no longer worth using)
02 | Call | Refer To Issuer - Special Condition
28 | No Reply | File is temporarily Unavailable
91 | No Reply | Issuer Or Switch Is Unavailable
04 | Hold-call Or Pick Up Card | Pick Up Card (bad - the requirement of the issuing organization to withdraw the card. This means that at the other end they already know that you are shopping or someone else has shopped on your dump before you)
07 | Hold-Call Or Pick up Card | Pick Up Card - Special Condition
41 | Hold-Call Or Pick up Card | Pick Up Card - Lost
43 | Hold-Call Or Pick up Card | Pick Up Card Stolen
EA | Acct Length Err | Verification Error
79 | Already Reversed | Already reversed at switch
13 | Amount Error | Invalid amount
83 | Cant Verify PIN | Can not Verify PIN
86 | Cant Verify PIN | Can not Verify PIN
14 | Card No. Error | Invalid Card Number
82 | Cashback Not App | Cahback limit exceeded
N3 | Cashback Not Avl | Cashback Service Not Available
EB | Check Digit Err | Verification Error
EC | CID Format Error | Verification Error
80 | Date Error | Invalid Date
05 | Decline | Do Not Honor
51 | Decline | Insufficient Funds
N4 | Decline | Exceeds Issuer Withdrawal Limit
61 | Decline | Exceeds Withdrawal Limit
62 | Decline | Invalid Service Code, Restricted
65 | Decline | Activity Limit Exceeded
93 | Decline | Violation, Cannot Complete
81 | Encryption Error | Cryptographic Error
06 | Error xxxx | General Error
54 | Expired Card | Expired Card
92 | Invalid Routing | Destination Not Found
12 | Invalid Trans | Invalid Transaction
78 | No Account | No Account
21 | No Action Taken | Unable To Back Out Transaction
76 | Unsolic Reversal | Unable To Locate, No Match
77 | No Action Taken | Inconsistent Data, Rev. or Repeat
52 | No Check Account | No Checking Account
39 | No Credit Acct | No Credit Account
53 | No Save Account | No Savings Account
15 | No Such Issuer | No Such Issuer
The code is the final, in any case, be it 00 or 05. But before processing, one more important thing happens - the specified amount is frozen in some cases, in some cases it is withdrawn from the cardholder's account. The amount can be quite large and the bank simply may not give permission for it.
In addition, in different countries there are various systems for dividing a whole payment into parts - let's look at this - knowing this will be useful to us in the future. So, when dividing the amount of goods into payments, the issuing organization performs the same sequence of actions, it still issues a confirmation and refusal, and all subsequent changes occur locally in the organization's database. Those. the issuing organization pays the entire amount at once, then the amount is automatically divided into parts, a loan is issued and it is suspended from the cardholder's account. Naturally, the bank takes into account its interest (usually low) and withdraws a portion of the amount from your account every month. "Well, what is all this written for?" - you ask. And everything is simple - when registering goods on credit, as practice has shown, you can get a high probability that that the card will be processed for a large amount. And there is always less suspicion - wealthy people usually live on credit.
2.3 You will say everything perfectly, but there is one small problem - where to get these same dumps.
The answer is: if you are a beginner in all respects - you can only buy these dumps - from whom and how it was described above, but if you are already an experienced and experienced user / carder / hacker - then this part of my work is just for you, my young friend. And I will describe here exactly what many people will later tear their hair out of - I will describe how to break dumps, well ...
How strange it will be for you to hear that you don't need to be a super hacker - you just need to have basic skills and concepts of the functioning of payment systems. So, if someone does not understand, in this part we will talk exactly about how to break dumps from processors, poses, banks and everything else ...
First, we need to understand how the map is processed. The basic principles have been described above, now let's look at individual points. So the card was rolled in the pos-terminal in the store, then there are two variations - if a small POS store calls up directly to the processing center, if it is a larger store, the pos connects to the main server of the store (that, in turn, can connect to the coordinating server of all other branches of the store ) etc. Further, the organization's server connects to the merchant, the issuing bank, etc. to receive confirmation.
