Skimmers, officially called magnetic card readers, capture the data on a card’s magnetic strip. Exactly what information is that?
Credit and debit cards have three “tracks” of data. Track 1 stores your name, account number and expiration date, and discretionary data to verify the PIN and security code. This information goes to the point of sale terminal, and allows your receipt to include your name and the last four digits of your account number.
Track 2 stores similar information coded and formatted specifically for the banking industry. This is the data that, from a merchant, goes to the bank via modem. Actually, it goes to an “acquirer,” a middle-man organization that authenticates the account data and guarantees payment to the merchant.
Track 3 was supposed to store biometrics, like a photo and thumbprint, but the banks decided it was too expensive to implement and do not use track 3 at all. It’s sometimes used on non-bank cards: airline cards, hotel and club memberships, etc. Track 3 is also writable.
Legitimate mag-strip readers are everywhere. Illegitimate ones, which I’ll refer to as skimmers, are, too. They may be stuck onto the faces of ATMs or gas pumps (possibly detectable). They may be attached to a merchant’s point-of-sale terminal (undetectable by customer, should be detectable by aware merchant). They have recently been found inside gas pumps (undetectable). Tiny, handheld models are used by waiters and others who swipe credit cards legitimately; they make an additional, criminal swipe through the portable skimmer.
Mag-strip readers are easily, legally purchased. The largest distributor is (no surprise) just outside Las Vegas. Bob met with the owner of the business, and bought a skimmer. The owner claims that his largest customers are schools and libraries, which buy in bulk in order to record attendance and keep track of books. I’ve heard from law enforcement that his biggest customer is the FBI, which buys skimmers, encodes them with trackable ID, and lets them fall into the wrong hands.
Our skimmer, pictured below, captures all three data tracks. Bob could have bought one half the size with twice the storage and a bluetooth interface for twice the price. The kind just pulled from the apron of a waiter at a high-end restaurant at Caesar’s Forum in Las Vegas—a restaurant frequented by a celebrity clientele (i.e. high-limit credit cards).
Whether obtained by an employee using a handheld skimmer, or one attached to stationary equipment, card data is gathered and stored, then collected by wired download or wireless transmission. Then what?
Someone called “afterlife” wrote:
Credit card theft is a growing problem but it does not happen the way most people envision it.Â It’s not the lone hacker who goes it alone to compromise one site and sell the credit card numbers to fraudsters.
These days it’s a network of carders who each have a specific role.Â Roman Vega of Boa Factory fame was known for having lawyers, botnet owners, hackers, traffickers, and pushers all on staff.Â These days the professional carder will knock over several merchants and store the information without using it for up to two years.Â Once they have amassed enough information they join the databases together forming a master datasheet on peoples lives.
Once they join databases with your credit card number and others with your e-mail address they can perform ‘spear phishing’ where they send you a targeted e-mail, with your credit card number, asking for your PIN number.
Credit card fraud is highly organized, en masse. Besides phishing and spear phishing, data is also written to new cards. These new cards can be blank stock, stolen cards (where sometimes the encoded data does not match what is printed—but who notices that?), gift cards, or shared-value cards. Mag-strip writers can be purchased as easily as mag-strip readers; and some models of readers just need a little extra software in order to write.
Everything one needs for credit card fraud can be learned or purchased on “carder sites.” Skimmer “dumps” are sold in lots, with payment made via Western Union. Here’s a typical “ad,” found among Afterlife’s blog comments (link above). This one’s about six months old:
The Best Dumps for a Good Price. Selling USA.
Hello dear friends. I’m a Memfis.
I have USA dumps, and some Asian.…¨I have a good price for it:
USA…¨20 USD CLASSIC, MASTER…¨25 USD VISA GOLD…¨30 USD VISA PLATINUM AND BUSINESS
ASIA…¨80 USD CLASSIC, MASTER…¨100 USD PLATINUM
I have my own base, good approval percent …“ about 90%…¨USA and Asia …“ 101 only. But I dont have EU bins.
USA …“ original track2.…¨Asia …“ both tracks are original, track1 and track2.
Payment is Western Union.…¨I’m sending order only after recieving payment, in 3-24 hours.…¨I have a replace pocily, but i should know what cards declined or holdcall in 24 hours, to replace it, in other time i wont replace.
For real buyers:…¨I can proove my quality, message me my ICQ.
Here’s a good thing: some of these gizmos hidden in gas pumps cause the pump to fail, so they’re found. But there’s bad news, too. Data from skimmers slyly hidden in gas pumps and other good places is often not used for three or four months. Why ruin a good thing if the skimmer is steadily transmitting account numbers and PINs? When credit card holders start reporting fraud, the common merchant on the victims’ accounts will be investigated and the device will be pulled. Has your card already been skimmed? Has mine?