
Carding

Payment card fraud, or carding (from the English "carding"), is a type of fraud in which an operation is carried out using a payment card or its details without being initiated or confirmed by the cardholder. As a rule, payment card details are taken from hacked servers of online stores and of payment and settlement systems, as well as from personal computers (either directly or through remote access programs, trojans and bots with a form-grabber function). In addition, the most common method of stealing payment card numbers today is phishing (a distorted spelling of "fishing"): fraudsters create a site that the user will trust, for example one that resembles the site of the user's bank, and the payment card details are stolen through it.

One of the largest-scale crimes in the field of payment card fraud is considered to be the hacking of the Worldpay global credit card processing system and the theft of more than 9 million US dollars using its data. In November 2009, a criminal group consisting of citizens of CIS countries was indicted in this case [1].


Card Theft

A stolen or lost card can be used by criminals only until the owner informs the bank about the loss, or in offline operations. Most banks provide a 24-hour telephone line for such reports.

The main protective measure is the signature on the card and the requirement to sign receipts. In some stores, identification documents are required when paying with a card. However, requiring a document is illegal in some jurisdictions.

Stolen cards can be used in some self-service terminals (for example, at gas stations) that do not require entering a PIN code.

In Europe, most cards are EMV cards equipped with a chip, which usually require a 4-digit PIN when making purchases. If the PIN has not been intercepted, the fraudster can use the card only in operations where the PIN is not required, for example in online (electronic) transactions or at POS terminals equipped only with a magnetic stripe reader.

There are software systems and sets of organizational measures aimed at preventing or complicating possible fraudulent transactions. For example, a large transaction made far from the owner's place of residence, such as in another country, may be declined or even lead to temporary blocking of the card.
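A minimal sketch of the kind of rule described above, as an added example rather than any bank's actual system. The thresholds, the coordinates, the block-after-two-declines policy and the transactions are all constructed assumptions.

```python
import math
from dataclasses import dataclass

# Assumed thresholds for illustration; real issuers tune these per customer.
LARGE_AMOUNT = 1000.0      # amount treated as "large"
FAR_KM = 500.0             # distance from home treated as "far"
BLOCK_AFTER_DECLINES = 2   # declines that trigger a temporary block

@dataclass
class Txn:
    amount: float
    lat: float   # merchant or terminal location
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def evaluate(home, txns):
    """Return one decision per transaction: 'approve', 'decline' or 'blocked'."""
    decisions, declines, blocked = [], 0, False
    for t in txns:
        if blocked:                       # card is temporarily blocked
            decisions.append("blocked")
            continue
        far = haversine_km(home[0], home[1], t.lat, t.lon) > FAR_KM
        if far and t.amount >= LARGE_AMOUNT:
            declines += 1
            blocked = declines >= BLOCK_AFTER_DECLINES
            decisions.append("decline")
        else:
            decisions.append("approve")
    return decisions

# Constructed sample: cardholder lives in Moscow; later activity appears in Paris.
HOME = (55.75, 37.62)
SAMPLE = [
    Txn(25.0, 55.76, 37.60),     # small, local
    Txn(1500.0, 55.70, 37.65),   # large, but local
    Txn(40.0, 48.85, 2.35),      # far away, but small
    Txn(2000.0, 48.85, 2.35),    # large and far: declined
    Txn(1800.0, 48.86, 2.34),    # second such attempt: declined, card blocked
    Txn(10.0, 55.75, 37.62),     # even a local purchase now fails
]

if __name__ == "__main__":
    for txn, decision in zip(SAMPLE, evaluate(HOME, SAMPLE)):
        print(f"{txn.amount:>8.2f}  {decision}")
```

The last sample row shows the cost of this control: once the card is blocked, the legitimate holder's own purchases are refused until the block is lifted.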

Cardless Operations

A transaction requires only some of the data recorded on the card. Typically, a card carries (printed on it and on the magnetic stripe) the owner's name, the card number (PAN), the month and year of expiration, and the verification code (CVV2).

There are operations in which the physical presence of the card is not required, and the transaction is carried out using only data from it. The minimum required set of information is the card number; an expiration date is often also required and, somewhat less often, a verification code.

An attacker can copy this data by conspiring with people who have access to cards, for example a waiter or a cashier. The data can be photographed or retrieved from video. It is also possible to obtain such data using a virus installed on a user's computer, using social engineering methods (imitating a call from a bank) or by hacking online stores or systems that service cards. The criminals then use the data in operations that do not require the card to be present.

Some protection against such crimes is provided by prompt notifications of operations. The 3-D Secure, MasterCard Security Code and Verified by Visa technologies also partially protect against such fraud: with them, the operation requires an additional code that is obtained at a bank office, through an ATM, via SMS or from a hardware code generator (token).

Skimming

A special case of carding is skimming (from the English "skim", as in skimming cream), in which a skimmer is used: an attacker's tool for reading, for example, the magnetic track of a payment card. A set of skimming devices is used in this fraudulent operation:

  • a tool for reading the magnetic track of a payment card: a device installed in a card slot or in the card reader on the entrance door to the customer service area in bank premises. It consists of a magnetic read head, an amplifier-converter, memory and an adapter for connecting to a computer. Skimmers can be portable and miniature. The main idea and task of skimming is to read the necessary data (the contents of a track) from the magnetic stripe of the card for subsequent reproduction on a counterfeit card. Thus, when a transaction is made with the counterfeit card, the authorization request and the debit for the fraudulent transaction are made against the account of the original, "skimmed" card.
  • a miniature video camera installed on an ATM and aimed at the keypad, disguised as an ATM visor or as extraneous overlays such as advertising materials. It is used together with a skimmer to capture the holder's PIN, which allows cash to be withdrawn at ATMs using a counterfeit card (one carrying the track data, used with the original PIN).
  • malicious code embedded in an ATM. Bank card dumps are recorded without the use of special equipment, and the average person cannot recognize this method, but it is extremely rare and in most cases occurs at small banks. Copies of cards are then created from the dumps.

These devices are powered by autonomous energy sources (miniature batteries) and, to make detection difficult, are usually made to match the color and shape of the ATM.

Skimmers can accumulate stolen information about plastic cards or transmit it remotely over the air to attackers in the vicinity. After copying the information from the card, fraudsters make a duplicate of the card and, knowing the PIN, withdraw all the money within the withdrawal limit, both in Russia and abroad. Fraudsters can also use the information obtained from a bank card to make purchases at retail outlets.

Protection Measures

To prevent illegal debits from a credit card, the following security measures are recommended:

  • do not hand your card to other people, and make sure that the card is used only for its intended purpose (so that a portable skimming device hidden under the clothes of, for example, a waiter, a gas station employee or a store seller cannot be used).
  • be vigilant and careful when using an ATM, and pay attention to non-standard structural elements such as an overlay keypad used to read the PIN. In the case of skimming, such a keypad usually sits above the level of the ATM case, is easily separated from it and, often, part of the original keypad is visible under the overlay.
  • pay attention to micro video cameras installed on the ATM itself, which can be mounted in the visor of the ATM or disguised as items accompanying the ATM, for example advertising materials.
  • minimize the use of a credit card in suspicious places; if possible, use a credit card in premises that are well observed.
  • if possible, carry out cash withdrawals and other ATM operations at the same ATM, remembering its appearance. As a rule, standard technical modifications to one bank's ATMs rarely affect their appearance.
  • if possible, enter PINs quickly, with memorized movements and, preferably, using several fingers at once, so that it is more difficult for attackers to recognize your movements. If possible, cover the hand entering the PIN with the other hand, a handbag or any other object.
  • if the bank that issued the card offers a service that quickly notifies the cardholder of debits (SMS alerts), enable it so that you can respond to illegal debits as quickly as possible.
  • use bank cards with a built-in microchip, if possible [2].

Statistics

In the early 2010s in the United States, only about 20 million of the 5.6 billion valid bank cards were smart cards (containing a chip). Between 2007 and 2011, the US Secret Service arrested more than 5 thousand criminals involved in skimming [3]. Losses for 2012 are estimated at 11.3 billion dollars [4]. About 20 thousand skimmers are discovered in the country per year [5].

In the UK, from 2001 to 2011, plastic card fraud led to losses of 300-600 million pounds annually [6]. A significant proportion of the crimes involved transactions in which presentation of the card is not required (for example, purchases over the Internet). Losses from skimming, which amounted to 100 to 170 million pounds annually in 2001-2008, decreased significantly in 2010-2011, to 47-36 million pounds, due to the widespread introduction of chip cards and chips with support for iCVV and DDA [6].

According to official figures, thousands of crimes involving plastic cards were committed per year in Russia in the 2010s [7]. In 2011, Group-IB estimated the damage from carding at $400 million [8].

See also

  • Phishing

Notes

  1. Computer, News Charged with hackers organizing the robbery of the century. Computer Crime Analytics (November 1, 2009). Retrieved November 10, 2009. Archived on August 25, 2011.
  2. Plastic cards with a magnetic strip will be replaced by chip cards - Tatyana Shadrina - Russian newspaper
  3. Yudhijit Bhattacharjee. Automated Theft Machines: Crooks are getting better at stealing your ATM info. Why the US is such a hot spot (English), TIME (Jan. 17, 2011). Retrieved January 28, 2014. "Since 2007, the Secret Service has made more than 5,000 arrests in skimming cases, and the FBI has busted a good number of skimming rings too."
  4. Sergey Golubitsky. The truth about Target, which you will never know because of the distracting maneuver with Kaptoxa and the Russian track (Russian), Computerra-Online (January 24, 2014). Retrieved January 28, 2014.
  5. ATM protection: why do skimmer prices fall and anti-skimmers rise? - SIA
  6. Fraud The Facts 2012
  7. Plastic Card Fraud - Financial Literacy Portal "Your Personal Finances"
  8. There is a second wave of theft of money from bank cards. Fraudsters use skimmers to read data from bank cards, Gazeta.ru (10.21.2011). Retrieved January 29, 2014.

Links

  • The History of Carderplanet // Hacker, Number 08/2006 (92), pp. 092-086-1
Source - https://ru.wikipedia.org/w/index.php?title=Carding&oldid=96442509

