Showing posts with label skim. Show all posts
Showing posts with label skim. Show all posts

Monday, 8 April 2013

Skimmers: NCR/Diebold/Wincor

Advert:

Pictures:

Some picture from the youtube video:

Also remember this guys 'pUre' ?
He published a photo of what he do:

Sunday, 11 November 2012

Sunday, 14 October 2012

How i carded myself

After talking to some carders, one told me directly to try carding.
Not a bad idea the magnetic strip always intrigued me, so i've started to think like a carder obviously without the goal to harm people..
Here are some research made by others i've found/learn from:
 La face cachée des tickets RATP (French article)
Explication de la sécurité des bandes magnétiques (French article)
RATP Hacking (French also)
22C3: Magnetic Stripe Technology
Lecture de bandes magnétiques DIY (French)

I've also buy two French ebooks:


A good French television report about skimming "Encore + d'action Arnaques aux faux papiers : révélations sur un scandale"

So... let's start.
Firstly to be familiar with the magnetic strip, i've buy a MSR605:

20 blank cards was with my MSR:

A card to clean the MSR (i don't know what that look like)


Writing a card:

Carder asking question about the MSR605:

The Msr206 is mainly used/recommended by carders because of it popularity and due to encoding softwares.
My Msr605 is compatible Msr206, so i profit of it for do a 'fast' review of "The Jerm" a software coded by carder, for carders:

Settings:

Tracks generator:

Bank Card:

Reconstruct:

There is even a help file:


I was hmm "wow cool he made this because orginal software sucks" so i've do the same for fun.
First time i use the MSComm control of Visual Basic :)
Source code here: http://planetsourcecode.com/vb/scripts/ShowCode.asp?txtCodeId=74498&lngWId=1

I've also view this software on a carding forum and still made in Visual Basic:
How tracks work ?
I've searched a bit and found a clear explanation here is a copy/past:
There are actually up to three tracks on a card.
Track 1 was designed for airline use. It contains your name and usually your account number. This is the track that is used when the ATM greets you by name. There are some glitches in how things are ordered so occasionally you do get "Greetings Bill Smith Dr." but such is life. This track is also used with the new airline auto check in (PSA, American, etc)
Track 3 is the "OFF-LINE" ATM track. It contains security information as your daily limit, limit left, last access, account number, and expiration date. (And usually anything I describe in track 2). The ATM itself could have the ability to rewrite this track to update information.
Track 2 is the main operational track for online use. The first thing on track to is the PRIMARY ACCOUNT NUMBER (PAN). This is pretty standard for all cards, though no guarantee.
Example of Track1: B4888603170607238^Head/Potato^050510100000000001203191805191000000
Example of Track2: 4888603170607238=05051011203191805191

Usually only track1 and track2 are needed to exploit the ATM card.
Let us examine track1.
Take the Credit Card account number from Track 2 in this example it
is:4888603170607238 and add the letter "B" in the front of the number like
this B4888603170607238 then add the cardholder name YOU want to show on the
card B4888603170607238^Head/Potato^(Last name first/First Name)next add the
expiry date and service code (expiry date is YYMM in this case 0505,and in
this case the 3 digit service code is 101 so add 0505101 ,
B4888603170607238^Head/Potato^0505101
No add 10 zero's after service code:
B4888603170607238^Head/Potato^05051010000000000
Next add the remaining numbers from Track2 (after the service code)
B4888603170607238^Head/Potato^050510100000000001203191805191
and then add six zero's (6) zero's
B4888603170607238^Head/Potato^050510100000000001203191805191000000 this is
your Track 1
Track 1:B4888603170607238^Head/Potato^050510100000000001203191805191000000

REMEMEBER THIS IS ONLY FOR VISA AND MASTER CARD(16digits) , AMEX HAS 14
DIGITS, this doesn't work for Amex

FORMAT FOR TRACK2
CC NUMBER: YYMM (SERVICE CODE)(PVV)/(CVV)
Here is the Fleet's credit track2 dump:
4305500092327108=040110110000426
we see card number, an expiration date, 1011 - service code, 0000 is the place for pvn (but it is absent!), and at least 426 is the cvv (do not mix with cvv2)
Now let's take a look on MBNA's track2 dump:
4264294318344118=04021010000044500000
here we see the same - no pvn's and other verification information -just a cvv.

