Greed: A story of a fraud

That's a real story of a bank fraud. Everything you wanted to know about the way the banking works, your three digit numbers, your online account and billing address. And how your money can be stolen.


Words by John Smith


How easy it is to accept cards. How easy to use them. How easy to steal them. First of all, who is it that benefits from using cards? You, the consumer. It’s so easy! No one will ever mug you and take your cash in a dark alleyway. Rent a car, a room in a hotel; take a loan, if needed. Yeah, until the first case of fraud. Then come phone calls, arguments, reissuing, $50 fine to teach your stupid gob a lesson, and the feeling that you’ve been had for free, like a smile in fucking McDonalds. Them, the business. Accept orders over the phone. No cash to transport. No need to sew up salesmen’s pockets. Take commission for card payments. Get chargeback for half the monthly income. Me, the carder. Getting access to you entire credit or maybe even all your savings for a dollar. The only people who got pure profit from the way things are right now, are the banks and VMC. Accept cards, but it’s your responsibility. Pay with cards, but it’s your responsibility.

The bank spends less, raise volumes, receive commission percentages etc.

Why CVC was introduced: Many, many years ago card data was all over the place. On the slips from a trashcan, on a check that wasn’t handed out to the previous customer, on the statement sticking out from someone’s mailbox. People ordered goods from catalogues. You could put in someone else’s data and your address and get an item, but who would risk their freedom in the countries where you can order things from catalogues? Besides, it was really hard to repeat massively. Can you imagine a person filling in stacks of order forms so they can steal some sneakers? I can’t. But then the Internet came along. A system with no limits. The most important part was that you need the same info to pay online as you did offline. What was risky for US residents was perfectly fine for Russians or Ukrainians. FAQs on how to use this data to your benefit popped up on Usenet. And so it went.

A massive amount of people started breaking the law. VMC didn’t react for the longest time. What for? Your contract clearly states that you’re using the card at your own risk.

Full stop. Income grows. Basically, not a single fuck is being given about the end user’s problems. But at some point retailers must have started howling too loudly. VMC had to react, and the rest probably joined in. Some fucktard decided to separate order process into two separate procedures: online and offline. The offline process stayed the same, but the online process got a new parameter to consider — a checksum that was physically present at the back of the card, but it didn’t show up on slips or checks. Introducing it was supposed to confirm the physical ownership of the card by the person making the order.

Did this stop fraud? No. Did it slow it down? Partially. It stopped the influx of new fraudsters. Simply put, an average Joe couldn’t just hop in and reap the benefits.

To your disappointment and my great delight the threat of data leak wasn’t taken seriously at the time

It didn’t slow down existing fraudsters. That’s why: the introduction of the code wasn’t instant. CVC appeared as an extra option in the acquirer’s system. The code couldn’t just physically manifest on a manager’s whim, it required reissuing all cards. Reissuing wasn’t forced. Total introduction dragged on for years. Fraudster guys kept working. Common people still need explanations about the three digits on the backside of their card. provide. Where did they get said volumes? From the Web, of course. From all those databases that you created yourself by diligently typing in your card details so you could buy a gift for your granny in Atlanta or watch porn.

To your disappointment and my great delight the threat of data leak wasn’t taken seriously at the time. The mouse was riding the elephant. There were teams being put together, and in them were people who could code a few lines in C++. I remember when bases of several dozens of online casinos leaked using SQL Unicode injection. Also, one world-famous processing company shared all their data with three lads from Ukraine for half a year. Wankers, eh?

There was even an adverse effect to it: believing this measure to be effective, many acquirers stopped doing real checks: ‘Hello, got the three digits? Of course, Mr. Jones, where should we ship your diamond for 5k? Thanks, Mr. Jones, please call again’. Not for long, of course.

Half of those who did demand the code didn’t actually check it despite the field being on the forms. Screw them.

Besides that, the option of checking the card’s address appeared. A really useful novelty — until then I could specify any address as the billing address and shipping address, and the merchant has no way of checking it. Here’s a clarification: the address is only checked on its numbers. This is a backwards compatibility issue. Most likely most acquirers’ software would have to be changed drastically otherwise. Sadly, it’s only an option.



Do you have online banking? Did you read the user agreement when registering in the system? How different is it to the content of promo leaflets? The difference is between the money in your pocket and a stranger’s pocket. In the past, the clients were shown a safe in the bank’s basement. How else? Security comes first. That’s what you paid for. And now? Now there’s nothing to show.

I think a bank’s data centre could only impress a specialist; in fact, though, it is the actual bank. The office next door, the familiar cashier, the personal safe where you keep your title deed — none of those are the bank. A modern bank is a data centre. Your money is entries in its database. Why did it get that way? The only reason is that the bank benefits from it. It’s just so simple and so profitable to close down 100 branches and install a server. You won’t think I am against modern technology. I am against banks giving up on what people dome to them for — security — out of greed. Pure greed, nothing else.

