==Phrack Magazine== Volume Four, Issue Forty-Four, File 20 of 27 [** NOTE: The following file is presented for informational and entertainment purposes only. Phrack Magazine takes NO responsibility for anyone who attempts the actions described within. **] **************************************************************************** SSSSS AAAAA FFFFF EEEEE AAAAA N N DDDD EEEEE AAAAA SSSSS Y Y S A A F E A A NN N D D E A A S Y Y SSSSS AAAAA FFF EEE AAAAA N N N D D EEEEE AAAAA SSSSS Y S A A F E A A N N N D D E A A S Y SSSSS A A F EEEEE A A N N DDDD EEEEE A A SSSSS Y CCCCCCCC AAAAAAAA RRRRRRRR DDDDDDD IIIIIIII NN NN GGGGGGGG CC AA AA RR RR DD DD II NNNN NN GG CC AA AA RR RR DD DD II NN N NN GG CC AAAAAAAA RRRRRR DD DD II NN N NN GG GGGG CC AA AA RR RR DD DD II NN NNN GG GG CCCCCCCC AA AA RR RR DDDDDDD IIIIIIII NN NN GGGGGGGG BY VaxBuster This file is ONLY to be published in Phrack, and has not and will not be released, or published in any other magazine. And a disclaimer: I do not engage in, or condone ANY illegal activity, including credit card fraud, and this article should be used for INFORMATIONAL PURPOSES ONLY. Those wishing to engage in unlawful activities should be warned that there are severe penalties that exist that could render the remainder of your life useless. In the past few years, I have had a ton of people come up and ask, "I want to card something, but I'm afraid I'll get caught because I don't really know what I'm doing, can u give me tips?" This article is designed for those people, people who already have carded and are looking for better/easier ways to do it. One point you'll see me address VERY strongly in this article is safety. I don't want to see any of my friends end up in jail. See, like any unlawful activity, you are going to have certain risks, and this article is designed to ELIMINATE those risks, or narrow them down tremendously. I'm going to take you step by step through the ENTIRE process from the time you pick up the phone until the time you are safely at home reading the manual to your new toy. Stage One - Getting the credit card information Getting the information is probably going to be the easiest of all the steps involved here. You could go trashing at your local restaurant, retail store, or bank. You could open up Federal Express boxes and find them there. You could hack into an establishment and get them from there. It doesn't really matter HOW you get it, but you want to make sure you get the person's full name, their complete credit card number, their expiration, and hopefully an address. In the event that you found the credit card number locally and just have the name, check your local White Pages for their address or use a service like Compuserve to pull up their address. You'll probably find that the address closest to the store is the right one. Also, if you can get a hold of the issuing bank, this will help. Stage Two - Verifying the credit card information There are several ways you can do this. And remember when you are doing this that it would be VERY helpful to get the available line of credit. 1> If you have the issuing bank, call the bank and ask for their AUTOMATED CREDIT SERVICE. They ALL have them. Its an 800 number and it's printed on the back of the card. Basically, this service is set up so that credit card holders can check their available balance, available credit, etc. Usually, they have SOME kind of security that prevents the normal person from walking up and typing in someone else's number. This security is lame. You either have to know the last 4 digits of their social security number or their zip code. 99 times out of 100, you'll find that you'll need their zip code though. 2> So you don't have the issuing bank? Just use a credit card verifier with a merchant number. Don't place a HUGE purchase, it can be any amount, so make it small, like say $8.31 or something. 3> Use a 800 porn service that accepts credit cards. 4> Use a credit bureau like CBI, TRW, or InfoAM. These services are very nice because you can easily check their available credit line. It also has other information that could be useful. Remember, when you are doing this, don't make the calls from your house, and if it's impossible to do otherwise, go through a divertor and a code. Put a couple of levels of protection between YOU and them. This will cut down on any tracks leading back to you. Stage Three - Finding the company You are looking for a relatively small company - one that has what you need in stock, but not one that needs operators to answer calls. Most places (even retail stores like Radio Shack) will ship out to anyone any place in the US. Just tell them you are handicap, or can't get around very well, and they will be more than happy to help. You want to find a place that has Federal Express. And of course, you're looking for one that accepts the type of card that you have. Incidentally, for those who are VERY new at this : If first digit of card is a: 3 American Express (15 digits) 4 Visa (13 or 16 digits) 5 Mastercard (16 digits) 6 Discover (16 digits) Stage Four - Placing the call Ok, before we go any further, make sure you have a call back number. I use a VMB that is in the local area that I'm supposedly calling from. You should almost always be calling for a business, because companies treat businesses better than your standard customer. Tell them you need to have the products the VERY next day, and if they can't have it to you by