Hacking the Credit Card Code
gAtO wAs- surfing around and found this information targeted at future cyber gAtIcOs- These are the basic tricks that the bad guy’s are using to game the system. and they share this basic information to help other stupid wanna-bee bad guys. TRUST but VERIFY – be a critical reader and remember that this comes from bad guy’s always trying to trick you. I checked out most of the LINKS and deleted any ones I though may be bad. Some of this is a bullshit, some stupid and some is real from what I can tell – enjoy–gATO oUt
for educational PURPOSES ONLY. – how the Cyber Criminals are using the system for cyber-money laundering.
Cracking The Credit Card Code
Credit Cards 2 BTC-Bitcoin – BTC-Bitcoin 2 Credit Cards
Wasn’t quite sure where to put this, but I decided I’d share some information on the actual code of a credit card.
In reading this you will be able to interpret credit card codes efficiently and actually be able to learn about the card itself. This is all simply by knowing the 16 digits on the front of a card.
The first digit of a card is called the Major Industry Identifier (MII). It designates the category of the entity which issued to card. This is useful in finding what exactly the card is for.
1 and 2 are Airlines,
3 is Travel and Entertainment
4 and 5 are Banking and Financial
6 is Merchandizing and Banking
7 is Petroleum
8 is Telecommunications
9 is a National assignment
The first 6 digits are the Issuer Identification Number (IIN). It will identify the institution that issued the card.
Visa: 4xxxxx
Mastercard: 51xxxx – 55xxxx
Discover: 6011xx, 644xxx, 65xxxx
Amex: 34xxxx, 37xxxx
Cards can be looked up by their IIN. A card that starts with 376211 is a Singapore Airlines Krisflyer American Express Gold Card. 529962 designates a pre-paid Much-Music MasterCard.
The 7th and following digits, excluding the final digit, are the person’s account number. This leaves a trillion possible combinations.
The final digit is the check digit or checksum. It is used to validate the credit card number using the Luhn algorithm
How to use this information to validate a credit card with your brain:
Take the below number (or any credit card number)
4417 1234 5678 9113
Now, double every other digit from the right
(4×2, 1×2, 1×2, 3×2, 5×2, 7×2, 9×2, 1×2)
Add these new digits to the undoubled ones (4, 7, 2, 4, 6, 8, 1, 3)
All double digit numbers are added as a sum of their digits, so 14 becomes 1+4.
8+4+2+7+2+2+6+4+1+0+6+1+4+8+1+8+1+2+3 = 70
If the final sum is divisible by 10, then the credit card number is valid.
If it’s not divisible by 10, the number is invalid or fake.
In this case, 70 is divisible by 10, so the credit card number is indeed valid. This works with every credit card and opens many ideas to the mind.
Credit Cards to BTC-Bitcoin
These are methods that have been discussed on HackBB for cashing CCs into bitcoins. Before I continue let me get this out of the way. No you can not cash your CVV directly into bitcoins. Exchangers know the risk involved in accepting reversible credit for non-reversible currency, and the few that have ever accepted direct CC payments were scammed out of business. There are ways around this issue..
CC -> SLL -> BTC
Editors Note:
VirWox wised up to this method and started forcing users to validate their SL avatars..
http://clsvtzwzdgzkjda7.onion/viewtopic.php?f=49&t=1836
Thought I’d tidy this up a bit with a noob-friendly tutorial on how to buy bitcoins with a CVV through VirWox.
What you will need.
- Valid CVV (any country will do)
- Clean Socks5 proxy as close as possible to cardholder’s address
- Good DNS setup
Ok lets get started.
You’ll need an email account. Go create a new one at yahoo/gmail/whatever…..doesn’t matter which (i wouldn’t use tormail for this……too much of a flag).
Go to https://www.virwox.com/, and create a new account using the email you just set up and the name on the CVV. Just make up a fake SL avatar – you don’t need to validate it.
You will then have to confirm your new account by retrieving the temp password from your email.
First thing to do in Virwox is change your password in the “Change Settings” tab on the left.
Now we’re ready to do some carding. Click “deposit” and scroll down to the Skrill(moneybookers) option. Then enter the max amount for the currency of your card (currently $56 for USA cards) and click the moneybookers logo.
If you have NoScript installed you will have to temporarily allow all this page. Enter the details you have for the CVV and make up a fake date of birth if you dont have a genuine one.
If all goes well, you will then be taken back to the main page with your USD/EUR/GBP balance filled.
On the “exchange” menu left of screen choose USD/SLL to convert to Linden $s, then BTC/SLL to convert to bitcoin.
