Credit Card Fraud in the Late 90's 1.0.
By Massood
Circa December, 1997
Section I. Introduction and Preliminaries
A. Goal and Purpose
B. Who This Document Is Meant For
C. Introduction
Section II. Credit Card Basics
A. Number Explanations
B. How Verification (i.e. Verifone) and Payment Dispute Work
C. Credit Card Fraud Law
Section III. The Basic Scam Explained
A. Ten Commandments of Credit Card Fraud Conduct
B. Pre-Planning
C. Fake State IDs
D. What You Should Buy
E. Attaining the Credit Card Numbers
F. How the Scam Works
G. Selling the Stolen Item
H. American Express and Discover
I. Basic Summary
Section IV. How Credit Fraud Investigations Work
A. What Initiates an Investigation?
B. Caller ID and AMA
C. The Association of Credit Card Fraud Investigators
Section V. Advanced Tactics
A. Anonymous Recalling Service
B. Anonymous Remailing Service
C. The Benefits of Disguise
D. The Friendly Taxi Cab Driver
E. Moving Up the ID Ladder
F. Voice Modification Technology
G. Internet Commerce Ordering
H. Money Laundering Basics and Why You Should Know
I. How to Frame Someone With Credit Card Fraud
J. Concealing Your Location
K. Have Your Own "Workshop"
L. Voice Mail Boxes
Section VI. Ways to Fight Credit Card Fraud
A. How to Catch an Inside Credit Card Stealer
B. How Your Business Can Fight Credit Card Fraud
Section VII. Bibliography, Shoutouts, and How to Reach Me
Section I. Introduction and Preliminaries
A. Credit Card Fraud Goal
"To attain money that is laundered and clean so one can use it to buy legitiment
things that are owned in your name."
Purpose - This document will attempt to outline a strategy, and the tactics
needed to implement that strategy, in order to attain money through credit card
fraud.
B. Who This Document Is Meant For?
This document is intended for those who own a car and have freedom of movement
without anyone noticing (i.e. your parents). Do not try any of these tactics
until you are out on your own in your own place. If you are underage and have a
curfew, these tactics will not work for you. Also, this technique is hardcore
and requires many months of planning and setup. This technique is not meant to
be a quick way to earn a three hundred dollars so you can go buy the latest
modem.
Patience will reward you with enough money to start your own business or live
comfortably off of your stock and bond investments. Warning: this technique will
not get you rich. The longer you card the higher chance you will get busted.
Card to a certain goal and use that money to get into a legit business in order
to make money properly.
Also this document is meant for those who want to get an idea of how credit card
fraud is committed and how to stop it. A later section in this document I give
some ideas on how businesses can fight credit fraud in their own sales.
C. Introduction
As some of you might already know, credit card fraud has been going on for quite
a while so the people who investigate the crime are quite good by now as are
some of the foremost proponents who have continued to commit the crime without
being caught. The only thing new in the credit card fraud equation is internet
commerce. Orders now can be done over ip without having to reveal your phone
number (hopefully you always called from a payphone) or the signature of your
voice pattern. Calling from a payphone in your home town always revealed your
location if you did not op divert (even with op divert the AMA, automatic
message accounting, will record the number dialed, duration, and originating
number) or call an anonymous recaller service.
This document will show you a way to card professionally with minimal risk. It
will show you a new way to do it. I have searched all over the Internet to see
if someone else had written about my idea but nobody seemed to have done it.
Without further ado, I present some basics to carding and then present my idea.
Section II. Credit Card Basics
A. Number Explanations
There are four major credit cards: Visa, Mastercard, American Express, and
Discover. American Express has 15 digits in the card and the first digit always
starts with a 3 and almost always the first two digits are a 37. Discover Card
has 16 digits and always starts with a 6. Every Discover card I have seen starts
with 60. Mastercard has 16 digits and always starts with a 5. Visa has 16 digits
and always starts with a 4. Some Visa cards only have 13 digits (i.e.: 5023 000
617 789).
Cards on Visa like this one: 5024 0000 6184 3847 are preferred cards which
usually means they have a higher credit.
B. How Verification (i.e. Verifone) and Payment Dispute Work
When you get a card holders information, you sometimes would like to find out if
the card has been maxed out or not. You want to verify it. You can verify it by
calling up an authorization system (usually 800 number) and giving them a
merchant number, card number, name on the card, expiration date, and amount to
be spent. Some places now just require you to send the number, expiration date,
and amount to be spent. No name. They will tell you if the card has enough
credit to cover the purchase.
Getting a merchant number and dial up is pretty easy. One tactic one can use is
to walk into a store (like Blockbluster) where teenagers work. Buy something
(buying helps since you are "paying" for their time) and then ask them how the
Verifone machine works. They will blather on essentially saying how clueless
they are and then you ask them what the numbers are written on the machine. Most
of the time the merchant number and 800 number will be written on the machine
for each card type (Mastercard, Visa, etc.). Tell them your the new store your
working in does not have a clue how the machine works and if you can write down
the numbers so as to call them up and ask for some clues. Usually they will help
and allow you to write it all down. Presto! Your in business. Thank them for
their help and walk away, bumping into a wall or something to prove to them how
stupid and clueless you are.
