Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
A Guide to Credit Card Hacking (Educational Purpose Only!)
#1
You don't often come across advance level of credit card hacking but I am going to expose how the hackers did it for the benefit of all. The more you know, you less risk you will face. Do not undermine the importance of security.

Credit card companies and banks are already doing a fantastic job in securing the card usage, but it can never be perfect. Human will always exploit the rules, the stronger the policy grow, the stronger the rebellion become.

First of all, credit card usage follow a certain rules including the country of usage, IP address, internet service provider, browser type, system type, purchase history and purchase pattern. In order to perform a fraud successfully, the hacker have to match as close to the 7 factors above as possible. In order to do that, there will be a lot of security guideline to follow. Usually the term OpSec is used between hackers to check if everything is secured.

There are a number of terms and hacking style and Carding is the term to hack, I will be brief on it:
  • Fullz - Particular of a person, used as fake account or cash out usage
  • CVV - Credit card information, for online purchase and transfer money to another person
  • Dumpz + PIN - Duplicate the card for physical use, usually called plastic too. Also known as plastic and there are 3 strip in the credit card but only first 2 are used.
There may be a lot of guides people are selling online on how to cash out, but honestly not many will work. Some asking you to play casino and transfer the money to you, some to buy bitcoin, some to bank drop (which means transferring money to his bank and split the fee with him). As most of criteria does not fulfil the 7 factors or the site is simple blacklisted, hackers are unable to do all the big items anymore. I am going to share with you how cash out using Stripe and money transfer. Make sure all steps are done correctly or once the card is blocked, you can never use it again.

  1. Always work in a Virtual Machine. Download Virtual Box or anything free and install a separate operating system on it - preferably Windows based.

  2. Some times you may need extra security level, you can also add in a layer of VPN to your set up and work purely on it. You can buy anonymous VPN using Bitcoin via - airvpn.org

  3. VPN will change your IP but not necessary to become closest to the card holder. You will need SOCKS5 to map it to as close to the user as possible. Get Bitcoin SOCKS5 from luxsocks.ru or uas-shop.ru

  4. Download and install FraudFox, it is a browser that will allow you to change your browser type, version, plugins, environment and etc. Very powerful tool that you need to mask your actual PC set up and take over the user's specifications as much as possible
    (There are alternatives like anti-detect - it is a full operating system, or some just use Mozilla plugin noscript to disable detection totally)

  5. Find out what are the most common browsers people are using here (if you do not have the user's detail) -  w3schools.com/browsers/browsers_os.asp

  6. Once you are done, check for your browser fingerprint for satisfaction - whoer.net

  7. Then check your SOCKS5 IP address - ip-score.com

  8. Finally check for DNS leak - ipleak.net
    (for all the above, you can Google it to understand what is it and who are the parties that govern it)

  9. Download Tor and access the deepweb, you will need to purchase dumpz, cvv and fullz from AB Forum - pwoah7foa6au2pul.onion/forum/ you will not be able to access using normal browser. Check around to see which vendor has the best rating and who are the trustworthy ones, many people get scammed even before they try to scam others, learn to be smart.

  10. Once you have purchased the card, there are a few ways to check for the card without killing it. You should check the Bank Identification Number (BIN) if it is a good card at bincodes.com or bins.pro, the first numbers in the credit card is the BIN number and the last digit on the credit card is the checksum number. Keep a good list of BIN yourself to know which are the better card with higher balance.

  11. You may also check if the card holder's social security number and its integrity at ssndob.cc or electronicpromo.ru

  12. To upload any information or to communicate with other hackers, usually they will use all anonymous services such as anony.ws to upload image, yandex.com email service and privnote.com read once and destroyed notes to leave no evidence

  13. Cash out through donations at payit2.com, register a Stripe and look for a bank drop or,

  14. Cash out via various bank transfer with bank drop: transferwise.comsendvalu.com & azimo.com
These hackers often will phish your information through fake websites or payment system, they will not deduct your money immediately so you will never suspect, but they will sell your information to other hackers to minimise their activities. Often this is used with key loggers and other virus installed in your computer to capture all these sensitive information. Luckily for us, we have OTP and 2FA to prevent it. Be careful people.
Reply
#2
Thanks for the post...........
Reply
#3
That is a useful one......
Really good .......
Reply
#4
Are you trying to get into trouble? Just in today - 23 Nov 2016

Police arrest young couple for trying to purchase goods with fake credit cards, straittimes.com Wrote:SINGAPORE - A young couple were arrested at Ion Orchard's Louis Vuitton (LV) outlet on Monday (Nov 21) afternoon after they tried to purchase items with counterfeit credit cards.

They were arrested with the assistance of an alert sales assistant at LV, the police said in a press release. An assortment of counterfeit credit cards and items worth more than $30,000 were recovered from them. The items are believed to have been purchased using the counterfeit credit cards.

The well-dressed young couple were understood to be tourists staying at a hotel along Orchard Road, Shin Min Daily News reported.

There were five police cars outside the shopping centre and 10 officers were in the store, an eyewitness named Mr Wang, 70, told Shin Min.

Another eyewitness, Ms Lee, 35, said the couple were dressed very stylishly. After they strode confidently into the store and picked out three items, they tried to pay with the counterfeit credit cards. The store was unable to process the cards despite repeated tries, raising the suspicion of the staff. The staff then decided to hold on to the cards.

Shin Min reported that the woman panicked when the credit cards could not be processed and the duo fled in different directions. The woman ran to a nearby female toilet while the man ran towards another side of Ion Orchard.

LV staff directed the police towards the duo who were eventually arrested.

After about two hours of investigations, the couple were taken into police custody.

