Copy Link
Add to Bookmark
Report
Phrack Inc. Volume 04 Issue 44 File 20
==Phrack Magazine==
Volume Four, Issue Forty-Four, File 20 of 27
[** NOTE: The following file is presented for informational and
entertainment purposes only. Phrack Magazine takes NO
responsibility for anyone who attempts the actions
described within. **]
****************************************************************************
SSSSS AAAAA FFFFF EEEEE AAAAA N N DDDD EEEEE AAAAA SSSSS Y Y
S A A F E A A NN N D D E A A S Y Y
SSSSS AAAAA FFF EEE AAAAA N N N D D EEEEE AAAAA SSSSS Y
S A A F E A A N N N D D E A A S Y
SSSSS A A F EEEEE A A N N DDDD EEEEE A A SSSSS Y
CCCCCCCC AAAAAAAA RRRRRRRR DDDDDDD IIIIIIII NN NN GGGGGGGG
CC AA AA RR RR DD DD II NNNN NN GG
CC AA AA RR RR DD DD II NN N NN GG
CC AAAAAAAA RRRRRR DD DD II NN N NN GG GGGG
CC AA AA RR RR DD DD II NN NNN GG GG
CCCCCCCC AA AA RR RR DDDDDDD IIIIIIII NN NN GGGGGGGG
BY
VaxBuster
This file is ONLY to be published in Phrack, and has not and
will not be released, or published in any other magazine.
And a disclaimer: I do not engage in, or condone ANY illegal
activity, including credit card fraud, and this article should
be used for INFORMATIONAL PURPOSES ONLY. Those wishing to
engage in unlawful activities should be warned that there are
severe penalties that exist that could render the remainder of
your life useless.
In the past few years, I have had a ton of people come up and
ask, "I want to card something, but I'm afraid I'll get caught
because I don't really know what I'm doing, can u give me tips?"
This article is designed for those people, people who already
have carded and are looking for better/easier ways to do it.
One point you'll see me address VERY strongly in this article
is safety. I don't want to see any of my friends end up in
jail. See, like any unlawful activity, you are going to have
certain risks, and this article is designed to ELIMINATE those
risks, or narrow them down tremendously. I'm going to take
you step by step through the ENTIRE process from the time you
pick up the phone until the time you are safely at home
reading the manual to your new toy.
Stage One - Getting the credit card information
Getting the information is probably going to be the easiest of all
the steps involved here. You could go trashing at your local restaurant,
retail store, or bank. You could open up Federal Express boxes and find
them there. You could hack into an establishment and get them from there.
It doesn't really matter HOW you get it, but you want to make sure
you get the person's full name, their complete credit card number, their
expiration, and hopefully an address. In the event that you found the
credit card number locally and just have the name, check your local White
Pages for their address or use a service like Compuserve to pull up their
address. You'll probably find that the address closest to the store is the
right one. Also, if you can get a hold of the issuing bank, this will help.
Stage Two - Verifying the credit card information
There are several ways you can do this. And remember when you are
doing this that it would be VERY helpful to get the available line of credit.
1> If you have the issuing bank, call the bank and ask for their
AUTOMATED CREDIT SERVICE. They ALL have them. Its an 800 number
and it's printed on the back of the card. Basically, this service
is set up so that credit card holders can check their available
balance, available credit, etc. Usually, they have SOME kind of
security that prevents the normal person from walking up and
typing in someone else's number. This security is lame. You
either have to know the last 4 digits of their social security
number or their zip code. 99 times out of 100, you'll find that
you'll need their zip code though.
2> So you don't have the issuing bank? Just use a credit card verifier
with a merchant number. Don't place a HUGE purchase, it can be any
amount, so make it small, like say $8.31 or something.
3> Use a 800 porn service that accepts credit cards.
4> Use a credit bureau like CBI, TRW, or InfoAM. These services
are very nice because you can easily check their available
credit line. It also has other information that could be useful.
Remember, when you are doing this, don't make the calls from your
house, and if it's impossible to do otherwise, go through a divertor and a
code. Put a couple of levels of protection between YOU and them. This
will cut down on any tracks leading back to you.
Stage Three - Finding the company
You are looking for a relatively small company - one that has
what you need in stock, but not one that needs operators to answer calls.
Most places (even retail stores like Radio Shack) will ship out to anyone
any place in the US. Just tell them you are handicap, or can't get around
very well, and they will be more than happy to help. You want to find a
place that has Federal Express. And of course, you're looking for one
that accepts the type of card that you have. Incidentally, for those who
are VERY new at this :
If first digit of card is a:
3 American Express (15 digits)
4 Visa (13 or 16 digits)
5 Mastercard (16 digits)
6 Discover (16 digits)
Stage Four - Placing the call
Ok, before we go any further, make sure you have a call back number.
I use a VMB that is in the local area that I'm supposedly calling from.