Now withdraw.
Easy Profit.
Note:
- Typically Virwox hold funds for 48 hours before releasing.
- You can process payments a total of 3 times with each card…..one transaction every 24hours.
CC -> Moneygram -> BTC
If you have fulls (ssn, dob, etc) you can try cashing out through moneygram. To do this just go to site and sign up for an account under the cardholders name. Be sure to chain a regional socks5 with your Tor connection so you appear to be from the same country that the cardholder is in [4]. Select Same Day service. It will prompt you for the card details, dob, and the last 4 digits of the ssn. I would suggest running this name through a background check (any background search site will do) in case you have to answer a security question to send the funds over. Don’t try to send over too much. If you accidentally go over the limit or try to send a suspicious amount you risk flagging the account. No more than $300 from each CC. If everything goes smoothly you can try exchanging through https://wm-center.com for bitcoins. You can find more information on WM-Center here: https://en.bitcoin.it/wiki/WM-Center
CC -> Forex -> BTC
The process is actually really simple. I was surprised to find the site. Kinda found it by accident actually.
Site: http://www.rationalfx.com
Using a foreign currency exchange site to change money on a credit card into a foreign currency and to wire transfer the money into a bank account.
In this case, the bank account is at https://mtgox.com
The process goes as follows:
- Make an email account anywhere.
- Make an account at MtGox.
- Make an account at rationalfx.com. (all account info in the name of the cc holder).
- In rationalfx, add account details, addy, card number, MtGox wire info.
- Make a transfer.
Process takes 3-5 business days… It turns a cc transaction into a wire transfer so it takes a couple days… (Note: in the interest of speed and not getting the transaction reversed, Monday/Tuesday is the best day to start the transaction)
Once the money is in MtGox, turn it into bitcoins as quickly as possible and move it into your other bit wallets. Wash the coins if necessary…
Easy huh?
Already pulled it off once. 400GBP through a MC without any issues. rationalfx does not seem to have any real safeguards in place. Tor works fine there (though it is best to use an exit node wherever your card holder lives).
When I was testing it first with a visa, it told me 3 times in a row that the transfer failed. I lowered the amount each time and tried again. After the 3rd time it went through but I didn’t have the Verified by Visa password so I couldn’t continue. BOTH Visa AND MC , it seems, will pop up with a verification thingy if its enabled on the card. (Usually US/UK cards)
Make sure when you deposit to MtGox, you include the account identification info for that spacific account. You can find it on the ‘funding options’ -> ‘Bank wire’ page… If you forget that info you wont get your money..
So there you have it. Its simple as pie.. This is not 100% of the info but ya’ll can figure out the rest..
I know ya’ll prolly wont but if you are feeling generous…
Hope you enjoy..
Cashing Methods
This is a collection of cashing techniques that have been discussed on HackBB. Keep in mind before you get started you will need to know how to chain a socks5 with Tor to avoid tripping a fraud filter [1].
Easy PP/CVV cashout
I will preface this by admitting that I may have something to gain since I sell the tools needed to make this work. My mind played connect the dots when reading the forum and checking my messages, and I realized it’s easy to cash out with a little investment and work ahead of time.
I can’t guarantee this will work, I never tried it. But I do understand the systems involved so I’m as confidant as I can be.
Everybody wants to know how to cash out. Well, that is easy, the hard part is getting away with it. Any fuckin moron can rob a bank, but it takes a genius to do it time and time again while leaving the investigators in a state of mental confusion akin to drinking mercury and pithing their brains with an icepick.
This is not a step-by-step. Google is your friend (unless you’re signed in). I don’t hold hands, if you can’t figure it out on your own from here, it’s not in your scope.
Ingredients:
- EU paypal account
- Fresh email.
- Anon debit card
- CVV’s
- Balls
Ok, Open an EU paypal account from one of the countries below. You can use fakenamegenerator.com or whatever you want. Just make sure is is a merchant and not personal. There are 3 levels, go with the middle. Get an Anonymous debit card, and link it to the paypal, using the CC and not the bank. I know for sure that the bank wont work for US accounts, as it is a deposit only bank account number. Depending on the country and the country’s banking regs, paypal may or may not try to take back the verification amount they sent. Forget that.
Once the paypal and debit card are connected successfully, it is time to get your free money. I don’t know what language you are using in the EU paypal, but it goes something like this: Merchant tools–>Generate Paypal button. Alternatively, you can google “paypal but it now button” in quotes. Figure it out.
