Copy Link
Add to Bookmark
Report
Phruwt Issue 03 008
CARDS ETC.
[Article by Phoney Phreak]
DISSECTING CREDIT/CALLING/DEBIT CARDS
=====================================
Credit cards are used everyday by millions of people all over the world but
very few people even know anything about it. This file will try to explain
to you the various types of cards, its structure and some other interesting
things I feel you may want to know.
First of all, there are different types of cards, but I will break them down
into 3 categories. The first are credit cards. These are cards such as
Visa, American Express, Diners, etc. The other cards are calling cards.
Within this category are BOC, CIID, and Corporate cards. Then there's debit
or pre-paid cards that a lot of companies are printing.
Credit Cards
------------
One of the most common credit cards are the Visa cards. It will always start
with a 4 and will be either 13 or 16 digits. These are the formats: 4xxx xxx
xxx xxxx or 4xxx xxxx xxxx xxxx. The last digit is the checksum digit. The
expiration dates are usually no more than 2 - 3 years in the future. If you
look on your card, you will see a cv or pv next to the date. The cv means
that this is a common card but the pv means you are a preferred customer.
Also, there will be the first 4 digits of your card number somewhere on the
card. They have to match. This is the issuing bank's number. Each bank has
their own unique 4 digit number. The most common is Citibank, which is 4820
or 4128. The fifth and sixth digits of the card identify the issuing bank in
some way, for example, the region or corporate office.
Another common credit card is the MasterCard. This will always begin with a
5 and will be 16 digits. The format is 5xxx xxxx xxxx xxxx. Again the last
digit is the checksum digit. The issuing bank's id number will also appear on
the card as well as being the first 4 digits of your card number. The fifth
and sixth digits of the card also identify the specific issuing bank.
"Entertainment cards" such as American Express is also common. These cards
begin with a 37 and the format is like this: 37xx xxxxxx xxxxx (15 digits).
Likewise, the Discover cards are out there. Their format is: 6011 xxxx xxxx
xxxx (16 digits). Their last digits also check for validity.
Other cards are the Diners Card, Carte Blanche and a Japanese credit card
called JCB (Japanese Credit Bureau) which is fast becoming the most popular
card in Japan. These cards are also being here in the U.S. (as well as other
cards called LIFE, JACCS, and OMC).
Here are all the formats:
Visa (13 or 16 digits): 4xxx xxx xxx xxx
4xxx xxxx xxxx xxxx
Mastercard (16 digits): 5xxx xxxx xxxx xxxx
American Express (15 digits): 34xx xxxxxx xxxxx
37xx xxxxxx xxxxx
Discover Card (16 digits): 6011 xxxx xxxx xxxx
Diners Card (14 digits): 30xx xxxxxx xxxx(304x xxxxxx xx61 or 305x xxxxxx xx61)
31xx xxxxxx xxxx
35xx xxxxxx xxxx
36xx xxxxxx xxxx
38xx xxxxxx xxxx
Carte Blanche (14 digits): 389x xxxxxx xxxx
Universal (16 digits): 4783 55xx xxxx xxxx or 4784 55xx xxxx xxxx
JCB (16 digits): 3528 xxxx xxxx xxxx to 3589 xxxx xxxx xxxx
JAL (15 digits): 2xxx xxxxxx xxxxx
Checksum Digit
--------------
The checksum digit is the last digit of the card number. This number is
checked a couple of times by the switch and billing computers. If the last
digit is incorrect, the card is automatically unaccepted. There are phreak
programs out there can validate a card for you as well as make valid-looking
cards for you (it's still not valid because there isn't any expiration date).
But in case you haven't figured it out or had the time to look at the code,
here is how they do it. I've included a subroutine in Basic that you can
incorporate in your program or learn from it to see how it works. If you
don't want to look at the code this is how it works: This mod-10 integer
procedure will work for Visa, Mastercard, American Express, Diners (and Carte
Blanche), Discover, and JCB cards. Weight #1: 1212121212121212 (for Visa,
Amex, and Diners) and Weight #2: 2121212121212121 (for Mastercard, Discover,
and JCB)
Example One: 4444 0041 3001 128? Visa card
x1212 1212 1212 121 Weight #1
--------------------
4848 0042 3002 148 result of multiplication
4+8+4+8+0+0+4+2+3+0+0+2+1+4+8 = 48 add each digit individually (a)
4+8 = 12 add the digits of the result together
12x10 = 120 multiply by 10
120-48 = 72 subtract from first result - see (a)
72 mod 10 = 2 result modular 10 equals the
checksum digit or the last digit
of card number
Example Two: 5555 0125 1500 058? MasterCard
x2121 2121 2121 212 Weight #2
-------------------
1515 0145 2500 057 result of muliplication (in this case the
multiplication may have confused you...