You should almost always be calling for a business, because companies treat
businesses better than your standard customer. Tell them you need to have
the products the VERY next day, and if they can't have it to you by then,
tell them you'll find another company (Hell, who wants to wait? :) )
When you call them, just relax, and pretend like your just placing an order
for yourself, nothing is out of the ordinary, but you just need to start
that special project in the morning. Make sure you have all the information
in front of you. Call during business hours, not on Friday, Saturday, or
Sunday. Here's a transcript of one of my calls:
"Hello XXX, this is Mark can I help you?" (always get their name)
"Yes, My name is Joe and I'm calling from XXX, I'd like to place
an order."
"Ok sir, I'd more than happy to help you, let me get some info
from you first. Ok. Can I have your name?"
"Joseph XXX"
"Your address, Joe?"
"XXXX XXXX lane, and thats in XXXXXXX XX, the zip there is XXXXX"
"Ok, and a number where we can reach you if there is any problems?"
"XXX-XXX-XXXX"
"Ok, what would you like to order?"
"I need four of those laser jet printers, I believe I spoke with
someone on Friday about them, and the part number is XXXXX-XX.
Also, I had a question on those printers too, what type of
warranty do they carry?" (Always ask about warranty!)
"Well sir, these particular models have one year parts and labor
warranty. You can buy an additional 5 year warranty for only
$49 a piece too. We have an unconditional guarantee of 90 days."
"Ok, I'll take the 5 year warranty on all of them then."
"Do you need any toner cartridges, or printer paper?"
"No, all I need are the printers."
"Ok, how would you like these shipped?"
"You have Federal Express, right?"
"Yeah."
"Ok, Ship them PRIORITY overnight then."
"Ok, and how are you paying for your order?"
"With our corporate XXXXXX card."
"Ok, can I have your account number?"
"Sure its XXXX-XXXX-XXXX-XXXX"
"Ok, and the Billing information is the same as your ship to
address ?"
"Thats right."
"Ok, then this package will go out today, and you'll have the
printers by tomorrow morning."
"Ok, and can you do me a favor?"
"Sure."
"Whenever your shipping department ships the package, get the
Federal Express Tracking Number for me, and leave it on my
Voice Mail System?"
"Sure, I'll do that personally later on tonight."
"Ok. Thank you very much."
"Thank YOU sir."
Ok - a few things I want to mention. First, try to determine what type
of credit card authorization they have. If its retail store, they probably
just have ZION terminals, just the standard type or swipe style. These don't
check the address, or anything, just to make sure the card is valid and
has enough credit left. The other type check all the info, including the
name and address. Its very important that you are SHIPPING to the BILLING
address, because if you change the ship to, they may have a tendency to
get a tad suspicious. Also, the reason you could use that you need the
Fedex Tracking Number is for your Mail room. Use your imagination, but
keep your story the same, don't adlib too much, cause you may fuck up,
but stick to the above format, it works very well. Always try to be as
pleasant as possible, because in the event you couldn't check the credit
limit, you may have to give them another card.
Stage 5 - Finding a drop site
This is one of the harder things to do. If the billing address
of the card is local to you, you may just want to go their house to pick up
the package. If not, find an apartment building close (but not too close)
to where you live. Or find a house that has a for sale sign in the front
yard. Or if you know some school buddy of yours that is away for vacation
use his house (In that event, make SURE he has NO idea your doing this)
Whatever the case may be, just find a place that is relatively secluded from
the street, where there are places for you to park inconspicuously.
Apartment buildings work EXTREMELY well.
Stage 6 - Rerouting the package
This is a little trick one of my good friends showed me. It works
extremely well. Call up Federal Express with your airbill number. The
number is 800-238-5355. Tell them that you are not going to be in town
that day to sign for your package that you will be at another location,
and ask them if they could please send the package to a new address. They
may say that it will take an additional day to do that, depending on how
far away it is. INSIST that it arrives the next day, tell them its
extremely important, and don't take any shit from them, ask for their
supervisor if they gave you any problems. Their commitment is
overnight. By the way, call Federal Express AS SOON AS you know they
physically have the package, this way you give them as much time as they
need to reroute. Obviously your sending the package to your drop site that
you found.
Stage 7 - Picking up the package
This is by far the most DANGEROUS part of it. If you are going to
get caught, this is where its going to happen. DON'T have a school buddy
pick it up for you. Instant doom. DON'T pay someone to do it for you,
lord knows they will sell you out in a second. Not to mention, you're
probably brighter than the average eggplant, so you may be able to talk
your way out. "A guy on the street paid me this $20 bill to do it, I said
what the fuck" PLEASE USE EXTREME CAUTION WHEN DOING THIS.
OK. Call Federal Express, and make sure the package will be arriving
that day, and that everything is on schedule. Ask them what the route number
is, an estimate of when it will be there, and their commitment time for
that particular zip code. Then, go there earlier than you need to be, and
check out the place, look around for anyone who seems abnormal, look for
escape routes, exits. Look around, get a feel for where you are, and try
to ration out why you might just be standing there or why you would have
needed to pick up the package. Remember, if you used all the precautions
I've talked about, you should be in perfect shape. Just relax, be cool, and
everything will work out.
