Introduction
This paper is intended to detail how financially motivated
hacking groups convert stolen data to monetary instruments. The
primary premise for this paper is based on Eastern European
hacking groups but in recent months, the “financially motivated”
hacker sub group has expanded to include hackers from the Far and
Middle East Hackers. What the individuals are doing with the
illicit profits of their activities range from childish purchases
to funding terrorist attacks as was detailed in the recent
autobiography, “Aku Melawan Teroris” (Me, Fighting the Terrorists)
by the Bali nightclub bomber. In the chapter “Hacking, Mengapa
Tidak” (Hacking, Why not?), Iman Samura, a computer scientist
provides a primer to Islamic Extremists of how to learn the trade
of credit card fraud and hacking.
To quote BigBoss, from forum.Carderplanet.com, “Carding
shouldn’t be something you do for fun, it is something you do to
survive.”
Financially motivated hackers consider hacking and carding as
their career. The employment opportunities are in their home
countries, particularly those whose salaries are enough to pay for
the life styles these individuals have become accustomed, are
extremely limited. They come from a society where the average pay
is $200 per month but Internet connectivity costs $40 per month.
Thus they are willing to spend one fifth of their monthly salary
to be online. A $1000 profit is more money then most Eastern
European hackers have ever seen at one time.
Though they understand the process of credit cards, most
International hackers do not understand the impact of committing
credit card fraud. Most come from cash economies and the use of a
credit card by regular citizens is extremely uncommon. They feel
the attack is directed at a big corporation and not an individual.
The idea of rising interest rates, chargeback fees or economic
instability are not concepts they can understand nor are they
their concern. Money is the object of their actions.
At the time of the first version of this paper in August
2003, many financially motivated hackers could be found chatting
in the forums of the web sites carderplanet.com, shadowcrew.com
and/or darkprofits.com. These sites are still referenced in this
3
paper because the information provided on the sites are still
relevant.
Since that time, many of the referenced sites have been
shutdown or taken over by script-kiddies and the real profiteers
have moved deeper underground. Many have also become allied with
organized crime groups or created their own hacking teams.
Also at the time of original publication, EFnet and DALnet on
IRC initiated a crackdown on channels dedicated to cyber crime.
Since that time, the criminals have found loop holes in the
crackdown, such as renaming the groups, attaching messages of the
day (MOTD)forbidding criminal activity or making the channels
private. Many of the channels have also gone native; meaning they
are dedicated to a particular language group and all posts to the
channel utilize that language and the corresponding slang for
carding.
The point being, the groups have not gone away. They still
exist and communicate on the Internet by adapting to the rules.
Law Enforcement must now adapt in kind.
By no means is this paper intended to be the end-all
authority on this crime. Comments, questions and revision are
always welcome.
Definitions, Concepts and Statistics
Since the readers of this paper will range from skilled
investigators to neophytes, some basic terms and concepts need to
be set forth:
Hacker - Individual who gains unauthorized access to computer
networks and systems
Carder - Individual who uses stolen data, usually Credit cards, to
fraudulently purchase items or convert the credit into cash.
Credit card - a monetary instrument, often referred to as plastic,
used in place of cash to make purchases. Credit cards are
assigned to entities and have specific monetary limits and an
interest rate associated with payoff. Since credit cards do not
have to be paid off each month, the available limit will
fluctuate. Visa or MasterCard does not issue Visa and MasterCard
credit cards. They are issued by an issuing bank in conjunction
with a use agreement between the bank and Visa or MasterCard.
4
This agreement is for the use of the Visanet or the MasterCard
equivalent for verification and authorization of the card.
Charge card - same as credit card however, a charge card must be
paid off each month or risk an extremely high interest rate or the
card being shutdown.
Debit Card - Card associated with a bank account and limited by
the amount of money in said account, which resembles the credit
card by the method of purchase. However, these cards may only be
used with the owners Personalized Identification Number.