So that's it. What am I talking about ... All types of the above organizations break down - a bike that everything is protected there - really a bike. And even the notion that what one person has done can break another with better knowledge is not suitable here ... the slightest failure in the operation of the equipment can stop the operation of the entire system of stores, and a careless sysadmin does not want to answer for this, therefore he does not patch ... In general, this is understandable, let's go further ... We will return to this all later, but for now we will master a few more fundamental concepts:
- What is a merchant is a large service provided by any large banking organization / association with a structure for processing online / offline payments. Simpler structures buy accounts there for themselves and through them connect to the system - most likely, these are VPN-type connections at best (for the victim), at worst - it's just HTML get / post or a certain service on a certain port (still, more often all the same it is encrypted than not). Almost all the merchandise is Internet organizations ... Accordingly, most of the terminals connected to them are also on the Internet.
(everything is very simplified for better understanding - everything looks much more complicated, depending on which point of view you look at)
- What is processing - processing, it is most likely either the processing center of the organization itself, which processes card transactions, or close to it, a subsidiary. Connections to terminal processing vary from the internal policy of the organization, however, connecting promos to processing through no is far from a fantasy - this happens often ...
The processing itself is most likely connected to other processors, banks and issuing organizations through networks such as X.25 ( we will discuss this later).
- What is a pos-terminal (POS - from the English POS - Point of Sale) - is a device that performs basic client-server-server client operations between a human cashier / seller (and his equipment_ and higher organizations for processing payments. Posses are connected via a telephone line, they can also be connected through special channels, or they can easily be connected via the Internet ...
In general, we already have a basic understanding of the work process - believe me, most likely you will not need more. Everything else is acquired with experience and varies from case to case, and, if you have a certain experience, intuition will tell you everything.
Let's go ... So, we have everything at hand. Everything is ready for hacking. All combat software is configured, for work we need:
- GREAT PATIENCE
- Linux / Unix
- ISS / Nessus (vulnerability scanner)
- Exploit collection
- nmap (utility, or rather not a utility, but a port scan utility, except for a port scan it can do a lot - RTFM)
- pandora (in my opinion, a very convenient resource scanner)
- dedicated or a corresponding server 100Mbit internet connection (Cardena vlet)
- set of dugsong (DSniff and ilk - very useful set for sniff grids disruption sessions etc)
- cryptographic program (to decrypt the received content)
- regularly growing hands head with the general content weighing not less than 0.3 kg and a properly built, working neural network
Is everything ready? Fireeeeeee!
Hacking anything - it is a hack, but in order to carry it out you need to know what to break. Probably, in our case, this will be the most difficult thing. Paradoxically, the most difficult thing is to find what to break - let's figure it out ... Breaking a merchant is quite difficult, and there is no guarantee that there will be dumps, not plain cardboard. Processings must be looked for, and the target is not easy either, but there are a lot of posov and they are shitty protected - so we will look for them. In general, ideally, it is best to find a processing center of some large retail network ... But it all depends on your luck.
Let's get down to business - no matter how funny it sounds, prompts are searched for by a global (or not entirely global) scan of the Internet or a subnet of specific organizations ... A little theory: let's say there is processing X, which connects clients via the Internet - it allocates a certain one to each of its terminals an IP address from their own spectrum ... However, it can be different - the client connects on his own and connects to the processing.
In the days of all this big top, everything was done very simply - Pandora was launched on some dedicated server, and the space for scanning was set. In addition, nmap was launched and ports 135 and 139 were scanned. The names of dns hosts were collected, analyzed for the presence of the word pos (and everything that matched was broken). In addition, a scan was carried out for shared resources - there are resources - to check for the presence of certain software, there is software - we go there. Unfortunately, the idyll did not last long and by now it is difficult to find something with shared resources, but finding a terminal with the name pos812-a.cs.europay.net (this is an example) is quite real. We will proceed from this - we will scan the subnets of organizations responsible, as you think, for processing dumps. Did not work out. We start scanning more extensively, etc. Found ...? Read on.
A completely different type of hacking is processing hacking. Here the goal is, in principle, known - it remains to find a computer that has access, both to no, and to the internal network, or a computer responsible for processing transactions of clients from the net - for this you can, for example, try to become a client of this processing - how is it done - I leave come up with you.
So the goal is known. (I want to say that I will not describe in detail how to hack - a lot has been written about this, I will explain only general tactics) First, we need to find out (at best) what operating system is installed on the attacked computer and what OS is installed. The nmap utility is great for this. Run: nmap -sS -O <targethost>. As a result, at best, we get a list of open ports and the type of the operating system, as well as analytical information on the possibility of a session breakdown (it also happens that the administrator, when applying certain settings, may make you think that there are completely wrong services installed and the wrong OS and can even simulate the presence of bugs in these non-existent services) ... We dial into these ports in order to install the services installed on them. Our goal is to find out the type, service name and version. Have you installed it? We are looking for a suitable exploit ...
