Another fraud scenario using plastic bank cards. The most vulnerable are Sberbank cards that can be used for payments on the Internet, starting from Visa Classic and MasterCard Standard. Holders of "payroll" Maestro cards and other Momentum cards are not affected by this technique.
A short primer
1. Sberbank lets you transfer money from card to card and top up someone else's card knowing only its number (on the front side). No other details are needed for this.
2. It is possible to find out the name of the owner of another (!) card by its number, by starting a payment to it through Sberbank-Online. We try to transfer, say, 10 rubles to another card, enter that card's number, and on the “Check details” screen we see the amount of our payment, the other card's number and ... the name of its owner.
3. Many people ask for help and place ads on charity sites. In addition to the usual bank details and WebMoney / Yandex.Money wallet numbers, these ads increasingly include “or to Sberbank card No. XXXX XXXX XXXX XXXX.”
4. There are payment gateways that can charge a card without asking for the CVV (CVC) or the MasterCard SecureCode control code. Amazon.com, for example, is served exactly this way. To pay, you only need to enter the card number, the name of the owner and the expiration date.
The fraudster's algorithm
1. We look for charity sites and LiveJournal posts
like this one:
“You can make a donation to the Sberbank plastic card number at any branch of the Savings Bank of Russia. It is enough to know the card number 676280389109721113, recipient Anastasia Borovkova. THANK YOU ALL VERY MUCH!!!!”
An excellent find: even the recipient's name is given. Transliterated, that is ANASTASIYA BOROVKOVA ... or maybe ANASTASIA BOROVKOVA. There are not many options.
And if the name is not given?
Say the ad reads:
"Sberbank account for transferring donations from card to card (no interest!) - 5469 3800 2643 5684"
Not a problem, we can find out:
a) Open Sberbank-Online and select "Transfer to card":
b) Enter the other person's card number and any amount. After all, we want to make a charitable transfer.
c) And there it is: the cardholder's name.
We cancel the transfer; we have just learned everything we need.
Transliterated, DANIIL FIRSOV? Probably.
2. Collected a database of "Sberbank card number - owner's name" pairs? Excellent. Go to Amazon.com and add a new card:
The CVV is NOT requested!!! There is NO redirect to SecureCode. Sberbank's one-time passwords are NOT requested. A one-time password is NOT requested for Avangard cards either. And the hold is placed immediately.
What do we need to guess? The card type and the expiration date. It is unlikely to be Gold, and certainly not American Express or Diners Club. So it is either MasterCard or Visa, or else Cirrus / Maestro or Visa Electron, which are of no interest to us.
How do we tell which one we are looking at?
Like this:
Visa and MasterCard cards have 16-digit numbers.
VISA card numbers always begin with the digit “4”.
MasterCard card numbers always start with the digit “5” and consist of 16 digits.
A Maestro card number starts with the digit “3”, “5” or “6” and can consist of 13, 16 or 19 digits.
We focus on the first two types (“normal” Visa and MasterCard) and discard Cirrus / Maestro.
Enter the card type, its number and the transliterated name of the owner. All that remains is to guess the expiration date. For how many years are cards issued? Usually 3 to 4 years. People often get a card just as they start fundraising. That gives one or two possible values for the year and 12 values for the month. No more than 36 options. There is no delay and no captcha. The card is either added or not. Not added? We try other values.
Added? We try to buy something ... It may even turn out to be a credit card.
- ?????
- PROFIT!!!
Protection against such fraud
Do NOT publish your card number anywhere. It is often thought that without a CVV, and even without the name of the owner, there is no use for the card number. This method shows that this is a common misconception.
In any case, even if this trick does not work, fraudsters still have ample opportunity for social engineering using the published data.
In addition, to collect funds you can use Cirrus / Maestro Momentum cards issued by Sberbank, which are not suitable for online payments. A scammer is unlikely to gain anything from their published number, even knowing the name and the expiration date.
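On the merchant or issuer side, the expiry-date guessing described above succeeds only because a card can be retried with no delay and no captcha. A velocity check that counts distinct expiry dates tried per card number closes that gap; the sketch below is an added example, not code from the original post, and its class name, thresholds, demo key and sample attempts are assumptions constructed here.

```python
import hashlib
import hmac
from collections import defaultdict, deque
from datetime import datetime, timedelta

class ExpiryGuessDetector:
    """Flags one card number being tried with many different expiry dates."""

    def __init__(self, secret=b"constructed-demo-key",
                 window=timedelta(minutes=30), limit=3):   # assumed thresholds
        self.secret, self.window, self.limit = secret, window, limit
        self.attempts = defaultdict(deque)  # card key -> (timestamp, expiry) pairs
        self.blocked = set()                # card keys held for manual review

    def _key(self, pan):
        # Keyed hash, so the detector state never holds a raw card number.
        digits = "".join(ch for ch in pan if ch.isdigit())
        return hmac.new(self.secret, digits.encode(), hashlib.sha256).hexdigest()

    def observe(self, ts, pan, expiry):
        """Record one card-add attempt; return 'allow', 'challenge' or 'block'."""
        key = self._key(pan)
        if key in self.blocked:
            return "block"
        q = self.attempts[key]
        q.append((ts, expiry))
        while ts - q[0][0] > self.window:   # drop attempts older than the window
            q.popleft()
        distinct = len({e for _, e in q})   # retyping the same date is not guessing
        if distinct > self.limit:
            self.blocked.add(key)
            return "block"
        return "challenge" if distinct == self.limit else "allow"

def replay(attempts, detector=None):
    """Run (timestamp, pan, expiry) tuples through a detector; return the decisions."""
    detector = detector or ExpiryGuessDetector()
    return [detector.observe(ts, pan, exp) for ts, pan, exp in attempts]

# Constructed sample: a public test card number tried with five expiry dates, 10 s apart.
T0 = datetime(2024, 1, 1, 12, 0, 0)
SAMPLE = [(T0 + timedelta(seconds=10 * i), "4111 1111 1111 1111", f"{m:02d}/27")
          for i, m in enumerate(range(1, 6))]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

The "challenge" outcome is where a captcha or a 3-D Secure step-up would be triggered; which one to use is a deployment choice.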