Remember, the higher the purchase is for the card, the more background checks
will be made to validate the authenticity. Some card places will call the number
you give them and verify that you did indeed make the purchase. There are ways
to defeat this as will be explained later (VMB). For now, try to keep all
purchases on the stolen credit card below $500. Do not put any more on a single
card.
Also, remember that expensive items will sometimes require the courier to take a
signature before handing over the item. In this scheme, it is easy to defeat
this since most of the time you will be impersonating the victim and will have
proper ID to prove you are who you say you are. Other times, another person will
sign for you (hotel manager). Also, 800 number callins will record the number
you called from.
Here we have an excerpt from a training manual. It gives an insight into the
verification process.
"Train operators to listen to tone of voice. Note anything suspicious.
Keep a file of bad debtors, phony names and addresses, bogus companies, and bad
credit card account numbers.
If the address given is a P.O. Box in a large city, check into the order more
carefully--especially it it's from a new customer.
Carefully check any orders with unusually high dollar amounts or involving out-
of-the-ordinary situations, including rush orders.
Both American Express and Optima cards have a four-digit, nonembossed CID number
printed on the front end of the card. It appears on the right border of American
Express, and the left border of Optima. Ask customers who place orders with
these cards for the CID number.
Visa card customers will have a nonembossed number appearing above the first
four digits on their card. Ask them for that number, and verify that it matches
the first four digits of the card's account number."
C. Credit Card Fraud Law
This excerpt was taken from a website and has had all the facts confirmed. I
think the author best explains it so will just quote it here.
- Start Quote -
"The greatest pleasant surprise was that it is a federal law that protects us,
as consumers, from liability as a result of credit card fraud. In fact, you
aren't liable for more than $50! I looked up for myself: Title 15, Chapter 41,
Subchapter I, Part B, Section 1643 of the U.S. Code states that "...a cardholder
shall be liable for the unauthorized use of a credit card only if the liability
is not in excess of $50." Not bad, huh? Why then, all this fuss about credit
card fraud? Well, my research revealed some more interesting results: if someone
steals your credit card and runs up a big bill, it's the merchant that the goods
were purchased from that is the true victim - the merchant flat-out loses the
goods, without repayment or reparation.
United States v. Blackmon, 839 F.2d 900 (2d Cir. 1988): The defendants used fake
credit cards only for the purpose of identification. The Court holds that this
does not constitute credit card fraud under 18 U.S.C. �1029(a)(3). In order to
violate this section, there must be an intent to defraud a credit card holder or
a credit card company. Merely using the credit cards as false identification is
not sufficient.
United States v. Russell, 908 F.2d 405 (8th Cir. 1990): The defendant possessed
stolen credit cards on numerous occasions, but at no time did he possess fifteen
or more. The federal offense, 18 U.S.C. �1029(a)(3) punishes the possession of
fifteen or more stolen credit cards. This requires that the defendant possess
all the credit cards at the same time, and the Government may not aggregate its
proof in this regard."
- End Quote -
Interesting eh? The parts that are not explained well I learned from some books
I bought over the internet. Basically, if a person has their card used to make
all kinds of purchases, it requires them a tremendous amount of work to get the
charges taken off. Sometimes the credit card company will give the card holder a
bad credit report and even after the card holder gets the charge taken off the
card, they then have to fight with the credit agencies in order to get a "no
payment" taken off their credit report. In other words, the card holder will try
and find out who did the stealing with a vengeance. So the cardholder only is
liable for $50, but the bad credit report makes them go insane and most of them
will go take the "insta-investigator" course from Sally Struthers and come
huntin down your ass so if you make a mistake they will most likely get you. Or
even worse would be you carded someone who is rich and they hire a professional
investigator to hunt you down just out of spite. With this technique the
investigator will not have much to go on but if you make one mistake then bam!
So pick your targets well and do not make any mistakes.
Also, even though the card holder and the card company will not have to pay, the
merchent will. The merchant will be stuck with giving you the goods with no
payment. So they will come after you. In the whole scheme of things, everytime
you rip off someone four people are affected. The card company complains to the
card holder to pay the bill.
The card holder complains, pays the $50 required by law, cancels the card, and
goes on to fight the credit company. The card issuing bank gets calls from the
card holder but does not really bother too much with it since they are not out
of any money. Then you have the merchant. They get calls from the card holder
with them asking for all kinds of info about the transaction. So with any ripoff
you do, two people will come after you: the merchant and the card holder. So
beware and know your enemies.
Section III. The Basic Scam Explained
A. The 10 Credit Commandments (in order of importance with 1 being the most)
10. Use caution in using a CC # from someone with an address of "route 6, box 8"
since the person is most likely a farmer who rarely uses his CC and will know
exactly how and where you stole the information (especially bad if you're doing
the info recovery through a insider job).
9. Best way to get Credit card info is from the inside.
8. Join the Association of Credit Card Fraud Investigators (fake name under the
P. O. box where the magazine is sent).
7. Always work on your FIP (Full Identification Packet) skills. until FIP is not
a fake but actually the real documents.