Hacker knowledge
Below is the “Beginning Carders Dictionary’” as posted online
by the Russian hacker, KLYKVA on forum.carderplanet.com. It is
presented in its original form to illustrate the level of
knowledge from which these individuals are working.
Bank-emitent (Issuing bank) - bank which has issued the card
Billing address - the card owner address
Drop - innerman. His task is to receive the money or goods and,
accordingly, give the part of the earnings to you.
Drop/Pick-Up guy/Runner - person or location that is setup to
accept packages or to receive the money. He should be paid nicely
for this position.
Billing - office, which has agreement with a bank and assumes
payments for the cards.
COB - Change of Billing address
Card bill - a Bank emitent card bill.
Bank-aquirer - bank, in which the store opens the account.
Merchant account - bank account for accepting credit cards.
Merchant Bank - bank, through which occur the payments between the
buyer and the seller (frequently it is used as synonym “bankequirer”).
Cardholder - owner of the card.
5
Validity - suitability of card.
White plastic - a piece of pure plastic, where the information is
plotted/printed.
CR-80 - rectangular piece of pure white plastic (without the
drawing image) the size of a credit card with the magnetic strip.
Transaction - charge to the credit card
POS terminal (Point Of Sale terminal) - reading card device, which
stands at commercial point.
PIN-code – (Personal Identification Number) the sequence, which
consists of 4-12 numbers, known only to the owner of card. A
simple word password for an ATM and so on.
AVS - the card owner address checking. It is used for the
confirmation of the card belonging exactly to its holder.
“Globe” - card holographic gluing with the image of two
hemispheres (MasterCard).
Pigeon (hen) - card holographic gluing with the image of the
flying pigeon (VISA).
Reader - information reading device for the readout from the
magnetic strip of card.
Encoder - read/write device for the magnetic track of the card.
Embosser - card symbol extrusion device.
Card printer - card information printing device.
Exp.date - card validity period.
Area code - the first of 3 or 6 digits of the card owner’s phone
number.
CVV2, cvv, cvn - 3 or 4 additional numbers, which stand at the end
of the number of card.
ePlus - program for checking the cards.
6
BIN - first 6 numbers of the card number which make it possible to
learn what bank issued the card and what type of card (ATM-card,
credit, gold, etc.). Synonym of word “Prefix”.
Chargeback - the cardholder’s bank voids the removal of money from
its card.
Dump - information, which is written to the magnetic strip of the
card, it consists of 1,2 or 3 tracks.
MMN - Mothers Maiden Name (generally the primary account holders
mother)
Track (road) - a part of the dump with specific information.
Every 1st track is the information about the owner of the card.
2nd track - information about the owner of card and about the bank
who issued the card, etc. 3rd track - it is possible to say -
spare, it is used by stores for the addition of the points and
other.
Slip - synonym to the word “cheque” (conformably to card
settlings).
Card balance – amount of credit remaining for spending in the card
account.
Automated Clearing House (ACH) - the automated clearinghouse. The
voluntary association of depositors, which achieves clearing of
checks and electronic units by the direct exchange of means
between the members of association.
Continuous Acquisition and Life-cycle Support (CALS) - the
integrated system of the production guaranteeing, purchase and
exploitation. This system makes possible to computerize all data
about the design, development, production, servicing and the
propagation of the production.
Debit Card - Card, which resembles the credit card by the method
of using, but making possible to realize direct buyer account
debiting at the moment of the purchase of goods or service.
Delivery Versus Payment (DVP) - the system of calculations in the
operations with the valuable papers, which ensures the mechanism,
that guarantees the delivery will occur only in the case of
payment and at the moment of payment.
7
Direct debit - payment levy method, mainly, with the repetitive
nature (lease pay, insurance reward, etc.) with which the debitor
authorizes his financial establishment to debit his current
account when obtaining calculations on payment from the indicated
creditor.
Electronic Fund Transfer (EFT) - the remittance of means,
initiated from the terminal, telephone or magnetic carrier (tape
or diskette), by transfer of instructions or authorities to
financial establishment, that concern the debiting or crediting of
the account (see Electronic Fund Transfer/Point of Sale -
EFT/POS).