I hope to god you got a CVV by now, because that’s whats next. Using the code you got for the BIN button, go to http://htmlpreview.richiebrownlee.com/ Paste the code, click the button, and now you are at a paypal purchase page. Depending on where you are, and I haven’t figured this out yet, you may have an option to pay with CC. It used to be that with USA, you could pay with CC but not sign up. So make sure you have a USA CC. If you registered a simple personal account, paypal will ask buyers to sign up first, and you might as well stop there.
If you see the option to either sign up or pay with CC, you are GOLD.
The amount will be immediately available on the paypal you created. Now, just withdraw funds to the debit card. 3-5 days, it will be there. Go shopping. See the girl with the big titties? Buy her a drink. You win.
I cannot account for moneybookers, as I’ve never used it, but I imagine it would work the same way. To test with moneybookers, I suggest linking to a greendot card with a throw away account, since you need to verify SSN. That can be your legit moneybookers anyway.
Here is a list of countries that SUPPOSEDLY don’t need a VBA, only a CC:
Bulgaria
Chile
Cyprus
Estonia
Gibraltar
Iceland
Indonesia
Latvia
Liechtenstein
Lithuania
Italy
Israel
Liechtenstein
Luxembourg
Malaysia
Malta
Philippines
Poland
Romania
San Marino
Slovakia
Slovenia
Turkey
UAE
Uruguay
I’ll share with you a cashout method
I’ve been using square on my android to cash out cards… All I did was register with jingit com and apply for their visa debit card… I do it this was cause I just watch some ads until I make $2.00 which is the fee for the card… once the card arrives you’ll get an account # and routing # as if it were a checkings account. (when you apply for the jingit card make sure you match FB’s DOB with jingit card on the application form)
now you register on squareup com and link it to the debit card acc. to verify the initial deposit they make don’t wait til you get the statement, call the # on the back of the card and you can get your transaction history over the phone. (I forgot you have to activate the card over the phone. this is why you need the SSN and DOB)
I only do this over open wifi and my android is not activated with any company. Also you must have location services enabled so don’t do it close to your home.
you don’t need the reader, you can charge cards manually entering the card info. you need at least the billing zipcode. transactions under $25 don’t require signature and you can skip the receipt.
I always get another prepaid card to swipe it when I use a new acc for the first time, I never start using an acc entering numbers manually… it’ll raise flags. don’t use your own card linked to your bank… that would be stupid
Beating the Online Casinos/Bookies (uk)
What you need
- 2 machines, or an accomplice to play your dummy account.
- UK non-3DS CVV
- 50 GBP cash
- Access to a William Hill shop
Create 1st account
Setup VM on system 1. I’m not going in to any great detail on how to do this as it’s covered elsewhere on the board. Use something like: Tor -> VM -> [UK]VPN / VPN1 -> VM -> [UK]VPN2.
Download the software and setup an account using either your genuine details, or some fictitious details from the local area of the shop you will be using. The deposit option you are interested in is “Quick Cash”
Off you go to a local William Hill shop to buy your Quick Cash voucher (say 50 GBP for this example). The shop prints 2 vouchers. One they keep which you will have to sign (in your fake name if you’ve used one), the other is given to you and contains the transaction code to enable you to deposit online.
Now either contact your accomplice who will play the other account or:
Create 2nd Account
Setup VM on system 2.
Download the software same as for Account 1, and this time setup the account using the details from your CVV. Deposit using CVV (eg 400 GBP).
Dumping Chips
Again, i’m not going into any great detail on this….if you don’t know how to play poker, then learn…fast. Become familiar with which hands tend to generate the largest pots (eg AA vs KK). 6-handed tables are a good choice (0.50/1 for these amounts).
Over the course of 1-2 hours, pass chips from Account 2 -> Account1, randomly losing some chips to the other players at the table. A reasonable target is for Account 1 to be +300.
Cashing out
Ok, you’re happy with your 300 profit. Click withdraw in the cashier, again choosing the “Quick Cash” option. Print off the voucher, then return to the shop where you were earlier in the day. Present the voucher, sign your name again to verify and walk out the shop 300 GBP richer for a few hours work.
Note: It’s probably not a great idea to use fictitious details if you use a shop in your own local area. No ID should be required for amount <500 GBP. If you’ve dumped chips with enough care, it’s almost impossible to prove you were involved in any fraudulent activity. You’ll have cash in your hand before anyone realizes any fraud has taken place, so no chance of freezing accounts.
Carding Online
Editors Note:
I edited out the “ATTAINING HIGHER LEVELS OF ANONYMITY” section due to it being
obviously wrong and changed the CC check link. Don’t add it in.