6. Have as many Full Identification Packets (FIP) as possible.
5. Use a FIP only once per drop.
4. Drop off zone should always be a hotel.
3. Only use a drop off zone once.
2. "Lose your face, Lose your name" - Mighty Mighty Bosstones - Always work on
your disguise skills so that when you go to the drop off zone you will look like
anyone you want to be as long as its not yourself.
1. Trust no one.
NOTE : IS stands for Individual Scam. It refers to a single instance of ordering
merchandise from a single company, having it shipped to a drop site, you picking
it up, and then selling it to a buyer. I make this distinction for clarity's
sake since in the advanced section of this document I will refer to a "mulitiple
IS scheme" where you have many IS happening at once.
B. Pre-Planning
Pre-planning means getting your shit together. It means knowing how to answer
EVERY situation that may come up. Many important things must be decided now that
will affect the efficiency of your IS. One is to choose your victim. I do not
suggest using cards from Visa and Mastercard. If possible, use American Express
or Discover. Later on I explain why. If you see a company credit card with visa
or mastercard do not try it. The merchants will not allow the shipping and
billing addresses to be different so the excuse of "I want to send this stuff to
one of my employees out in the field" will not work. If you have American
Express or Discover it mostly will.
Go over in your mind everything that will happen before you begin the IS. Have
all the info you need ready and easily accessible when you make the call (hotel
address, number, zip code, your alias, alias address, number, etc). Practice
talking to the operator over and over to get used to ordering. Drive by the
hotel and decide where you will park, or, if using a taxi cab (described later),
find out the cab company you will call and the pick-up site. Have everything
prepared, even what to do if you drive up in the cab and see a cop car sitting
in the parking lot. Have in mind what you would tell the cabbie. Let nothing
surprise you or catch you off guard.
C. Fake State IDs
In order to satisfy the hotel manager, the delivery person, and the retail buyer
of your identity, you have to get a fake state ID. Most hotels will allow you to
rent a room with just showing a state ID with your picture on it and a date of
birth (most do not even ask for ID, if you look old enough). Fedex and UPS will
not even deliver the package to your hotel room; they mostly ask the hotel
manager if the person the package is being sent to has a room there. If so, the
delivery person drops it off and the hotel attendent calls you at your room.
Sometimes the delivery person may wait for you to show up in order to sign for
the package. Rarely will the delivery person ask to see some kind of ID. But if
the person does, you will be prepared.
Once you check out of the hotel (always check out like a normal person since you
do not want to arouse suspicion), then go to the shop that you have preselected
as your sell point and flash your ID and haggle hard for a good price. Most
dealers will sense your fraudulent if you just agree to the first price that
comes up. Before you go in imagine your best friend spent a lot of money on this
hardware and you're selling it in order to get money to pay for your best
friend's upcoming and unexpected surgery. After your hard haggle, sell the item,
pocket the cash, and walk out.
Where to get a fake state ID? Fortunately, the anarchy of the web provides a
great means. Check out
http://www.icenter.net/~idcards/index.htm - for great state ID cards.
http://www.photoidcards.com/- for state and world ID cards.
They can even have ultraviolet markings and holograms placed on the card for
more authenticity. It is also legal to have and its legal for them to sell to
you. Some of the IDs are only about $50 while others are more expensive. It also
costs more to add ultraviolet markings hotography and the hologram. In order to
get the ID, go to Kinko's or some place like that and get a small photograph
taken of you (say the photo is for your passport, they will not care, usually
costs $11 for two pictures). Get a money order and send that and the picture to
the ID place and get an ID card sent back to you (at your p.o. box).
***NOTE*** Post offices will accept a state ID card as proof of ID. So it would
be wise to open a new p.o. box under a fake name (an ID that you DO NOT use for
an IS).
Also if you are not 21 then your state ID can make you 21 so you can get a hotel
room.
Remember, it is important to make sure the fake ID you have is the same name as
the card you are hoping to use. You might want to get some cards and verify them
first to make sure they have some credit. Then send off for the fake ID's (or
make your own if you have the equipment) and then "become" that person. If the
delivery boy asks for Id, you have it.
D. What should you buy
It is tempting to buy computer systems and then sell them in order to get a lot
of cash (buy a new system for $2000 and then sell it for around $900). But, with
further thought, you will realize that buying computer commodities is usually
better since they are
A. smaller and more easily transported as opposed to a heavy monitor and cpu;
B. harder to trace since the items will most likely be put into a new system (by
the store owner who bought your items) and sold to another person. Most places
would find it difficult to track where every memory module or cpu goes when the
investigator comes around;
C. more buck per pound. The new latest chip may cost around $600 and weigh a few
pounds whereas a new computer system (around $2000, remember the purchase has to
fit within the limit of the actual credit card account) that can fit on a
typical credit card account will weigh around 60 pounds and take up a lot of
space in your trunk. General rule is to have the smallest buck per pound ratio
you can get.
Also, a recent idea of mine is to buy regular stuff. Why do all carders seem to
always card for computer stuff? Why not card for a nice $400 ring? It is much
easier to conceal and to pawn. Why not buy a silver bar with a card? There are
so many things you can card for now over the phone. Any home shopping channel
would be a prime candidate as I gather they just realize that fraud is a part of
their business and they just accept it. Though I would be especially careful
with them since they may have many fraud investigators working for them. But do
not limit yourself to just computer stuff. Buy small, expensive items and sell
them in one day. Then your set.
