ATM/ Debit Card, Credit Card Fraud

  • By
  • August 23, 2019
  • Cyber Security
ATM/ Debit Card, Credit Card Fraud

Introduction to Payment Card frauds

Note: Only For Educational Purpose 

Use of Plastic cards as a mode of payment is one amongst the foremost wide used and convenient alternatives to money. This mode of payment is currently accessible to the common population of just about all the most important geographical locations on our globe. Such potency can’t be achieved while not the presence of an outsized networked system connected through nodes of assorted procedure devices. But, wherever there area unit computers and networks, their area unit hackers.

The high financial profit concerned during this thieving has attracted the most important on-line cybercriminals and hackers to make their own empire with a tightly unwoven gang of people and teams. Most of the most important payment card frauds area unit financially intended and spans over many months ranging from stealing the user data to conducting actual frauds. This journal goes into the small print of however this complete fraud system functions and the way it’s disrupting this electronic payment trade at an outsized scale.

To start with, allow us to initial provides a fast browse at a number of the key vocabularies which will be used throughout this journal and can be relevant in any understating the key discussion points with the help of Ethical Hacking Classes in Pune.

Key Vocabularies: 

Credit/Debit card:

A financial instrument, typically cited as plastic money, accustomed create a payment for product purchased. Revolving credit is connected with the user’s checking account and might be accustomed to purchase product value price not olympian the quantity of cash within the connected account. 

For Free, Demo classes Call: 7798058777

Registration Link: Click Here!

PIN (Personal Identification Number):

A personal numeric worth accustomed validate the cardboard owner. 


3 or four digit variety wrote on the cardboard. This variety is employed as an extra verification purpose to validate the cardholder

BIN (Bank Identification Number):

the primary six numbers of the cardboard that’s accustomed establish the supplying bank and in sure cases, the sort of card. 

Card brands:

Refers to the approved corporations whose network is employed to facilitate the interaction between acquirer and institution. widespread brands embody Visa, Mastercard and yankee specific (Amex). A card beginning with a four maybe a Visa, with a five may be a Mastercard associated with a three (15 digits long) is an AMEX. 


The cardholder WHO purchases the products and uses the card for payments. 


Goods and repair supplier WHO accepts cards as a mode of payment. 

Acquirer Bank:

The bank liable for process the merchant’s Mastercard transactions with the customer. 

POS (Point Of Sale):

POS machines ar the cardboard reading devices wont to perform the financial dealing between the customer and business person.

The black stripe on the backside of the credit/debit card that stores varied details needed throughout money dealing.


Information on the magnetic strip is saved on tracks one,2 and 3. the primary 2 tracks are usually wont to store the main points like an account range, owner name, etc. The third track is nonmandatory and used for storing further knowledge. 

Card dumps:

The raw un-encrypted knowledge extracted from the temporary storage (RAM) of POS devices. These dumps carry data written on tracks one and a couple of that ar browse by the POS device whereas creating transactions. 

Card reader/Writer:

Is a piece of hardware and computer code that’s wont to write knowledge onto the magnetic strip of the plastic card. MSR-206 is that the preferred encoder used for writing knowledge over cards 


Is the individual WHO uses the purloined plastic card data to hold out dishonorable transactions 

For Free Demo classes Call: 7798058777

Registration Link: Click Here!


EMV or Chip-and-Pin cards ar an alternate resolution to swipe cards, that stores knowledge on a give associate encrypted manner. despite the fact that the storage mechanism is encrypted, POS-based mostly malware will still steal the info once it’s decrypted within the memory. 

Understanding the POS dump data with the help of Ethical Hacking Course in Pune

Now that we have built up a background on how the POS terminals are infected and how the data is stolen, we can now have a brief overview of the data that POS malware steal, how it looks like and how it is intercepted.

Here is an associate example of cleansed up information sent by a POS malware to its C&C server:

Track 1: B4096654104697113^ABHINAV/SINGH^08061012735900521000000

Track 2: 361344212572004=0512052335136; ABHINAV/SINGH Track2 + Track1: 4411037117155348=14111010000013500000;

B4411037117155348^ABHINAV/SINGH^14111010000000135000000? 165430 | 134884 | 2 | 4921817934747226 | 4 | 2008 | 3 | 2010 | | 662 | ABHINAV SINGH | 10 | VARUNA APP | VARANASI | PO139UX 468442/ 165337 | 134815 | 2 | 4921817809597243 | 3 | 2008 | 2 | 2010 | | 185 | ABHINAV SINGH | 10 | VARUNA | VARANASI | PR4 3HB | | Lancs This sounds like some random series of information drop by the malware, however it’s not. so as to form a sense of this information, allow us to initial pay couple of minutes on the structure of magnetic strip and also the format within which it stores information on varied tracks