As clearly shown above it is possible to generate track1 from track2 using the method shown above. However track2 gen software automates the process.

So i't's simple i've already do a better app than DarkAngel in just 11 lines by just using String Functions of VB:

 If you wonder what 'disco' do on my MSR 605 Utils:

Well that cool, i've read my train tickets, bus, played with leds and shit's...
I've also buy an UV LED flashlight, to view holograms and stuff (i don't really need that but my friend got owned last time):

Security guilloche visible by UV:

After this i've started a more serious project: build a skimmer.
I've do some search on how these device work, what's i need, where, etc...
And figured that making a skimmer was really simple, afterall it's just a simple magnetic swipe reader.
So i've searched on Google a website to buy electronics and found a Chinese company.
For 450$ i've buy the battery, and everything i need to read correctly  and save datas of any magnetic cards. (and the company have pay DHL)

 450$ USD for just 0.200 kg of electronic is a bit expensive, but MSR material have a high cost.
 And yeah, it's very small:



Also fun fact: when i received the package, they don't talk about MSR stuff but about USB cables:


These USB cables:

Although these cables looks like a standard mobile phone cable, it is not.
It contains a USB to Serial Port convertor and a custom pin layout, therefore it cannot be replaced by any other cable made by other manufacturers.
Using other cables can dammage the electronic.

USB Charger Cable charging the battery:

There’s a red LED flickering when the battry is not found.
Once connected, the red LED will be light, when the LED will turn off, it means the battery is full.

Now, the main problem was to get ATM plastic.
Firstly i've thought to build a RepRap and then build my plastic with (a RepRap is a free desktop 3D printer)
Some carders also wanted me to buy their plastics, the prices of one guys:
100$ NCR over anti MCIR
80$ Wincor nano2
100$ Diebold
150$ NCR round
+ DHL 80$, and minimum order: 5 pieces.

For me, that was clearly not possible, to cooperate with a criminal so i've searched another option.
And finally i've found a guys (Once again from China) who can sell me heatpressed Wincor plastic for the cheap price of 66.11$ (DHL included)





It's the original ATM anti-skimming part, not the skimmer version.
but carders have already adapted the work to skim anti-skimmer:
I've asked the guys who sell this for picture he sent me this:

MSR stuff:

 Let's have a look on the electronic CD, a software is provided.
For the first use they ask us a password who can be changed later:

Card dump saved on the electronic:

A video is probably better so...

The price of a complet skimmer are really high on carders forums, when carders on underground forum sell skimmers for ~2000$ i've made myself one (sure it can't be used) for just 516.11$ price is divided by 3.
I can also buy a camera and shit's but i've stopped here (what's i will do with all this material after?)


For the video i thinked to a key chain spy camera:
Take the circuit board and hide it behind a fake visa sticker on the ATM ?
There is another solution if the guys try to cover the pin: fake atm keyboard.
Yeah... it's hard to stay safe these days..

Interview with a guys who work for the French governement (thanks again!):
Quel est le chiffre en France sur la fraude a la carte bancaire s’il y en a ?
A: Selon le rapport annuel d'activité de l'Observatoire de la sécurité des cartes de paiement, le montant total de la fraude à la carte bancaire s’est élevé à 413,2 millions d’euros en 2011.
La fraude par internet connaît le plus fort taux d’augmentation (une étude de l’UFC que Choisir de février 2012 a révélé que, chaque minute, un paiement frauduleux serait réalisé sur Internet en France).