Electronic Fund Transfer/Point of Sale - EFT/POS - debiting from
the electronic terminal, for the transfer purpose from the account
of a buyer into the payment on the obligations, which arose in the
course of transaction at the point of sale.
Integrated Circuit (IC) Card - It is known also as chip card.
Card equipped with one or several computer micro-chips or
integrated microcircuits for identification and storing of data or
their special treatment, utilized for the establishment of the
authenticity of personal identification number (PIN), for delivery
of permission for the purchase, account balance checking and
storing the personal records. In certain cases, the card memory
renewal during each use (renewed account balance).
Internet - the open world communication infrastructure, which
consists of the interrelated computer networks and provides access
to the remote information and information exchange between the
computers.
International Standardization Organization (ISO) - International
organization, which carries out standardization, with the staff
office in Geneva, Switzerland.
Magnetic Ink Character Recognition (MICR) - System, which ensures
the machine reading of the information, substituted by magnetic
inks in the lower part of the check, including the number of
check, the code of department, sum and the number of account.
RSA - the coding and authentication technology, developed in 1977
in MIT by Rivest, Shamir and Adel’man, which subsequently opened
their own company RSA Data Security, Inc., purchased recently by
the company Security Dynamics Technologies, Inc.
8
Real-Time Gross Settlement (RTGS) - the payment method, with which
the transfer of means is achieved for each transaction in
obtaining instructions about the payment. Decrease the risk with
the payment.
Smart Card - card equipped with integrated circuit and
microprocessor, capable of carrying out the calculations.
System risk - the risk, with which the incapacity of one of the
payment system participants either financial market participants
as a whole to fulfill their obligations, causes the incapacity of
other participants or financial establishments to fulfill its
obligations (including obligations regarding the realization of
calculations in means transfer systems) properly. This failure can
cause significant liquidity or crediting problems and, as result,
it can cause loss to the stability of financial markets (with the
subsequent action on the level of economic activity).
Truncation - procedure, which makes it possible to limit the
physical displacements of a paper document (in the ideal version)
by the bank of the first presentation, by the replacement by
electronic transfer of entire or part of the information, which is
contained on this document (check).
Card Balance - Current used Credit
Avail Credit - Actual credit avail for Spending
Cash Advance Avail - Actual amount avail as Cash for ATM usage.
Integrated Circuit (IC) Card - It is known also as chip card.
Card equipped with one or several computer micro-chips or
integrated microcircuits for identification and storing of data or
their special treatment, utilized for the establishment of the
authenticity of personal identification number (PIN), for delivery
of permission for the purchase, account balance checking and
storing the personal records. In certain cases, the card memory
renewal during each use (renewed account balance).
LE - Law Enforcement, Coppers, Piggies, The Fuzzzzzzzzzzzz
Lappie- Laptop
Communication Methods
As in all endeavors, hackers and carders need a means or
several means of communication. Given the international make-up
9
of most hacking groups and the fact of Cyber crime being truly
borderless, the communication methods chosen by these groups must
be internationally accessible, cost effective and have a high
level of anonymity. Listed below are several of the primary
communications methods used by hackers and carders:
IRC - Internet Relay Chat, a series of interconnected computer
servers on various network which enable users to chat in channels
and one to one. The channels are also referred to as rooms and
are controlled by the user who first established the room.
ICQ - America Online (AOL) owned peer-to-peer chat application.
Chat rooms can be established within the ICQ network but entrance
is by invitation only.
AIM- AOL Instant Messenger
Forums - Website sponsored bulletin boards where public and
private messages can be posted about various topics. Examples:
forum.carderplanet.com, eraser.hostmos.ru, www.darkprofits.com
and www.carderclan.net
Email - Electronic mail
A Credit Card (VISA) Transaction
There are two parts to every transaction. First, a customer
presents a Visa product, usually a card, to a merchant, who needs
immediate authorization of the transaction. Second, at the end of
the day, the merchant needs to receive the funds for the
transaction via its financial institution and ultimately from the
customer’s issuer. The specifics will vary depending on
transaction type, complexity, technology, and processing services
but the typical flow is illustrated here.