Plastic is printed either by a serial method - on an offset and then additionally marked and embossed in a specific institution (this method of issuing cards is slowly dying out). There is another method - this is when the entire card is printed on a special card printer, then embossed and recorded.
So, in order to record a map, we need a device, in principle, akin to the principle of operation of a babin-type tape recorder. This, in general, can be assembled by yourself, but it is better not to try, but to buy the finished one right away - the device is called an encoder.
It is enough to swipe the map through the device and ... voila - all the information is already on the track. I would like to mention several brands that have proven themselves well in the production of encoders: Olivetti, AMC / AMR, IBC, NMR, SmartMAG. Encoder software is usually supplied. If there is no software, I can recommend RenCode or Comm. The cost of the device is $ 300- $ 1500, depending on various parameters.
You can also buy a card printer with the ability to write cards. Here I can recommend Fargo equipment. Eltron devices have proven to be excellent. Card printers differ in basic parameters - resolution, print type, print speed, the possibility of double-sided printing, automatic hologram labeling and the option of lamination of cards, as well as the option of directly encoding cards (writing to them). Accordingly - the more opportunities, the more expensive - prices from $ 2500 - $ 20,000 (sometimes more expensive). I will not go into controversy - an excellent device that I used myself - Eltron 500 series printer (520, 550)
Among the embossers are devices from DataCard, Matica. There are 2 types of embossers - manual and automatic, for the production of cards a manual CCS embosser is quite enough for yourself, if you want bank quality - DataCard 150i ($ 1500- $ 3000) will be the best price / quality ratio. Embossers differ in the number of symbols, the presence of special symbols, the ability to paint the shattered one, etc.
So, the transition from theory to business - all this is good, but an ordinary Russian person who wants to raise some money is unlikely to immediately find 5-8k for equipment. Output? Equipment is mandatory for constant thoughtful work (shopping - how this is done will be explained below). But to begin with, if there is no start-up capital, you can try and earn money for equipment, all in the same ways, but only by releasing handicraft cards - on your knees. It is not as difficult as it seems - for this you need to have:
- iron 1 pc.
- plastic blanks with a magnetic stripe white
- inkjet printer
- a set of holograms (visa, ms; can be bought from vendors of forums)
- a track for recording on a card (will be discussed later)
- a set of thermal paper
- laminator and laminate
Yes, of course the quality will not be right, but with due diligence it will be quite realistic to hand the card to the seller of some small store, some stupid country - in Russia there is nothing to do with such cards - don't even try, the deadline is guaranteed.
We will learn to counterfeit Electron cards due to the lack of an embosser.
So, first, let's launch PhotoShop on the computer - our goal is to create a card design. We look at the issuing bank by the bin of the card. We climb on his site - usually banks post types of their credit cards and their pictures on their sites. We find a suitable bin and try to draw something similar in PhotoGop (no need to be exact). Ready? Everything, we have a "design". We adjust the dimensions in Photoshop for the real map. Next, we put the card number in the most suitable font (OCR), which we take from a previously prepared dump, experience, the owner's name in accordance with how it should be on a real card. Ready? Now we have 2 options - each has its own pros and cons - printing on film and printing on thermal paper. The film can be neatly glued, thermal paper can be neatly translated with an iron, but there are also disadvantages - applying a hologram. When printing on film, the hologram is simply glued on top in the appropriate place (when printing on film, do not forget to turn on the mirror image function in Photoshop - when gluing everything will be the other way around - on the other hand), when printing on thermal paper, this whole story is first translated by an iron, the hologram is glued, and only then all this is laminated with a layer of a thin film (it is better to buy a self-adhesive film, but thin and transparent; a film that is glued at a temperature is not suitable - when heated in a laminator, the plastic base of the card is deformed). Ready? We make the reverse side in the same way, only without applying the film - when applying the film, it will be noticeable to the touch. Ready? Let's encode the map. All - we are ready for battle. a hologram is glued, and only then all this is laminated with a layer of a thin film (it is better to buy a self-adhesive film, but thin and transparent; a film that is glued at a temperature is not suitable - when heated in a laminator, the plastic base of the card is deformed). Ready? We make the reverse side in the same way, only without applying the film - when applying the film, it will be noticeable to the touch. Ready? Let's encode the map. All - we are ready for battle. a hologram is glued, and only then all this is laminated with a layer of a thin film (it is better to buy a self-adhesive film, but thin and transparent; a film that is glued at a temperature is not suitable - when heated in a laminator, the plastic base of the card is deformed). Ready? We make the reverse side in the same way, only without applying the film - when applying the film, it will be noticeable to the touch. Ready? Let's encode the map. All - we are ready for battle.