Remember, most credit card bills go out at the late middle or end of the month.
I would suggest the best time to buy the items would be around the 8th of the
month to the 18th. Only do IS's two weekends in a row and then stop for a month
until the next month. Any more would be pushing it too much. You might give them
a pattern to look for and then BAM! your caught. Remember the most embarrassing
thing that could ever happen to you is getting arrested.
Also, when buying the items, have all the info ready on a piece of paper. Some
places ask for things while others do not. Some may ask for driver's license
number or the issuing bank or a "number on the back." They might ask for the
bank or interbank number (Mastercard). They might ask for social security
number. In most of these cases you should be ready to give up the deal. If the
merchant is this thorough then you might get caught. ALWAYS ALWAYS ALWAYS ask
what they will need to make the purchase. Be very adamant (act like your an
idiot) about knowing what everything they will need to know before you hand over
ANY information about yourself. If they require a shitload of info then say you
do not want to give all that out for privacy reasons (hell, tell them your John
Perry Barlow and you will write bad lyrics about them). Only give over the info
when you know its a good deal. If you screw up, then your whole IS is
compromised and you have to pick a new hotel, new card, etc. So make sure.
Its also important to have many companies ready to call since some may be out of
stock, can not do next day delivery, don't deliver to Guam (do Guamites hack?),
etc. So make sure you got enough places to call so your time spent out in the
boonies with the lone payphone in the heat won't be wasted time and gas.
Things the merchant should agree to before handing over the info:
1. Next day delivery?
2. Different billing and shipping address?
3. Item in stock?
4. Need only the basic info for a transaction (address, number, name)?
I tend to think that the merchant has no idea if the billing address is the same
as the shipping address. I have thought about just saying the hotel address is
my home address. Try that out and see what happens. That way you can use Visa
and Mastercard cards (they require the two to be the same whereas Discover and
American Express usually do not).
E. Attaining the Credit Card Numbers
Many people think this part is the hardest. It is actually the least hardest out
of all the hard things in doing hardcore credit card fraud. An ideal job would
to be in charge of a computer system for a company that process all credit card
purchases through a computer that dials a modem into a verification company and
batches out the cards. Then you can just copy the authorization file and store
it on disk and have all the numbers, expiration dates, addresses, and numbers
for all the purchases. Even if you can only get the name, card number, and
expiration date you can usually look up the name and get a good idea of who it
is (assuming its a local name). Inside jobs are the best ways of getting card
numbers. You can work as a clerk at a mall job and, when you take out the trash
(as you would since your a loser clerk), you can put all the carbons in a box
outside the dumpster and drive around later to pick them up. You can even work
as a mall clerk as a second job and keep your current one.
Other ways are through dumpster diving for carbons. The best way though is to be
in a company where you have access to the file that has the card information and
the customer info. Most places that sell over the internet take all that info
down on the computer. If you become a sysadmin for that place then you are set.
Remember, if you have no skills in the computer then you can not get a job for
any of these companies. I am assuming you know something about computers, that's
why your reading phrack right? So use those skills to get a job in some company
that does internet commerce and hack into that file and get the info. Many
places have databases where they track where their customers are calling from or
which IP addresses they are routing in from and then store in a database the
card info and the card holder info on a geographic map. So brush up on that SQL
and get the info. The opportunities for someone computer skilled in getting an
inside route to the card info are endless. If you cant get an inside track on
card info then you should not be reading this file anymore. Put it away and come
back later when you have some skills.
F. How the Scam Works
Attain the credit card numbers plus relevent information about the credit card
holder.
Information you should have before attempting to proceed:
1. Credit card number.
2. Expiration date.
3. Card type
4. Card holder's name
5. Card holder's address and home phone and/or business phone.
Generally, the more information you know about the card holder the better you
will be prepared to answer any questions the order-taker might make.
The basic scam has a new twist which I have devised on my own. The drop off site
is the most important place in this crime since it is the place all
investigators go to begin the investigation into your whereabouts and its the
only place in the whole scheme in which you actually have to physically reveal
yourself to people who may be interviewed by the investigator. Most people
advise to find an abandoned or vacant house or to have a friend accept the items
for you. The friend idea is not wise as explained in my 10 commandments.
New idea: Use a hotel or motel room for your drop off.
The hotel room has many advantages and a few inconveniences. One advantage is
that your drop off site can be mobile. You can drive to far off cities and have
the drop off site be at a hotel there. You do not have to run around some
strange town looking for a vacant house. Second advantage is singularity. With
hotels you can use a drop off site one time and one time only and then move on
to another site. Remember, it is wise to use a drop off site only once since the
investigator will not have a chance to stake out the place on your second trip
waiting for you to waltz up and get arrested while trying to grab the goods. One
inconvenience is that sometimes you have to drive a long ways to get to a hotel
that is far enough away from your current residence. Plus you have to find time
to check out of the hotel before noon of the next day. That usually means you
have to do it before work. What can be done is to order the stuff on a Friday
and then go on your day off Saturday and pick it up. Or, if for some reason you
can not do this, you can go to the hotel on your lunch break and pick up the
item and check out.