LEGAL TIDBITS
This FAQ is intended for educational PURPOSES ONLY.
THE BIG QUESTION: WHAT IS CARDING?
- Well, defined loosely, carding is the art of credit card manipulation to access goods or services by way of fraud. But dont let the “politically correct” definition of carding stop fool you, because carding is more than that. Much more.
Although different people card for different reasons, the motive is usually tied to money. Yea, handling a $9,000 plasma television in your hands and knowing that you didnt pay one red cent for it is definitely a rush.
But other factors contribute to your personal reason for carding. Many carders in the scene come from poor countries, such as Argentina, Pakistan, and Lebanon where $50 could mean a weeks pay, on a good day. Real carders (the one that have been in the scene the longest) seem to card for something more, however. The thrill of cc manipulation? The rush that the federalles could bust down your door at any minute? The defiance of knowing that everyday that you are walking among the public is another day that you have gotten away with a federal crime?
Whatever your persona reason for carding is, this tutorial should answer a few noobie questions and take the guessing out of the entire carding game. The resources and techniques mentioned in this tutorial are NOT, I repeat, NOT the only methods of carding. Experience in carding is key. You have to practice your own methods and try out new techniques in carding to really get a system that works for you. This tutorial is meant to get you on your way.
THE BASICS: WHAT DO I NEED AND WHERE DO I GET IT?
Credit Cards: Yes, CCZ.
“do you have any ccz” “where can I hack CCZ” “where can I get a list of valid CCZ?”
You need money to make money. Plain and simple. Which means that the only way your gonna be able to get ccs if you have ABSOLUTELY NO MONEY is if you successfully rip a noobie with 100 cards (but what noobie has 100 cards?), if you have any background in database hacking, if you trade for your shit, or if you know someone that’s willing to give you ccz all day.
I know thats a discouraging statement to all of you, but we have to keep shit realistic. The easiest way to get ccz is to purchase them.
“but I can’t get a job/I don’t wanna work!”
Having a regular 9 to 5 job is not a bad idea in the carding scene. Not only will you have some sort of alliby to why you have all this expensive shit in your house, but you can also use the money (who cant nowadays) to pay bills. You cant card forever, and you cant sustain yourself by carding alone.
If you are REALLY strapped for cash, you have to go through the alternative: trade for your resources. you have to be resourceful in carding, meaning you have to use what you got. Got a psybnc admin account? Offer psybnc user for a cc or two. Got shells? roots? Can you make verification phone calls? just ask yourself “what do I have that might be valuable to someone else?” and work with that. It dosnt have to be big, it just has to get you a few cc’s in your palms.
Once you’ve run your first successful cc scam, DONT SPEND ALL YOUR EARNINGS. Save $200 and re-invest back into the carding community. head to SC and get better cards. If you have level 2 cards, I suggest carding C2it/Paypal and using that $$ to buy ccs. (successful C2it/PP scamming techniques will not be discussed in this tut, sorry)
To other minor pointers on rippers and legit sellers, please scroll down to “SELLERS, TRADERS, AND RIPPERS, OH MY!”
“where can I check my CCZ?”
Knowing wether your cc is valid or not is really important for saving some time and energy. you can check them under http://www.soundcloud.com
The idea way for checking ccz is through an online merchant (authorize.net, linkpintcentral.) These merchants can verify cc amounts without charging your ccs. Good luck finding one. People on IRC want a ridiculous trade for These merchants (cvv lists, cash). So if you run accrosss a legit merc, dont give it out! even to your best buds! online mercs are gold in the world of carding.
Other methods for verifying cc amounts include registering your cc on an online bank. (You will need at least a level 2 card, level 3 for ATM cards). alot of online banks can give you limit, billing addy, ect ect but they require at least a level 2 cc (more info on ccz below)
CREDIT CARD FRAUD: INFORMATION IS KEY.
I want to make something clear right now. The secret to carding is not the number of cards you own, its what you can do with the cards. What do I mean by that? Simple.
Hypotherical situation: My name is Johnny and I have 3 ccs with SSN, DOB, CVV NUMBER, MMN, NAME, STREET ADDRESS, CITY, ZIP, AND BILLING TELEPHONE NUMBER. I have a friend named Billy. Billy has 300 CCCZ with CVV, MMN, NAME, STREET ADDRESS, CITY, ZIP, AND BILLING TEL. NUMBER. Whos more likely to successfully card something?