They will be charged with cheating and may be fined and/or jailed up to 10 years.

The police reminds merchants and sales staff to exercise vigilance during the upcoming festive shopping season and always adopt correct card acceptance procedures when processing credit card transactions. They should look out for the various security features on the card face. If they are suspicious, they should contact their processing bank immediately for advice.
Reply
#5
Anti-Detect 6.5 Download

Link: Anti-Detect 6.5

Increasing your success rate to 98% during CC, Paypal, Bank Carding
Carders are constantly looking for a new ways to avoid banks and e-commerce fraud detection systems. These security solutions are mostly relying on browser fingerprints, which is the data left by a computing device while interacting in the field of analysing and comparing these data. Anti-Detect Browser is one of the most prominent tools allowing you create a unique fingerprint to spoof the fraud detection system.

If you've been carding and it hasn't worked than it's because you haven't been using Anti-detect, the use of anti-detect is guaranteed to improve your carding, Bank account jobs and PayPal Jobs success rate.
Reply
#6
3 New Methods To Cashout A Credit Card 2014

What you will need.
1 Valid CVV (any country will do) [1]
2 Clean Socks5 proxy as close as possible to cardholder's address [2]
3 Good DNS setup [3]

Method 1: CC -> SLL -> BTC

Ok lets get started.
You'll need an email account. Go create a new one at yahoo/gmail/whatever.....doesn't matter which (i wouldn't use tormail for this......too much of a flag). Go to https://www.virwox.com, and create a new account using the email you just set up and the name on the CVV. Just make up a fake SL avatar you don't need to validate it. You will then have to confirm your new account by retrieving the temp password from your email. First thing to do in https://www.virwox.com is change your password in the "Change
Settings" tab on the left. Now we're ready to do some carding. Click "deposit" and scroll down to the Skrill(moneybookers) option. Then enter the max amount for the currency of 1 your card (currently $56 for USA cards) and click the moneybookers logo.
If you have NoScript installed you will have to temporarily allow all this page. Enter the details you have for the CVV and make up a fake date of birth if you dont have a genuine one. If all goes well, you will then be taken back to the main page with your USD/EUR/GBP balance filled.
On the "exchange" menu left of screen choose USD/SLL to convert to Linden $s, then BTC/SLL to convert to bitcoin.
Now withdraw.

Note:
Typically Virwox hold funds for 48 hours before releasing.
You can process payments a total of 3 times with each card.....one transaction every 24hours.

CC -> Moneygram -> BTC

If you have fulls (ssn, dob, etc) you can try cashing out through moneygram. To do this just go to site and sign up for an account under the cardholders name. Be sure to chain a regional socks5 with your Tor connection so you appear to be from the same country that the cardholder is in [4]. Select Same Day service. It will prompt you for the card
details, dob, and the last 4 digits of the ssn. I would suggest running
this name through a background check (any background search site will do) in case you have to answer a security question to send the funds over. Don't try to send over too much. If you accidentally go over the limit or try to send a suspicious amount you risk flagging the account. No more than $300 from each CC. If everything goes smoothly you can try exchanging through https://wm-center.com for bitcoins. You can find more information on https://wm-center.com.
Read more: https://en.bitcoin.it/wiki/WM-Center

CC -> Forex -> BTC

The process is actually really simple. I was surprised to find https://www.rationalfx.com. Kinda found it by accident actually.
Using a foreign currency exchange site to change money on a credit card into a foreign currency and to wire transfer the money into a bank
account.
In this case, the bank account is at Here
2The process goes as follows:
Make an email account anywhere.
Make an account at https://www.rationalfx.com
Make an account at https://www.mtgox.com. (all account info in the name of the cc
holder).
In https://www.rationalfx.com, add account details, addy, card number, https://www.mtgox.com wire info. Make a transfer.
Process takes 3 5 business days... It turns a cc transaction into a wire transfer so it takes a couple days... (Note: in the interest of speed and
not getting the transaction reversed, Monday/Tuesday is the best day to start the transaction)
Once the money is in https://www.mtgox.com, turn it into bitcoins as quickly as possible
and move it into your other bit wallets. Wash the coins if necessary...
Easy huh?
Already pulled it off once. 400GBP through a MC without any issues. rationalfx does not seem to have any real safeguards in place. Tor works fine there (though it is best to use an exit node wherever your card
holder lives). When I was testing it first with a visa, it told me 3 times in a row that the transfer failed. I lowered the amount each time and tried again. After the 3rd time it went through but I didn't have the Verified by Visa password so I couldn't continue. BOTH Visa AND MC , it seems, will pop up with a verification thingy if its enabled on the card. (Usually US/UK cards) Make sure when you deposit to Here you include the account identification info for that spacific account. You can find it on the 'funding options' > 'Bank wire' page... If you forget that info you wont
get your money.. So there you have it. Its simple as pie.. This is not 100% of the info but ya'll can figure out the rest..
Reply
#7
3 ways to cashout a credit card

Way N.1: PayPal


what you need:
IBAN/ANON Card – you can buy one cheap from: Tobacco2012
1:Set up a real PP account using your real anon. It is easy to do but if you don't know how you can ask Tobacco2012 to sell you a guide within his real anon CC.
2: Wait for validation
3: Get an anonymous SIM card
4: Register yourself to https://www.liqpay.com/en
5: From PP account create a donation button
6: Using stolen CC's deposit some money using the donation button. (my advice is not much from each card, around £20/30 per card is good)
7: Now buy bitcoins using the PP card by https://www.liqpay.com/en
8: Transfer your money to your BTC address Wink

Way N.2: Sim Card

what you need:
A bunch of SIM cards
1: Check if your SIM card is refillable online. If so then go on.
2: Now fill your SIM cards using CC's. Its better to do different refills of low amounts.
3: Now subscribe a wallet on https://blockchain.info(use tor!!)
4: Now make an instant deposit by telephone:
1: select country.
2: select big amount.
3: select payphone way. 4: call and wait.
Good! You now have your BTC in your wallet, you can easily transfer to your address and spend them. I tried this using a Polish SIM card. This way has high fees but has highest success rate.