G. Selling the stolen item
Once you have the item, with the receipt, then proceed to a store that buys
computer items or a pawn shop to sell jewelry and shit. Make the sale. Most
places will not ask for ID but if they do, hand them your state ID. It is
usually better to drive up in a taxi cab since then you can tell them (if they
ask) that you are a hater of all cars since they kill (traffic fatalities) and
pollute the air (smog) and that you only use cars when you have to but usually
you drive your Huffy. Remember, pawn shops accept state ID's. As long as they
see an ID, their asses are covered so they don't give a damn about your ID. Take
the money, go to the bank, and deposit it. Then go home and relax.
H. American Express and Discover
American Express is useful since they allow you to send a package to another
address other than your billing address. Visa and Mastercard will usually not
allow the shipping and billing address to be different. Even if you have a
company Visa card they will not allow you to send the merchandise to an
"employee" in some hotel. The merchants will usually make you resend it from
your workplace. So, if possible, use American Express since you know you will
not have a problem.
Discover card is the same way too but some merchants do not know this. Sometimes
they will let you sometimes they won't. Remember, always make sure they will
allow different shipping and billing addresses before you give them that
precious card number and ID info!!
I. Basic Summary
In order to clarify all this, here is a summary of the sequence of events in an
IS.
1. Get a couple of fake ID's sent to you from those companies I listed above
(make sure they correspond to the names of the card holders that you have
verified still have credit).
2. Get five or six cards with card number, expiration date, card name, card
address, card home number.
3. Pick five or six merchants and the item or items you want to purchase from
each of them.
4. Pick a couple of places you know you can sell the stuff once you get it.
5. Wait till a day where you can order the stuff and pick it up the next day
(either on your day off or on your lunch break.
6. Twenty minutes before you order the goods, call a verification place (have
three or four handy in case one is busy or down), and verify the card has still
has good credit left (usually check for a dollar or so).
7. Sometime after noon, call the first merchant and see if they will do what you
want. Give them the necessary info and hang up.
8. Drive to the hotel and check in under the alias name with the fake id in your
wallet. Remove all other forms of ID from your personage.
9. Go beat your meat to the latest pr0n sent to your mail box till the next day.
10. Check voice mail or your hotel messages periodically.
11. Go to the hotel with however amount of stealth you want, and pick up the
stuff.
12. Check out of the hotel.
13. Drive to the sell point and sell the stuff.
14. Go to the bank and deposit it as soon as possible.
15. Hire hooker to have sex with you since you are a stud and too geeky to get
it free.
Section IV. How Credit Fraud Investigations Work
A. What Initiates An Investigation?
Mostly an investigation is instigated, as I have stated before in Credit Card
Law, by merchants or consumers. The two parties can either pursue the
investigation themselves or pay a professional to do it. Always assume they will
investigate and always assume they will hire the best. That way, anything else
will be a breeze to you. Obviously the more money a merchant or person has lost,
the more likely they will go to extremes to get you. So if you maintain $1000 or
less average ripoff rate per card holder and merchant, you minimize the chance
that packs of people will come hounding after you for outsmarting them.
This excerpt was taken from a website. It is interesting to note how banks do
fraud detection with computers.
"Detection of consumer credit card fraud is one of the most prevalent and
successful applications of neural net technology in retail banking today.
The banks with the largest credit card businesses, and thus the highest losses
due to consumer fraud, have been the pioneers of the technology.
Even using the most advanced techniques on card transaction data, consumer
credit card fraud is very difficult to detect with any certainty; even the best
neural net models cannot provide more than about 1 in 3 to 1 in 4 certainty of
actual versus suspected fraud.
For the largest card issuers, optimal selection rates for consumer fraud
investigation using neural net detection technology range from about 0.1% to
about 3.0% of the total transaction base, yielding fraud detection rates of
about 20% to 30% at false positive rates of about 85% to 95%.
A bank card issuer with 1 million transactions per day can generate maximum net
daily fraud prevention savings of up to $300,000 using neural net detection.
Nearly all banks that use neural net technology for credit card fraud detection
use vendor-supplied packages and tools; leading vendors are HNC Inc. and Nestor
Corporation for complete packages, and NeuralWare Inc. for programming tools.
Well over 50 million bank card accounts are screened and scored today for
suspected fraud using neural net technology."
This quote was taken from
http://www.towergroup.com/NONCUST/NOTES/V2/HIGH/v2_017.htm
Great stuff on cc fraud prevention.
Mostly, as I have explained previously, the fraud investigation is done by the
merchant or the card holder. Some places have a full time fraud investigator who
just goes around trying to bust people. Many of these investigators check phone
logs of the merchants call auditing system, interview the person who handled the
order, review any tapes of the voice of the person who ordered the stuff,
interview the hotel clerk who signed for the stuff, etc. So be careful.
B. Caller ID and AMA
Caller ID is not to be worried about since you will always be calling from a
payphone. It does not really matter if they trace it (unless your stupid enough
to call from the same three or four payphones in the same area). AMA information
is almost the same. It does not matter that AMA can track you even if you op
divert since your still calling from a payphone. I would suggest calling from a
different, random payphone everytime you do an IS. Its hard to break away from
habit and to break away from convenience to drive a long ways across town to
make a call, but its worth it compared to all the "inconvenience" you will
receive from Bubba and his horny gang in the state pen's showers.