How a Purchase is Made
Authorization at the Point of Sale
Maria presents a Visa card (credit or debit) at ABC Stores.
ABC uses an electronic terminal or the telephone to request an
authorization from its financial institution (DEF Merchant
Services).
DEF checks to see if the account is valid and has sufficient
funds. It sends an authorization request message, including
10
owner’s account, merchant account and transaction details, through
VisaNet to GHI Bank, Maria’s Visa issuer.
GHI reviews the request and makes a decision to approve or
decline the request. GHI’s response message is sent back through
VisaNet to ABC within seconds.
In some cases, when an issuer is unavailable for
authorization, VisaNet will authorize the transaction as part of a
Stand-In Processing Service. This is done to further enhance
payment system efficiency. The entire authorization process, when
done electronically, takes about two seconds.
How the Merchant Gets Paid
Clearing and Settlement
At the end of the day, ABC Stores delivers all its sales
draft information (including Maria’s purchase) to DEF Merchant
Services. Each draft will contain the credit card number and the
merchant account number. DEF credits the merchant account of ABC
Stores for the net amount of all its sales. This is how ABC Stores
obtains its funds from Maria’s purchase.
Next, DEF’s processing center creates an electronic version
of all drafts for all the merchants it supports, including ABC
Stores. The electronic drafts, which may include transactions from
numerous Visa account holders in various countries, are sent
through VisaNet to one of Visa’s data centers.
Visa routes these drafts to the financial institutions of the
Visa account holders, for instance, Maria’s transaction is sent to
her issuing bank, GHI Bank. Visa consolidates all transactions for
each issuer into an electronic file that includes currency
conversions, fees, net settlement amounts, and required reporting
information.
GHI’s processing center receives the file and prepares the
transactions for posting to its cardholders’ accounts including
Maria’s.
GHI Bank transfers all the funds owed that day by its
cardholders, including Maria, to a settlement bank, which is
responsible for delivering the funds to the merchant acquirers
such as DEF Merchant Services. This is how DEF gets paid for the
amount it paid ABC Stores in step #2.
11
At the end of the billing period, GHI Bank produces a statement to
Maria. This is how GHI settles with Maria.
Statistics
Visa annual worldwide sales volume exceeds US$2.4 trillion.
There are 1.2 billion Visa, Visa Electron, Visa Cash, Interlink
and PLUS cards worldwide. But only 49,413 legally issued cards in
Central Europe, the Middle East and Africa.
Visa is accepted in more than 150 countries.
As of March 31, 2003, MasterCard’s gross dollar volume for
credit and debit programs was US$285.7 billion, an increase of
7.31% over the same period in 2002.
MasterCard has 32 million acceptance locations; no payment
card is more widely accepted globally.
Cardholders can obtain cash with the card at bank branches and at
all ATMs in the global MasterCard/Maestro/Cirrus ATM Network,
among the largest ATM networks in the world with more than 892,000
ATM locations worldwide on all seven continents.
Most Eastern European law enforcement officers do not own,
use or understand a credit card. This is important when
requesting information from certain parts of the world. All
requests must be highly detailed and precise.
What to Steal
Everything is worth stealing to these individuals. These
hackers are financially motivated and highly educated. They are
not the typical hackers found in the U.S. Hacking and Carding is
a business for them. They hack to steal databases, which in turn
are provided to carders. Carders, utilizing various schemes
convert the stolen credit cards to cash or equipment then, provide
the cards freely online in carding related IRC chat rooms. The
intention of the free cards is to spread the information as widely
as possible thus making it difficult for law-enforcement to track
who originally committed the hack.