Look at the 15th digit, 8 x 2 should be
16 but if you add 1+6 that's how you get 7)
1+5+1+5+0+1+4+5+2+5+0+0+0+5+7 = 41 result of addition
4+1 = 5 add the digits together
5x10 = 50 multiply by 10
50-41 = 9 subtract first result
9 mod 10 = 9 result mod 10 equals the checksum digit
Remember to use the correct weight for the specific card. By the way, there
is a file out there on how to make a valid American Express card by Saturday
Knight. It made valid cards most of the time but it didn't include this
procedure so some of the cards that I made didn't validate and, at that time,
I didn't know why. So if you want to make a valid AMEX card, be sure to use
the above method. There are 6 other methods on making valid AMEX cards by
using a cancellation bulletin. Here's what to do (again for informational
purposes only!)...
Example: 37xx xx xxxx x111x The 37 will always be there for AMEX cards and
the 111 will be the format to look for to
modify. Everything else will be the same.
Now for the real stuff: 37xx xxxxxx x101x Add 1 to the 14th digit and
|| subtract 2 from the 15th digit.
+1-2 If it's 0 it means 10.
Everything else will be the same.
37xx xxxxxx xx000 Add 1 to the 14th digit and
|| subtract 2 from the 15th digit.
+1-2
37xx xxxxxx x100x Add 1 to the 12th digit and
| | subtract 2 from the 15th digit.
+1 -2
37xx xxxxxx x102x Convert the 102 to 201.
|||
201
37xx xxxxxx x101x Subtract 1 from the 14th digit and
|| add 2 to the 15th digit.
-1+2
37xx xxxxxx x100x Add 2 to the 9th digit, add 4 to
| | | the 11th digit and add 4 to the
+2 +4 +4 15th digit.
37xx xxxxxx x112x Add 1 to the 12th digit, add 2 to
||| the 13th digit, and subtract 2
+1|-2 from the14th digit.
+2
Be sure to check the last digit with the checksum routine I just gave you. If
it doesn't come out, use another card number. I've made a lot of cards with
about 90% efficiency with the above methods! The other major credit cards
cannot be made in this way, unfortunately, since the numbers in the middle of
the card has no logical format.
Calling Cards
-------------
Most calling cards are issued by BOCs (Bell Operating Companies). They are
always 14 digits. The format is their phone number and a 4 digit pin number:
NPA NXX XXXX ####. The pin digits are usually random (or chosen by the
customer) and the last digit isn't a checksum digit. These cards can be used
on all systems since it isn't proprietary like the CIID cards. The NPA NXX
are used to identify the issuer. Each NPA NXX belong to their own OCN
(Operating Company Number). An OCN is a number from 0002 to 9999 that
identifies the Local Exchange Carrier or Telephone company. All Telcos have
a unique number assigned to them.
By the way, the numbering scheme in the US has changed now as it will no
longer be in the NPA NXX fashion. In the past, the NPA meant that the 1st
digit had to be between 2 and 9, the 2nd digit was either a 0 or a 1, and the
3rd digit was any number except 0 or 1. The N in NXX had to be between 2 and
9 and the X's could be any number. Presently, the numbering scheme is NXX NXX
where the N's represent any number between 2 and 9 and the X's are any number.
What this means is that EVERY single PBX, calling card validation software,
etc will need to be changed to accomodate for this new dialing pattern and
maybe new holes will be created...
CIID (Card Issuer IDentification) cards are corporate (proprietary) cards.
Again the format is 14 digits and the last 4 is the pin. This time the first
6 digits (sometimes referred to as an SCC or Special Calling Card) don't
follow the NPA NXX format like the BOC cards do. Here is an example: 222 059
xxxx xxxx. The first 3 digits will be the RAO (Regional Accounting Office).
This is how they identify the issuer. Again, each RAO identifies a Local
Exchange Carrier but in a different way (different in terms of billing). To
easily distinguish this card from a BOC card is to remember that all CIID
cards have a 0 or 1 in the 4th position.
Validation companies validate calling/credit cards by calling up the
respective issuing company such as Visa, AMEX, PacBell, Nynex, etc in real
time. This means that it isn't a week old database. If a card turns out to
be bogus, the BOC can update their database in a matter of seconds and the
validation company will receive a code saying to decline it because it is
bad. For example, a validation company will usually send out 2 ascii
characters to respond to the card check request. For example, AN (A = P
Accept, N = No Restriction) would be sent as a 65 78 while a DE (D = Decline,
E = Excessive Use) would be sent as a 68 69.
The database the validation companies access are always positive in that it
will store only good cards. A negative database will hold only cards that
should not be accepted. These negative databases are usually found in hotels
for their PMS (Property Management System) or bong boxes (automated operators
that will process operated assisted calls for guests). Since the hotel's
system can hold only so much data, they do a download of a negative database
from validation companies around once a week to a couple of days.
