How'd They Do That? Part 2 - You Stole My Credit Card Number!

You’ve just gone to eat at your favorite hometown restaurant and 48 hours later you notice charges on your credit card from Dushanbe, Tajikistan or Ouagadougou, Burkina Faso. You’ve never been there, but apparently your credit card has.

How does this happen?

DIY Copy Credit Cards

This type of fraud is called “card present” because someone, somewhere in the world has presented a counterfeit payment card to a vendor. The data needed to create a counterfeit card is surprisingly easy to obtain. It’s also really easy to get a hold of the counterfeit plastic cards, embossers, printers, and hot foil stampers you need to complete the job. Most of it you can even buy on eBay or Amazon.

Embossing and Stamping

The data used to produce counterfeit cards is called “track data,” and it’s stored on the magnetic stripe on the back of your credit card. The stripe holds up to three data “tracks,” and a standard magnetic reader reads them as the card is swiped. Chris Brewer explained track data in depth in part 1 of this series.

Track 1: the cardholder name, account number (PAN), expiration date, a service code, and discretionary data the issuing bank uses to validate the card (the bank identification number, or BIN, is not a separate field; it is the leading digits of the PAN). It looks like this:

%B41019905272191^LENIK/GRAYSON ^190920114401135774546844346000011?

^ “Nope, not real data :)”

Track 2: all of the above except the cardholder name. Most credit card payment systems use Track 2 to process transactions. It’s all a counterfeiter needs to produce a fake card.

Track 2 looks like this:

;4101990523272191=19092011440114600011?

^ “Surprise! Also not real”

In fact, the cardholder name field is inconsequential to processing a transaction. Some cashiers will check an ID if the name that pops up on the screen is obviously not the same as what it says on the card, but it’s rare. Even though all my credit cards clearly say “SEE ID” in the signature field, I’m only asked for my ID about one time in five.

Here’s a breakdown of the data on the stripe:

Magnetic Stripe Data
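As an added worked example (not from the original post), here is a small Python parser that splits the two fake track strings above into their fields, the same breakdown the image shows, and runs the Luhn check digit test on the PAN. The field layout and the service code meanings follow ISO/IEC 7813; everything else (names, the breakdown format) is my own. Both sample PANs fail the Luhn check, which is one quick way to confirm the examples really aren’t real card numbers.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples: the article's own deliberately fake track strings.
SAMPLE_TRACK1 = "%B41019905272191^LENIK/GRAYSON ^190920114401135774546844346000011?"
SAMPLE_TRACK2 = ";4101990523272191=19092011440114600011?"

# ISO/IEC 7813 layouts:
#   Track 1: '%' 'B' PAN '^' name '^' YYMM service-code discretionary-data '?'
#   Track 2: ';' PAN '=' YYMM service-code discretionary-data '?'
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
TRACK2_RE = re.compile(r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")

# Service code meanings per ISO/IEC 7813 (digit 2, authorization processing, omitted here).
# Digit 1 tells the terminal whether the card carries a chip; digit 3 what it may buy and
# whether a PIN is required.
SERVICE_DIGIT1 = {
    "1": "international interchange",
    "2": "international interchange, chip card (use IC where feasible)",
    "5": "national interchange only",
    "6": "national interchange only, chip card (use IC where feasible)",
    "7": "no interchange except bilateral agreement",
    "9": "test card",
}
SERVICE_DIGIT3 = {
    "0": "no restrictions, PIN required",
    "1": "no restrictions",
    "2": "goods and services only",
    "3": "ATM only, PIN required",
    "4": "cash only",
    "5": "goods and services only, PIN required",
    "6": "no restrictions, use PIN where feasible",
    "7": "goods and services only, use PIN where feasible",
}


def luhn_ok(pan: str) -> bool:
    """Luhn (ISO/IEC 7812) check digit test: real PANs pass, the fake samples do not."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def describe_service_code(svc: str) -> str:
    return f"{SERVICE_DIGIT1.get(svc[0], 'reserved')}; {SERVICE_DIGIT3.get(svc[2], 'reserved')}"


@dataclass
class TrackData:
    track: int
    pan: str
    expiry: str                  # MM/YY, as embossed on the card
    service_code: str
    discretionary: str           # issuer-defined: stripe CVV (CVV1/CVC1), PIN verification data...
    name: Optional[str] = None   # track 2 has no name field

    @property
    def bin(self) -> str:
        # The "bank ID" is not a separate field; it is the leading digits of the PAN.
        return self.pan[:6]

    @property
    def luhn_valid(self) -> bool:
        return luhn_ok(self.pan)


def parse_track(raw: str) -> Optional[TrackData]:
    """Split a raw track string into fields; None if it is not ISO 7813 track data."""
    m = TRACK1_RE.match(raw)
    if m:
        return TrackData(1, m["pan"], f"{m['exp'][2:]}/{m['exp'][:2]}", m["svc"], m["disc"], m["name"].strip())
    m = TRACK2_RE.match(raw)
    if m:
        return TrackData(2, m["pan"], f"{m['exp'][2:]}/{m['exp'][:2]}", m["svc"], m["disc"])
    return None


def breakdown(raw: str) -> dict:
    """Field-by-field breakdown of one track, in stripe order."""
    t = parse_track(raw)
    if t is None:
        return {"error": "not ISO/IEC 7813 track data"}
    return {
        "track": t.track,
        "PAN": t.pan,
        "BIN (first 6 of PAN)": t.bin,
        "Luhn check": "pass" if t.luhn_valid else "FAIL (not a real card number)",
        "cardholder name": t.name,
        "expiry (MM/YY)": t.expiry,
        "service code": f"{t.service_code}: {describe_service_code(t.service_code)}",
        "discretionary data": t.discretionary,
    }


if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        for field, value in breakdown(raw).items():
            print(f"{field:>22}: {value}")
        print()
```

Note the service code “201” on both samples: the leading 2 tells a terminal the card has a chip, which matters for the advice at the end of this post, because a chip-capable card swiped on a magstripe-only reader is exactly the fallback case counterfeiters rely on.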

No Card Required

So if you have either Track 1 or Track 2 data from someone’s card, that’s all you need to make a fake card and start spending. But how does someone get hold of that information in the first place? Do they have to physically have your payment card in their hand?

Many people think the primary source for stolen payment card data is when employees of restaurants or other merchants take possession of customer cards and skim them with a small handheld reader like the one shown below.

Card Skimmer

Unfortunately, that isn’t correct. (Unfortunate because it’s easy for law enforcement to catch people with physical skimmers).

Instead, the majority of cardholder data theft occurs after a cashier runs your card through the point-of-sale (POS) terminal. Generally, a business will have two or more terminals where employees enter orders and take payments. These terminals don’t actually process payments; they send the data to a central server located elsewhere in the restaurant, usually referred to as a back of house (BOH) server.

POS System

The BOH server takes the payment details and the track data from the card, encrypts them, and sends them out for authorization. From there, the transaction follows the same process Chris discussed in part 1.

Eight-step credit card process

In almost all cases, the data is transmitted securely once it leaves the merchant. The banks and card networks spend millions of dollars a year on security. Unfortunately, the weak link is the merchants themselves: inside their systems the card data is handled in the clear before it is encrypted for authorization.

Finding the Path of Least Resistance

Your local restaurant may make delicious tapas, cocktails, bacon double cheeseburgers, or pizzas, but in most cases they know little or nothing about information security. They rely heavily on businesses called “integrators” that sell and install custom POS systems.

Integrators sell and set up the POS systems that help merchants track inventory, seat customers, update menus, and receive payments. Frequently, they are responsible for all of the setup and maintenance of small business IT systems.

Integrators can have anywhere from a handful to thousands of customers, so they don’t want to send out a technician every time a client needs a menu item removed or there’s a problem with a terminal. Instead, they install remote access software so that one technician can service dozens of clients in a day.

You may recognize the names of some of the most popular remote access applications: GoToMyPC, LogMeIn, Microsoft Remote Desktop, PCAnywhere, and VNC. There’s nothing inherently wrong with most of these applications if they’re configured properly. But here’s where things start to fall apart: Integrators (and their clients) very often use weak or default passwords during the initial installations for ease of use.

Sometimes they intend to change it later. Sometimes they tell the merchant to change it to something more secure but it doesn’t happen. Sometimes they just forget. I’m not here to point fingers, just to report the facts. If you leave remote access open and use really awful username–password combinations like aloha:hello, pos:pos, manager:manager, or micros:micros, it will only be a few minutes before an attacker compromises your payment systems.

Quick fact: We set up a system just like this to create a lab environment for a class and it took less than 20 minutes from setup to compromise. We used Microsoft RDP and a username–password combination of pos:pos.
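An added example, not from the original post, of what catching this looks like from the merchant’s side. Windows records a successful RDP logon as Security event 4624 with LogonType 10 (RemoteInteractive) and a failure as event 4625. The script below walks a constructed set of such records (shaped like what a SIEM normalizes out of the event XML; not real log data) and raises an alert when one of the integrator default accounts named above logs in over RDP from outside the LAN, or when a burst of failures from one address is followed by a success. The account list, LAN ranges, thresholds and field names are assumptions to adjust for your own environment.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Account names integrators are known to leave behind (the article's aloha:hello,
# pos:pos, manager:manager, micros:micros). Illustrative; extend with the vendor
# defaults present in your own estate.
DEFAULT_POS_ACCOUNTS = {"aloha", "pos", "manager", "micros"}

# Assumed merchant LAN ranges; anything else is treated as "the internet".
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

RDP_LOGON_TYPE = 10               # Windows LogonType 10 = RemoteInteractive (RDP)
FAILURE_LOGON_TYPES = {3, 10}     # with Network Level Authentication, failed RDP attempts log as type 3
BRUTE_FORCE_THRESHOLD = 5         # this many failures from one source inside the window...
BRUTE_FORCE_WINDOW = timedelta(minutes=10)   # ...make a following success suspicious

# Constructed events shaped like normalized Windows Security 4624/4625 records.
# Not real log data; the IPs are documentation ranges.
SAMPLE_EVENTS = [
    {"time": "2015-06-01T02:14:03", "event_id": 4625, "logon_type": 3, "user": "pos", "src_ip": "203.0.113.7"},
    {"time": "2015-06-01T02:14:09", "event_id": 4625, "logon_type": 3, "user": "pos", "src_ip": "203.0.113.7"},
    {"time": "2015-06-01T02:14:15", "event_id": 4625, "logon_type": 3, "user": "pos", "src_ip": "203.0.113.7"},
    {"time": "2015-06-01T02:14:21", "event_id": 4625, "logon_type": 3, "user": "pos", "src_ip": "203.0.113.7"},
    {"time": "2015-06-01T02:14:27", "event_id": 4625, "logon_type": 3, "user": "pos", "src_ip": "203.0.113.7"},
    {"time": "2015-06-01T02:14:33", "event_id": 4624, "logon_type": 10, "user": "pos", "src_ip": "203.0.113.7"},
    {"time": "2015-06-01T03:02:41", "event_id": 4624, "logon_type": 10, "user": "micros", "src_ip": "198.51.100.22"},
    {"time": "2015-06-01T08:55:10", "event_id": 4624, "logon_type": 2, "user": "cashier1", "src_ip": "127.0.0.1"},
    {"time": "2015-06-01T09:01:12", "event_id": 4625, "logon_type": 10, "user": "manager", "src_ip": "192.168.1.50"},
    {"time": "2015-06-01T09:01:30", "event_id": 4624, "logon_type": 10, "user": "manager", "src_ip": "192.168.1.50"},
]


@dataclass
class Alert:
    rule: str
    user: str
    src_ip: str
    detail: str


def is_internal(addr: str) -> bool:
    try:
        ip = ip_address(addr)
    except ValueError:           # 4625 often records "-" when no source address is known
        return False
    return any(ip in net for net in INTERNAL_NETS)


def detect(events) -> list:
    """Alerts for brute-forced RDP logons and for default POS accounts used over RDP from outside."""
    failures = defaultdict(list)          # src_ip -> timestamps of failed logons
    alerts = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        ts = datetime.fromisoformat(e["time"])
        if e["event_id"] == 4625 and e["logon_type"] in FAILURE_LOGON_TYPES:
            failures[e["src_ip"]].append(ts)
            continue
        if e["event_id"] != 4624 or e["logon_type"] != RDP_LOGON_TYPE:
            continue
        recent = [t for t in failures[e["src_ip"]] if ts - t <= BRUTE_FORCE_WINDOW]
        if len(recent) >= BRUTE_FORCE_THRESHOLD:
            alerts.append(Alert("rdp_bruteforce_success", e["user"], e["src_ip"],
                                f"{len(recent)} failed logons then success within {BRUTE_FORCE_WINDOW}"))
        if e["user"].lower() in DEFAULT_POS_ACCOUNTS and not is_internal(e["src_ip"]):
            alerts.append(Alert("default_pos_account_external_rdp", e["user"], e["src_ip"],
                                "integrator default account logged in over RDP from a non-LAN address"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"[{a.rule}] user={a.user} src={a.src_ip}: {a.detail}")
```

Two practical notes: the internal manager logon in the sample deliberately does not alert, because a single failure followed by success from the LAN is what a fat-fingered password looks like; and the “pos” account fires twice, once for the brute force and once for being a default account reachable from the internet. In a real deployment the second rule alone is the one worth paging on, since a default account that can be reached over RDP at all is the finding, whether or not anyone has guessed it yet.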

Beyond Compromise

Once attackers compromise the POS systems, they install specialized software either on the terminals to capture keystrokes (older keyboard-wedge card readers present themselves to the terminal as a keyboard, so a swipe arrives as typed characters that a keylogger can capture) or on the master system that sends payment authorizations. It’s far more common to see malware on those master systems (remember that BOH server?), since all authorizations typically pass through that single machine. If you’ve read any of the news about major franchises being breached, you may have heard of some of these malware variants: BlackPOS, Chewbacca, Dexter, Malum, or Punkey.

These “memory scrapers” (also called RAM scrapers) read the memory of the POS payment process, where the track data sits unencrypted for the moment between the swipe and the encrypted authorization request, and pull it out by pattern matching on the track format we talked about earlier. The attackers either use that data to make their own fake credit cards or sell it to a website that deals in stolen data. Such websites sell stolen credit card details for between $2 and $50 per record.
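To make concrete what a memory scraper is looking for, here is an added Python example (not the author’s code, and not any malware’s) that sweeps a constructed byte buffer, standing in for a dump of the POS payment process, for ISO/IEC 7813 track 1 and track 2 framing and reports each hit by offset with the PAN masked to first six and last four digits. The same search is what a forensic investigator runs over a memory image to prove whether track data was exposed in the clear; the buffer contents and the planted track strings are the fake samples from earlier in this post.

```python
import re
from dataclasses import dataclass

# The article's deliberately fake track strings, planted into a constructed buffer
# that stands in for a dump of the POS payment process's memory.
SAMPLE_TRACK1 = "%B41019905272191^LENIK/GRAYSON ^190920114401135774546844346000011?"
SAMPLE_TRACK2 = ";4101990523272191=19092011440114600011?"

MEMORY_IMAGE = (
    b"\x00" * 32
    + b"POS payment service 5.4 - authorizing...\x00"
    + b"customer=LENIK table=12\x00"
    + SAMPLE_TRACK2.encode()                 # plaintext track 2 lingering after the swipe
    + b"\x00" * 40
    + b"pan_only=4101990523272191\x00"       # a bare PAN: not track data, so not reported here
    + b"\x00" * 8
    + SAMPLE_TRACK1.encode()                 # plaintext track 1 from the same swipe
    + b"\xff" * 24
)

# ISO/IEC 7813 track framing as bytes patterns. This is essentially what a RAM scraper
# searches for, and what an examiner searches for to prove exposure. The sentinels
# (% ; ^ = ?) make it far more specific than a bare run of 13-19 digits.
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]{0,60})\?")
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})([^?]{0,30})\?")


@dataclass
class Finding:
    offset: int
    track: int
    masked_pan: str      # first 6 + last 4: the most PCI DSS permits to be displayed
    expiry: str          # MM/YY


def mask_pan(pan: str) -> str:
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list:
    """Locate ISO 7813 track 1/2 records in a memory buffer; report them masked, by offset."""
    findings = []
    for m in TRACK1_RE.finditer(buf):
        pan, exp = m.group(1).decode(), m.group(3).decode()
        findings.append(Finding(m.start(), 1, mask_pan(pan), f"{exp[2:]}/{exp[:2]}"))
    for m in TRACK2_RE.finditer(buf):
        pan, exp = m.group(1).decode(), m.group(2).decode()
        findings.append(Finding(m.start(), 2, mask_pan(pan), f"{exp[2:]}/{exp[:2]}"))
    return sorted(findings, key=lambda f: f.offset)


if __name__ == "__main__":
    for f in scan_for_track_data(MEMORY_IMAGE):
        print(f"offset 0x{f.offset:06x}: track {f.track}  PAN {f.masked_pan}  exp {f.expiry}")
```

The bare PAN planted in the buffer is deliberately not reported: a scraper wants complete track data, not just a card number, because the expiry, service code and discretionary data (the stripe’s own CVV) are what make a counterfeit swipe authorize. Masking the output matters in the investigative use: a report that itself contains full PANs is a second cardholder data exposure.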

There is a healthy “dark web” industry surrounding payment card data. Sites exist that share video tutorials on how to hack, where to get counterfeiting equipment, and search engines that allow you to buy cards specifically from your region or a specific bank. Generally speaking, the newer the data, the higher the price. The card tier (Gold, Platinum, Black) is another important value factor.

So someone purchased your stolen card’s data from an underground site, produced a fake card, and suddenly “you” are buying big ticket items, refundable plane tickets, or just a simple cab ride somewhere in the world you’ve never been in your life.

That’s how they do that!

How Can You Protect Yourself?

It’s hard to imagine credit card theft will ever go away but you can take steps to protect yourself and make it less likely you’ll become a victim:

  1. If you have the option, choose businesses that use chip (EMV) readers instead of magnetic swipers. (In Europe, Australia and many other places around the world, these are standard.) While these devices are not hack proof, a chip transaction produces a one-time cryptogram instead of handing over static track data, so what a scraper might capture cannot simply be written onto a counterfeit card, and chip terminals are typically equipped with point-to-point hardware encryption as well.
  2. If you are somewhere “sketchy” with old-looking POS systems, pay with cash or a check instead.
  3. If you travel and count on those credit cards to get home, carry a spare! Having your card shut down abroad is no fun—I carry three cards, just to be safe.
  4. Use a credit card instead of your debit card—Chris mentioned this as well in part 1. You’ll almost always get the fraudulent charges back from your bank, but if the money has already come out of your personal funds it may take two days or longer. You don’t want to miss a car payment because JimBob’s Greaseburger got your card stolen.

*Disclaimer* I don’t actually know a JimBob’s Greaseburger but I mean no disrespect; I’m sure your gut bombs are amazing!

While this series is about individual consumers protecting themselves, I should also mention that Nuix is a Qualified Security Assessor Company (QSAC) and a participating member of the PCI Forensic Investigator (PFI) program. We work with merchants to prevent payment card and data breaches, and to investigate and respond quickly and efficiently when a breach does occur.


Grayson Lenik

Principal Security Consultant, Digital Forensics & Incident Response

Grayson Lenik has worked in information security and digital technology for more than 20 years. His job roles have included avionics technician, systems administrator, network administrator, security systems architect, private consultant, incident responder and team leader. Grayson has researched and presented on anti-forensics, cybercrime operations and incident response methodology.
