Nearly every week we get a call from a new client, asking us to help clean up a site that got hacked or attacked. We have a vast amount of experience rooting out virtual attackers. However, we see new methods of attack all the time.
Prevention is the best practice to avoid hackers on your eCommerce site and in your personal life. It’s important to make sure you research your credit card processors and read the fine print. But things can happen and it’s always best to know what to do in the event of a hack. To better understand a hacker, I’ve worked with my team to try to get inside their head.
If an eCommerce site is hacked, then the most valuable data is credit card information. (If it’s a non-eCommerce site, they might try to vandalize the site or encrypt the contents and demand a “ransomware” payment to get the data back.)
What can you do with stolen credit card information? A hacker could:
- Sell the data in bulk online.
- Use credit card information to purchase online goods and services. (If they’re smart, they won’t use a stolen credit card to ship items to their house.)
But is it possible to take credit card information and actually create a cloned physical credit card that works?
How easily can you skim credit cards?
Out of experimental curiosity, I purchased a magnetic card reader/writer and 25 blank magnetic cards on eBay for about $70.
When it arrived, I plugged it into my computer and downloaded the MSRX software onto my computer.
I started to scan in everything in my wallet, mostly to see what was encoded on the magnetic stripe, and it was fascinating.
For example, my driver’s license’s magnetic stripe contains my full name and address. My Costco card’s stripe has the membership number, which is read by swiping the card and then verified through a database.
My local grocery store card contains the store ID and my membership ID number:
(I’ve changed the numbers so that nobody can clone my grocery card and start using my fuel rewards points!)
The information is encoded on two of the three tracks on the magnetic stripe. That way if the system can’t read one track or it’s damaged, it can try the other track.
Next, I decided I would try to clone the data on my grocery store reward card and write it to a new blank card. The blank card is a plain white card with a black magnetic strip on the back. I first had the system read the information, and then copy it to the blank card.
Then I scanned the new “cloned” grocery card and compared the information on it to the original. The information on the reader appeared identical.
But the proof was in testing. Would my new cloned King Soopers card work when I went to the store? It was time to find out.
I decided to use the self-checkout option and bought a tuna poke bowl for lunch. (I didn’t want to have a checkout person see me swipe a blank white credit card and get suspicious.)
So I went to the self-checkout kiosk, and swiped the cloned card. And it worked!
Wow... kind of cool and scary too!
Now, on to step two: cloning one of my credit cards.
I scanned one of my credit cards, and wrote the details onto a new blank white card. The blank cards don’t have chips so it is trickier to get it to work properly.
I went back to the grocery store, and used my cloned loyalty card again. Then I tried to use the cloned credit card. But it didn’t like the fact that I was trying to swipe the card instead of using the chip reader.
After a couple of attempts, I paid with my real credit card and used the chip method.
I decided to go across the street to the gas station. Why the gas station? They still use the magnetic stripe swipe system – the pumps haven’t been upgraded to use the chip feature.
Again, I used my cloned grocery rewards card to log in and get my loyalty rewards. In this case, I saved $0.03 per gallon. My car has a big tank, so any discount is helpful.
The moment of truth: would my cloned credit card work at the gas pump?
I swiped it in, and the system asked me for my zip code and I entered it promptly. It then let me pump gas!
I was able to physically copy one of my live credit cards, and then use it without a problem. I did need to know the billing zip code, but if I had stolen it from an eCommerce site, I would have that detail regardless.
What I discovered was that if I was able to “skim” or secretly scan someone’s credit card (and figure out their zip code), I could use that information to utilize their card.
However, credit card companies know this, and monitor for signs of this activity. So if I skimmed a credit card from someone that didn’t live nearby then it wouldn’t succeed. The credit card company will often think this is fraudulent and will flag the card and start declining purchases.
This situation actually happened to me once. Someone used my credit card number at a dollar store in New York and spent $150.
Which is quite a bit of stuff to buy at a dollar store! The credit card company flagged this as suspicious, as I had also just used the card at a location in Boulder, Colorado.
I wound up having to cancel that card, and I wasn’t responsible for the charges at the dollar store. (Unfortunately, the dollar store most likely had to eat the $150 fraudulent purchase.)
Can you rewrite new credit card info onto an old credit card?
Cloning a credit card onto the equivalent of a blank white card has some limitations such as having no chip.
I wanted to see if I could load my live credit card number and information onto an older credit card. One that had numbers on it, and that matched my name that was on my ID.
Some limitations to this:
- I still couldn’t quite use the card at a place that has chip technology since the card is expired. It only works at places with older readers that haven’t upgraded, and these are becoming more and more difficult to find.
- Some places (such as Office Max) require the cashier to take the card from you and enter in the last four digits of the credit card number into their point of sale system. If the numbers on the card are different than the ones scanned into the system, then the sale is flagged as fraud.
I found a store that hadn’t upgraded to the chip reader and just had the older magnetic stripe reader. And it worked! Crazy!
Is it possible to create a physical card from stolen online information?
The fourth and final step for me was to check if I can take credit card information that a consumer might enter online, and see if I could encode a blank credit card that could actually work.
In order to do this, I needed an understanding of what the specific code on the magnetic stripe meant. Check out the example code below. Ironically, the original information was changed to protect myself from credit card fraud.
Here’s a look at the (edited) raw data that was encoded onto my magnetic strip from a real credit card:
%B4780000000000000^APPLESEED/JOHNNY B ^180710201000000000000000000000000?
Before I could start the process of creating a credit card from online data, I needed to figure out what the card magnetic strip data actually meant.
How to Decode a Credit Card’s Magnetic Strip Data
To start, magnetic cards contain three tracks. The first track can contain up to 79 characters and the second track can hold 40 characters.
Most magnetic card reader systems are designed to read both tracks in case one is damaged. However, the third track is rarely used. In all of the cards I scanned I never found a card with information on the third track.
Here’s a breakdown of the information on the card:
- Start sentinel = % (This indicates the start of the information on the card.)
- Format code = B (B indicates a credit or debit card.)
- PAN (Primary account number) = up to 19 digits. In this case, the credit card number.
  - The first digit of the credit card number indicates the type of card (3 = Amex, 4 = Visa, 5 = Mastercard, 6 = Discover).
  - The next five digits of the credit card number indicate the card issuing bank. Visa and Mastercard have 16 digits; Amex has 15 digits in the account number.
- Field Separator = ^ (This tells the system that the account number is complete, and that the next field is beginning.)
- Name: 2 to 26 characters.
  - In this case, last name, First name, Middle initial. I’m putting in Appleseed, Johnny B.
- Field Separator = ^ (Again, this says that the name is finished, and move on to the next field.)
- Expiration Date = YYMM. In this case, the card’s expiration date is formatted as 1807 which translates to July 2018 (YYMM).
- Service Code = 3 digits. The next three digits are the service code. In this case, 201.
  - The first digit (2) says that I can use this card internationally, but to use a chip where available.
  - The second digit is zero, meaning normal. If it was set to a 1 or a 2, it would flag a system to contact the card issuer.
  - The third digit, in my case ‘1’, sets restrictions on how the card can be used.
Card Restrictions Codes
0: No restrictions, PIN required
1: No restrictions
2: Goods and services only (no cash)
3: ATM only, PIN required
4: Cash only
5: Goods and services only (no cash), PIN required
6: No restrictions, use PIN where feasible
7: Goods and services only (no cash), use PIN where feasible
After this is what is known as the “discretionary data” on the card. This could store the card’s PIN #, a code that can be used to check the PIN, or other information.
Discretionary data is optional, but it can contain a CVC1 code.
What exactly is a card’s CVV2 and CVC1 code?
I’m sure you’re familiar with the CVV2 code – the three digit code on the back of a Visa or MasterCard or a four digit code on the front of an Amex. (Amex uses a four digit code because their primary account number is 15 digits instead of the 16 for Visa / Mastercard).
This three digit code is what you have to enter in to a lot of eCommerce sites to “prove” that you have the card in hand.
It’s not a number that’s stored in the magnetic strip.
From my understanding, the CVV2 code is a computed number that is based on the primary account number (15 or 16 digits), the expiration date, a three digit service code, and then multiplied and calculated against two secret encryption keys that are known only to the card issuing bank.
When you place an order online, this three digit code is a final step to verifying the card.
But the magnetic stripe information contains a CVC1 code. This is a data point that is written into both tracks of the card.
The CVC1 code is never used online.
It is likely that the code has been manipulated by an algorithm. A basic example could be to take the actual number (1234) and multiply it by an arbitrary number, such as 55632. The result would be 68649888; that might be the card number. (My guess is that the calculation is much more complex.)
If you know the secret number, you can take the 68649888 number, divide it by 55632, and then on the server side know that this correlates to the actual number 1234.
Additionally, there’s an End Sentinel separator usually set to ?.
And finally, there’s a Longitudinal Redundancy Check (LRC) that is 1 character. It’s used to verify that Track 1 was read accurately. If track 1 wasn’t read accurately, then a system might automatically default to track #2, or just show a card read error.
Here’s the information for track #2:
It’s basically the same information from Track #1, without my name. It also has two fewer digits at the end of the discretionary data.
Track #3 is usually blank.
Track #3 was originally designed as a track that an ATM could read or write information to, including an encrypted PIN, your country code, currency units (i.e. US$), and the amount authorized to withdraw from the ATM. But because this could be manipulated easily (with a card writer like mine), it’s not really used.
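For an eCommerce site owner, the practical use of the Track 1 layout above is spotting track data that has leaked into logs or database dumps, where it should never be stored. The following is an added example, not code from the original post: the function names, the log lines, the Luhn check and the 12-digit PAN minimum are assumptions made for illustration.

```python
import re

# Track 1, format B, as broken down above:
# %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Assumption: a 12-digit PAN minimum, to cut false positives on short numbers.
TRACK1_B = re.compile(
    r"%B(?P<pan>\d{12,19})\^(?P<name>[^^\n]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?\n]*)\?"
)
# Third service-code digit, indexed 0-7, from the restriction table above.
RESTRICTIONS = (
    "No restrictions, PIN required", "No restrictions",
    "Goods and services only (no cash)", "ATM only, PIN required",
    "Cash only", "Goods and services only (no cash), PIN required",
    "No restrictions, use PIN where feasible",
    "Goods and services only (no cash), use PIN where feasible",
)
# Constructed log lines; the track string reuses the page's edited sample values.
SAMPLE_LOG = (
    "12:00:01 INFO swipe accepted terminal=7\n"
    "12:00:02 DEBUG raw=%B4780000000000000^APPLESEED/JOHNNY B^1807201000000000?\n"
)

def luhn_ok(pan):
    """Luhn checksum: filters digit runs that are not plausible card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_track1(text):
    """Return one masked finding per Track 1 string; never the raw PAN or name."""
    findings = []
    for m in TRACK1_B.finditer(text):
        pan, exp, svc = m["pan"], m["exp"], m["svc"]
        restriction = RESTRICTIONS[int(svc[2])] if svc[2] < "8" else "unknown"
        findings.append({
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "luhn_valid": luhn_ok(pan),
            "expires": f"20{exp[:2]}-{exp[2:]}",  # assumes a 20xx year
            "chip_preferred": svc[0] in "26",  # 2/6: use the chip where available
            "restriction": restriction,
            "discretionary_len": len(m["disc"]),
        })
    return findings

def redact(text):
    """Replace every Track 1 string so it never reaches stored logs."""
    return TRACK1_B.sub("[TRACK1 REDACTED]", text)
```

The edited card number in the sample fails the Luhn check, which is expected for a number that was altered by hand; a scanner can report such hits at lower confidence instead of dropping them.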
Circling back to my original challenge: Could I take credit card information, like the information that I would enter to place an order online, and encode that into a credit card that would actually work?
The biggest challenge was the discretionary data.
The questions I kept asking myself:
- Leave the discretionary data blank (set it to all zeros) to see if this would work?
- Use discretionary data from another card to see if this would work, because perhaps the card reader didn’t really use this information?
- Just give up and not try this, because it’s a little crazy?
If the discretionary data wasn’t really used during the authorization process, then I could make it work by “creating” a credit card from online data.
But if the discretionary data was actually used during the authorization process, then the bigger risk is that trying to use that credit card number would flag the transaction as fraudulent, and have my credit card company shut down the card.
And that might be a difficult conversation to have with their fraud department.
I could say that I was doing security research for my blog, and decided to see if I could clone my credit card by using a magnetic card reader I bought on eBay.
Good luck with that conversation and getting another card from the bank. Plus not getting flagged for life. Additionally, maybe having the FBI or Secret Service show up.
I considered using a credit card that I don’t use much and didn’t mind if I triggered something with the credit card company.
However, in the interest of avoiding trouble and for the purposes of this publicly-posted blog, I chose option #3 – Pass.
While it’s possible to encode a blank card and either put blank numbers or other numbers for the discretionary data, I decided that this was where I should stop.
Even if I was going to do this with my own real credit card information, I didn’t want to start guessing the discretionary data and CVC1 code.
Don’t try this at home or with a credit card number that isn’t your own.
If you do risk this with a stolen card even at a gas station, there are multiple ways you can be caught. First, there are cameras everywhere, and it would be easy to have a camera record your face using the pump. Or photograph your license plate number. Or who knows what other measures are in place to prevent using stolen information?
If I have physical access to your card, it’s a much simpler process of duplicating it. I could run it through a skimmer to record the track information on the card and write down or photograph the CVV2 code on the original card.
Based on the name on the card, I could do a quick web search to find the billing address (typically where you own your house, although not always). With physical access to the magnetic data from the card, I can clone the card and use it at a gas station or another place that doesn’t require a chip reader.
I could also use it online if I can accurately find the address information.
Without physical access to the card, but just data I gathered from credit card information entered onto a site, I could use the information to make purchases online. (Although I wouldn’t want to ship them to a place that could trace back to me.) I could clone the card, make up the discretionary data for tracks #1 and #2 and use the card in the real world at places that don’t require a chip. Although I didn’t test this part out.
So based on the discretionary data encoded onto the magnetic stripe of a credit card, it would be very difficult to “clone” a credit card, using just data gathered online.
My advice is to keep your credit cards close. Most importantly safeguard your ecommerce site, especially if you’re taking credit card payments online. However, don’t be fearful of taking ecommerce transactions out of fear of fraudulent purchases!
We can help make your ecommerce site safer and protect your customers from credit card fraud. Contact us today!