Most ways of stealing implies such use of it that it will be impossible for you to prove that the changes to your account weren’t made by you

Most banks offer you to agree that your login and password prove your identity as the owner of the account. The banks don’t care that this data is easy to obtain, and, furthermore, that most ways of stealing it implies such use of it that it will be impossible for you to prove that the changes to your account weren’t made by you. Some might say “don’t use it if you have doubts'’. A solid argument, that was. Up until the point when banks started charging for paper statements, paying your bills offline etc. Now it’s the only option. But they have no basis for keeping your security on the level of your email account or Facebook security. In this case, I am talking about huge retail banks. Trust me when I say that my reprimands aren't directed at offshore banks, not even the smaller ones.

Their main selling point has always been security. That's why every change to the account should be confirmed by a special key, generated on a separate device.

Ownership of such device should be the sole way of determining the owner, not the password.

So why isn't everyone introducing such devices? Some are. Mostly those banks that are still happy to show you their safe, even if it's now a digital one. Also, smaller banks that had to return stolen money to its rightful owner, and this compensation was a serious blow to their income. The rest are in no hurry. They are worried that the procedure will be too difficult for you; worried that you'll leave for another bank that doesn't make things difficult.

Even if you lose money, a big bank is willing to cover your losses. But who is willing to soothe your wrecked nerves?

Unquestionably, there is a lot less trouble with unauthorized access to accounts than there was before. You'll get an SMS every time anything at all changes in your online bank account, but in the early noughties very few banks had that option. The banks rushed the introduction. Try to remember which services provided by online banking you use. Billpay? Account to account transfer? Paying for your card account with your current account? I suspect that is the whole list. But from the bank's point of view that wasn't enough. If before you were offered, or in some cases forced, to use a service, now it's a lot simpler. A manager stuck a finger up his ass, spun it around there, reaching for the spinal column (seeing as an idea like that can't have come from their actual brain), and scooped out a set of services that you simply have to use because they give him 10% growth per quarter and a bigger bonus than that of his colleague in the next cubicle.

Here are some of those brilliant ideas:

Overnight Billpay

How do you use this? Decide to urgently return a debt to a distant relative in the middle of the night? Rush to pay your plumber who lives down the street and send a check, paying extra $50 for sending it with a courier from a bank located in the other state? It's okay though; I know what to do with this. I will send your check to a mule who lives in the same state as the bank right before your local baked pumpkin festival and cash it for 5% while you're digging pumpkin seeds out of your butt. International wire transfer. It's a dubious improvement in the life of a guy from Iowa.

Ever he's reached the Canadian border a couple of times in his life, I have no idea how he could make use of this service. I, on the other hand, can send the transfer to a bookmaker in the UK and lose the bet over tomorrow's weather to myself.

Internal transfer

Certainly more handy. But why is it that you don't have to confirm the recipient's account? Who is the recipient usually? In 90% of the cases it's a relative. Do you have that many? I doubt that you have more of them than I have mules. Mules who are happy to believe the tale about restoring credit history and to open an account in the required bank and send me the money anywhere via WU within three hours. How many times a day do you check your account? And how many time zones are there in the US?

For some reason online stores aren't willing to ship to different addresses. Have you guessed why that is yet? Say you need a new Apple MacBook ASAP. Will you log in and change? Well, so will I. I already have one, but it can't hurt to have two.

Check imaging. After a law was introduced, banks stopped exchanging paper checks.

That is logically sound. Great way to save. One thing remains a mystery though: along with those changes came the option to view all those checks online. If I couldn't see the requisites of your account before, now it was simple — I could find them on the cheques that your bank so diligently scanned in for you. Furthermore, say you sent a cheque to pay for your health insurance. What did you specify as the account? Your SSN? And for your car insurance — your driver's license number? Do you see?

PIN change. Great idea. Paid at an Indian café with your PIN? Put your card into a flaky ATM? You can always change the PIN online. Perfectly safe, right? The PIN and your card number aren't enough to withdraw cash at an ATM. Well, not quite. Let's consider how the system behind ATMs works. So, there's the bank that issued the card. The magnetic strip holds important data, such as the card number and the checksum, so called CVC, that cannot be figured out based on other information about the card. The PIN should be known just to the owner and the bank. Theoretically, for a successful withdrawal you need a PIN and correct magnetic strip data. Who checks this data? Not the ATM. The ATM sends the request to the bank. The PIN thing we've already discussed — it can be changed on the website. But the magnetic strip is a whole different story; it's often simply not checked. What is the reason for it? Probably just crappy software.