 Track 1 and 2 Block Diagram:

Magnetic strips are logically divided into tracks or records that are used for storing the info needed throughout money group action. The logical placement is shown within the following diagram:

Magnetic strips

Tracks ar placed in an exceedingly ordered order wherever Track one is followed by Track a pair of and three. The reading of knowledge conjointly follows a similar order. Track one and a couple of ar largely used for storing crucial knowledge. Track three is employed for storing optional knowledge. counting on the banks alternative, they’ll either store money details either on course one or Track a pair of. each these tracks follow specific format for storing the info.. Let us provides a fast check up on the diagram of each these tracks to grasp the format during which the information is hold on and browse on these tracks:

or Track a pair

Track a pair

For Free Demo classes Call: 7798058777

Registration Link: Click Here!

Both Track one and a pair of store data in blocks wherever every block represents specific price, every having a selected storage limit and separated by delimiters.

Let us take the instance of track one information dump another time and analyze it supported the fields we have a tendency to learnt within the block diagram by Ethical Hacking Training in Pune:

Track 1: B4096654104697113^ABHINAV/SINGH ^08061012735900521000000?

Consider no values for SS and FC, the primary seventeen characters represent the checking account variety (B4096654104697113) followed by the sphere extractor (^) and Account holder’s name (ABHINAV/SINGH). subsequent four characters represent termination period of the cardboard in YYMM format (0806). subsequent few digits follows area unit the Service code (1012735900) and number (521). subsequent few digits area unit the filers for the remaining bytes. equally we will conjointly browse the Track a pair of information.

The point to notice here is that Track one information is sufficient data once handling card dumps. It contains enough data to be reborn into Track two dump in addition. There area unit on-line tools offered in addition to try and do the conversion with ease. Most of the web carding forums sell track two information.

The Underground Shopping Mall

Carding forums (popular name) or dedicated websites for merchandising credit and revolving credit information area unit the foremost fashionable suggests that of connecting with the mass starter and elite of individuals United Nations agency has adopted this fraud as their full-time profession. These forums area unit pretty similar in style and format, however, what sets them apart is their supply of dumps.

For Eg, a preferred underground forum, came into limelight once it absolutely was joined with merchandising dumps purloined from Target business establishment breach (source: Overnight, this store was flooded with tones of information. In my sequence of following this forum for a number of months, I detected some key changes in their merchandising model, that was a result of client complains and method improvement. The forum was re-designed to incorporate a number of choice choices for its consumers

Initially, the dumps were solely classified supported their brands like Visa, Mastercard, Amex, etc.

  • Dumps with Signature and Pt stature were actually costlier than others.


  • Later on, town to that the main points belong conjointly became essential. thus it had been supplementary as a filter criterion.
  • Banks and Payment networks incessantly monitor payment transactions to discover fraud. Hence, oversea usage or out of town usage of card while not notifying the banks was one trigger purpose. this is often wherever shopping for dumps happiness to a selected country and town plays a vital role.


  • Later on a remarkable feature was supplementary that rates the success rate of a given card detail. This rating relies on factors like however recent is that the dump, however shut it’s to its end date, cards stature (platinum, Ti etc.). The CC details with lower success rate were comparatively cheaper compared to those with higher success rate.

For Free Demo classes Call: 7798058777

Registration Link: Click Here!

Later on, these specifications and enhancements were derived over by different carding forums similarly. Multiple outlets started spawning in an exceedingly short amount of your time. Some dumps were half-track back to its vendor forums so as to spot their sources and a few went covert. Last few years has seen AN exponential rise in each sellers and patrons of carding frauds

Offline/In-store Carding

Offline carding or in-store carding is way additional attention-grabbing and involves a far larger cluster to perform it with success. As its name suggests, offline or in-store carding means that swiping the counterfeit cards at the particular stores or POS terminals to create purchases. so as to the present, the customer should convert his dumps into plastic cards. the customer will either have a go at it himself if he has the desired hardware and computer code or he will once more head back to his darkweb to let third party try this for him. There area unit specific stores within the darkweb forums that focus on making counterfeit cards exploitation the dump information. they supply wide verity of choices supported card brands, genre etc. Their neatness and increased customization build them an important a part of this fraud system. however occasionally, there area unit possibilities of a double fraud wherever the pretend card generating store would possibly run away along with your dump details therefore deed you with nothing. name is that the key to the present fraud system.