Combien de carders on été arrêté en France en 2011 ou depuis le début de l’année ?
A: Depuis 2012, trois grandes affaires ont été recensées en France concernant l’arrestation de carders :

Avril 2012 : Un groupe de cybercriminel originaire d’Europe de l’Est (des Estoniens, des Lituaniens, des Lettons, des Géorgiens et un Tchétchène) est arrêté sur la Côte d’Azur. Ces derniers achetaient sur des forums underground les données contenues dans les pistes magnétiques des cartes bancaires. Ces données piratées étaient ensuite encodées dans des cartes bancaires vierges.
Grâce à ces cartes bancaires contrefaites, le groupe criminel réalisait des achats de grandes valeurs dans l’industrie du luxe (notamment à Cannes). Près de 900 transactions, correspondant à un montant d'environ 200 000 euros ont pu être comptabilisées par l’OCLCTIC.

Juin 2012 : L'OCLCTIC arrête une quinzaine de ressortissants du Nigéria, accusés d'avoir causé d'importantes pertes financières à la SNCF.
Le mode opératoire du groupe était simple : acheter en ligne des billets SNCF avec des numéros de cartes bancaires piratés puis les revendre directement sur des sites spécialisés dans l'offre de voyages discount.
Des investigations sur ce groupe criminel ont permis de découvrir que ces derniers commandaient également de nombreux produits de luxe en ligne, dont la revente leur procurait de confortables revenus.

Juillet 2012 : Le serveur d'un restaurant, doté d’une excellente mémoire visuelle, mémorisait les détails des numéros des cartes bancaires de ses clients puis les revendait à des complices dans la région parisienne.
Des achats frauduleux étaient alors réalisés sur Internet, le préjudice total étant estimé à près de 500 000 euros.
Néanmoins, les 300 utilisations frauduleuses recensées pourraient être beaucoup plus nombreuses, car de nombreux clients étrangers n'ont pas porté plainte.
De telles escroqueries se multiplient en France, mais la réponse pénale reste encore insuffisante.

En France ce type de criminalité est-elle en expansion ?
A: La cybercriminalité étant en constante évolution au niveau mondial, ce type de criminalité ne fait, par expansion, que progresser en France.

En général est-ce que les carders sont faciles à attraper ?
A: Plusieurs facteurs empêchent d’identifier et d’arrêter les carders :
- Manque de coopération internationale (certains cybercriminels sont réfugiés dans de véritables « paradis numériques »)
- Difficulté d’identification (les carders bénéficient de multiples outils leur permettant de s’anonymiser totalement = proxy, VPN, serveur offshore)
- Difficulté d’accéder ou de récupérer un nombre de preuves suffisantes à l’encontre du carder.

La plupart des carders opérant en France sont-ils d’origine française ?
A: Oui et non : des carders d’Europe de l’Est ou de certains pays d’Afrique (Nigéria, Cameroun, Côte d’Ivoire) opèrent directement en France, car cela leur permet de mener leurs méfaits beaucoup plus facilement.
Cependant, tous les carders ne sont pas étrangers, une fréquentation de forums cybercriminels ayant permis de relever une présence française non négligeable. De plus, un important revendeur de numéros de cartes bancaires se faisait passer pour un citoyen russe a pu être identifié comme de nationalité française.
Exemple ci-dessous d’une copie d’écran issue de certains de ces forums :

Avec le dédouanement de colis en France et ce que beaucoup de fausse carte/skimmer sont stoppés avant utilisation ?
A: De nombreuses annonces proposent l’achat de skimmer ou fausse carte bancaire, livrables partout dans le monde. Il est très probable que la plupart de ces colis ne soient pas interceptés par les douanes, ces dernières ne vérifiant d’un infime pourcentage du nombre de colis arrivant de l’étranger sur le territoire français (seul 2 à 3% des colis sont contrôlés).

Certains vendent des faux papiers (en général fausse CNI/Permis de conduire) risque-t-il plus qu’un carder ?
A: La fabrication et l’usage de faux documents administratifs (carte d'identité, certificat de nationalité, passeport,...) est punis d’une peine de 5 ans de prison et/ou de 80.000 euros d’amende.

Le fait d'accéder ou de se maintenir, frauduleusement, dans tout ou partie d'un système de traitement automatisé de données est puni de deux ans d'emprisonnement et de 30000 euros d'amende.