Simply put, I (Johnny) am. Why? Because I have more information that can prove that I am the person who owns this CC than Billy does with his 300 CCVZ. Does that mean Billy’s not gonna card anything? No, that just means Billy’s gonna have a hard time carding anything without verification.
So to sum up this lesson, you have to get information on your mark (the person that youre impersonating.) #1 rule in carding is: the more information you have on a person, the better chances you have for a successful transaction. Here is the information you’re looking for(note: the levels of a card is not a tehcnical carding term, I’ just used L1 L2 L3 to simplify shit throughout the tutorial.) :
NAME: ADDRESS: CITY: STATE: ZIP CODE: TEL. BILLING NUMBER: CARD NUMBER: CARD EXP DATE: CVV CODE:
(LEVEL 1: REGULAR CVV. If you have this much info, youve got yourself a regular cc. Nowadays you need this much info for carding ANYTHING worth mentioning. If you have any less than this information, you’re shit outta luck. :\)
Social Security Number (SSN): Date Of Birth (DOB): Mothers Maiden Name (MMN):
(LEVEL 2: (PARTIAL FULL-INFO) If you have this much info, your ccz are on another level. With this info, you should be able to card PayPal, C2IT, and other sites without too much of a hassle.)
BANK ACCOUNT NUMBER: ROUTING NUMBER: BANK NAME: BANK NUMBER: DRIVERS LICENSE NUMBER: PIN NUMBER (For CC or ATM card)
(LEVEL 3: (true full-info) If you have this info, youre cc is ready to card anything your heart desires)
Now if all you have is a regular cc, dont discourage. Just do some research and build your cards as much as possible:
First, go to whitepages.com and try to lookup your marks street address and phone number. Make sure it matches the info you have on your cc..
Last, but not least, take a quick look in ancestry.com. Ancestry.com is a bit of a pain, but you can lookup DOB and MMN (ie, if your marks name is anthony hawkins, his father is david hawkins and his mothers name is bella donna, Donna is the MMN)
So size up your cards and move on to the next lesson:
DROPS AND VERIFICATION TECHNIQUES:
The right drop is essential to your scamming needs. Finding legitamite drops inside and outside of the US is hard. Many people keep your shit and don’t send, or some people dont pick up the package at all! (theres nothing worse than watching your hard-earned laptop going back to the store because it was refused by the recepient)
If you live inside (or even outside) the USA, you’re better off scoping a drop out on your own. A drop is basically an empty home that looks to be inhabited. This is the shipping address you use for your carding needs. Your items should only picked up at night. As awlays, be sure to have a cover-story in case someone asks why youre snooping around an empty home. “I’m picking up a package for the person that used to live here” is a legit excuse. Or even “my father is the real-estate agent.” is good. Just keep in mind that if you order anything over $500, it will USUALLY need to be signed for, (this statement is based upon FEDEX/UPS policies. I’ve gotten feedback from people that state they have gotten their local UPS employee to drop merchandise worth 1k at thir doorstop using a note, but these are uncomfirmed rumours.) Wether youre willing to sit and wait all day on the doorsteps of your drop, or you rather leave the postman a note that says you’ll pick it up at the nearest postal station, its up to you. (Dont panic if you have to pick up a package at the station. When you walk in, you need to be calm so it dosent arise suspicion. If the clerk asks you to wait more than 3 minutes, PLEASE dont stand there waiting to get busted, tell him/her you have a prior engagement and quickly exit stage left. )
If you live outside the USA, youre just gonna have to trust someone. The easiest way to get a legit drop in the USA is to ask around for people that have had successful experiences with a drop. Most drops hold a 50/50 or “you card something you card me sommething” policy. If you’re talking so someone thats trying to cut themselves in to the deal “Ie yes, I know someone but you have to card me something too” just move on, they’re wasting your time.
Just a quick note, if you’re carding something like a plasma television, you’ll have better luck using a drop from the same state, changing the billing addy (you can change a billing addy with a level 2 card, youll need a L2 card for carding a plasma tv neways) and acting like you just moved. (have that mindset when you call in: I am (name of cardholder) and I just moved from (city a) to (city b)) Once you have the item in your possession, you SHOULD GUESS THAT YOUR DROP HAS BEEN FLAGGED. What does this mean? YOU SHOULD NOT – I REPEAT SHOULD NOT RETURN TO A DROP ONCE YOU’VE CARDED EXPENSIVE SHIT TO IT. Regardless of wether your drop is flagged or not, do you really want to take the chances?