The hack occurs in three parts, reconnaissance, theft and
dump. During the reconnaissance portion, the hackers steal
everything. This information is used to identify the important
parts of the network, the location of the databases and user names
This paper is intended to detail how financially motivated
hacking groups convert stolen data to monetary instruments. The
primary premise for this paper is based on Eastern European
hacking groups but in recent months, the “financially motivated”
hacker sub group has expanded to include hackers from the Far and
Middle East Hackers. What the individuals are doing with the
illicit profits of their activities range from childish purchases
to funding terrorist attacks as was detailed in the recent
autobiography, “Aku Melawan Teroris” (Me, Fighting the Terrorists)
by the Bali nightclub bomber. In the chapter “Hacking, Mengapa
Tidak” (Hacking, Why not?), Iman Samura, a computer scientist
provides a primer to Islamic Extremists of how to learn the trade
of credit card fraud and hacking.
To quote BigBoss, from forum.Carderplanet.com, “Carding
shouldn’t be something you do for fun, it is something you do to
survive.”
Financially motivated hackers consider hacking and carding as
their career. The employment opportunities are in their home
countries, particularly those whose salaries are enough to pay for
the life styles these individuals have become accustomed, are
extremely limited. They come from a society where the average pay
is $200 per month but Internet connectivity costs $40 per month.
Thus they are willing to spend one fifth of their monthly salary
to be online. A $1000 profit is more money then most Eastern
European hackers have ever seen at one time.
Though they understand the process of credit cards, most
International hackers do not understand the impact of committing
credit card fraud. Most come from cash economies and the use of a
credit card by regular citizens is extremely uncommon. They feel
the attack is directed at a big corporation and not an individual.
The idea of rising interest rates, chargeback fees or economic
instability are not concepts they can understand nor are they
their concern. Money is the object of their actions.
At the time of the first version of this paper in August
2003, many financially motivated hackers could be found chatting
in the forums of the web sites carderplanet.com, shadowcrew.com
and/or darkprofits.com. These sites are still referenced in this
3
paper because the information provided on the sites are still
relevant.
Since that time, many of the referenced sites have been
shutdown or taken over by script-kiddies and the real profiteers
have moved deeper underground. Many have also become allied with
organized crime groups or created their own hacking teams.
Also at the time of original publication, EFnet and DALnet on
IRC initiated a crackdown on channels dedicated to cyber crime.
Since that time, the criminals have found loop holes in the
crackdown, such as renaming the groups, attaching messages of the
day (MOTD)forbidding criminal activity or making the channels
private. Many of the channels have also gone native; meaning they
are dedicated to a particular language group and all posts to the
channel utilize that language and the corresponding slang for
carding.
The point being, the groups have not gone away. They still
exist and communicate on the Internet by adapting to the rules.
Law Enforcement must now adapt in kind.
By no means is this paper intended to be the end-all
authority on this crime. Comments, questions and revision are
always welcome.
Definitions, Concepts and Statistics
Since the readers of this paper will range from skilled
investigators to neophytes, some basic terms and concepts need to
be set forth:
Hacker - Individual who gains unauthorized access to computer
networks and systems
Carder - Individual who uses stolen data, usually Credit cards, to
fraudulently purchase items or convert the credit into cash.
Credit card - a monetary instrument, often referred to as plastic,
used in place of cash to make purchases. Credit cards are
assigned to entities and have specific monetary limits and an
interest rate associated with payoff. Since credit cards do not
have to be paid off each month, the available limit will
fluctuate. Visa or MasterCard does not issue Visa and MasterCard
credit cards. They are issued by an issuing bank in conjunction
with a use agreement between the bank and Visa or MasterCard.
4
This agreement is for the use of the Visanet or the MasterCard
equivalent for verification and authorization of the card.
Charge card - same as credit card however, a charge card must be
paid off each month or risk an extremely high interest rate or the
card being shutdown.
Debit Card - Card associated with a bank account and limited by
the amount of money in said account, which resembles the credit
card by the method of purchase. However, these cards may only be
used with the owners Personalized Identification Number.