Lorsqu'il en est résulté soit la suppression ou la modification de données contenues dans le système, soit une altération du fonctionnement de ce système, la peine est de trois ans d'emprisonnement et de 45000 euros d'amende. (Article 323-1 du Code Pénal)

Est puni des mêmes peines le fait, commis de mauvaise foi, d'intercepter, de détourner, d'utiliser ou de divulguer des correspondances émises, transmises ou reçues par la voie des télécommunications ou de procéder à l'installation d'appareils conçus pour réaliser de telles interceptions. (Article 226-15 paragraphe 2 du Code Pénal)

Concernant la bande démantelée surprise en train de braquer un distributeur de la caisse d’épargne avec une ‘fourchette’, maintenant que la faille sur les distributeurs NCR a été dévoilée, le pire est  à venir ?
A: Pour le moment, aucune solution ne semble avoir été trouvée afin de mettre fin à ce stratagème.

Les banques n’ont pas communiqué sur le montant réel de leurs pertes, certains articles de presse ayant avancé le chiffre de un million d’euros (invérifiable).

Est-il légal de cloner sa carte bancaire pour avoir un double ?
A: Certainement pas = cloner sa carte bancaire pourrait être assimilé à un délit de contrefaçon.

La technologie RFID a tel de l’avenir dans le carding ?
A: Énormément = cf cet article de presse

http://www.01net.com/editorial/571737/le-scandale-des-nouvelles-cartes-bancaires/

Un français a pu faire la démonstration de cette impressionnante faille de sécurité (Renaud Lifchitz)

Après les distributeurs automatiques est-ce que les pompes à essence sont les plus visées  par les skimmers ?
A: Les pompes à essence sont en effet une cible de choix, car elles échappent à toute surveillance (il est aisé d’y déposer un skimmer et de venir le récupérer en toute discrétion).

Les cameras dôme anti-vandale placé à côté des distributeurs sont-elles réellement dissuasives ?
A: Dissuasive dans une certaines mesure car le cybercriminel risque d’être identifié par la caméra. Cependant, ces derniers envoient généralement un tiers récupérer l’argent à leur place dans les distributeurs automatiques, échappant ainsi à tout risque d’identification.

Les « volontaires » acceptant de prendre le risque peuvent garder un pourcentage significatif de la somme retirée.

Est-ce que les bandes magnétiques ne sont pas un peu dépassées comme technologie depuis le temps ?
A: Elles sont dépassées dans la mesure beaucoup d’informations sensibles y sont stockées (nom du titulaire de la carte/PAN/date d’expiration). Cependant, pour des soucis de retro compatibilité les bandes magnétiques sont pour le moment conservées.

Cf document = http://rafale.org/~mattoufoutu/ebooks/Rafale-Mag/Rafale03/Rafale3.01.HTML

Est-ce que j’ai plus de chance de me faire piéger par un terminal de point de vente compromis ou par un distributeur automatique qui possède une fausse façade ? ?
A: Par un terminal de point de vente compromis. La majeure partie des numéros de cartes bancaires vendus sur Internet provient de terminaux piratés.

Si on se fait agresser en retirant de l'argent, tapé sont code PIN à l’envers permettrait de le signalé a la police, info/intox ?
A: Grosse intox :)

Le phishing rapport -il plus que le cardage réel ?
A: Il est difficile de répondre à cette question, car certains carders ne gagnent que quelques centaines d’euros par mois alors que d’autres des millions. La problématique est le même pour le phishing, tout dépend de l’importance avec laquelle une campagne de phishing sera propagée (combien de boîtes mails par exemple).

Un site qui possède une connexion SSL n’est pas plus sécurisé qu’un site qui n’en possède pas ?
A: La connexion SSL permet de communiquer de manière confidentielle entre l'utilisateur et le serveur Web. Elle empêche l'écoute passive ou active d'un attaquant localisé sur le même réseau local que sa victime.

