Credit Cards:

Credit Card as we all know is a card issued by a financial

company giving the holder an option to borrow funds, usually at point of
sale.
Cardholder :
An individual to whom a credit card is issued. Typically,
this individual is also responsible for payment of all charges made
to that card. Corporate cards are an exception to this rule.

Card Issuer:
An institution that issues credit cards to cardholders.
This institution is also responsible for billing the cardholder for
charges. Often abbreviated to "Issuer".

Card Accepter:
An individual, organization, or corporation that
accepts credit cards as payment for merchandise or services. Often
abbreviated "Accepter" or "merchant".

Acquirer:
An organization that collects (acquires) credit authorization requests from
Card Accepters and provides guarantees of payment. Normally, this will be
by agreement with the Issuer of
the card in question.
Basic Terminologies
Credit Cards:

Credit Card as we all know is a card issued by a financial

company giving the holder an option to borrow funds, usually at point of
sale.
Cardholder :
An individual to whom a credit card is issued. Typically,
this individual is also responsible for payment of all charges made
to that card. Corporate cards are an exception to this rule.

Card Issuer:
An institution that issues credit cards to cardholders.
This institution is also responsible for billing the cardholder for
charges. Often abbreviated to "Issuer".

Card Accepter:
An individual, organization, or corporation that
accepts credit cards as payment for merchandise or services. Often
abbreviated "Accepter" or "merchant".

Acquirer:
An organization that collects (acquires) credit authorization requests from
Card Accepters and provides guarantees of payment. Normally, this will be
by agreement with the Issuer of
the card in question.
Credit Card Fraud (C.C.F):

“The fraudulent use of a credit card account through the theft of the
account holder’s card number, card details and personal information
through a wide variety of methods in order to perform unauthorized
transactions from the compromised account”.
Types Of Credit Card Frauds
Stolen Cards:

It is possible for a thief to make unauthorized purchases on that card up until the card is
cancelled. In the absence of other security measures, a thief could potentially purchase
thousands of dollars in merchandise or services before the card holder or the bank realize
that the card is in the wrong hands.
Identity Theft:

Application Fraud:
Application fraud occurs when criminals use stolen or fake documents to open an
account in someone else's name. Criminals may try to steal documents such as
utility bills and bank statements to build up useful personal information.
Alternatively, they may create counterfeit documents.
Account Takeover:
Account takeover involves a criminal trying to take over another person's account,
first by gathering information about the intended victim, then contacting their
bank or credit issuer faking as the genuine cardholder asking for mail to be
redirected to a new address. The criminal then reports the card lost and asks for a
replacement to be sent. The replacement card is then used fraudulently.
Skimming:

Skimming is the theft of credit card information used in an otherwise legitimate transaction. It is
typically an "inside job" by a dishonest employee of a legitimate merchant, and can be as simple as
photocopying of receipts.
Carding:

Carding is a term used for a process to verify the validity of stolen card data.
The thief presents the card information on a website that has realtime
transaction processing. If the card is processed successfully, the thief knows
that the card is still good. The purchase is usually for a small monetary
amount, both to
avoid using the card's credit limit, and also to avoid attracting the bank's
attention. A website known to be susceptible to carding is known as a
cardable website.
d be
at this
t do
BPO Scams:
Botnets:

When Botnets are used to fraud credit card payments then botmasters (cyber criminals) carryout
their operation in a way that compromised computers show no symptoms of an infection. A typical
credit card fraud can be a simple purchase of an item using a stolen credit card number.
Dumpster Diving:

Stealing credit card information from discarded receipts or account statements from people’s
trash is what defines Dumpster Diving.
 Case Study:
BANGALORE BASED WHIZKID
BEHIND BARS

An urge to make fast bucks turned a whiz kid hacker into a Criminal
behind Bars.

True Story of Palavarma Kamal Kumar.

http://www.bangaloremirror.com/article/1/201206132012061305404
17375844123f/Whizkid-whoonce-provided-cyber-security-turned-
into-skimming-mastermind.html
 Palavarma Kamal Kumar
Qualification : MS Degree in Cyber and
Computer Forensics from London.

His clients once included hundreds of

multinational companies across the
world.

With an MS degree in cyber & computer forensics from London, Kamal

was in demand among tech firms. But a chance telephone intercept by
the cops led to the revelation that he was the kingpin of a gang which
cheated thousands and looted crores of rupees.
The significance of the Credit Card
Number:
 The first digit is the Major Industry Identifier. It designates
the category of the organization
that issued the card.

1, 2 ----> Airlines
3 ----> Travel and Entertainment
4, 5 ----> Banking and Financial
6 ----> Merchandizing and Banking
7 ----> Petroleum
8 ----> Telecommunications
9 ----> National Assignment

The first 6 digits are the Issuer Identification Number. It will identify the organization that issued the
card.