Way N.3: Poker

To do this you need an initial investment of 2BTC.
1: Go to Here and register an a REAL account for you.
2: Refill that account using 2 BTC.
3: When asked use REAL information of yourself.
4: Now register a second FAKE account using CC information (use tor!)
5: Refill fake account with CC information.
6: Now, using tor and you normal browser, play the 2 accounts against each other and win on real account.
7: Do some real play to avoid suspicion on real account.
8: After couple of days withdraw your winnings.
9: You have 50% chance of being asked for ID when you withdraw, send it without problem as you won this money legally.
Reply
#8
7 Reasons Your Credit Card Gets Blocked

Plus: 7 tips for handling it when it happens to you

When your credit card company stops a thief from charging fraudulent expenses to your card, you're thrilled. But what happens when they mistake you for the thief?

7 reasons your credit card gets blocked

With $6.89 billion in fraud losses in 2009, credit card companies eager to stem the tide are continually beefing up their anti-fraud measures, relying on sophisticated computer software to flag suspicious transactions. Trouble is, what looks like a red flag to a computer may just be you trying to make a mundane purchase. Then, all of a sudden, your card's declined, leaving you red-faced and frustrated.

So what looks bad to your card company? Anything out of the ordinary. "The credit card companies -- Visa, MasterCard, American Express, Discover -- all have their own proprietary technologies that look for anomalies in your spending habits," says Robert Siciliano, a McAfee consultant and identity theft expert based in Boston. Siciliano suggests that each transaction is automatically analyzed for up to 200 different data points, everything from where you live to what you normally buy to how much you're spending, to determine the likelihood that you're the one actually making a particular charge. If the analysis doesn't add up, your card will be blocked and your next purchase declined.

What triggers a block

Card issuers won't go on the record about specific red flags -- as Siciliano points out, "That'll only give the bad guys an edge." But according to experts and hapless cardholders who have experienced a block, these shopping habits may lead to hassles:

Shopping where you've never shopped before. "I've had calls from my card company saying, ‘We've detected unusual activity.' It wasn't unusual, but it was a different pharmacy than the one I normally went to," says Denise Richardson, a certified identity theft risk management specialist and author of "Give Me Back My Credit!"

Making several purchases quickly. Janis Badarau, of Lavonia, Ga., sometimes hits three grocery stores in a row to find what she needs and take advantage of sales. But a few months ago, she was so speedy that by the time she swiped her card at the third store, it was declined. "I called the bank when I got home, and they told me that shopping at three supermarkets within an hour or so was considered 'unusual activity,'" Badarau says.

Charging something small, then something big. Criminals sometimes test the waters with a stolen card by charging a tiny amount -- say, a song on iTunes -- before moving on to a triple-digit purchase. That small-big pattern in your own buying habits may result in a declined card.

Shopping away from your home base. That's especially common when you're moving. "If my billing address is Massachusetts and I'm buying a washer and dryer in Idaho, that's an anomaly, because why would I buy a washer and dryer in Idaho if I live in Massachusetts?" says Siciliano.

Charging travel expenses. On the road, any purchase from gas to restaurant meals can trigger a block. While that's long been true for travelers abroad, it now happens domestically, too. "Once my travel to L.A. flagged it and I spent 20 minutes verifying transactions," says Traci Coulter, of New York City. When she asked what caused the card to be declined, she was told, "a taxi, a charge at the airport, in-air Wi-Fi and a rental car hold" -- all standard travel expenses.

Buying things in different geographic regions on the same day. During a cruise, Janet Gillis, of Tampa, Fla., used a card to get money from an ATM on the ship, then she later made a purchase on-shore in Belize. For the rest of the trip, her card was declined. "Apparently, the ATM on board the ship is registered to a Miami location, and several hours later, I was purchasing something in Belize. To them, it looked suspicious because the transactions happened so close together," says Gillis. Online purchases to merchants in different parts of the world can trigger the same flag.

Dealing with billing issues. When Siciliano wanted to make an addition to an online purchase, he contacted the company, but the second transaction they tried to process was declined. The card issuer "thought that the merchant was taking advantage of my card number."

How to handle a block

When your card company suspects suspicious activity, sometimes you'll get an email or a phone call asking you to verify a purchase. Other times your card is simply declined, with no advance warning and no information why, and it's up to you to call your issuer and sort out the problem. Follow these tips to minimize the hassle (and humiliation) of a blocked card:

Carry backup credit cards. You'll be able to offer another working card while you sort out the problems with the first.

Keep your card's contact info handy. "Have your credit card company's toll-free number as one of your phone numbers in your mobile," recommends Siciliano. "If a card is declined, you know who to call."

Tell your card company when you're traveling. Advance notice doesn't always keep your travel purchases off the "suspicious activities" list, but card companies recommend it. In the same vein, "Give your creditor your cell phone number," says Richardson. "If they only have your home number on file, that can be a problem, too."

Use a prepaid card. When you travel, a preloaded card gives you the convenience of credit without the hassles. (You do lose the protection, however, so that convenience comes with a price.) Get texts. According to Chase representative Gail Hurdis, customers can sign up to receive a text message within minutes of a flagged transaction and can indicate by text whether they recognize it.