The cellular phone: The anonymous cell phone is the carders sword. With it, you will make several calls to several companies using several names. You should keep this cellular phone for carding ONLY. (just in case you become confused and forget who youre talking to.) If you have a phone phreaking connection, youre a lucky SOB. For the rest of us, we gotta go out and get a pre-paid cellular phone. (a phone which dosent require much info to purchase and use.)
THE SITES: WHATS CARDABLE AND WHATS NOT?
Ok, so you got your ccs, your drop and youre as anonymous as you can make yourself. Now what sites are cardable? This is the easiest question I have to answer on this FAQ.
-ANY AND ALL SITES ARE CARDABLE- (THX CIA AND `Q_)
Why do I say that? because it’s true. Like I said in chapter two of this little tutorial, its not about how many cards you have, its what you can do with them. Alot of this has to do with your mindset as well.
If you have a card from Johnny Knoxville from Texas, you must be Johnny Knoxville from texas. Depending on the information that you have acquired from Johnny Knoxvile, you must convince merchants and I-stores that you A R E Johnny Knoxville.
When approaching these I-stores, you want to scope things out first. Ask yourself a few questions:
-whats their policy on different shipping address than billing addess?
If they have a “must call” policy, make sure to give them an anonymous number where you can be reached (have your anon cell phone ready for this.)
-do they accept other payments besides credit?
If they accept other payment methods, sometimes its easier to card with a different payment method. (Ive had more luck on Dell.com with online checks that I have with credit cards.)
Whatever you card, make sure that you have all your info prepped before carding it. If youre carding something over 1k, get on your anonymous celly and call up the banking institution of the person’s card youre holding. Make sure to let them know that youre making a purchase of a large limit, so they dont deny your card.
Know Thy Enemy: What the CC Payment Gateways Check for Fraud
These are the measures taken by CardPay which is a payment gateway to rate fraud. It wouldn’t be really hard to imagine that other gateways take the same measures. Although we all know the rules of thumbs, I thought it would be interesting to see what they *actually* measure to evaluate high risk of fraud. The amount of information that they actually collect is mind blowing.
Fraud Screening system of CardPay Inc. Payment gateway performs comprehensive analysis of transaction data, using several techniques simultaneously. Data from external systems used during screening process, also as internal transactions history and various lists.
Transaction passes through so called “pipeline”, consisting of following steps:
- Rules system
- Card and cardholder’s data analysis using automated fraud screening service
- Multivariate regression analysis of in-house transactions database.
- The above mentioned subsystems are described in more details in the following section.
Rules system: Fraud rules logic implemented in stored procedures by Oracle DBMS, which enables adding and modifying rules without service downtime. Before passing order through rules chain, additional information retrieved from MaxMind credit card fraud prevention service. MaxMind returns to gateway following data:
- Cardholder located in high-risk country. At a moment following countries recognized as high risk: Egypt, Ghana, Indonesia, Lebanon, Macedonia, Morocco, Nigeria, Pakistan, Romania, Serbia and Montenegro, Ukraine, or Vietnam.
- Whether country of IP address matches billing address country (mismatch = higher risk)
- Country Code of the IP address
- Distance from IP address to Billing Location in kilometers (large distance = higher risk)
- Estimated State/Region of the IP address
- Estimated City of the IP address
- Estimated Latitude of the IP address
- Estimated Longitude of the IP address
- ISP of the IP address
- Organization of the IP address
- Whether IP address is behind an anonymous proxy(anonymous proxy = very high risk)
- Likelihood of IP Address being an open proxy(transparent)
- Whether e-mail is from free e-mail provider
- Whether e-mail is in database of high risk e-mails
- Whether usernameMD5 input is in database of high risk usernames.
- Whether passwordMD5 input is in database of high risk passwords.
- Whether country of issuing bank based on BIN number matches billing address country
- Country Code of the bank which issued the credit card based on BIN number
- Whether name of issuing bank matches entered BIN name. A return value of Yes provides a positive indication that cardholder is in possession of credit card
- Name of the bank which issued the credit card based on BIN number
- Whether customer service phone number matches BIN phone. A return value of Yes provides a positive indication that cardholder is in possession of credit card.
- Customer service phone number listed on back of credit card.
- Whether the customer phone number is in the billing zip code.
- Whether shipping address is in database of known mail drops.
- Whether billing city and state match ZIP code.
- Whether shipping city and state match ZIP code.
After gathering of all data, rules in chain applies to order data sequentially, increasing or decreasing total fraud score.