Visa: 4xxxxx
Master Card: 51xxxx – 55xxxx
Discover: 6011xx, 644xxx,
65xxxx
American Express: 34xxxx,
37xxxx
The 7th and the following digits(except the last digit) is
the Cardholders Account Number.

The final digit is the check digit or checksum digit. Which is used to
validate using Luhn’s Algorithm.
Case Study:
They installed skimmers at many ATMs in most of the areas. They also
monitored movement at ATMs and a few days after the installation,
collected the data of debit cards belonging to thousands.
Now lets Crack the Credit Card
Number…;-)
 Cracking the Credit Card Number:

Now, let’s consider the above credit card number or any other credit card number.

4000 0012 3456 7899

And double every alternate digit from the right with respect to the first number i.e.

4000 0012 3456 7899

So, now the result would be:

8 0 0 2 6 10 14 18
Now add these new digits to the undoubled ones i.e.

4000 0012 2456 7899

So, then now the result would be:

8+0+0+0+0+0+2+2+6+4+1+0+6+1+4+8+1+8+9
This comes up to:

60
This is divisible by 10, Hence this card is a valid card. If the final number obtained is not divisible by 10, then it is invalid or fake.
Cracking the PIN Number:
The PVV(PIN Verification Value) is derived from the output of the
encryption process, which is a 8 byte string. The four digits of the PVV
(from left to right) correspond to the first four decimal digits (from left to
right) of the output from DES when considered as a 16 hexadecimal
character (16 x 4 bit = 64 bit) string.

Card Number: 4000 0012 3456

7899
Output from DES:
0FAB9CDEFFE7DCBA
Then the PIN Value will be:
A=0
B=1
0975
C=2
D=3
E=4
F=5
Luhn’s Algorithm:
(Mod 10 Algorithm)

The Luhn algorithm or mod 10 algorithm, is a simple checksum

formula used to validate a variety of identification numbers, such
as Credit Card Numbers, IMEI numbers, National Provider Identifier
numbers in US and Canadian Social Insurance Numbers. It was
created by IBM scientist Hans Peter Luhn.
Case Study:

Then downloaded the data from the skimmers, which was then
analysed by Zameer. Then the skimmed data was sent to Alex
Rosenberg using a file sharing website. Then they would receive the
decrypted data back after sometime.
Case Study:

The Later
Story:
With the decrypted information they got back from Russia, they
started preparing the Cloned Cards of the decrypted data received.

Then withdrew money from various ATM’s around the city and
even in various other cities.
Faking a Credit Card
Step 0:

Firstly you should know that this process will need huge
amount of money as the machineries required to carry
out this task are really very expensive.
Step 1:

Getting the Images of the Original Cards.

 Step 2:

Printing those Images onto white Plastic Cards.

Possible by Plastic Card Printers. But are quite expensive as
they would give you exact finishing look of the Original Cards.

Plastic card printers have 3 primary colors which combine together

to give the combination of various colors.
Step 3:

Then the Hologram is fixed onto the Fake Credit Cards.

Step 3 (cont’d):
Step 4:
Embossing the details on the card
Inner view of the machine:
Silver Foil Tipping
Final Step:

Magnetic Card Hi-Co Reader/Writer which would be connected

to the computer and has the ability to read/write the data onto
the magnetic stripe of the card.
ATM Hacks
 ATM Vomiting Cash

Was demonstrated by Barnaby Jack at “Black Hat”.

He used his key to unlock a compartment in the ATM that had

standard USB slots. He then inserted a program he had written
into one of them, commanding the ATM to dump its vaults.
 OS Migration from IBM OS/2 to
Windows based OS

The reason for Migration:

Market Pressure from creditors such as MC and VISA to introduce

stronger Triple DES.

Pressure from US Regulators to introduce new features for Disabled

Users.
Do you know the OS being used in
most of the ATM’s today in India..?
Physical Security Issues:

Malicious Implementation of Skimmers at the ATM’s.

Other types of Skimmers :
Fixing the Issues:
Hiring Security Personal at ATM’s.

Educating the Security Personal about various issues

related to ATM Frauds.

Making the Physical Ports inaccessible.

Educating the Bank Personal as well.

Case Study:
How they got Busted:

It was a chance telephone call that blew Kamal‟s lid. One of his
accomplices, Ajay Lal, had a girlfriend in Hyderabad who was
implicated in a cheating case. Hyderabad police were following her
movements by tapping her mobile phone. They couldn't believe their
ears when they heard Ajay telling her not to worry about money and
talking about their skimming operations in Bangalore and Hyderabad.

Bangalore police said no one knows why such a brilliant man became
a cheat. According to them, he needed big money as he had
borrowed lakhs from different people.
But wait…
The Story isn’t over yet…

After Getting
Busted…!!!

In his statement to the cops, Kamal revealed that when he asked

Alex Rosenberg in Russia for more skimming machines, he
declined as he had many more orders, mainly from India. Which
means that there are many other such gangs active in India.