At one time, another version of the production of cards was also widespread - popularly called "squeezing". It can be implemented, however, only with an embosser and original cards. The essence of the method is that the finished embossed bank card is placed on a slightly warmed surface, and then pressed down with a press from above, wiped with something like White Spirit and then embossed again. Let's take a closer look.
We take a smooth metal surface, heat it up to about 70-80 degrees, put the card on it, press it on top with something else smooth and iron and begin to slowly squeeze the press from above, turn the card over, repeat. Excessive overheating may cause the card to deform. With a positive result, the fact that the map has been embossed will be almost invisible. Now we quickly run to the store and buy White Spirit or any other solvent and wipe the card from the inscriptions that were on it (name, etc.). Happened? We emboss the map on a new one with the data that we have ... Voila ... The finished map, and almost the original ... Didn't work? Bad luck - either you did something wrong or the card came across a new type - printed on a card printer.
2. So, the general concept of credit cards, what they are made of and how to produce them, we got. Let's move on to the more intelligent part - dumps (tracks that are written to the card). The word dump comes from the English dump - if you do not translate literally - a copy (extract). In this part of my story, we will find out in a little more detail what dumps are, how to distinguish good from bad, where to find them and where to use which ones (by country).
2.1. So, as it is already clear from the above - a dump is that valuable information that will allow us to carry out a transaction - and if we also had a PIN code, we could easily withdraw money from an
ATM, for example.
About 8 years ago, in many countries, it was possible to make purchases only if there was a card number and an experience, driving in zeros instead of pvn, and pvn was used only to authenticate the issuance of money at an ATM. However, this chip was quickly caught by many smart people and used for their nefarious purposes - those were the golden times. However, the happiness did not last long and now pvn is also used to authenticate transactions on pos terminals - i.e. when shopping in a store. Therefore, for real shopping with plastic in stores, we definitely need dumps recorded on this same plastic - it's all about pvn.
So we need dumps. Where do we find from?
The easiest way to get hold of dumps is to buy from multiple resellers. At the moment, there is a huge mass of them - however, there are good and bad ones. Before buying from a particular person, make sure that he is really a real reseller or even a baseholder. When buying dumps, you should know that dumps are divided into 2 classes - American (which, for a number of reasons, are much easier to get - for this we we will come back later, and European ones, which are much more expensive). European dumps in Europe.
they work much better, but there are also some nuances - it will be described later, but with the proper skill in Europe, American dumps work well as well. It should also be noted that when buying a dump, it is imperative to check - there is a tendency for banks to cancel dumps by bin lists. In addition, a dishonest reseller can resell the same dumps to many individuals at once for several times - thereby increasing his profit and decreasing yours, however, if the dump has an approved status at the time of purchase, there can be no claims to the seller, no matter how much you want it , so I repeat once again that the seller must be chosen carefully, once and for all - otherwise you risk being thrown for more than one thousand dollars. But this is not the worst thing - with low-quality dumps you can simply end up behind bars - when a dump hangs up at the most crucial moment, believe me, it will arouse suspicion among many. It should be remembered that even if the dump has the status of approval (00), this does not mean that there is money on it and you can buy something for it.
