3. Carding 101
“Let me repeat the question, how did you get the passwords to other people’s cards?” Galina wasn’t giving up.
“What passwords? Have you any idea what a credit card is?”
“Well, I’ve got one…”
The lawyer tried to laugh it off, but she looked away and admitted defeat, definitely embarrassed.
“To be honest, I’ve no idea about all that IT stuff, I only got the card two weeks ago.”
Her purse’s zipper flashed, and with the rustle of some papers, Galina fished out her credit card.
“You can definitely sleep a peaceful sleep. It is a debit Visa Electron, the most ubiquitous card in Russia and Eastern Europe. You’re safe with this one — carders like me hardly ever care about them.”
“Which ones do you care about, then?”
“The ones that have money on them. Visa Signature, for example. I managed to take $9900 off one in one go. I think the BIN was 414750.”
“That’s massive! How much did you make a month?”
“Uh… About $30,000?” (I had to bite my tongue not to blurt out the real figure, $100,000)
“So, you’re a carder…” Galina said, musingly.
“Yes. Credit card thieves call each other carders. And our victims are cardholders”.
“And what’s ‘Signature’?”
“Visa Signature is a name card for very wealthy people”.
“And the ‘bin’?”
“BIN (that is, Bank Identification Number) is the first six digits of the card’s number that will tell you the issuing bank and the card’s type. All information about BINs is stored in special data bases. For example, BIN 371535 is American Express CENTURION. And if we punch 414750 (that’d be Visa Signature that I’ve mentioned) into the base, we’ll see the following:
BIN: VISA ® 414750 Issuer: Merryl Lynch Bank USA Issuer Phone: 800-637-7455 Country: United States Funding Type: CREDIT Card Type: SIGNATURE
Not only a bank can issue a card. Credit unions and even big retail chains have their own cards (discount cards, in case with the stores).”
“What is the ‘funding type’? You said my Electron was a ‘debit’…”
“All cards are either credit or debit. The credit ones hold the bank’s money that you spend, and then give back to the bank. And the bank charges you a small interest for using their money. When you open a debit card, you’ve got no money in your account, and you will only be able to use the money that you put there. Your own money, that is. In ex-Soviet countries people call any bank card a credit card, but it’s not exactly right.”
“My husband has got some other kind of Visa, a better one, I think…”
“The one that’s better than Electron is called Classic. It’s a card for clients that have used bank cards before. Gold and Platinum cards are prestigious ones, they’re supposed to show off their owner’s money. There are Corporate cards for medium and large companies, whose employees often travel abroad on business trips. These cards make it much easier to monitor their spending. Technically, Classic, Gold, Platinum, and Corporate are basically the same cards with different design and the issue and operation costs. Sometimes you can take much more money off an American Classic than a Gold or a Platinum.”
“I think a lot of Americans, just like Russians, go after Gold and Platinum cards to show off. Classic is quite enough for simple everyday use. However, it’s much easier to pick up a girl at the bar if you casually flash your Visa Platinum. Then again, a Ferrari key will do just as fine.”
“I’ve got a Visa, you mentioned MasterCard… Which one did you have?”
“Me?!” I was taken aback by her naivety. “None. Banks and payment systems can’t provide full protection of your money on their accounts no matter how much they want to. Also, it’s extremely easy to track one’s purchases and travels through his card. And in my line of work it’s best to remain invisible.”
“It’s all very interesting,” the lawyer interrupted me. “But we are digressing. What are the charges against you? ‘Property theft at trade and service enterprises of Minsk through fake credit card data (Visa and MasterCard credit cards) totaling $9,000, directed similar crimes, committed by Voropayev and Batyuk.’ I understand all of that, but what ‘false data’ did you use, and how did you use it?”
“Ordinary people believe that the money is somehow ‘in’ the credit card itself, but that’s wrong — the money isn’t there physically. The card is a kind of a key to an account at the bank that issued that card. In other words, it identifies the account owner and confirms that he or she has the access to some sort of a vault in the bank, where the money is. The seller swipes the card through the POS-terminal (POS stands for the Point of Sale) — a device that reads the information from the card’s magnetic stripe and contacts the bank to carry out the transaction. The bank contacts the credit card processing center and sends there the data from your credit card. Then the processing center contacts the bank that issued the card and receives a coded confirmation or decline. A successful transaction’s code is 00 — APPROVED. Otherwise there’s a ban on the transaction. Visa is a payment system that connects all of the above together and charges up to 3.5% of every transaction.”
“I understand that. But what does it have to do with the ‘fake data’?”
“Easy. The card is counterfeit, I’m not its rightful owner, therefore, any payment I make is fake by default.”
“And the cashiers have no idea the card is not genuine?”
“Of course not. The dump was real, and the money was discarded off a real account. The only fake thing is the card itself that the dump was written off to.”
“What’s a ‘dump’?”
“A dump is all the information from the credit card’s magnetic stripe. It’s composed of three tracks. The first two are necessary to process transactions, the third one holds technical information. The second track is the most important. The first track duplicates the main data of the second one — the card’s number, expire date, CVV-code, and the cardholder’s name.
Track1: В4559907560784214^SMITH/JOHN^1102101000000000000000527000000 Track2: 4559907560784214=11021010000052700000
The 101 after the card’s expire date means that the card is international. If it’s 201 instead, it means that the card is only valid in the country where it was issued. If you have track2, you can easily generate track1, but doing it the other way around is quite troublesome. Track2 is enough to get cash at an ATM.”