Rules chain consists of following rules:
- Cardholder country rating(global list)
- Cardholder country rating(as set up by merchant)
- Cardholders IP found in black lists
- Cardholders IP range found in black list
- Cardholders email found in merchants black list
- Cardholders email found in global black list
- Cardholders email found in forbidden email providers list
- Card PAN doesnt present in global black list
- Card PAN doesnt present in merchants black list
- Cardholders address not in global black list
- Cardholders address not in merchants black list
- Order amount doesnt exceeds global purchase limit
- Order amount doesnt exceeds local(merchant) purchase limit
- Single PAN daily turnover doesnt exceeds global daily limit
- Single PAN daily turnover doesnt exceeds local(merchant) daily limit
- Billing address daily turnover doesnt exceeds global daily limit
- Billing address daily turnover doesnt exceeds local(merchant) daily limit
- PAN number brute force check
- Expiry date brute force check
- CVV brute force check
This is base rules set. Our fraud officer constantly monitors transaction flow and modifies existing rules and implements new ones to gain maximum fraud prevention efficiency.
Transaction history analysis(in-house service): After successful rules checking, transaction data verified against pool of existing transactions, enabling most accurate results and fraud decisions possible. If this routine detects no reasons to block further processing.
Transaction history analysis(external service): If in-house transaction history doesn’t shows signs of fraud, external database enters into business.
Online Verification Procedures
Over the years, I’ve come across dozens of procedure lists for top-tier merchants regarding online transations and fraud reduction. I’ll detail several companies verification procedures below.
While most virtual carders are aware of the various procedures in place to verify orders placed online, few actually understand the implementation of fraud scoring, and the order in which these verification methods are used.
The Risk Management Toolkit
- AVS
- CVV
- IP/GEO/BIN
- Cardholder Authentication (VbV/MSC)
- Phone Verifications
- Manual Order Reviews
- Chargebacks & Representments
- PCI Compliance & Data Security
AVS – Address Verification Service
How It Works
- Provides a Match or Non-Match Result for only the Billing Street # and Billing Zip Code… not the actual address. (i.e. “1234 Test Street” is parsed into “1234” just the same as “1234 Wrong Way” would be).
Implementation
- Available on any Internet merchant account and virtually any Payment Gateway.
- Most gateways provide an AVS configuration area where you can specify whether you want to automatically“decline” (i.e. do not settle) an authorization that has an AVS mis-match or non-match.
Benefits
- Easy to implement Limitations
- Works only for U.S., CND, U.K. cardholders so this does not help you scrub most international transactions.
- A growing % of compromised credit cards – especially those obtained through inside jobs or hacked databases– will also contain the necessary information to provide a valid AVS match result.
Recommendation
- If you handle a mix of int’l and U.S. sales, you will want consider scrubbing with AVS on the U.S. transactions but do NOT scrub via AVS for any international transactions as they will always fail. AVS should not beconsidered a primary means of verifying the validity of a transaction. Nearly 20% of the fraud can potentially be eliminated by scrubbing “Non-Matched” AVS match results.
CVV – Card Verification Value
How It Works
- A service with many names – CVV2, CVC2, CID – but the premise is the same for all.
- Provides a Match or Non-Match Result for the 3-digit or 4-digit number embossed on the back of the cardholder’s card. The CVV is NOT generally encoded on the magnetic stripe and therefore is less likely to be captured as part of a card skimming tactic.
Implementation
- Available on any Internet merchant account and virtually any Payment Gateway.
- Most gateways provide an CVV configuration area where you can specify whether you want to automatically “decline” (i.e. do notsettle) an authorization that has an CVV non-match or non-entry.
Benefits
- Works for virtually ALL cardholder accounts – both U.S. and international.
- There is no valid reason why a legitimate cardholder, in possession of the card, would not be able to enter a 100% matching numberfor this.
- Merchants are not allowed to store CVV and as such the CVV # is less vulnerable than the data used for AVS.
Limitations
- CVV data can only be used for a real-time transaction. CVV data can not be stored and therefore can not be utilized for Recurring Transactions.
Recommendation
- CVV is a recommended service to utilize for ALL initial transactions processed. Based on our internal charge-back analysis, merchants can reduce their fraud ratesby as much as 70% by simply requiring a matching CVV result.
IP/GEO/BIN Scrubbing
How It Works
- Compares the IP address of the customer purchasing with their stated geographic location (i.e. why is the customer from California ordering from Europe?)
- Compares the BIN # (first 6 digits) of the credit card with the IP or stated geographic location of the customer (i.e. the customer isusing an US-issued credit card but they are from Europe?)
- Based on the IP and BIN # and other customer-inputted data, a vast amount of information can be returned on the transaction.