How the world famous payment system came to be an egg headed youngster

My compatriot, by the way — woke up once in the late afternoon after a night of fraud and, having got into the bath, leaped out of it like Archimedes, yelling "eureka!" His idea was as follows: the amount of cards online is finite, and still small to build a market of electronic payments — even if just local to America — in one system. What's needed for it? Money! A considerable amount, because fraud exists and cannot be eliminated, but it can be used to one's own advantage. If you limit the sum of a transaction to some manageable number, you can handle the losses, since you can't register one card with multiple accounts. And if there are a sufficient number of investors with deep pockets, then eventually, seeing as the number of cards is finite, fraud levels will fall as the volume of cards registered in the system grows. Common people will be forced to register so that no one does anything in their name, and even more so after someone does. That's why the payment system didn't check the owner's real name for the longest time. That's why at first it would freeze an account at the first sign of trouble. PP will never say how much money from the frozen accounts was returned to its rightful owners. Someone's losses are another man's operational income. Who's got the biggest database of cards after VMC? Of course the payment system does!

What else? Proxies — or IPs, to be precise! They are finite as well. Yes, there are a lot of them, since the country that invented the Internet holds about 75% of all the address space. It’s the Chinese who march in columns not only to the toilets, but also online — I am referring to NAT. It’s Bhutan where the only white IP address belongs to the king. But if your proxy is fake, there’s no way you can add money to the payment system.

The greatest payment system ever was built at the intersection of those two sets

At first, everything was peachy. Everyone rushed in looking to score. An American payment system, now that’s no joke! Stealing online — money coming out of your optical drive. After a while the hype died down though. Cards don’t get accepted, money won’t withdraw, and they keep calling you. Newbies fell off the wagon. More advanced players moved on to better things. Still, a considerable amount of money was moved from the investors’ pockets to carders’ pockets. Although to be fair they were willing to share from the start.

Those who managed to score were mostly grateful to a popular American ISP for holes in their firmware that opened up SOCKS on the standard port; the most popular operating system for having NetBIOS on by default for all classes of networks; and the payment system itself.

Why can’t I gamble with my own cash in an online casino?

You can, of course, but if anything happens, we’ve got nothing to do with it.

You are, essentially, the 9 SSN digits. When you got offered the convenience of filing for a credit card online by simply filling in a form on a website, I also got the opportunity to fill it in for you. Yes, you don’t give away your data, but the Web forgets nothing. In your online banking account, in your insurance order form, in a letter from your employer I’ll look for your data and I’ll find it. How often do you change your SSN? How about your driver’s license and your account number and everything else? Trust me, if I decided to turn a particular American citizen’s life into a waking nightmare, I’d do it with no effort whatsoever. However, I am motivated by profit, and that’s what I’ll do: using my access to your online banking, I’ll get the missing information — at least your SSN to start with.

People who are looking for profit aren’t concerned with security. They simply lack the knowledge

Using ancestors, I’ll get your MMN. With the help of a couple of other wily online services I’ll get your DOB and DRVL. I already have the information about your accounts and credit cards. If you have 5-digit sums on your accounts, I’ll attempt to withdraw them. I’ll start with opening a new account in your name. When I register on the bank’s website, I’ll specify the address of a document shipment service. Since I am opening no interest checking, it won’t require me to pay for anything. When I get the card that’s tied to the new account, I’ll order a money transfer to it when the moment is right. If the amount is high, I’ll first register a company in your name and then open a corporate account. There are several options here, actually. As the sole owner of a company, your credit rating is also your company’s credit history, so I can request a credit. Or the company may apply for international wire transfer.

Banks from Lithuania, Latvia and Estonia

“Any starting capital has illegal roots.” I read this somewhere once, and I don’t agree with it. But it’s true in relation to banks. I saw it with my own eyes.

Lithuania — Latvia — Estonia. Several large banks, at least one per country. 70% of all illegally acquired income has been transferred via those banks. A numbered account lets you receive a transfer in any name. A card that’s accepted worldwide. No checks of the legality of the source of your money and no guarantee of safety. An account can always be arrested pending investigation and no one will complain because the money is most likely dirty. I suspect that there are entire departments in those banks that trace the movement of money between accounts with a single aim — to freeze an account at a perfect time. Is it ethical to steal from a thief? The bankers knew who they were accepting into the happy European family, and if they did, why did they accept us?

Because they are the same. How do these small launderettes differ from the acclaimed?

Swiss ones? Just by the volumes.

Do you remember the time when the Internet began with Yahoo!? It was small, primarily text-based. No spam, no online banking, no, god forbid, captcha. A space for specialists and enthusiasts. But as soon as they got a whiff of money, a wave of people came in who considered themselves real smart asses, and who didn’t understand what the Net was all about. Yearning for easy money. Those people were the culprits of first cyber crimes. People who are looking for profit aren’t concerned with security. They simply lack the knowledge.

Understand this, the main property of the Web is anonymity. The main property of reality is personality. You can’t combine those two concepts through the combination of login and password. Relying on the security of this data is simply naïve. Only that allows the criminals to pass themselves for someone else.

Yes, with the appearance of social networks anonymity started to disappear, but we’re in transition still. Not anonymous anymore, but still not protected by publicity from identity theft.


To read more visit: