SpartanZ Part 1

July 19, 2017 | Author: Anonymous Gtr0KFzD | Category: Debit Card, Credit Card, Financial Transaction, Cheque, Visa Inc.

Let’s say you opened a credit/debit card and want to buy something on the internet with your card. First, you enter all card details into the secure page of the shop. Most shops can’t see those details, because they are encrypted, and if they could see them it would affect people's privacy and safety. After you have entered the info into the payment gateway (secure page), the transaction must be authorized by the bank. This is done automatically in a few seconds, and if everything is ok, the money goes to the merchant account.

A merchant account is a type of bank account that allows businesses to accept payments by cards, typically debit or credit cards. From the merchant account, the shop gets the money into its bank account. The entire process takes a few days, depending on the merchant account. So the shop doesn’t get the money right away after you made the payment, as many people think.

"Chargeback" is the term used for debiting a merchant's bank account with the amount of a transaction that had previously been credited, that is, the return of money to the card holder. It usually occurs when the card holder sees transactions which he hadn’t made and contacts the bank; the bank contacts the shop, and the shop must return the money. Chargebacks occur 95 % of the time, but everything depends on whether it occurs before you managed to cash out or after. It can occur a few days after payment, or three months after. The bigger the balance on the card, the harder it is for the holder to notice losses. Also, sometimes people can request from banks to be notified via SMS or e-mail when their card is debited, or when they reach some limits on their cards. Plus, some of them are big fans of online bank statements, and check them daily. All this affects the chargeback speed.

BIN - Bank Identification Number. These are 6 digits of a credit card number. By the BIN you can find the bank that issued the card and the level of it. BINs can be checked on sites like

bins.pro

For example you have a card which's number begin with 414709 and it's from Capital One Bank, Signature Level. All cards that will begin with 414709 will be Signature from Capital One Ban k about Shipping/Billing address: Billing adress is the adress which cardholder indicated on file when he opened his card. Shipping adress is the adress on which your order will be delivered. All shops which deliver physical items ask for shipping and billing adress. Even if a lot of shops have the option to indicate different billing and shipping adress, not many ship on different billing and shipping. Everything depends on amounts you card. Some new shops which don’t have good antifraud system, don’t check for billing address, even if they ask for it. This a vulnerability in their shop and also this can happen

because payment processor page doesn’t have connection with shop information. You can see people calling this “bill=ship” This means that in billing address you put your shipping address, and everything goes ok

If you card small amounts like till 200 $, even very serious shops may not look at your different bill and ship addresses. I mean, shops offer you the chance to use different billing and shipping, but they also have the right to cancel your order anytime if they think that you are not legit. And orders till 200 $ make us legit. You can search for shops bill=ship to be worldwide, not US or UK, but to card them with US or UK cards. This is just an example. Chances for success are bigger. Such shops many times ask on their site all the holder's card details like name, address, zip, and so on, and after they redirect you to another site which is the processor's page. There you introduce only card number, expiration date, and cvv. So there isn't any connection between these two ones. First one checkd the personal details and address, and second one just the card information. The right way it would be: Second one checks everything Banks have option to add a temporary shipping address to the file, different from billing, but about this ill teach in another session when we will get to ATO (Account take over) AVS stands for Address Verification System This is system used to verify the address of a person claiming to own a credit card. The system will check the billing address of the credit card provided by the user with the address on file at the credit card company. AVS verifies only the numeric portions of a cardholder's billing address. For example, if the address is 101 Carderstreet, Fraudland, CA 92346, in the United States, AVS will check only 101 and 92346 to match. Maybe you saw such listings like „Non AVS” cards. This mean that card has no adress on file or it doesn’t support that. A lot of european credit cards are non avs, also south america. For U.S this is rare Non-AVS cards can work good for shops which accept and process worldwide orders. Again, if you will want to card in this way, look in the direction of EU shops. 
Because many of their cards are NON AVS, shops don't have reasons to check for AVS Sometimes, even cardholders may receive false negatives, or partial declines for AVS from e-commerce verification systems, which may require manual overrides, voice authorization, or reprogramming of the AVS entries by the card issuing bank. Why this is happening? Because of the fact that there are different

codes for AVS. For example Street address matches, but postal code do not match. Or, AVS data is invalid or AVS is not allowed for this card type, Non-U.S. issuing bank does not support AVS, and other things. All of this may raise some flags, but it doesn't mean that they will make a final decision for shops to accept or not your payment. Also, another thing with non avs cards: For example shop doesn’t check if your card is AVS or not. And you put billing address from US or any other country. Shop can check bin of your card, and see that this BIN is from Colombia. This means there can be probability for order to be declined. Mostly it happens for big shops which have departaments of people who manually review orders for fraud Like you see, NON AVS is a powerful tool if you use them on the right shops.

First we need to make a test to see if the store is accepting non avs cards. But search for shops that process international orders. For example, like 6 months ago, Amazon used to accept NON AVS cards, but i guess now, they aren't accepting anymore, because a lot of people started abusing it. You put any shipping address when using a non avs card

ok, let's move now to the next topic, VBV/MSCS, Safekey- 3D secure: 3-D secure is an additional security layer for online credit and debit transactions. It was developed by Visa, and called Verified by Visa (VBV) Soon, it was adopted by Mastercard, under the name of Mastercard Secure Code (MSCS), and later by American Express as Safekey. I'll put shops in two groups. Shops/Payment Gateways that check for 3D secure and shops that don’t. For a shop which checks for 3d Secure, after you entered card details into the payment gateway, it redirects you to 3D Secure page, usually page of bank emitent. Because this is an additional security layer, there you must introduce code set up by holder, or some of his personal information. Sometimes you can reset the code, by having SSN (Social Security Number), ZIP, DOB (Date of Birth) or other information of card holder (this is for USA), sometimes you can’t. If a BIN can be reseted and what info is required everything depends on BIN and on country where card was emited Also, resetting the 3d secure can kill the card sometimes, depends on how sensitive is the BIN and how big is the fraud percentage for it. 3d secure is very popular in Europe and less popular in United States When i'm saying popular i mean:

1. A lot of holders have 3d secure enabled on their cards. Most BIN’s have option to enable 3d secure 2. A lot of shops accept or require 3d secure transactions I don't know, maybe you noticed on AB that some vendors are selling like hundred of NON VBV BINs. This is bullshit, because a lot of BINS from USA are NON-VBV and it's not so hard to find one, depends on what level do you need. Higher levels equals with higher chances to be VBV on card. Also, such collections of thousand non vbv bins actually have like 40-60 % of BINs VBV. So saying just in case, don't be fooled by it. But finding a nonvbv BIN from Europe, is hard, and that's why nobody is selling such info. NON-VBV are also less in Canada, Australia and UK than in US, but more than in EU If a shop redirects you to Verified by Visa page, this means that in case of fraud, all the chargebacks will be paid by bank, because this is their layer of security If a shop doesn’t check for VBV, shop must pay all expenses in case of chargebacks. That's why sometimes the NON-VBV shops tends to have stronger security. Because they will need to pay the stolen money in the end BTW, about Amex Safekey, you will see it very rare

How to change the VBV password and MCSC Password First method: First method is very simple. We will pre enroll into the VBV or MSCS. What this means? This means that BIN supports VBV, but holder just didn't use this option and didn't enroll. So we will do it for him. After, we will have the possibility to use the card with the VBV password that was setuped by us. Also, this method works mainly for US, but for some UK and Canada banks too. Again, i'll put banks in two categories based on the ways they allow their customers to pre enroll cards. 1. Big banks (but not all) like Chase or Citibank for example allow to do it via Online Banking. How it's done? You go to their website. Login with online details (not easy to get and rare sold by somebody on DN), and acces their control panel. There you can do many nice things, like checking balance, sometimes transfers, changing billing address, and also VBV enrolling. This is not for us, because of the lack of online login details. The best are the second types of banks. 2. Smaller banks (but not all) use this option via third parties. This is the method we may want to use and it works for US. The third parties we will use can be found here:

www.mycardsecure.com - It works for VISA and Mastercard https://verified.visa.com/aam/activation/landingPage.aam- It's not really a third party, and it works only for VISA www.mastercard.us/securecode-sign-up.html - For Mastercard Also, you can check the banks processes of enrolling to VBV by typing in Google something like this: Enroll VBV and "name of the bank" Sometimes, pre-enrolling can occur even when we are trying to make a payment. What i mean by this? For example you are trying to use a CC that supports VBV (but isn't enrolled) on a shop that checks for VBV. The payment gateway will suggest you first to enroll the card and will redirect to the right place. You will create the password, and after will be able to use it on the shop. When you try to pre-enroll the card online you must have the same setup like when carding. I mean to change your IP to cardholder's location and much more things we will discuss in the security session. Also, you will need to have the DOB and SSN of cardholder, but about this we also will discuss later. Second method: Ok, next method for dealing with VBV. It's simple and it's about resetting the vbv password. Of course you can do it only by having the right information in your hands. This is the best method for NON-USA cards. How to get the right information? By buying Fullz CVV. But resetting the VBV doesn't require everytime the same info. It depends on country and BIN. This means that information we get when buying Fullz CVV may not be enough sometimes. For US usually the information required is MMN, SSN, and even ZIP (bins resetted by zip are considered to be the best because it's easy), SIN (SSN in CA) for Canada, Account number/Sortcode number, MMN in UK, Account and sortcode in Germany. But everything depends on BIN, this is not an exact info and will never be exact. When you will be redirected to VBV page, if the card is resetable, you will see a button to reset the password and after is easy. Also, remember what i told? 
Resetting the VBV may kill the cards, depends on how sensitive is BIN Third Method: This method may look a little strange to you, but i want to tell that there are people who are using it because of the fact that they really have the need in using a 3dsecure card. It is hard because it involves direct speaking with bank employee, exactly like ATO. There are people who can manage calls for you in exchange of a little payment, but you never know how good are they in SE (social engineering). Actually you must be good, because it's not about how you talk, but about what you

talk What we must do? In a few words, we call the bank, pretend to be the cardholder, and come with a very good legend why we need to change the VBV. That's why SE skills are essential here. Like everytime when you want to make some changes on card, you will be asked a few basic questions like MMN, SSN, ZIP, and so on. You can have this info by getting fullz. But all this info doesn't matter if your legend isn't good enough, or if you will deal with an experienced bank employee who is good at detecting fraud. Now i'll talk a little about how can you check if a card is VBV or not Actually a direct method or site i don’t know and never heard of a good one (there are a few checkers on market, but most of them are giving fake results using old bases, exactly the same NON VBV bases that vendors i told you above are trying to sell), but there are some indirect methods for doing this. 1. You can go to a shop you know that checks for VBV. If you don’t know such a shop, go to google and type „verified by visa shop”, „verified by visa clothes”, or something like this, you will get enough results. After go to site datafakegenerator.com, generate a fake credit card with bin you want to check, and try to pay at shop. Even if card is dead it will redirect to VBV page. This doesn’t work for all shops and cards, but for many i tried, it worked. 2. You go to this website https://verified.visa.com/aam/activation/landingPage.aam . If card isnt VBV it will write that your card doesn't support that. You see, this is the same site like in the case when we setup the code by ourselves. And we also have the same site for MC: http://www.mastercard.us/securecode-sign-up.html Most of the times if a BIN is NON VBV, all the cards with this BIN will be NON VBV too. Mostly in European/Asian countries, you can find a very interesting layer of security, which makes carding process to be very hard. 
When you are redirected to Verified by Visa page, you can’t use information like ZIP or SSN to reset the code. They just send a sms code on holder’s mobile phone, which you need to confirm by entering it on VBV page. This layer of security it’s very hard to pass, and it require forwarding of sms to your number, and a very very few people do it, because it just isn’t profitable and require good technology. Such cards should be avoided or used on shops which don’t check for VBV. From my experience, most of China, Hong Kong, Singapore, Thailand, Spain, have sms confirmation VBV. So, use this cards on shops which dont have VBV Checking Enabled

And another method that works for passing through VBV, especially in UK. Orders via phone. When you call the shop and place an order via phone, most of the times VBV won't activate. But you need to check if a specific shop accepts call orders, not all are doing it. Usually just the biggest ones. And please don't share this tip, cause i don't want a lot of people to start abusing it like with other things. For a order via phone, you call the shop usually on the number they provide on their website for phone order, tell to the employee your card details and he/she inputs them manually in the merchant. In this way, 3dsecure has a big chance to not be triggered Ok, now ill speak about how to check a card to see if it's valid or dead. Valid means that card can be used, and dead that it was disabled by bank at request of holder, or because of suspecting fraud First and most important rule. Never check a CC before you want to use it. Of course, many people are talking that exists checkers of CC’s that don’t kill the card. Yes, such checkers exist, but let me first explain how bank’s antifraud system works Every transaction gets fraud points from 0 to 999. This system is used by four of biggest banks in US and other banks are using similar systems. It's not about the system used, but about things on which are based these system. They are similar for almost all of the banks in US, and even in the world. Transactions which got more than 300 points, will be checked manually by a bank employee, who will decide if to contact cardholder or to allow transaction. Transactions which got more than 500 points, get autocanceled, card is blocked, and bank employee contacts the cardholder. What things add fraud points: Comparing transaction with payments which cardholder made in past- This is a very important point. 
If cardholder is really a big spender, it means that a big transaction won't be flagged by bank The location of your payment- International transactions are considered risky, especially if cardholder never made an international transaction in his life. The amount- If card has 5000 $ and you want to spend everything in one transaction without calling bank and asking them to allow transaction, there are extremely high chances that you will fail. Riskfactor used by merchant/shop. How it usually looks:

1. Geographic IP = country of your IP must match the country of the real holder
2. High Risk Country - there are some countries usually associated with fraud. They look if your IP or billing address are from such countries. Some of those: Russia, Ukraine, Belarus, Macedonia, Colombia, Egypt, Indonesia, and others.
3. Distance - distance between IP address and billing address.
4. BIN number match - country of the credit card matches the country of the IP (like I told about NON-AVS cards. But this is not for all the shops)
5. Carder e-mail - if the email which you used is in the fraud database (rare)
6. Open Proxy - if you are making the payment from a free public proxy.
7. Spam IP - if your IP is associated with spam
8. Other things

For example, if card holder spends 30 bucks in a local store from his city, this isn’t suspicious at all. But a big order for 20003000 $ on a laptop’s online shop, will get many fraud points, and it has a big chance to be cancelled if cardholder makes online payments very rare. How all this is linked to what I said before about checking? Very small transaction, followed by a very big transaction, will get you a big fraud score, because they understand that you are testing the card. If they see an amount charged in limits of 0.510 $ and after some minutes a big order of 1000 $, payment has an imense chance to be declined. Alright buddy, now let me tell you about how checkers work per general and why it's not a very good idea to check a CC using many of available on market checkers. A credit card checker is based on merchant. It's like taking the CC and paying at a shop. The merchant will just hold a small amount on card (if this amount is present of course the card is Live), or it will charge it. Checkers which just hold amount are better, but not perfect at all. Some checkers are using hacked merchant accounts in different countries, other are using merchants created by themselves, which is better and not associated with fraud. Banks don't really like cards being used in a different country. For example, card is issued in US, but you use it in South Africa. This looks suspicious of course, especially if cardholder

never made a single payment to South Africa in his life.. The same thing happens with checkers too. For many checkers, we don't really know where is located the merchant. It can be in US, in South Africa, or in Australia, and all these things add a risk for card to get dead because of us checking it. There are a lot of factors involved. History of cardholders spendings, his spending's pattern, and also Bank. There are sensitive banks, which have strong antifraud measures and can block the card just by having a little suspicion about fraud. Also, there are banks that don't care a lot. Amex Company is a good example, and for almost 80 % of Amex cards even a few checks won't kill the card most of the times. 1. Checkers Semi-private checkers where you check your cards for a little amount paid. Some of them charge the card, and some of them just put hold on funds to see if they are in account. Some of such checkers for which i heard normal feedback are ugmarket.com, Ucheck https://ucheck.cc/register/ cubi11.com - Vietnam based, for them you must pay. 2. Donation sites Sometimes this is a better method, everything depends on your goal. A good way to check card through donation sites is to make it with help of authorize.net merchant. This is a relatively easy merchant to card. You can google something like „donate authorize.net” or "donate through authorize.net" and you will find sites After you checked your card, and found out that it is valid, give it a little time to rest. I would say something between a few hours and 1 day. Another option is also to check the card via sites like Netflix for example

3. Third method is a personal method and i didn’t see many people using it. First, you go to wallet.google.com and make account if you already dont have it. There you choose payment methodcredit/debit card, enter card details, and save them. If you see error that your card can’t be authorized, in most of cases it is dead. Same thing you can do also with yahoo wallet.
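The issuer-side scoring this page describes (points from 0 to 999, manual review above 300, automatic block above 500, and a small charge followed by a large order read as card testing) can be sketched from the defender's side. This is an added example, not code from the original page or from any bank: the weights, the probe window, the `Txn` fields and the sample transactions are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds as stated on the page (scores run from 0 to 999).
REVIEW_ABOVE, BLOCK_ABOVE = 300, 500
# Assumed values for this example only; not any real issuer's weights.
W_HISTORY, W_INTERNATIONAL, W_PROBE = 250, 200, 300
PROBE_MAX_AMOUNT = 10.00
PROBE_LOOKBACK = timedelta(hours=72)  # look back days, not just minutes

@dataclass(frozen=True)
class Txn:
    when: datetime
    amount: float
    country: str
    merchant: str

def score(txn, history, home_country):
    """Return (points, reasons) for txn given the card's earlier transactions."""
    past = [t for t in history if t.when < txn.when]
    points, reasons = 0, []
    # Comparison with the cardholder's own past payments.
    if txn.amount > 5 * max((t.amount for t in past), default=0.0):
        points += W_HISTORY
        reasons.append("amount_far_above_history")
    # First payment outside the cardholder's country.
    if txn.country != home_country and all(t.country == home_country for t in past):
        points += W_INTERNATIONAL
        reasons.append("first_international")
    # Card testing: a small charge at a merchant the cardholder never used,
    # followed by a much larger order at another unfamiliar merchant.
    established = {t.merchant for t in past if txn.when - t.when > PROBE_LOOKBACK}
    probes = [t for t in past
              if txn.when - t.when <= PROBE_LOOKBACK
              and t.amount <= PROBE_MAX_AMOUNT
              and t.merchant not in established]
    if (probes and txn.merchant not in established
            and txn.amount >= 20 * min(p.amount for p in probes)):
        points += W_PROBE
        reasons.append("probe_then_large_order")
    return min(points, 999), reasons

def decide(points):
    """Map a score to the action the page describes for each threshold."""
    return ("block" if points > BLOCK_ABOVE
            else "manual_review" if points > REVIEW_ABOVE else "allow")

def demo():
    """Score three constructed transactions against a constructed history."""
    t0 = datetime(2017, 7, 10, 12, 0)
    base = [
        Txn(t0 - timedelta(days=20), 30.0, "US", "grocer"),
        Txn(t0 - timedelta(days=12), 45.0, "US", "grocer"),
        Txn(t0 - timedelta(days=5), 28.0, "US", "fuel"),
    ]
    probe = Txn(t0 - timedelta(hours=30), 1.0, "US", "donation-site")
    cases = {
        "routine": (Txn(t0, 40.0, "US", "grocer"), base + [probe]),
        "abroad": (Txn(t0, 300.0, "ZA", "hotel"), base),
        "after_probe": (Txn(t0, 1000.0, "US", "laptop-shop"), base + [probe]),
    }
    return {name: decide(score(t, h, "US")[0]) for name, (t, h) in cases.items()}
```

The probe in the sample history is 30 hours old and still contributes to the score, which is why the look-back is measured in days.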