2.2 So, let's understand a little about the work of processors and how the process of purchasing a product takes place. You come to the store to buy goods with already prepared plastic and dumps on it, make a purchase. The merchant passes the card through the pos terminal, the pos terminal connects to the processing center and transfers the data from your card in encrypted form there. The processing connects with the card issuing organization and receives confirmation or denial in the form of a code. Here is an approximate list of codes used:
00 | Approved | Approved And Completed
85 | Card Ok | No Reason to Decline (card is ok - no reason to refuse - when checking a limit or trying to break into payments in some countries)
01 | Call | Refer To Issuer (the seller must call - in many cases it is not dangerous, but you should know that the card that gives this status is no longer worth using)
02 | Call | Refer To Issuer - Special Condition
28 | No Reply | File is temporarily Unavailable
91 | No Reply | Issuer Or Switch Is Unavailable
04 | Hold-call Or Pick Up Card | Pick Up Card (bad - the requirement of the issuing organization to withdraw the card. This means that at the other end they already know that you are shopping or someone else has shopped on your dump before you)
07 | Hold-Call Or Pick up Card | Pick Up Card - Special Condition
41 | Hold-Call Or Pick up Card | Pick Up Card - Lost
43 | Hold-Call Or Pick up Card | Pick Up Card Stolen
EA | Acct Length Err | Verification Error
79 | Already Reversed | Already reversed at switch
13 | Amount Error | Invalid amount
83 | Cant Verify PIN | Can not Verify PIN
86 | Cant Verify PIN | Can not Verify PIN
14 | Card No. Error | Invalid Card Number
82 | Cashback Not App | Cahback limit exceeded
N3 | Cashback Not Avl | Cashback Service Not Available
EB | Check Digit Err | Verification Error
EC | CID Format Error | Verification Error
80 | Date Error | Invalid Date
05 | Decline | Do Not Honor
51 | Decline | Insufficient Funds
N4 | Decline | Exceeds Issuer Withdrawal Limit
61 | Decline | Exceeds Withdrawal Limit
62 | Decline | Invalid Service Code, Restricted
65 | Decline | Activity Limit Exceeded
93 | Decline | Violation, Cannot Complete
81 | Encryption Error | Cryptographic Error
06 | Error xxxx | General Error
54 | Expired Card | Expired Card
92 | Invalid Routing | Destination Not Found
12 | Invalid Trans | Invalid Transaction
78 | No Account | No Account
21 | No Action Taken | Unable To Back Out Transaction
76 | Unsolic Reversal | Unable To Locate, No Match
77 | No Action Taken | Inconsistent Data, Rev. or Repeat
52 | No Check Account | No Checking Account
39 | No Credit Acct | No Credit Account
53 | No Save Account | No Savings Account
15 | No Such Issuer | No Such Issuer
The code is the final, in any case, be it 00 or 05. But before processing, one more important thing happens - the specified amount is frozen in some cases, in some cases it is withdrawn from the cardholder's account. The amount can be quite large and the bank simply may not give permission for it.
In addition, in different countries there are various systems for dividing a whole payment into parts - let's look at this - knowing this will be useful to us in the future. So, when dividing the amount of goods into payments, the issuing organization performs the same sequence of actions, it still issues a confirmation and refusal, and all subsequent changes occur locally in the organization's database. Those. the issuing organization pays the entire amount at once, then the amount is automatically divided into parts, a loan is issued and it is suspended from the cardholder's account. Naturally, the bank takes into account its interest (usually low) and withdraws a portion of the amount from your account every month. "Well, what is all this written for?" - you ask. And everything is simple - when registering goods on credit, as practice has shown, you can get a high probability that that the card will be processed for a large amount. And there is always less suspicion - wealthy people usually live on credit.
2.3 You will say everything perfectly, but there is one small problem - where to get these same dumps.
The answer is: if you are a beginner in all respects - you can only buy these dumps - from whom and how it was described above, but if you are already an experienced and experienced user / carder / hacker - then this part of my work is just for you, my young friend. And I will describe here exactly what many people will later tear their hair out of - I will describe how to break dumps, well ...
How strange it will be for you to hear that you don't need to be a super hacker - you just need to have basic skills and concepts of the functioning of payment systems. So, if someone does not understand, in this part we will talk exactly about how to break dumps from processors, poses, banks and everything else ...
First, we need to understand how the map is processed. The basic principles have been described above, now let's look at individual points. So the card was rolled in the pos-terminal in the store, then there are two variations - if a small POS store calls up directly to the processing center, if it is a larger store, the pos connects to the main server of the store (that, in turn, can connect to the coordinating server of all other branches of the store ) etc. Further, the organization's server connects to the merchant, the issuing bank, etc. to receive confirmation.
So that's it. What am I talking about ... All types of the above organizations break down - a bike that everything is protected there - really a bike. And even the notion that what one person has done can break another with better knowledge is not suitable here ... the slightest failure in the operation of the equipment can stop the operation of the entire system of stores, and a careless sysadmin does not want to answer for this, therefore he does not patch ... In general, this is understandable, let's go further ... We will return to this all later, but for now we will master a few more fundamental concepts:
- What is a merchant is a large service provided by any large banking organization / association with a structure for processing online / offline payments. Simpler structures buy accounts there for themselves and through them connect to the system - most likely, these are VPN-type connections at best (for the victim), at worst - it's just HTML get / post or a certain service on a certain port (still, more often all the same it is encrypted than not). Almost all the merchandise is Internet organizations ... Accordingly, most of the terminals connected to them are also on the Internet.