If they do, the account is updated and the transaction cleared instantly.

Provide a new address. When you move, quickly update your billing address so your card company recognizes your new home base.

Ask for compensation. When Linsey Knerl's card was erroneously declined, the store cashier refused to accept any other card, forcing Knerl to abandon a cart full of stuff. The Tekamah, Neb., woman wrote a letter to her issuer expressing her disappointment. "The credit card company actually gave me a rewards points bonus for my troubles -- enough to buy a plane ticket the next time I traveled!" she says.

Annoying as it can be to get blocked by mistake, remind yourself that it's a sign that your credit card company's got your back.
Reply
#9
A Guide To Everything Non-AVS

I have a little time on my hands today so I have decided to do something productive and try and get everything AVS under one roof to make things nice and easy for people with avs questions.

Disclaimer:

I have never actually used a non-avs card! lol. I have however spent a long time on this forum reading just about everything I can get my hands on (I don't even plan to start carding until I have another 2 months reading about how things work) and want to try and give something back. I imagine there will be mistakes so if any of the regular dudes here spot something wrong let me know.

Glossary - The terms you will come across when reading about avs.

AVS - AVS stands for address verification system and is one of the many things sites use to verify that the card in question is not being used fraudulently. However, some cards do not have this in place meaning the site is unable to pull up the address the card is registered to

Bill=ship - One of the most commonly asked questions on TCF and evo. As the system of any site is unable to verify the address you can put any address you like in the billing address section of the delivery form Big Grin. This is good news as the billing address differing from the shipping address can throw up major red flags during transactions. With this being said the billing address should always match your shipping address. This is often shortened to bill=ship.

VBV - Verified by visa (VBV) is the second stage of the 2-factor authentication system used by visa to try and prevent fraudulent transactions. The first of these is the CVV2 number, which is the 3 digits found on the back of 99% of CC's. Just because a card is non avs doesn't mean it will not have vbv.

BIN - BIN is bank identification number. BINS can be checked by visiting Here and typing the first 6 numbers of your cc in.

Now with the general terms out the way we can move on to some of the other questions we see so many times a day.

Pros and Cons of non avs

As mentioned above, the main advantage of non ans cards is the ability to make the billing address = drop address (which should NEVER be your house/appartment/condo/garden shed or whatever else you may happen to live in) as if these do not match sites can ask for additional verification. The drawback with these cards is that they tend to be from south american countries so cards with good balances are hard to come by. Thinking you can order $5000 worth of stuff just because bill=ship is an easy mistake to make but it really will not be the case with so many of these. Stick to a very maximum of $1000 to avoid burning your cards I would say.

Also note that some sites can refuse non avs because they are not able to verify the address for the card.

Other FAQ's

Where should I set my socks to?

Another common question. If you don't yet know what socks are or how they work, I suggest you get your ass over to the TCF wiki and read everything on there as you have a lot to learn before starting this. If you do know what socks are then lets continue Big Grin.

For non avs cards your socks should be set as close to your drop as possible as this will also be the billing address. The origin of the card does not matter as remember the site can not verify the address.

What are some non AVS BINS?

This information is not freely available in general. Some kind folks have offered some up on some threads in this forum (can't find the link sorry) so take a look, use the BIN checker and take it from there.
Reply
#10
Carding Guide, All My Knowledge