Implementation
- Custom direct integration into a service such as MaxMind.com
- Use an existing integration that is part of a Shopping Cart such as X-Cart, LiteCommerce, osCommerce, ZenCart,ASPDotNetStorefront.
- Use an existing integration that is part of a Billing System such as WHMCompleteSolution, ClientExec or Ubersmith.
•Use an existing integration that is part of a Payment Gateway such as the Quantum Payment Gateway.
Benefits
- Fast, Cost Effective and Non-Intrusive
- Provides merchants with an excellent “do the pieces fit consistently?” analysis.
- Can block up to 89% of all fraud if properly implemented
Limitations
- Generally not reliable for AOL users due to the way that AOL routes its traffic (AOL users require a merchant-specific approach)
- Proxy database is always in a real-time process of being updated as new proxies open up.
Recommendation
- IP/GEO/BIN fraud scores should be used in the order evaluation process more as a means of flagging transactions as “high risk” formore intensive scrubbing vs. being an outright decline.
Examples of what IP Geo-Location can tell you:
YELLOW ALERTS
- Free E-mail Address: is the user ordering from a free e-mail address?
- Customer Phone #: does the customer phone # match the user’s billing location? (Only for U.S.)
- BIN Country Match: does the BIN # from the card match the country the user states they are in?
- BIN Issuing Bank Name: does the user’s inputted name for the bank match the database for that BIN?
- BIN Phone Match: does the customer service phone # given by the user match the database for that BIN?
RED ALERTS
- Country Match: does the country that the user is ordering from match where they state they are ordering from?
- High Risk Country: is the user ordering from one of the designated high risk countries?
- Anonymous Proxy & Proxy Score: what is the likelihood that the user is utilizing an anonymous proxy?
- Carder E-mail: is the user ordering from an e-mail address that has been used for fraudulent orders?
- High Risk Username/Passwords: is the user utilizing a username or password used previously for fraud?
- Ship Forwarding Address: is the user specifying a known drop shipping address
IP/GEO/BIN Scrubbing (Continued)
Open/Anonymous Proxies: an open proxy is often a compromised “zombie” computer running a proxy service that was installed by a computer virus or hacker. The computer is then used to commit credit card fraud or other illegal activity. In some circumstances, an open proxy may be a legitimate anonymizing service that is simply recycling its IP addresses. Detecting anonymous proxies is always an on going battle as new ones pop up and may remain undetected for some time.
26% of orders placed with from open proxies on the MaxMind min Fraud service ended up being fraudulent. Extra verification steps are strongly recommended for any transaction originating from anopen/anonymous proxy.
High-Risk Countries: these are countries that have a disproportionate amount of fraudulent orders, specificallyEgypt, Ghana, Indonesia, Lebanon, Macedonia, Morocco,Nigeria, Pakistan, Romania, Serbia and Montenegro, Ukraine and Vietnam. 32% of orders placed through the MaxMind min Fraud service from high-risk countries were fraudulent. Extra verification steps should be required for any transaction originating from a high risk country.
Country Mismatch: this takes place when the IP geolocation country of the customer does not match their billing country. 21% of orders placed with a country mismatch on the MaxMind m******* service ended up being fraudulent. Extra verification steps are recommended for any transaction with a country mismatch.
Results that speak for themselves:
ChangeIP – is a DNS and domain name registration provider. The company provides free and custom Dynamic DNS services to more than 50,000 users. Before implementing MaxMind, ChangeIP was losing as much as $1,000 per month because it sold instantly delivered digital goods and could not recover the losses if the purchase turned out to be fraudulent. After implementing MaxMind, losses were reduced by 90%.
MeccaHosting – is a Web hosting company based in Colorado. Since integrating MaxMind, Mecca Hosting has not received a single chargeback. On average, 12-15 fraudulent orders pass through the in-house checks each month but are flagged by MaxMind. Over the last 5 months, this has saved MeccaHosting atleast 60 chargebacks and $6,000 in unnecessary costs.
Red Fox UK – is a Web hosting provider and software development company based in the UK which offers solutions for smalland medium sized businesses all over the world. By using MaxMind, Red Fox UK was able to increase its revenue by 4% while reducing its chargebacks by 90%.
365 Inc. – is a digital media and e-tailer specializing in soccer & rugby with a large international customer base that processes over 10,000 transactions per month. By integrating MaxMind, chargebacks were reduced byover 96% from more than $10,000 per month to less than $500 per month. At this point, most charge backs are general order disputes as opposed to fraud.
Whew. A lot of editing. I’ll post the remainder in a bit.