then, tell them you'll find another company (Hell, who wants to wait? :) ) When you call them, just relax, and pretend like your just placing an order for yourself, nothing is out of the ordinary, but you just need to start that special project in the morning. Make sure you have all the information in front of you. Call during business hours, not on Friday, Saturday, or Sunday. Here's a transcript of one of my calls: "Hello XXX, this is Mark can I help you?" (always get their name) "Yes, My name is Joe and I'm calling from XXX, I'd like to place an order." "Ok sir, I'd more than happy to help you, let me get some info from you first. Ok. Can I have your name?" "Joseph XXX" "Your address, Joe?" "XXXX XXXX lane, and thats in XXXXXXX XX, the zip there is XXXXX" "Ok, and a number where we can reach you if there is any problems?" "XXX-XXX-XXXX" "Ok, what would you like to order?" "I need four of those laser jet printers, I believe I spoke with someone on Friday about them, and the part number is XXXXX-XX. Also, I had a question on those printers too, what type of warranty do they carry?" (Always ask about warranty!) "Well sir, these particular models have one year parts and labor warranty. You can buy an additional 5 year warranty for only $49 a piece too. We have an unconditional guarantee of 90 days." "Ok, I'll take the 5 year warranty on all of them then." "Do you need any toner cartridges, or printer paper?" "No, all I need are the printers." "Ok, how would you like these shipped?" "You have Federal Express, right?" "Yeah." "Ok, Ship them PRIORITY overnight then." "Ok, and how are you paying for your order?" "With our corporate XXXXXX card." "Ok, can I have your account number?" "Sure its XXXX-XXXX-XXXX-XXXX" "Ok, and the Billing information is the same as your ship to address ?" "Thats right." "Ok, then this package will go out today, and you'll have the printers by tomorrow morning." "Ok, and can you do me a favor?" "Sure." "Whenever your shipping department ships the package, get the Federal Express Tracking Number for me, and leave it on my Voice Mail System?" "Sure, I'll do that personally later on tonight." "Ok. Thank you very much." "Thank YOU sir." Ok - a few things I want to mention. First, try to determine what type of credit card authorization they have. If its retail store, they probably just have ZION terminals, just the standard type or swipe style. These don't check the address, or anything, just to make sure the card is valid and has enough credit left. The other type check all the info, including the name and address. Its very important that you are SHIPPING to the BILLING address, because if you change the ship to, they may have a tendency to get a tad suspicious. Also, the reason you could use that you need the Fedex Tracking Number is for your Mail room. Use your imagination, but keep your story the same, don't adlib too much, cause you may fuck up, but stick to the above format, it works very well. Always try to be as pleasant as possible, because in the event you couldn't check the credit limit, you may have to give them another card. Stage 5 - Finding a drop site This is one of the harder things to do. If the billing address of the card is local to you, you may just want to go their house to pick up the package. If not, find an apartment building close (but not too close) to where you live. Or find a house that has a for sale sign in the front yard. Or if you know some school buddy of yours that is away for vacation use his house (In that event, make SURE he has NO idea your doing this) Whatever the case may be, just find a place that is relatively secluded from the street, where there are places for you to park inconspicuously. Apartment buildings work EXTREMELY well. Stage 6 - Rerouting the package This is a little trick one of my good friends showed me. It works extremely well. Call up Federal Express with your airbill number. The number is 800-238-5355. Tell them that you are not going to be in town that day to sign for your package that you will be at another location, and ask them if they could please send the package to a new address. They may say that it will take an additional day to do that, depending on how far away it is. INSIST that it arrives the next day, tell them its extremely important, and don't take any shit from them, ask for their supervisor if they gave you any problems. Their commitment is overnight. By the way, call Federal Express AS SOON AS you know they physically have the package, this way you give them as much time as they need to reroute. Obviously your sending the package to your drop site that you found. Stage 7 - Picking up the package This is by far the most DANGEROUS part of it. If you are going to get caught, this is where its going to happen. DON'T have a school buddy pick it up for you. Instant doom. DON'T pay someone to do it for you, lord knows they will sell you out in a second. Not to mention, you're probably brighter than the average eggplant, so you may be able to talk your way out. "A guy on the street paid me this $20 bill to do it, I said what the fuck" PLEASE USE EXTREME CAUTION WHEN DOING THIS. OK. Call Federal Express, and make sure the package will be arriving that day, and that everything is on schedule. Ask them what the route number is, an estimate of when it will be there, and their commitment time for that particular zip code. Then, go there earlier than you need to be, and check out the