Quel et le nom de la cellule de veille qui s’occupe de la fraude en France ?
A: L’Office Central de Lutte contre la Criminalité liée aux Technologies de l'Information et de la Communication

Un conseil quand on et face a un distributeur pour détecter si celui-ci n’est pas compromis ?
A: De plus en plus de mesure de sécurité permettent de détecter automatiquement lorsqu’un matériel inconnu est intégré à un distributeur de billets. Néanmoins, les précautions d’usages doivent toujours être respectées : taper son code PIN en cachant le clavier et vérifier qu’aucun matériel suspect ne soit intégré dans la partie permettant d’insérer sa carte bancaire.

English version:
What are the statistics on bank card fraud in France, if there are any?
A: According to the annual activity report of the French Observatory for Payment Cards Security, bank card fraud losses totalled €413.2 million in 2011.

Internet fraud has seen the biggest increase (a study by the French consumer group UFC Que Choisir in February 2012 revealed that a fraudulent payment is made online every minute in France).

How many card fraudsters were arrested in France in 2011, or have been arrested since the start of the year?
A: So far in 2012, there have been three major arrests of card fraudsters in France:

April 2012: A group of cybercriminals from Eastern Europe (Estonians, Lithuanians, Latvians, Georgians and a Chechen) were arrested on the French Riviera. They were buying the data stored on the magnetic strips of bank cards on underground forums. The stolen data was then transferred to blank bank cards.
The criminal gang used the counterfeit bank cards to buy expensive luxury goods, primarily in Cannes. Nearly 900 transactions, with a total value of around €200,000, have been identified by the OCLCTIC [French Central Office for the Fight against Crime Related to Information Technology and Communication].

June 2012: The OCLCTIC arrested fifteen or so Nigerian nationals, who are accused of causing the SNCF [France’s national state-owned railway company] significant financial losses.
The gang’s modus operandi was simple: buy SNCF tickets online using stolen card details and then sell them on websites specializing in low-cost travel.
Investigations into the criminal gang have revealed that they also ordered large numbers of luxury goods online and earned a comfortable living from selling them on.

July 2012: A restaurant waiter who has an excellent visual memory memorized his customers’ card details and then sold them on to accomplices in and around Paris.
Fraudulent purchases were then made online, causing losses estimated at nearly €500,000.
However, there could be many more than the 300 fraudulent uses identified because many foreign customers haven’t filed a complaint.
This kind of fraud is rising in France, but the criminal justice system is still slow to respond.

Is this type of crime on the increase in France?
A: As cybercrime is constantly increasing around the world, this type of crime is, by extension, increasing in France.

Are card fraudsters easy to catch generally?
A: There are several obstacles to identifying and arresting card fraudsters:
– Lack of international cooperation (some cybercriminals have fled to "digital havens")
– Difficulty in identifying card fraudsters (they have access to several tools that make them totally anonymous = proxy, VPN, offshore server, etc.)
– Difficulty in accessing or gathering enough evidence against card fraudsters.

Are most of the card fraudsters operating in France French?
A: Yes and no: card fraudsters from Eastern Europe or some African countries (Nigeria, Cameroon and the Ivory Coast) operate in France because it’s much easier for them to do their deals here.
However, not all card fraudsters are foreigners and visiting cybercriminal forums reveals a French presence that’s not insignificant. What’s more, a major seller of bank card details who claimed he was Russian was, in fact, a French national.
Example below of a screenshot from one of these forums:

With the customs clearance of packages in France, are many fake card/skimmers stopped before being used?
A: There are lots of adverts selling fake cards or skimmers, which can be delivered to anywhere in the world. In all likelihood, most of these packages aren’t intercepted by customs as they only check a tiny proportion of the packages coming into France from abroad (only 2 to 3% of packages are checked).

Do sellers of fake documents (generally identity cards/driving licences) have more to lose than a card fraudster?
A: Making and using fake administrative documents (identity cards, certificates of nationality, passports, etc.) is punishable by five years in prison and/or a €80,000 fine.
Fraudulently accessing or using all or part of an automated data processing system is punishable by two years in prison and a €30,000 fine.
If the data stored by the system is deleted or changed, or how the system works is altered, the punishment is three years in prison and a €45,000 fine (Article 323-1 of the French Penal Code).
The same punishment applies to intercepting, hijacking, using or disclosing information that is generated, transmitted or received by telecommunications carriers or installing devices designed for that purpose (Article 226-15 Paragraph 2 of the French Penal Code).