C. The Association of Credit Fraud Investigators
A good place to keep up on whats happening in credit fraud investigation is to
use a fake P O box (remember, use a fake state ID to open up a PO box under an
alias and get into this organization) and join the Association of Credit Card
Fraud Investigators. It always pay to know how the enemy will come bust you!
Section V. Advanced Tactics
A. Anonymous Recalling Service
I have heard of some companies that will allow you to dial into their pbx for a
fee and call out on another line thus concealing your location. The caller ID
and ANI (Automatic Number Identification) info passed along to the victim
company will be that of the anonymous recaller service. Clearly a service such
as this one would be a haven for carders and other criminals. I would tend to
think that a company that offers this kind of service would be visited by the
authorities frequently in order to trace back a call. I have not yet found a
company that offers these services but I have formulated what would be some
basic tenents that a company like this would have to do in order for it to be
usable by the carder.
They are:
1. The company would allow you to buy a block of time that can be used on a per
minute basis (i.e. use a money order and purchase a 60 minute block of usage for
$60).
2. The company would allow you to pay with money order or cash so as to not have
to give a real name.
3. The company does not retain any logs of incoming ANI information so the
authorities can peruse at their discretion later.
Of course you would call from a payphone so no one could really trace you back
but the ANI information from a payphone is announced to the victim company and
investigators later on can know the exact place you made the call. With an
anonymous recalling service the investigators would not know where you called
from. The only thing they would know was the location of the cardholder's
address (the person who owned the card number that you used to steal the
merchandise) and they would know the place where it was sent to.
I know of no way presently to conceal the cardholder's address but I have an
idea on how to conceal and confuse the location of the drop-site.
B. Anonymous Remailing Service
An anonymous remailing service would be a place that would receive packages from
abroad and reship them to your drop-site. I have heard of places like this but
have never seen a place that actually does it. Of course you could ask someone
in a certain town to reship it to you for a fee and start a relationship with
this person. But most likely this person would get suspicious and call the
authorities and they would come to your drop-site and arrest you. So that would
be a bad idea. This idea violates the most sacred commandment: commandment one.
You may argue "The person does not know of my identity so in essence I am not
trusting this person." But, alas, the person knows where you will be when the
delivery is made to your drop-site and can tell the authorities beforehand.
Also, it is highly irregular to have packages reshipped to somewhere else so
suspicion would already be raised and thus, you would be increasing your chance
of capture.
If I ever find an anonymous remailing service I would hope they have certain
characteristics:
1. The company would allow you to buy a certain number of "pounds" that can be
shipped. For instance, a person might pay $60 dollars for a total of 30 pounds
to be shipped anywhere in the United States.
2. The company would allow you to call in and tell them to flag a package that
is addressed to "Mark Templar," for instance, and have it sent to another
address with maybe even another name on the package.
3. The company would not keep any records of the address of the redirected
package. The only thing they would have on hand is your account name and
password (in order to identify yourself
C. The Benefits of Disguise
"Lose your face lose your name." - Mighty Mighty Bosstones
Obviously, the less accurate the hotel clerks description of you the better off
you are if the feds come a knockin. Try to decrease your exposure as much as
possible. Color your hair for a month of IS's, put on a mustache, grow a goatee
(you know you always wanted to do that), wear a different style of clothes,
cross dress, etc. If the feds are looking for a woman in spandex and your a guy
in a tshirt and jeans with pizza stains all over you, they will not have much of
a case. Be imaginative.
D. The Friendly Taxi Cab Driver
If you desire, you can go to your drop site in a taxi cab and have the cabbie
wait a while until you get your goods, check out of the hotel, and leave. This
way no one can see the car you drive and record a driver's license number. You
could have the cabbie pick you up at an apartment complex or something about a
mile away. Have them take you to the spot and take you back. No one sees your
car or anything. The taxi cab cost will add a little to the overhead but its
worth the decreased exposure.
E. Moving Up the ID Ladder
Once you get some money you can spend it on getting your own laminator and
camara with matching software. This way you do not have to send off money to get
a new ID card. You might even be able to recreate a driver's license. This
equipment can cost some bucks. I would suggest putting the equipment at a
storage place with a battery inside in case the place does not have power
available. If you pay for the storage (usually in 6 month or even higher
increments) then you do not have any incriminating evidence on your own
property.
As you get more skilled at this technique, you can begin to think about forging
fake birth certificates and social security cards and getting the Department of
Motor Vehicles to allow you to take the driving test and get a real driver's
license. I could write a whole article about birth certificate fraud but it goes
beyond the scope of this article. Suffice it to say it can be done for those who
know.
F. Voice Modification Technology
Many places sell voice changers; some are better than others. Some devices do a
really good job at making you sound like anyone you want to be. Others can only
do four or five voices. Investing in these devices can be useful since some call-
in places record the voices of those who call in for later use. If you are
captured and the feds try to bring this evidence up against you, you would be
able to get out of a conviction since your voice is not the same. I would also
suggest storing this device in the storage room also.