Also, some "Smart Phones" access their own little database in order to
validate their customer's cards. These Smart Phones are payphones (COCOTs -
Customer Owned Coin Operated Telephones) that allow the user to input their
calling/credit card numbers to make an "operator assisted" call. It will then
check back with the owner's database and will approve (process the call) or
decline the card. Some of these phones, for example, will prompt you for your
name and play it back to the called party to ask if they will accept a collect
call from so and so (your name). Since these operator assisted calls are very
expensive, these Smart Phone owners capitalized on this by converting these
operator assisted calls as cheap direct dial calls to get the huge profits.
After the call is made, the phone will either call or will be called by the
owners and all the information (calling/credit cards numbers) are retrieved
and used to bill the customer.
By the way, validation companies contain enough information about the call to
bust you. The companies that complete credit/calling card billed telephone
calls will usually send (depending on the service they have) the calling ANI,
the called number, the date, time, and the billing number (third party,
calling/credit card with expiration date). They do this so other locations
or companies which utilize the same database can get information on which
credit/calling cards are bad without having the fraudulent card used on their
system first.
The companies can later pull a report to see what phone numbers were trying
to make calls using bogus calling/credit cards with their Administrative
Terminal. They send this information in order to block calling areas or
track the number of times someone calls a certain number (identifies fraud).
Other things you can do with the Administrative Terminal besides blocking
cards numbers, you can block trunk numbers or block the number you're calling
from or to, change the number of card uses per 24 hour period (usually set at
15-20), reset or clear this number, inquire about the card and when it was
used (you can usually go back around a month or so), or override the card
(make it always approve). Unfortunately, you need their proprietary software
to access and run this service. You also need to know some special keystrokes
to navigate around their software without any on-line help. Pressing
'ALT-Shift-F1' will allow to you block a card, for example.
Hacking your way into this system would result in a huge selection of cards to
use. All necessary information are here such as expiration dates, issuing
company names, OCNs, calling numbers and/or called numbers. With this
information, you don't have to worry about making operator assisted calls.
Some operator centers are told to ask about the card to identify possible
frauders so if you are nervous or jittery, the operators might ask you for
your name, issuing company's name, the type of card that you are using and
even the zip code of your location. If they suspect you are lying or a
possible frauder, they might process that call but definitely block that
card. The major validation companies are US West Service Link, Card*Tel,
and LIDB (only validates calling cards).
CreditCheck companies also work the same way. Each CreditCheck company
location has a positive database in-house which they validate against. This
database is kept up-to-date (realtime) from either a central corporate office, credit/calling card clearinghouse, or a banking institution.
Debit/Pre-Paid Cards
--------------------
These cards are fast-becoming the most widely used form of long distance
calling. These cards are bought with a certain fixed amount. You use this
card to make your telephone calls and when the card is used up, you can
throw it away. Each card is imprinted with the value, whether it be dollars,
minutes, or units. Each company has its own preference. Units seem to be
the most favorite overseas. Dollars and minutes are somewhat difficult to
calculate at the programming level then have to explain to the consumer what
is left and how much was used since they could call intra-state, inter-state,
and international. Units seem to be easier since you could say it would cost
1 unit for intra-state calls, 2 units for inter-state, and 3 units for
international. With minutes and dollars, you not only have to calculate the
distance and time (or it could be a flat-rate) but you have to calculate the
tax depending on the type of call.
These cards have an 800 number to call then you enter in about 30 numbers.
Twenty of those numbers is just the pin while the other 10 is the number
you're calling. A 7-digit pin could have a million possibilities but try to
hack out a 20-digit pin! There doesn't seem to be an easy way but adding or
subtracting digits from your pin might work. Some pins have certain
information encoded in it like the card denomination, card batch, issuing
company, etc.
Some companies have offered consumers to recharge their pre-paid cards by
asking callers, when the card is used up, to enter a credit card to increase
or re-charge the card. All companies will validate your credit card in some
shape or form but if their system or link is down, they will validate when
everything is back up so using a program to create credit cards might work to
get past the initial checksum check.
Luhn Check Digit Routine
------------------------
This subroutine written in Basic will check the last digit of Visa and
Mastercards to make sure it's valid.
WEIGHT$=2121212121212121
WLEN$=LEN(WEIGHT$)
CLEN=LEN(CC) CC = CREDIT CARD NUMBER
CK.DIGIT=CC[1]
CNBR=CC[1,CLEN-1]
CNBR.LEN=CLEN-1
RESULT=0
WI=CNBR.LEN
WI=WLEN$
FOR IX=CNBR.LEN TO 1 STEP -1
PRODUCT=CNBR[X,1] * WEIGHT$[WI,1]
FOR IDX2=1 TO LEN(PRODUCT)
RESULT+=PRODUCT[IDX2,1]
NEXT IDX2
WI-=1
NEXT IX
MULTIPLE.OF.TEN=(INT(RESULT/10)+(MOD(RESULT,10) GT 0) * 10
TEMP.CHECK.DIGIT=MULTIPLE.OF.TEN-RESULT
CC=(TEMP.CHECK.DIGIT EQ CK.DIGIT)
RETURN
- Phoney Phreak