This chapter is about virtual carding. Virtual cardung is the art of ordering goods online using stolen
credit cards, also known as “CVV”, “pizza”, any any other names the members of the community use
to disguise their intentions. Although this seems easy, there are many pitfalls you might want to be
aware of when doing that, especially since merchants are getting more and more aware of online fraud.
Want to know how to get free goods? Let's get started!
Section 1.1 – How It Works
The first thing is to ask yourself, how much do you want to card, and what do you want to card? Then,
you will have to pick one of those 3 levels. Each level represents a difficulty level and you will see
the
prerequisites.
Level 1: Easy carding
This level is used for very easy things to card, for example restaurants and small phone orders, mostly
under $50. This is the entry point of most carders. For that, you will need:
• Credit card number
• Expiration date
Level 2: Intermediate carding
This level is used for online transactions that are slighly higher, like background reports, or a very
small physical item. You will need:
• Credit card number
• Expiration date
• CCV code
• Cardholder name
• Full billing address
• Sometimes, phone number of the account
Level 3: Hard carding
This is not recommenced for beginning carders. Here we are talking about everything above level 2,
such as large physical items, or high-security websites like Newegg, TigerDirect, and sites that
require
Account Take-Over (for ATO, see section 1.2 of this guide). Computer parts, electonics, and many
other items fall in this level. You need:
• Credit card number
• Expiration date
• CCV code
• Cardholder name
• Full billing address
• Phone numbers
• SSN
• DOB
• Recommended, background report
If you are aiming for level 1 carding, you just need to call for pizza and order pizza to another
address,
no need to write lengthy paragraphs on this one. This is easy and is pretty straightfordward.If you
are aiming for level 2, you can card background reports or small physical items, mostly under
$150. All orders are done online, and you will have to enter the correct billing address, shipping
address, and card information.
Now, you must see if the websites says billing phone number on file with the bank, or simply contact
phone number. If the website asks for billing phone number, you have to put the phone number on file
with the bank for the cardholder, otherwise it is safe to put your burner phone number (see section 2.1
of this guide). Now, is the website going to call you? It depends on the order, their policy and their
suspicion about you, so there's no safe answer to this question. Remember that carding is often trial
and
error.
When you use a card to hit a website, do not hit another website using the same card until your order
has shipped. Making an order go though and having a charge approval is easy, but getting it shipped is
often where the challenge lies.
A level 2 site that is often carded is peoplefinders.com. This is where carders get most of their
background reports. It is a good playground to test your skills, and will prove useful later.
Now, on to level 3. You probably saw the information required, now how to get it? First, if your
subject
is aged under 40, chances are that you are out of luck. Otherwise, read on.
First, you need to get the right type of card. This is called finding the right BIN (Bank
Identification
Number). The BIN is the first 6 digits on the card and is used to identify the card type as well as the
issuing bank. To learn more, go to bindb.com, at the top go on Bin Search, and enter the first 6
digits of
the card. They will tell you the issuing bank, and card type. You have debit and credit cards, and the
card type can vary. From the weakest to the strongest, they are:
• Secured: Very low limits, sometimes around $300
• Classic: Low limits, sometimes around $1000
• Gold: Average limits, can be around $3000
• Platinum: High limits, can be around $8000
• Business: Very high limits, in the 5 digits, often around $15,000
• Signature: The best ones, I got cards that had $30,000 of credit limit
Note that those numbers are subject to change according to the cardholder's credit score, history, and
spending patterns. For the benefit of this guide, we will only work with credit cards. By experience,
debit cards often do not have funds, and have tighter security for online purchases. In other words,
they
are rubbish for level 3 carding, but may have other uses, like level 1 or level 2 purchases.
Register an account on any SSN finder site such as ssnfinder.ru or ssndob.cc and look for your subject.
At the same time, go on peoplefinders.com and get the full background report of your subject using a
level 2 card. Once you have the background report, look if the addresses and date of birth match on the
report and on backstab. If everything matches, you can assume the SSN will be correct. Use your
common sense to compare the backstab and peoplefinders results to make sure you didn't get the wrong
information. About 80% of the subjects over 40 years old can be found.
You have the SSN and DOB? Great! Now, time to get the mother maiden name. This is slightly harder
and will work if your victim is in one of those states: Arizona, California, Delaware, Idaho, Indiana,
Kentucky, Maine, Maryland, Massachussetts, Minnesota, Nevada, New Hampshire, New Jersey, Ohio,Rhode
Island, South Dakota, Texas. Go on archives.com and card an account, then look for your
subjet's mother (look at the background report for her name and date of birth), and try to look for her
birth record. This is a trial and error case and works about 50% of the time.
Why get all this information? Because many level 3 swites will have either VBV (Verified by Visa) or
MCSC (MasterCard Secure Code) protection during checkout. This is a form that is presented by the
issuing bank of the credit card and asks for additional questions. Although every type of card is
different, the commonly asked questions are:
• Date of Birth
• Last 4 digits of SSN
• Full name on card
• Billing zip code
If you fail any of those questions, the order will not go through. Now, why did we need all this
information? Because we will perform a ATO on the account. This is tricky. Read the next section for a
detailed description of Account Take-Over fraud.
Section 1.2 – Account Take-Over Fraud
Do you dream of carding thousands of dollars worth of computer hardware on Newegg? It's doable, but
not easy. You have to follow the right steps. I carded a $10,000 gaming rig in under 2 weeks using
platinum cards by following that guide, so I'm in position to tell you how.
First thing, check the balance of your credit card. Now, before going crazy, remember this rule of
thumb: Do not use card checkers! They burn the card very quick. Let me explain.
Every transaction automatically gets a fraud score between 0 and 999. The system used to evaluate
transactions is the same used by the big 4 banks and is called Fair Issac. Transactions having a fraud
score over 300 will hit manual review by an agent, who will decide if they contact the cardholder or
just let it though. Scores over 500 with auto-decline, block the card, and an agent will contact the
cardholder. Some banks have different criterias, but things that can affect the fraud score are:
• Comparison with the usual spending pattern of the cardholder
• Location of the charge
• Amount
• Risk factor of the associated merchant
For example, a $20 charge in the cardholder's local Walmart will not trigger anything, but a large
purchase of $2000 on Newegg.com will have a high fraud score and probably auto-decline if the
cardholder rarely makes online purchases.
So how is this relevant? A small card-not-present charge followed by a big charge will make the fraud
score very high, because they assume you are testing the card. If they see a small $1 charge, then a
few
minutes later a large purchase online, they will auto-decline the card and your plan will likely fail.
There are much better ways to check if a card works. The best way is to call the bank's toll-free
number
and use the automated prompts. This brings no danger, however use Spooftel to spoof your number to
display the cardholder's number. Once you do that, you are ready to call the issuing bank's number and
check how much is left on the card. Let's get to it.Call the bank using your burner phone and have in
hand the following information, according to the
bank. The automated prompt will give you access to the transaction list, balance, and a few other
options. Here is the information for the biggest 4 banks:
Chase Bank – 1-800-432-3117
• Full card number
• Zip code
Note: If you correctly spoofed the phone number, you will only be asked for the last 4 digits of the
card, otherwise you will be asked for the full card number.
Citibank – 1-800-627-3999
• Full card number
• Last 4 digits of SSN
Bank of America – 1-888-421-2110
• Full card number
• Zip code
Capital One – 1-800-955-7070
• Full card number
• Last 4 digits of SSN
If, for any bank, you enter the card number and the system immediately transfers you to an agent
without additional questions, it means the account is closed and the card is burnt. No need to waste
time on this one, just hang up and use another card. The agent will only tell you the same thing, and
you will look dumb.
It's always a good practice to take note of the last transactions and amounts, just in case you get
asked
for them later. Listen to them and write them down, I recommend up to 8 transactions for maximum
safety.
So you have the balance and the available credit line now. Nice! So you know how much you can
spend online. Before you go crazy though, there is one more obstacle you need to be aware of: many
sites like Newegg or TigerDirect refuse to ship to an address that is not on file with the bank. And
chances are that your cardholder does not reside at your drop address. Here is how we will solve this
problem, introducing the Account Take-Over fraud, also known as ATO.
ATO is the process in which a fraudster (you) calls the bank to make whatever changes he wants to the
account, without the cardholder knowing. This involves speaking with a customer service agent and
using social engineering. Before you even think about pressing 0 to speak to an agent, make sure you
have, at the very least, the following information in hand:
• Full card number, expiration date, CCV code
• Full billing address of the cardholder (and county)
• Date of birth (and write down the age too, not just the DOB)
• SSN
• MMN (Mother Maiden Name)
• Employer name (facultative, if possible, try to find it on Facebook)•