G. Internet Commerce Ordering
Internet ordering requires different skills. I do not suggest internet ordering
since find calling it in over the phone more anonymous. I suppose if you used a
sniffer on the same segment as your connection and spoofed the order form you
could get the anonymity but that requires techniques and it also requires you to
break the law (spoofing and sniffing). Its a basic rule that the less laws you
break, the safer you are.
Also some of you may have the smart idea of using an anonymous web browsing
service like anonymous.com or this navy.mil site I have used. Both sites will
reveal in a second their logs to any authorities. All it takes would be for the
investigator to look at the merchant's logs to see the ip you came in off of
(which might by anonymizer.com, for instance), then go to anonymizer.com and
look at their logs, then go to the owners of the dial-up service you use, look
at their logs, and they may eventually have to look up the logs at the local
telco. Even if you call into a stolen dialup account the owner of the account
will demand to see the telco logs (because he or she is professing innocence)
and the logs will point to your house. The only way this may work is if your
using a laptop with acoustic coupler at a pay phone. Then you would not care if
they traced the call back. But that requires some bucks (the A/C, laptop, etc.)
and is not really worth it. But it does offer the computer elite among us a
chance to show some skill so I guess it is okay.
So either way, spoofing or dialing in on a stolen account (or an account you
opened up with a money order to the ISP under a false name) requires you to
break an additional law in order to commit credit card fraud. As I have said
before, the less laws you break the better. So I generally frown upon these
ideas as being too extravagant without any real tangible advantage over plain
old voice call-ins. Maybe I am wrong. Would like to hear some opinions.
H. Money Laundering Basics and Why You Should Know
Now that you have all this money what to do with it? I would suggest depositing
it into a bank for savings. As had been said before, the longer you card the
more chances you will get caught. Put the money in the bank and then pull it out
when you are ready to open your own business, invest in stocks, or whatever. The
money will look clean to the IRS as long as you do not have too much money
deposited into it all at once (say $10,000). Put in a little every week and if
the IRS comes a knocking you can claim it is money you saved from not buying
porn magazines or something. I would suggest depositing around $200 to $500 a
week. Banks are not required to report to the regulators deposits this low so
you are safe.
I. How to Frame Someone With Credit Card Fraud
This part is really easy. You are now fully aware of all the pitfalls that can
befall you as you card away. Make some mistakes this time but point the trail to
an enemy. If your a phreaking god then make the ani info point to your enemy's
house. Or, break into his pedestal that services his house, call him up, and
keep him on the phone long enough to find out which pair of wires is his number
using your inductor. Then use your lineman's phone to dial up the merchant and
start the transaction. Or you can call up some phone sex place and talk for
hours (though most hang you up after 15 minutes and make you call back).
Use this technique to frame an enemy. Do the scam but have the mailing address
be your enemy's house. The more you have delivered there the more likely the
fraud detection software will go off and the more likely your enemy will get
busted. One sure fire way to set it off is to order lots of items with around 6
different credit card numbers and have it all ship to the victim's location. Do
all the orders in one hour. More than not, the feds will show up at his door and
bust him. Remember, you can do this to anyone (federal officials, movie stars,
etc.).
J. Concealing Your Location
One way to avoid revealing your location would be to fly or drive to another
state and then make the order from there. The idea is to leave on a Friday
afternoon and arrive that night at a hotel room where you check in and pay for
it with cash. You then go to a nearby payphone and order your goods and ask for
next day shipment.
When you go to the hotel and to the computer shop do one of two things in order
to conceal your car:
1. Park a block away and walk there.
2. Park a half mile away and take a taxi.
You do not want the hotel manager and/or the computer shop owner to jot down
your license number and vehicle description (plus your physical description) if
they become suspicious and want to check out where you purchased the item.
Remember you will have the receipt of the item so they would know where you
bought it at.
K. Have your own "workshop"
This part is important. If the feds come and bust you, they will search your
house. You are screwed if you have incriminating evidence lying all over the
place. Especially if you get your own laminator, software, camara, etc, then you
can not just run a script on your computer and deep wipe it all from your house!
So you need to get a storage place to hold all your tools. I would suggest using
a fake state ID to get a storage site that offers electricity. If you can't find
that, get a battery to power the items. Drive there without being followed and
do your work and then leave. Once you are done with the IS, go back, store
everything, and go back home. That way if you ever get busted, no one will know
where all the stuff is. All the card numbers, devices, etc. are all in a locked
storage room under a different name using an alias you have never used with any
individual scam (IS).
L. Voice Mail Boxes
Most merchants will ask for a number in case the order goes bad and they need to
call you up. If you give them a fake number and they call then the call will not
go through. Sometimes the merchant will call the number to see if the number is
real. The worry is that if you do not know if the merchant has called the number
than you do not know if they have tried to verify the purchase. For instance, if
a merchant tries to call the number and they get a Burgerking, then they might
call the card issuing bank and ask for more verification of this sale. The bank
will either call the card holder or give the correct number to the merchant and
they will call the card holder. Then they will figure out your trying to scam
them (remember the two people ripped off in each IS is the merchant and the card
holder) and they will call the police and have them pick up your dumb ass at the
hotel the next day.
So to make sure this has a low likelihood of happening, get a voice mail box.