Walk around for a little bit, and find out the possible directions
the Federal Express Van will be coming from. Walk in front of the house
just when he arrives. Pretend as though your just on your way home or just
on your way out the door. Sign for it, and you're done.
Ok, you say, I'm the nervous type, and I don't want the guy giving
my description to the police, FBI, etc. (As though they will remember 1 out
of the hundreds of deliveries a day) Call up Federal Express and ask for
a signature release. This gives Fedex the right to leave the package at
your front door, and this removes their responsibility. OR, leave a note
with your signature (not printed) on the door, mailbox, etc. Remember though
that the guy may come home (or look out his window) and see the package, or
you signing it.
Remember there is nothing saying that you have to be there when the
package arrives. You can get a signature release or leave a note. Make
sure you are there as soon as possible AFTER they leave the package. I
actually prefer to be there, because when I just let it go, and check back
later, it is almost NEVER there. Either a> someone stole it b> a neighbor
picked it up and put it in their house for them c> the owner is actually
home and got the package (which is REALLY bogus, cause it's on their card!)
I have ALWAYS used an apartment building. I have ALWAYS been there
to pick the package up. I have never been busted. See, if you understand
how the system works, you know that there is NO way that anyone knows that
it is an illegal purchase. If you look at it on a time line :
<----2:00pm-------2:05pm------8:00pm-----10am--->
verify call reroute pickup
Now, if there is a problem, it will probably be either a> not enough
credit left on the card (which is nothing, they will leave a message on your
vmb) b> they called directory assistance and actually called that number or
c> VISA/MC/AMEX/DISC called the customer to verify the purchase because it
was larger than usual.
So obviously, if they got in touch with the card holder, or visa/etc
called the card holder, they AREN'T going to ship the package - meaning you
aren't going to show up anyways. Of course you never use a drop site more
than once, you never use a company more than once, and you never use a card
more than once.
Once you get your package, KEEP YOUR MOUTH SHUT. Don't jump on IRC,
and say, "Hey Cameron, I just carded a new Amiga 4000." And if you do
eventually tell someone that you carded it, NEVER USE ANY SPECIFICS, no
information about the company, the drop house, the name on the card, NOTHING.
If you follow these instructions, you can guarantee you will have absolutely
no problems, I have been doing this for quite some time, and have NEVER been
bothered by any law enforcement concerning this. I have never found anyone
who was careful that got busted. The people who have gotten busted for
carding have either bragged about it, or let someone know before hand, or have
been set up.
I have tried to cover all bases, but I'm positive I've missed a few
so if anyone has questions, let me know. I am always open to helping people
and can be found on the IRC, in either #hack or one of the better #hack
alternatives.
In addition to carding by phone, there is another possibility, that
is writing credit cards with a magnetic stripe writer. A certain group did
this for EIGHT years, before getting caught. This is worth a whole article
to itself, but I'll just go over some guidelines.
Track I is 210 bpi. Track II is 75 bpi.
The next chart shows the Magnetic Stripe Data Format (Track I)
Field # Length Name of Field
------- ------ -------------
1 1 Start Sentinel (STX)
2 1 Format Code
3 13/16 Primary Account Number
4 1 Separator (^) HEX 5E
5 2-26 Card Holder Name
6 1 Separator (^) HEX 5E
7 4 Card Expiration in format MMYY
8 3 Service Code (?) 000 WORKS.
9 0/5 Pin Verification Field
10 Discretionary Data Depends on 3, 5, 9
11 11 Visa Reserved Always last 11 positions
12 1 End Sentinel (ETX)
13 1 LRC
Maximum Record Length is 79 Characters
The next chart shows the Magnetic Stripe Data Format (Track II)
Field # Length Name of Field
------- ------ -------------
1 1 Start Sentinel (STX)
2 13/16 Primary Account Number
3 1 Separator (=) HEX 3D
4 4 Card Expiration Date in format MMYY
5 3 Service Code (?) 000 works.
6 0/5 Pin Verification Field
7 Discretionary Data Depends on 2, 6
8 1 End Sentinel (ETX)
9 1 LRC
"The LRC is calculated by performing a BITWISE XOR (Exclusive OR) on all
ASCII values of the characters in the Inquiry - EXCLUDING the <STX> but
INCLUDING the <ETX>."
<STX> is HEX 02.
<ETX> is HEX 03.
By the way, for my last article, "TTY SPOOFING", check Phrack 41 File 8.
***** MANY thanks go out to my friends, of whom I won't mention because of
the delicacy of this topic. I appreciate them sharing their knowledge
with me, and I feel I'm kind of returning the favor by writing this
article. Thanks also go out to the Phrack Staff, both past and present
for putting out an excellent magazine, and continuing to distribute
information to the computer underground.
***** Happy Hacking and Safe Carding!
VaxBuster '93