Hacker knowledge
Below is the “Beginning Carders Dictionary’” as posted online
by the Russian hacker, KLYKVA on forum.carderplanet.com. It is
presented in its original form to illustrate the level of
knowledge from which these individuals are working.
Bank-emitent (Issuing bank) - bank which has issued the card
Billing address - the card owner address
Drop - innerman. His task is to receive the money or goods and,
accordingly, give the part of the earnings to you.
Drop/Pick-Up guy/Runner - person or location that is setup to
accept packages or to receive the money. He should be paid nicely
for this position.
Billing - office, which has agreement with a bank and assumes
payments for the cards.
COB - Change of Billing address
Card bill - a Bank emitent card bill.
Bank-aquirer - bank, in which the store opens the account.
Merchant account - bank account for accepting credit cards.
Merchant Bank - bank, through which occur the payments between the
buyer and the seller (frequently it is used as synonym “bankequirer”).
Cardholder - owner of the card.
5
Validity - suitability of card.
White plastic - a piece of pure plastic, where the information is
plotted/printed.
CR-80 - rectangular piece of pure white plastic (without the
drawing image) the size of a credit card with the magnetic strip.
Transaction - charge to the credit card
POS terminal (Point Of Sale terminal) - reading card device, which
stands at commercial point.
PIN-code – (Personal Identification Number) the sequence, which
consists of 4-12 numbers, known only to the owner of card. A
simple word password for an ATM and so on.
AVS - the card owner address checking. It is used for the
confirmation of the card belonging exactly to its holder.
“Globe” - card holographic gluing with the image of two
hemispheres (MasterCard).
Pigeon (hen) - card holographic gluing with the image of the
flying pigeon (VISA).
Reader - information reading device for the readout from the
magnetic strip of card.
Encoder - read/write device for the magnetic track of the card.
Embosser - card symbol extrusion device.
Card printer - card information printing device.
Exp.date - card validity period.
Area code - the first of 3 or 6 digits of the card owner’s phone
number.
CVV2, cvv, cvn - 3 or 4 additional numbers, which stand at the end
of the number of card.
ePlus - program for checking the cards.
6
BIN - first 6 numbers of the card number which make it possible to
learn what bank issued the card and what type of card (ATM-card,
credit, gold, etc.). Synonym of word “Prefix”.
Chargeback - the cardholder’s bank voids the removal of money from
its card.
Dump - information, which is written to the magnetic strip of the
card, it consists of 1,2 or 3 tracks.
MMN - Mothers Maiden Name (generally the primary account holders
mother)
Track (road) - a part of the dump with specific information.
Every 1st track is the information about the owner of the card.
2nd track - information about the owner of card and about the bank
who issued the card, etc. 3rd track - it is possible to say -
spare, it is used by stores for the addition of the points and
other.
Slip - synonym to the word “cheque” (conformably to card
settlings).
Card balance – amount of credit remaining for spending in the card
account.
Automated Clearing House (ACH) - the automated clearinghouse. The
voluntary association of depositors, which achieves clearing of
checks and electronic units by the direct exchange of means
between the members of association.
Continuous Acquisition and Life-cycle Support (CALS) - the
integrated system of the production guaranteeing, purchase and
exploitation. This system makes possible to computerize all data
about the design, development, production, servicing and the
propagation of the production.
Debit Card - Card, which resembles the credit card by the method
of using, but making possible to realize direct buyer account
debiting at the moment of the purchase of goods or service.
Delivery Versus Payment (DVP) - the system of calculations in the
operations with the valuable papers, which ensures the mechanism,
that guarantees the delivery will occur only in the case of
payment and at the moment of payment.
7
Direct debit - payment levy method, mainly, with the repetitive
nature (lease pay, insurance reward, etc.) with which the debitor
authorizes his financial establishment to debit his current
account when obtaining calculations on payment from the indicated
creditor.
Electronic Fund Transfer (EFT) - the remittance of means,
initiated from the terminal, telephone or magnetic carrier (tape
or diskette), by transfer of instructions or authorities to
financial establishment, that concern the debiting or crediting of
the account (see Electronic Fund Transfer/Point of Sale -
EFT/POS).