Car make and model (facultative, if possible, try to do a Google StreetView on the CH's house)
House size and value (facultative, if possible find it in realestate.com as this is public
information)
Driver's license number, expiration, state (facultative)
Previous addresses
Background report
In case you do not have the MMN, try to guess using common last names in the background report. If
you really cannot find it, sometimes it is possible to get around it with other questions. Once you
have
this information in hand, study it, try to remember it. Remember, you are the cardholder, the card is
yours, and you are confident, just like when you call your own bank for a legitimate request.
When you call the bank, you will be usually asked for 3 security tokens. Those tokens can be, but are
not limited to: DOB, SSN, Address, CCV code, cellphone, MMN. If you fail 1 token, you will be asked
2 more. At this point, 2 things can happen:
1. You did it correctly, so the agent will listen to you and will do whatever request you have to do
on the CH's account, and no flags will be raised.
2. The agent suspects an ATO is occuring, and transfers you do the securiy department. This is
called the Verid department, and you will be asked 2 OoW (Out of Wallet) questions. Those are
multiple-choice questions based on the cardholder's credit history and public records. They can
be easy or tricks, it's random every time it happens. If you fail those, they will tell you that they
can't help you and will suggest you show up in person at your bank. They will also ring the
cardholder. So if you fail this one, forget this card, it's burnt to a crisp.
The first thing you want to do on the account is change the billing phone number. Only that. Do
nothing else, as making too many changes will raise a red flag on the account. Call to change the main
billing number and let the card sit still for at least 5 days.
All right, are you ready? Relax, sit in your favorite couch, call the bank, listen to the prompts, and
press
0. The message goes on, this call may be recorded for quality purposes.
This is the first example, if you have the correct MMN (this is the most frequently asked token).
Agent: Thank you for calling Chase, my name is Bob, who am I speaking with?
You: James R Layton.
Agent: Thank you mister Latyon, and for security purposes, may I have the mother's maiden name on
the account?
You: Lucile.
Agent: Thank you, and what is your date of birth?
You: October 1 st , 1965.
Agent: Thank you mister Layton, what can I do for you today?
This is the second example, if you do not have the MMN. Guess it, and do not hesitate. You know
yourself better than the agent does, and they can only rely on the information they have on their
screen
to validate your answers.
Agent: Thank you for calling Chase, my name is Bob, who am I speaking with?You: James R Layton.
Agent: Thank you mister Latyon, and for security purposes, may I have the mother's maiden name on
the account?
You: Smith.
Agent: I actually have something different here, it starts with C.
You: With C? It's impossible! Her name was Lucy Smith, she never used any other name!
Agent: Well, you do not have any other name that might start with C?
(if you have a last name starting with C on the background report)
You: My aunt's maiden name is Charlotte, but I doubt that's the answer you have on file.
(if you have nothing like that on the report)
You: No, no one in my family uses such a name.
Agent: Oh well, let me take note of this for you, can you confirm the last 4 digits of your social
security
number?
You: 4456.
Agent: Thank you, and what is your date of birth?
You: October 1 st , 1965.
Agent: And you billing address with the zip code?
You: 123 Fake Street, Fakeville, NY, 10008.
Agent: Thank you Mr. Layton, how can I help you today?
If you hear that, it means you got in. Otherwise, you will be transferred to the security department
for
the multiple-choice questions, have your report in hand. If you fail, the card is dead. Make sure you
spoofed the cardholder's number, otherwise you could be asked for other questions like driver's license
number, vehicule plate number, etc. Those are questions you probably do not have the answer to.
Now, what you want to do is change the billing phone number. A sample dialog with the agent can go
as follow.
You: I would like to change my phone number. This phone will be disconnected tomorrow and I want
to give you my new primary number so you can reach me if there is something.
Agent: Okay I see, what is the number?
You: 234-567-8901.
Agent: Thank you, is there something else I can do for you?
You: No thanks.
Agent: Thank you for calling Chase, have a wonderful night.
Once you passed the verification part, the rest is pretty straightforward and is relaxing. Now that you
changed the billing number, let the card rest for at least 5 days. Do not make any transaction. The
cardholder will continue to use his card normally too. During your call, at the end, if you failed the
MMN question, you might want to remind the agent to change the MMN on file to avoid problems next
time you call.
Also take note, at any point, if the agent wants to put you on hold, or says he needs to verify
something
and will be back, wait for him to put you on hold, and hang up. It basically means they are going to
ring the cardholder. If this happens, you might want to wait at least 48 hours before calling again,
and
you will see just by the automated prompts if the card is burnt or not. Maybe they did not call the
cardholder, but in 90% of the cases, they did. It happens, especially with Citibank, who likes to
replace
the Verid questions by a quick ring to the cardholder.The questions often change when you call, but
they always follow a certain pattern. By experience, I
will give you the tokens usually asked by the big 4 banks, but we aware that they might change, or they
might ask you other questions if they believe you are bogus. They can ask for your age to throw you
off, as you might not have to calculate it fast enough using the DOB. If you fail this verification,
you
will be transferred to Verid department.
Chase Bank, level: hard
• Full name
• MMN (if failed, last transaction)
• Last 4 of SSN
Citibank, level: medium
• Full name
• Password (pet name, MMN, favorite hobby, or best friend, if failed, last 4 of SSN and CVV)
• Mailing address
• Phone number
Bank of America, level: easy
• Full name
• (sometimes) Verbal password, which is MMN (if failed, DOB)
• Last 4 of SSN
Capital One, level: medium
• Full name
• Last 4 of SSN
• MMN (if failed, DOB and mailing address)
Since you have to wait 5 days, it's a good idea to create an account on your target website, browse the
items, put some in your cart, go to checkout, go back, remove items, read descriptions. Just try to