(everything is very simplified for better understanding - everything looks much more complicated, depending on which point of view you look at)
- What is processing - processing, it is most likely either the processing center of the organization itself, which processes card transactions, or close to it, a subsidiary. Connections to terminal processing vary from the internal policy of the organization, however, connecting promos to processing through no is far from a fantasy - this happens often ...
The processing itself is most likely connected to other processors, banks and issuing organizations through networks such as X.25 ( we will discuss this later).
- What is a pos-terminal (POS - from the English POS - Point of Sale) - is a device that performs basic client-server-server client operations between a human cashier / seller (and his equipment_ and higher organizations for processing payments. Posses are connected via a telephone line, they can also be connected through special channels, or they can easily be connected via the Internet ...
In general, we already have a basic understanding of the work process - believe me, most likely you will not need more. Everything else is acquired with experience and varies from case to case, and, if you have a certain experience, intuition will tell you everything.
Let's go ... So, we have everything at hand. Everything is ready for hacking. All combat software is configured, for work we need:
- GREAT PATIENCE
- Linux / Unix
- ISS / Nessus (vulnerability scanner)
- Exploit collection
- nmap (utility, or rather not a utility, but a port scan utility, except for a port scan it can do a lot - RTFM)
- pandora (in my opinion, a very convenient resource scanner)
- dedicated or a corresponding server 100Mbit internet connection (Cardena vlet)
- set of dugsong (DSniff and ilk - very useful set for sniff grids disruption sessions etc)
- cryptographic program (to decrypt the received content)
- regularly growing hands head with the general content weighing not less than 0.3 kg and a properly built, working neural network
Is everything ready? Fireeeeeee!
Hacking anything - it is a hack, but in order to carry it out you need to know what to break. Probably, in our case, this will be the most difficult thing. Paradoxically, the most difficult thing is to find what to break - let's figure it out ... Breaking a merchant is quite difficult, and there is no guarantee that there will be dumps, not plain cardboard. Processings must be looked for, and the target is not easy either, but there are a lot of posov and they are shitty protected - so we will look for them. In general, ideally, it is best to find a processing center of some large retail network ... But it all depends on your luck.
Let's get down to business - no matter how funny it sounds, prompts are searched for by a global (or not entirely global) scan of the Internet or a subnet of specific organizations ... A little theory: let's say there is processing X, which connects clients via the Internet - it allocates a certain one to each of its terminals an IP address from their own spectrum ... However, it can be different - the client connects on his own and connects to the processing.
In the days of all this big top, everything was done very simply - Pandora was launched on some dedicated server, and the space for scanning was set. In addition, nmap was launched and ports 135 and 139 were scanned. The names of dns hosts were collected, analyzed for the presence of the word pos (and everything that matched was broken). In addition, a scan was carried out for shared resources - there are resources - to check for the presence of certain software, there is software - we go there. Unfortunately, the idyll did not last long and by now it is difficult to find something with shared resources, but finding a terminal with the name pos812-a.cs.europay.net (this is an example) is quite real. We will proceed from this - we will scan the subnets of organizations responsible, as you think, for processing dumps. Did not work out. We start scanning more extensively, etc. Found ...? Read on.
A completely different type of hacking is processing hacking. Here the goal is, in principle, known - it remains to find a computer that has access, both to no, and to the internal network, or a computer responsible for processing transactions of clients from the net - for this you can, for example, try to become a client of this processing - how is it done - I leave come up with you.
So the goal is known. (I want to say that I will not describe in detail how to hack - a lot has been written about this, I will explain only general tactics) First, we need to find out (at best) what operating system is installed on the attacked computer and what OS is installed. The nmap utility is great for this. Run: nmap -sS -O <targethost>. As a result, at best, we get a list of open ports and the type of the operating system, as well as analytical information on the possibility of a session breakdown (it also happens that the administrator, when applying certain settings, may make you think that there are completely wrong services installed and the wrong OS and can even simulate the presence of bugs in these non-existent services) ... We dial into these ports in order to install the services installed on them. Our goal is to find out the type, service name and version. Have you installed it? We are looking for a suitable exploit ...
