TechnicalInfoBannerA
TechnicalInfoBannerB
TechnicalInfoBannerC

Frequency-X_BlogEntry

 

DIY Credit Cards

Posted by Gunter Ollmann on June 03, 2008 at 10:02 PM EDT.

Over the last few years, if you’ve been following the Frequency-X blog, you’ve probably gained a fair understanding of the mechanics behind Internet-based credit card cloning and fraud.

All the components needed to conduct this particular crime can be easily uncovered through a little searching of the Internet.

A simple search through discussion forums for the terms “mastercard”, “visa” or “CVV” will reveal plenty of postings made by sellers and traders of stolen credit card details – along with their prices and contact information.

For example, the following post (and minor variations of it – typically with different contact details) can be found on over 1140 Web sites (according to Google).


 
Meanwhile postings that list samples of the credit card credentials available for sale are becoming more popular.

For example, the posting below is common and can be found on multiple Web sites. In fact, just doing a search for some of the credit card numbers listed in that one post revealed that each card could be found on close to 200 different sites – and those are just the ones that allow the search engines to crawl them.


 
So, if someone purchases a batch of credit cards and intends to do more than a few “card not present” transactions (e.g. buying goods online or over the phone), they need to program existing cards or perhaps print new cards.

With a physical card it become possible to withdraw untraceable cash or purchase goods directly from a store (and not need to provide a delivery address – as you typically would for “card not present” purchases).

Magstripe encoders (necessary for programming the magnetic information stored on an existing credit card) are easy to get hold of and can be purchased online for a few hundred dollars (including postage and packaging).

Simple plastic card printers are also relatively cheap and plentiful…


 
…while more expensive printers offer printing functionality such as double-sided printing and magnetic encoders. Just what the fraudster needs for their expanding business.


 
Meanwhile blank cards are available in packs of 100 for a few dollars and, after a little digging, high quality scans of most banks credit cards (missing the card number, expiry date and cardholder name information) are available for a nominal fee. Armed with these, the fraudster can create a very legitimate looking card.

But perhaps the hardest part to faking a credit card for use “in store” is the little hologram on the front that most cards now include – designed as an anti-tampering device as well as validation that the card is not a simple photocopy or printer clone.

Unfortunately those little holograms, containing the Visa dove (or perhaps it’s a pigeon?) or the Mastercard map of the globe, can also be purchased with relative ease via mail order.

The costs vary (don’t they always) but one recent posting was asking $400 for 100 hologram sheets (discounted down to $1300 for 500) along with a few snapshots of their quality and usage.

Finally, a quick search of the web will reveal some manufacturers of the credit card hologram stickers (or heat transfers). For example, the following image shows a China based hologram printing company offering Visa card stickers for as low as 0.5 cents each (with a minimum order quantity of 1000 – and a 10 day delivery).


 
So, what does it all mean? Basically, be aware of how easy it is to create credit cards that will likely pass most levels of visible inspection. Personally, I’d like to see more banks and merchants adopt Chip and PIN technologies – embedding secure chips in the credit cards themselves – to help prevent this kind of cloning and subsequent fraud.

That said, I wonder how easy it is to get hold of blank/reprogrammable cards with chips already? Sadly, probably not that difficult, and likely to be easier as time goes by and the technology become more pervasive.

     
    Copyright 2001-2008 © Gunter Ollmann