“Where did you get the dumps?”
“There are several ways. You can make, or buy, a portable card reader that, as the name suggests, reads the information off the card’s magnetic stripe. The smallest card readers I’ve seen were as big as a matchbox and were manufactured in Ukraine by engineers from Boa Factory. Those devices are distributed to cashiers at upscale boutiques, waiters and expensive prostitutes, and they simply swipe the client’s card through the reader as well as the legal POS-terminal.
Or you can hack into the processing center of a bank or a large retail chain that operates transactions by actual shops, hotels, and restaurants, and you steal the client database. Or you can simply buy the dumps from people that use one of these two ways.”
“But you have to write the dumps onto the credit card itself…”
“Of course. To do that, you need another piece of equipment, called an encoder. They’re sold legally and cost about $900. You simply connect it to your computer with a USB cord, punch the dump into a simple program, swipe the card — and voila, you’re holding a magnetic copy of some American Richie Rich’s card.”
“And off you go to the shop?” concluded Galina.
“No, it’s a little early for shopping at this point. Your card may be a working copy, but it’s still just a piece of white plastic. A cashier will be really surprised if you try to pay with that.”
“So, what do you do?”
“You make a deal with a cashier at some nice shop. Something along the lines of ‘hey, I’ve got this thing here. What about I buy a laptop and a plasma TV, then we sell them and split the money?’ It works — owners of restaurants, boutiques and casinos gave us up to 50% of the money we cashed, and we told them what to tell their bank if they have problems.”
“Sooner or later the real cardholder will complain. He’ll contact his bank, they will contact Visa, and before you know it the bank that installed the POS-terminal sends security to your doorstep. ‘You’ve been very naughty cashing all those fake cards,’ they’ll say. This is the part where our manager makes a surprised face and says, ‘I don’t know anything. Talk to the girl that was working the register yesterday.’ He calls the girl over. The bank people will ask her,
‘Have you checked the validity period?’
‘And the signature on the back of the card?’
‘Sure. I even made sure it matched the one in his passport. And he put the same signature on the slip.’”
“What slip?” My lawyer had to be explained everything like a preschooler.
“The receipt, that you get after paying for something with a credit card, is called a slip. It holds all the information about the purchase: time, date, organization name, details of the place of the purchase. By the way, the information for the slip is taken from the track1. And while the dump doesn’t care, what name you put on track1 — the actual cardholder’s name or the name from your fake passport — the card number must be real, otherwise the transaction simply won’t work. Would be pretty sweet otherwise, you just need to get a fake passport, take it to any bank in just about any country and get an account with a debit card. As a result you get a card of some John Smith with $5 on it and a passport for the same name with your photo in it. Then you erase all the data from the magnetic stripe, get a dump from the base, change the name in track1 to John Smith and off you go to a bank or a shop. Once this dump runs out of money, you erase it, prepare a new one and record it. That may continue until all those shops and banks all over the world start looking for that John Smith. Then you simply get a new passport and start over. After everyone learns your face, you can get a plastic surgery and go on.”
Galina laughed out.
“When the people from the bank ask the cashier if she made sure the card number and the cardholder name on the receipt matched those on the card, she’ll say ‘sure’. She’ll add that the card wasn’t damaged and didn’t look counterfeit. They won’t have any more questions after that. The bank can suspect all they want, but they have no legal reasons to block the transaction.
Of course, if the cashiers actually checked that the information on the card matched that on the slip, it would be impossible to use the same card multiple times. But in the country of fearless idiots, also known as Belarus, the cashiers didn’t bother to follow the rules, and I could often get away with cashing dumps recorded on genuine, but expired cards, and sometimes even on discount cards. We didn’t ‘milk’ one place too often — the bank may have taken away the terminal and leave us out of job completely.
“What is ‘white plastic’? Is it the same ‘plastic’ that they allegedly found at you place?”
“They got it from Saprykin. And he told the cops I gave it to him along with PIN-codes and asked to get some cash from Minsk ATMs. I hope, you know what a PIN-code is?”
“I do. The four digits that you need to get cash out of an ATM.”
“Where did you get the PINs?”
“The average cardholder is convinced that PIN-codes are impossible to hack or steal, but I could name about ten ways to do just that.”
“Wow! What ways?” Galina wasn’t hiding her interest.
“Can we talk it about next time? It’s a huge topic, and I’m tired, I’d like to go back to the cell.”
“I can pass a letter to your family.”
“Right. Give me a minute to write something.”
“Hello, Foxy! I’m alright, hanging in there. I’m more worried about you. I’ve received your letter and written a reply — you’ll get it soon. Can you please number the letters you write, and I’ll do the same, so we won’t have to guess if everything has been delivered. I also got your care package, thanks a lot. Contact Kaizer, he owes me $10,000, tell him to give it to you. Find the guy from St. Petersburg — he owes me another ten.
About Ilya Saprykin. Tell him to sell the office and return the money I invested, I’m not taking ‘no’ for an answer.
Tell Dmitry to change passwords to all my ICQ accounts (I bet the cops are all over them) and tell the clients to beware of the cops. Do that ASAP. Tell everyone I said Hi. Love you lots.”
“Make sure you hide it well,” I told the lawyer.
“Do you mind if I read it first?”
I nodded. Galina skimmed the note, folded it and put it in her bra.
“Who’s going to search an old woman’s underwear?” she reacted to my surprise.
“I’ll be back tomorrow and we’ll talk more, carder,” she pronounced the last word slowly, as if trying to remember it.