Many skilled carders like generating counterfeit cards in-house to avoid escape of their purchased dumps. so as to try and do this, there area unit some specific hardware and computer code necessities.


  • Plain plastic cards or pretend counterfeit cards with none information on magnetic strip.
  • Magnetic card reader/writer.
  • Software to jot down Track one, two and three information onto the plastic cards.


plastic cards

Briefly, following steps ar concerned in generating counterfeit cards victimisation the higher than mentioned needs and purchased CC details:

  • The method begins by buying the counterfeit cards or plain plastic cards with magnetic strips.
  • Once the cardboard is obtainable, the carder currently needs a mix of Encoder hardware and package to jot down knowledge onto the magnetic strip.
  • There are multiple variants of hardware offered without delay on in style ecommence websites and underground hacking forums. the foremost in style encoder amongst the community is that the MSR206. It works fine with most versions of OS and compatible with in style encryption softwares like “thejerm” and “Exeba”.
  • The method of writing knowledge to Magnetic strip is incredibly abundant obvious. The carder must offer Track1 or Track a pair of or each the track data from the dumps into the encoder package.
  • Once the package is given these details, the hardware must be found out and also the card must be properly placed within the encoder hardware. Once the writing method is complete, the cardboard is currently reading for looking

Offline or in-store carding might sound a small amount risky however it’s higher success rate compared to on-line carding. Swipe and use could be a convenient mode of payment for the merchants still so that they sometimes do-not consider such card usage as suspicious. On the contrary, on-line looking involves pc primarily based authentication and authorization that the possibilities of failure are high.

Carders additionally keep an eye fixed on searching for ways in which for an additional unhazardous offline carding. a number of the foremost mentioned and widely used techniques include:

  • Using the cardboard at self-service gas stations or self-service grocery stores. sometimes there’s no payment machine supervisor gift at the self-service payments and also the carder will simply swipe even a white plastic card and create the payment.
  • Choosing stores that do-not have enough security measures like CCTV camera or the supervisor isn’t terribly active in checking the cardboard and ID before payment. 

Future Scope, Challenges, and Solutions: 

Credit card fraud has been around for years currently and with time, the model has adult stronger and higher with every passing day. additional and additional criminals have gotten attracted towards it, therefore, resulting in the formation of a brand new quite underground mafia cluster. As additional and additional newbies and computer guru nevertheless fired folks get attracted towards this model, it’ll still grow at a similar pace.

The major challenge that this system faces is double fraud, ie, fraud inside fraud. Many times, the customer purchases the dumps, uses it and once it’s blocked, they once more place it purchasable onto totally different forums. conjointly there are faux sellers whose main motive is to draw in patrons and in-return rips them of their cash. there are no thanks to verifying the originality of dumps prior to. Since most of those dealings ar in cryptocurrencies, they can’t be caterpillar-tracked back simply. name plays a key role here. Sellers and patrons with smart name ar sure additional compared to a brand new or unknown trafficker. other challenges embody dominant the abuse, keeping the operation concealing, avoiding being caught, etc.

The payment business has been handling this issue seriously, however, the matter lies within the widespread reach of card usage. it’s demanding for them likewise to enforce sure changes in a very go.

EMV or Chip-and-Pin cards are introduced as a brand new replacement for Magnetic strips. The EMV card stores data on a give associate encrypted manner, therefore, creating it tough to skim the knowledge. EMV cards also are tough to counterfeit, as faking a chip on high of the cardboard won’t be simple. however, EMV cards are still vulnerable to POS memory scraping.

Introduction of Contactless RFID cards also is the point lately. It permits the cardboard owner to merely wave the cardboard ahead of the POS terminal so as to complete the payment dealings. each EMV and RFID have their own set of protocols and security measures outlined in a very definite manner to insure most security of the client

To conclude, this has proved to be yet one more cat and mouse battle wherever the mouse has continuously been a step ahead. Cybercriminals are continuously trying to find new ways that to create simple cash by exploiting the weaknesses that they’re continuously ahead to find. Bob Russo, head of Payment Card business Security Standards Council says, “There is not any single answer to securing payment card data”. Certainly, building a 100% secure model isn’t attainable, however progressive steps and learning from previous mistakes will at least build things harder and difficult for the criminals from stealing the hard-earned cash of the someone.



Rajesh Manwar

For Free Demo classes Call: 7798058777

Registration Link: Click Here!

Call the Trainer and Book your free demo Class for now!!!

call icon

© Copyright 2019 | Sevenmentor Pvt Ltd.

Submit Comment

Your email address will not be published. Required fields are marked *