Sometimes you can get away with giving them your hotel number but that means you
have to admit your calling from a hotel and keeps you from trying to pass off
the hotel address as being the actual address that you live at (remember the
merchant has no way of knowing if the address you give them is actually the
billing address unless they go to extraordinary lengths to find out). Its better
to get a voice mail box and check for messages. You can normally order the VMB
through the phone and send a money order to the place.
Some places will actually open up the box for you for a week in exchange for
your promise to send the payment. You can then make the voice mail recording
message to act like its a home answering machine. Make sure the VMB is direct
inward dialing. It would not look good to have the merchant go through the
"Atlas Voice Mail Company" menus in order to get to you. So invest in a VMB so
you can have the peace of mind of knowing if the merchant is trying to set you
up or not. Change the VMB you use often.
Section VI. Ways to Fight Credit Card Fraud
A. How to Catch an Inside Credit Card Stealer
If you are in the business of wanting to catch someone who you suspect is
getting credit card info from your company and is using it to buy things, I have
some suggestions. One thing you can do is get the FBI or local authorities in on
it. Talk to them and suggest what can be done. What can be done is to first scan
the entire computer system for any cron jobs or resident programs. These things
may be copying the credit info file offsite to some remote IP address. If so,
lookup the IP address and go from there.
Another tactic is to plant a card into the credit file and wait. Get a card from
the police that has only a $1000 dollar limit or, at the most, a $2000 dollar
limit. Put the card into the credit file and wait. If you are lucky, the moment
that card is used you will know that most of your suspicions will be true. From
that point, call the card company and ask about the transaction and then talk to
the company that was called and look into their call auditing system and see if
you got any caller ID data or ANI number. Then, if you have not found out a
number, get the police to call the local telco and get the logs and find out
where the call was made from.
Now you may find out the call is from a phone booth. If the call was from a
house or something then you're set. Bust whoever lives there and hope they are
the employee your suspecting or, if not, that the person will give you evidence
against the employee you suspect. Remember, you know that the person is giving
out credit info since your company is the only place the plant card has been
"used." If the call was from a phone booth, compare the location of the phone
booth to the suspected employee's residence.
If the call came from a phone booth then you do not have much evidence to go on.
What I would suggest next to do is hire a consultant (or do it yourself if you
have the skills) and place all kinds of tripwires and watchdog programs on the
credit info file to notice any change in its status. Hopefully, your expert or
your expertise will have more skills than the suspected employee and you will
catch the employee copying the file and bust him or her.
B. How Your Business Can Fight Credit Card Fraud
If you are a merchant and find out that many of your transactions are
fraudulent, then I suggest to hire a professional credit fraud investigator.
They have many techniques to stopping future fraud and some techniques in
catching who did it in the past. Remember, the key to stopping credit card fraud
is using the same way any house tries to stop a burgler. You know you can never
make your house full-proof from a burglary but you want to have enough defenses
so as to deter someone from attempting a break-in. You want them to move on to
someone else easier. Likewise, a good professional will train your employees
well enough that they are able to detect when a fraudulent credit card is being
used. The professional can also get your computer system set up so that no
employee in their right mind would attempt to copy that credit file. Eventually,
word would get out to the criminal carders out there that your company is not to
be messed with and, like a house with an alarm, dog, and security patrols
periodically, the prospective carder will just move on to another company with
less anti-carding skills.
If you are having specific or chronic problems with credit card fraud abuse in
your company, give me a email at the address I provide below and I will try and
help you out.
Section VI. Bibliography, Shoutouts, and How to Reach Me
It is best to be prepared and take precautions in order to avoid contact. Always
find out as much about your enemy as possible. I have looked ceaselessly for
good books on credit card fraud investigations and the only book I could find on
the web was a book by Burt Rapp which is now out of print and unavailable. I
will attempt to find some resources in the future.
A great source for the beginner is altavista.com. Type in "credit card fraud"
and read on from there. Only about the first 60 sites are decent. As you will
find, as I found out, most of it is old. Hence the need for my update.
One decent book I found which is tangentally connected to CC fraud is "The
Laundrymen" by Jeffrey Robinson. If you are successful enough to need to launder
your ill-gotten gains then this book is worth the read.
I got a lot of info from ordering some books from this site.
http://pimall.com/nais/ They rock my werld.
The final awesome source is to join the Association of Credit Card Fraud
Investigators. Know thy enemy.
Shoutouts: These people have influenced my development into what I am today. I
thank them. Ace from EFNET #2600, Nirva, and Halflife. Tons of respect for you
all.
How to get a hold of me:
[email protected]
Final Note: Credit card fraud is lonely business. NEVER succumb to the
temptation of telling others in RL (real life) or on IRC about your CC skills.
NEVER have a friend, even your best friend, help you out with this because if
that person screws up and gets busted you will most likely be implicated since
the D.A. will let "Best Friend Johnny" squeal on you instead of spending a year
with "bubba." ALWAYS do this alone and ALWAYS maintain as low of a profile as
possible. AND NEVER EVER use the equipment you buy in your own residency.
I will attempt to update this article if anything changes or I happen upon any
other revelations in knowledge and technique. Look at the version number at the
top to see which one you're reading.