appear like a legitimate shopper. Remember that $1000 is a lot of money for the average American and
if you show you don't care about your money and just throw items in your cart, you raise flags. Look
like you care about how much it costs.
Once you got rid of this verification process, it will be easier next time you call the bank for this
account. So let's suppose you followed me and let it sit for 5 days. Call again, and this time, we will
add a temporary shipping address to the account. A transcript can go as follow:
(pass verification questions)
You: I want to make a purchase from Newegg.com but they ask me to add a temporary shipping
address on file. I'm not sure how that works, do I just tell you where I want them to send my order?
Agent: Let me help you with that, we can add an alternate address on the account, what would be the
address?
You: 123 Fraud Street, Cardingville, CA, 98765.
Agent: No problem mister Layton, I have notated the account for you, is there something else I can
assist you with today?
You: No thank you
Agent: Have a good afternoon.Almost all banks allow that, except Bank of America, who can only change
the mailing address. That's
why their cards are not the best when it comes to level 3 carding, but some stores will do a conference
call with the bank to bypass this restriction. Chase works the best for temporary shipping addresses,
but
is hard to ATO. It all depends on your skills and what you're comfortable with.
Once you have added the alternate address in the account, it's time to make the hit. Take your account
on the website you want to card, shop a little bit again, then proceed to checkout. Try not to go over
$2000 per order. Enter the correct billing address, double-check the information. Enter the billing
phone number (the one you added on the file at the bank), then your shipping address. Triple-check all
the information for accuracy.
Then, send the order. You might be greeted by a VBV or MCSC form, but if you have the required
information, it should not be a problem. Enter the information they want to get, and submit the order.
Also, some websites like TigerDirect will ask you for your DOB and will give you 3 verification
questions to answer. Those are public records and can easily be found in your background report, so
don't be scared. If you fail 1 question, you will be asked an additional question. If you fail 2 or
more,
the order will be put “on hold” and things will get harder, so try not to fail.
At this point, 2 things can happen when you submit the order. It depends on the spending habits of the
cardholder, and will make things easier or harder for you.
1. The order goes through without any problem, and becomes “pending” status.
2. The transaction get declined and the website says to call the issuing bank. If this happens, call
the bank, the system will act like the card is burnt (transfer without any additional questions),
and a fraud agent will answer. Remember, the card is yours, tell them you authorized the
transaction, but you don't know why it's declined. It's usually easy if you have the correct
information, but if you ATO'd the account before, chances are that you have everything it takes.
When the agent tells you you are all set, resend the order on the website. Call as soon as you get
the decline, don't wait, otherwise the real cardholder will get a call you don't want him to get.
All right, the order is now sent and the status is “pending”. The next section will tell you why some
orders get canceled (newbie mistakes), and why in your case everything should be all right. Take a deep
breath and hop to the next section.
Section 1.3 – Why Orders Get Canceled
When a website receives an order of about $1000, we understand that they try to protect themselves.
What is the first thing that a website will do to verify the order? That's right, they will call the
issuing
bank and will check if the billing phone number you entered is correct, otherwise they will ask for it,
and will ring it. You can receive the call, or the cardholder will, depending if you ATO'd the account
correctly.
This is why orders get canceled when newbies enter a credit card order and expect to receive a free
iPhone from the Apple store. They are not fools and want to protect themselves. However, if you took
care of changing the billing number on file, you will get the call and you will be able to confirm the
order.
Not so fast, a call is not simply “is everything okay?”, but rather a verification call where they
want to
see if you are really the cardholder or not. They sometimes ask you for verification questions similar
toVerid questions, but all the questions are taken from public reports. They can also ask you if you
put
the shipping address on file with the bank (you hopefully did), and they will call the bank to verify.
Also, in some rare cases, they can make a conference call with you and the bank, but you will be asked
for the usual questions, which means last 4 of SSN, DOB, last transactions, etc.
If you are a newbie and just put some credit card information on a website hoping to get a free iPhone,
you will just see the order passing to Canceled state without any details and you will not even get a
call. This is the reason why people post threads about “carding does not work” and get the same
answers.
If you passed the verification call, the representative will tell you that everything is okay and that
they
will have the order shipped out today. This is good news! At this stage, I received 100% of my items, I
never had problems past the verification stage. Now you may be tempted to hit another site; resist to
the temptation. You ATO'd card can almost be considered a level 4 card, at you own the account and
can do whatever you want, so it has a high sentimental value. Wait for the order to ship and the
package
to leave the merchant before you hit another webstore.
I recommend carding in the morning, to avoid letting a charge sit on the card for too long. You never
know how often a cardholder checks his statement online. I had cards that died within hours, and other
ones lasted 3 months. Once the package is shipped, you can card another store, no need to call the
bank, as your drop address is already on file. Repeat until the card is burnt. Once it is burnt, never
show
your face at the drop again. The alternate address is on the bank's records and they can send Law
Enforcement to this place. A drop is like a condom, use it once, do all your business, and trash it,
because it becomes dirty.
Another verification step they can take is send you an e-mail asking for scans of your ID documents,
such as passport and driver's license. These can easily be photoshopped and there are templates