Electronic Fund Transfer/Point of Sale - EFT/POS - debiting from
the electronic terminal, for the transfer purpose from the account
of a buyer into the payment on the obligations, which arose in the
course of transaction at the point of sale.
Integrated Circuit (IC) Card - It is known also as chip card.
Card equipped with one or several computer micro-chips or
integrated microcircuits for identification and storing of data or
their special treatment, utilized for the establishment of the
authenticity of personal identification number (PIN), for delivery
of permission for the purchase, account balance checking and
storing the personal records. In certain cases, the card memory
renewal during each use (renewed account balance).
Internet - the open world communication infrastructure, which
consists of the interrelated computer networks and provides access
to the remote information and information exchange between the
computers.
International Standardization Organization (ISO) - International
organization, which carries out standardization, with the staff
office in Geneva, Switzerland.
Magnetic Ink Character Recognition (MICR) - System, which ensures
the machine reading of the information, substituted by magnetic
inks in the lower part of the check, including the number of
check, the code of department, sum and the number of account.
RSA - the coding and authentication technology, developed in 1977
in MIT by Rivest, Shamir and Adel’man, which subsequently opened
their own company RSA Data Security, Inc., purchased recently by
the company Security Dynamics Technologies, Inc.
8
Real-Time Gross Settlement (RTGS) - the payment method, with which
the transfer of means is achieved for each transaction in
obtaining instructions about the payment. Decrease the risk with
the payment.
Smart Card - card equipped with integrated circuit and
microprocessor, capable of carrying out the calculations.
System risk - the risk, with which the incapacity of one of the
payment system participants either financial market participants
as a whole to fulfill their obligations, causes the incapacity of
other participants or financial establishments to fulfill its
obligations (including obligations regarding the realization of
calculations in means transfer systems) properly. This failure can
cause significant liquidity or crediting problems and, as result,
it can cause loss to the stability of financial markets (with the
subsequent action on the level of economic activity).
Truncation - procedure, which makes it possible to limit the
physical displacements of a paper document (in the ideal version)
by the bank of the first presentation, by the replacement by
electronic transfer of entire or part of the information, which is
contained on this document (check).
Card Balance - Current used Credit
Avail Credit - Actual credit avail for Spending
Cash Advance Avail - Actual amount avail as Cash for ATM usage.
Integrated Circuit (IC) Card - It is known also as chip card.
Card equipped with one or several computer micro-chips or
integrated microcircuits for identification and storing of data or
their special treatment, utilized for the establishment of the
authenticity of personal identification number (PIN), for delivery
of permission for the purchase, account balance checking and
storing the personal records. In certain cases, the card memory
renewal during each use (renewed account balance).
LE - Law Enforcement, Coppers, Piggies, The Fuzzzzzzzzzzzz
Lappie- Laptop
Communication Methods
As in all endeavors, hackers and carders need a means or
several means of communication. Given the international make-up
9
of most hacking groups and the fact of Cyber crime being truly
borderless, the communication methods chosen by these groups must
be internationally accessible, cost effective and have a high
level of anonymity. Listed below are several of the primary
communications methods used by hackers and carders:
IRC - Internet Relay Chat, a series of interconnected computer
servers on various network which enable users to chat in channels
and one to one. The channels are also referred to as rooms and
are controlled by the user who first established the room.
ICQ - America Online (AOL) owned peer-to-peer chat application.
Chat rooms can be established within the ICQ network but entrance
is by invitation only.
AIM- AOL Instant Messenger
Forums - Website sponsored bulletin boards where public and
private messages can be posted about various topics. Examples:
forum.carderplanet.com, eraser.hostmos.ru, www.darkprofits.com
and www.carderclan.net
Email - Electronic mail
A Credit Card (VISA) Transaction
There are two parts to every transaction. First, a customer
presents a Visa product, usually a card, to a merchant, who needs
immediate authorization of the transaction. Second, at the end of
the day, the merchant needs to receive the funds for the
transaction via its financial institution and ultimately from the
customer’s issuer. The specifics will vary depending on
transaction type, complexity, technology, and processing services
but the typical flow is illustrated here.