place, look around for anyone who seems abnormal, look for escape routes, exits. Look around, get a feel for where you are, and try to ration out why you might just be standing there or why you would have needed to pick up the package. Remember, if you used all the precautions I've talked about, you should be in perfect shape. Just relax, be cool, and everything will work out. Walk around for a little bit, and find out the possible directions the Federal Express Van will be coming from. Walk in front of the house just when he arrives. Pretend as though your just on your way home or just on your way out the door. Sign for it, and you're done. Ok, you say, I'm the nervous type, and I don't want the guy giving my description to the police, FBI, etc. (As though they will remember 1 out of the hundreds of deliveries a day) Call up Federal Express and ask for a signature release. This gives Fedex the right to leave the package at your front door, and this removes their responsibility. OR, leave a note with your signature (not printed) on the door, mailbox, etc. Remember though that the guy may come home (or look out his window) and see the package, or you signing it. Remember there is nothing saying that you have to be there when the package arrives. You can get a signature release or leave a note. Make sure you are there as soon as possible AFTER they leave the package. I actually prefer to be there, because when I just let it go, and check back later, it is almost NEVER there. Either a> someone stole it b> a neighbor picked it up and put it in their house for them c> the owner is actually home and got the package (which is REALLY bogus, cause it's on their card!) I have ALWAYS used an apartment building. I have ALWAYS been there to pick the package up. I have never been busted. See, if you understand how the system works, you know that there is NO way that anyone knows that it is an illegal purchase. If you look at it on a time line : <----2:00pm-------2:05pm------8:00pm-----10am---> verify call reroute pickup Now, if there is a problem, it will probably be either a> not enough credit left on the card (which is nothing, they will leave a message on your vmb) b> they called directory assistance and actually called that number or c> VISA/MC/AMEX/DISC called the customer to verify the purchase because it was larger than usual. So obviously, if they got in touch with the card holder, or visa/etc called the card holder, they AREN'T going to ship the package - meaning you aren't going to show up anyways. Of course you never use a drop site more than once, you never use a company more than once, and you never use a card more than once. Once you get your package, KEEP YOUR MOUTH SHUT. Don't jump on IRC, and say, "Hey Cameron, I just carded a new Amiga 4000." And if you do eventually tell someone that you carded it, NEVER USE ANY SPECIFICS, no information about the company, the drop house, the name on the card, NOTHING. If you follow these instructions, you can guarantee you will have absolutely no problems, I have been doing this for quite some time, and have NEVER been bothered by any law enforcement concerning this. I have never found anyone who was careful that got busted. The people who have gotten busted for carding have either bragged about it, or let someone know before hand, or have been set up. I have tried to cover all bases, but I'm positive I've missed a few so if anyone has questions, let me know. I am always open to helping people and can be found on the IRC, in either #hack or one of the better #hack alternatives. In addition to carding by phone, there is another possibility, that is writing credit cards with a magnetic stripe writer. A certain group did this for EIGHT years, before getting caught. This is worth a whole article to itself, but I'll just go over some guidelines. Track I is 210 bpi. Track II is 75 bpi. The next chart shows the Magnetic Stripe Data Format (Track I) Field # Length Name of Field ------- ------ ------------- 1 1 Start Sentinel (STX) 2 1 Format Code 3 13/16 Primary Account Number 4 1 Separator (^) HEX 5E 5 2-26 Card Holder Name 6 1 Separator (^) HEX 5E 7 4 Card Expiration in format MMYY 8 3 Service Code (?) 000 WORKS. 9 0/5 Pin Verification Field 10 Discretionary Data Depends on 3, 5, 9 11 11 Visa Reserved Always last 11 positions 12 1 End Sentinel (ETX) 13 1 LRC Maximum Record Length is 79 Characters The next chart shows the Magnetic Stripe Data Format (Track II) Field # Length Name of Field ------- ------ ------------- 1 1 Start Sentinel (STX) 2 13/16 Primary Account Number 3 1 Separator (=) HEX 3D 4 4 Card Expiration Date in format MMYY 5 3 Service Code (?) 000 works. 6 0/5 Pin Verification Field 7 Discretionary Data Depends on 2, 6 8 1 End Sentinel (ETX) 9 1 LRC "The LRC is calculated by performing a BITWISE XOR (Exclusive OR) on all ASCII values of the characters in the Inquiry - EXCLUDING the but INCLUDING the ." is HEX 02. is HEX 03. By the way, for my last article, "TTY SPOOFING", check Phrack 41 File 8. ***** MANY thanks go out to my friends, of whom I won't mention because of the delicacy of this topic. I appreciate them sharing their knowledge with me, and I feel I'm kind of returning the favor by writing this article. Thanks also go out to the Phrack Staff, both past and present for putting out an excellent magazine, and continuing to distribute information to the computer underground. ***** Happy Hacking and Safe Carding! VaxBuster '93