About the gang caught robbing a Caisse d’Épargne cash machine with a fork, now that the flaw in NCR cash machines has been made public, is the worst yet to come?
A: At the present time, there doesn’t appear to be any way of stopping it.
Banks haven’t published their actual losses although some press articles have put forward the figure of €1 million (impossible to verify).

Is it legal to clone a bank card to have two copies?
A: Absolutely not = cloning a bank card could be considered counterfeiting.

Will we see RFID technology in bank card fraud in the future?
A: Very much so = see this press article:
http://www.01net.com/editorial/571737/le-scandale-des-nouvelles-cartes-bancaires/
A Frenchman has demonstrated this blatant security flaw (Renaud Lifchitz)

After cash machines, are fuel pumps the biggest target for skimmers?
A: Fuel pumps are a popular target because they’re not watched (it’s easy to install a card skimmer and then come back and collect it without being seen).

Are the anti-vandal dome cameras placed alongside cash machines a real deterrent?
A: Yes up to an extent, because there’s a danger that the cybercriminal will be identified by the camera. However, they tend to send someone else to collect the money from the cash machines for them, ruling out the risk of being identified.
The "volunteers" agree to take the risk for a significant percentage of the amount being drawn out.

Aren’t magnetic strips a bit outdated as technology has improved?
A: They’re outdated insofar as lots of sensitive information is stored on them (name of the cardholder/PIN number/expiry date). However, for compatibility reasons magnetic strips are being kept on for the time being.
See the document = http://rafale.org/~mattoufoutu/ebooks/Rafale-Mag/Rafale03/Rafale3.01.HTML

Do I have more chance of being caught out by a compromised payment terminal in a shop or a cash machine with a false front panel?
A: By a compromised payment terminal in a shop. Most of the bank card details sold online come from pirated payment terminals.

Fact or fiction: if you’re threatened whilst drawing out money, putting in your PIN code backwards will alert the police?
A: Big fat fiction :)

Does phishing bring in more money than actual bank card fraud?
A: It’s difficult to answer that question because some card fraudsters only earn a few hundred euros a month whilst others get millions. It’s the same problem for phishing because everything depends on the scale of the phishing (how many inboxes, for example).

Is a website with an SSL connection more secure than a website without one?
A: An SSL connection provides secure communications between the user and server. It prevents a hijacker on the same local network as the victim from gaining access or taking over.

What’s the name of the authority monitoring fraud in France?
A: The OCLCTIC [French Central Office for the Fight against Crime Related to Information Technology and Communication]

How can we tell if a cash machine has been compromised?
A: More and more security measures automatically detect when unusual devices are attached to a cash machine. Nevertheless, we should still take the same precautions when using one: shield the keypad when you enter your PIN number and check that nothing suspicious looking has been stuck onto the card slot.
I've also asked my bank advisor if i can interview her about credit card/skimming general but she was embarrassed, so i've leave.

A surprise when i've go to my bank:

I think it's more a dysfonctionnement than a skimming failure, the bank was closed so i got no answer.

For information, when a carder want to use French hacked cards, they don't do it in France.
They go to Italia because French atm require a chip (http://en.wikipedia.org/wiki/Smart_card).
See 'Interview with a carder' for more infs (http://www.xylibox.com/2012/01/interview-with-carder.html)
After there is something called Basic Card® but i've not looked how i can copy the chip for the moment, i've just read some docs on Multi-System & Internet Security Cookbook and that all.
For my 'skimmer' i will just keep it on my cybercrime object collections.
And i will probably have a look on RFID technology if my contract of employment will be renewed...





Sorry for my lame English if there is mistakes, take me long to write this and especially to translate the interview i've did.
Broken ATM photo by Mike Hillman.