How a Purchase is Made
Authorization at the Point of Sale
Maria presents a Visa card (credit or debit) at ABC Stores.
ABC uses an electronic terminal or the telephone to request an
authorization from its financial institution (DEF Merchant
Services).
DEF checks to see if the account is valid and has sufficient
funds. It sends an authorization request message, including
10
owner’s account, merchant account and transaction details, through
VisaNet to GHI Bank, Maria’s Visa issuer.
GHI reviews the request and makes a decision to approve or
decline the request. GHI’s response message is sent back through
VisaNet to ABC within seconds.
In some cases, when an issuer is unavailable for
authorization, VisaNet will authorize the transaction as part of a
Stand-In Processing Service. This is done to further enhance
payment system efficiency. The entire authorization process, when
done electronically, takes about two seconds.
How the Merchant Gets Paid
Clearing and Settlement
At the end of the day, ABC Stores delivers all its sales
draft information (including Maria’s purchase) to DEF Merchant
Services. Each draft will contain the credit card number and the
merchant account number. DEF credits the merchant account of ABC
Stores for the net amount of all its sales. This is how ABC Stores
obtains its funds from Maria’s purchase.
Next, DEF’s processing center creates an electronic version
of all drafts for all the merchants it supports, including ABC
Stores. The electronic drafts, which may include transactions from
numerous Visa account holders in various countries, are sent
through VisaNet to one of Visa’s data centers.
Visa routes these drafts to the financial institutions of the
Visa account holders, for instance, Maria’s transaction is sent to
her issuing bank, GHI Bank. Visa consolidates all transactions for
each issuer into an electronic file that includes currency
conversions, fees, net settlement amounts, and required reporting
information.
GHI’s processing center receives the file and prepares the
transactions for posting to its cardholders’ accounts including
Maria’s.
GHI Bank transfers all the funds owed that day by its
cardholders, including Maria, to a settlement bank, which is
responsible for delivering the funds to the merchant acquirers
such as DEF Merchant Services. This is how DEF gets paid for the
amount it paid ABC Stores in step #2.
11
At the end of the billing period, GHI Bank produces a statement to
Maria. This is how GHI settles with Maria.
Statistics
Visa annual worldwide sales volume exceeds US$2.4 trillion.
There are 1.2 billion Visa, Visa Electron, Visa Cash, Interlink
and PLUS cards worldwide. But only 49,413 legally issued cards in
Central Europe, the Middle East and Africa.
Visa is accepted in more than 150 countries.
As of March 31, 2003, MasterCard’s gross dollar volume for
credit and debit programs was US$285.7 billion, an increase of
7.31% over the same period in 2002.
MasterCard has 32 million acceptance locations; no payment
card is more widely accepted globally.
Cardholders can obtain cash with the card at bank branches and at
all ATMs in the global MasterCard/Maestro/Cirrus ATM Network,
among the largest ATM networks in the world with more than 892,000
ATM locations worldwide on all seven continents.
Most Eastern European law enforcement officers do not own,
use or understand a credit card. This is important when
requesting information from certain parts of the world. All
requests must be highly detailed and precise.
What to Steal
Everything is worth stealing to these individuals. These
hackers are financially motivated and highly educated. They are
not the typical hackers found in the U.S. Hacking and Carding is
a business for them. They hack to steal databases, which in turn
are provided to carders. Carders, utilizing various schemes
convert the stolen credit cards to cash or equipment then, provide
the cards freely online in carding related IRC chat rooms. The
intention of the free cards is to spread the information as widely
as possible thus making it difficult for law-enforcement to track
who originally committed the hack.
The hack occurs in three parts, reconnaissance, theft and
dump. During the reconnaissance portion, the hackers steal
everything. This information is used to identify the important
parts of the network, the location of the databases and user names