available everywhere. Utility bills are pretty easy to forge too, so don't worry about this part. Do
what
you have to do, but be quick.
Another step you can take, is to put the shipping name on the package to a family member of yours, for
example if the cardholder's name is James Latyon, send the package to a certain Harry Layton (find a
name that's on the report and have their DOB, in case) and say you are sending the package to your son
/ brother / whatever relationship you have on your report.
Also, keep in mind that no method is perfect, and the website can cancel the order simply because they
feel it is not safe to process it. Nothing is perfect, but if you ATO'd the account successfully, it
should
be easy. Remember to stay under $2000 per order. You never know what other tricks they may use to
catch you.
Always choose the fastest shipping method. Some say it raises flags, but if you did everything else
correctly, that will not be the reason why your order fails. Besides, it greatly reduces your chances
of
getting an intercepted package, which is a pain in the ass and makes your efforts worthless.
This brings me to the topic of finding a drop to ship your order to. You can ship it to your house
without any problem, if you want the police to knock at your door and make you ride dirty to the police
station, and get in a steaming pile of shit of trouble. So read on to find out how to ship your order
safely.Section 1.4 – Drops
A “drop” is a place, or location, where you have illegal, carded, or stolen goods shipped to. It has
to be
a place that has no link with your current life and is in no way linked to you.
Finding a drop is not really hard. You can go on Craigslist and find houses for rent, or just drive
around
your neighborhood looking for houses for sale where you can ship goods to. Make sure the house has
no big windows that allow the driver to see that the house is empty. You don't want to have the package
returned to the sender because of that. Just use your brain to find a decent house that you think is
worth
shipping a package to. Usually pick a town close to yours, but not in your neighborhood.
The big day has come: UPS tracking shows “Out for Delivery”. Yeah! Now check if the package
requires a signature. All carriers require it, except UPS. For UPS, you can see if Signature Required
is
written on your tracking page.
Method 1: Acting like you are away
If you don't need a signature, you can leave a note on the door, “we are away, please leave package
here, take this as my signature” and you might as well print the order confirmation page showing the
tracking number and put it with your note to make your case stronger. The driver makes the final
decision about leaving the package or not, but usually there is no problem with UPS when they don't
need signature. Sign the note, put the order confirmation page with it, stick it in the door, and wait
in
your car not far from the place. When the driver leaves the place, grab the package, and put it in your
car. Then skip method 2, and continue reading.
Method 2: Acting like you own the place
The second method is when a signature is required. You will have to meet face to face with the driver.
Remember one thing, you can relax. The driver's job is not to investigate fraud, but only to make sure
the package does to the right received. So you must just make him believe the package is yours, they
don't care about fraud (but don't be stupid and talk about your crime). Carry a printout of the order
confirmation page, the tracking number open on your smartphone (use VPN!), and look like you've
been waiting for him. You might wait at the drop, sitting on the front lawn, or doing whatever you
want. However keep in mind that waiting in the car when the driver sees you get out of the car is
highly
suspicious. If you choose to wait at the drop while being visible, take down any “for sale” or “for
rent”
signs, and call the bank's automated system prior to showing up to ensure the card is still valid and
the
police is not waiting for you. Greet the driver, show papers, sign the cardholder's name, and proceed
to
the next section.
By experience, when you have brokerage fees to pay (like international package), you can call UPS
before getting the order and ask the amount. Leave a money order on the door and the driver will take
it
and leave the package. You will avoid getting a InfoNotice that way, and the driver will believe you
own the place. I did that a lot of times and no failure so far.
After getting your package
I sometimes skip this part when I am lazy, but you should be extra careful. Your freedom has no price
tag, so take 5 more minutes to do this precaution.Drive to a nearby park or public place, and open the
cardboard packaging. Look for any device that
may be tracking your position, such as bugs, GPS devices, etc. Then destroy the shipping label (you
can burn it to make sure), throw the cardboard packaging away, and you now have in your hands a
precious item you carded using your ATOd card. At this point, you can consider your carding heist a
“success”! Drive home, relax, you owned the bank and the website. You can brag about it on the
forums with reason.
If the card is still valid and there was no tracking device, you can card to the same drop again until
the
card burns. Get as much as you can out of it. Burn the card to a crisp. I remember getting $10,000
worth of electronics on a Chase card at the same drop, split on 5 orders. This was a money-making
week.
All right, you carded the item, ATO'd the account, got items, more items, burnt that drop to a crisp
too,
now the card is dead... either over the credit limit, or flagged by the cardholder. Never show your
face
to that drop again, and enjoy your goods!
What happens after? Read on to find out.
Section 1.5 – Chargebacks
A recurring question on the forums is, when the card is declared stolen and the transaction is disputed
because of fraud, who takes the hit?
In the case of a card-present transaction using chip & PIN in countries where they use that technology,
the bank takes the hit when the transaction is declared fraudulent.
In all other cases, it's the unfortunate merchant that takes the entire loss. So if you card Newegg for
$2000, they pay about $1600 for the merchandise that they send you, and they are short the money
because you carded them, so they have to make 6 similar big orders without problems to cover that
loss. You now undertand why they make verifications and don't want to be carded.
Some big merchants like TigerDirect and Newegg will just eat the loss and assume that they failed at
fraud detection, but smaller merchants will make a formal complaint at their police department. Now, is
the police going to investigate? It depends.
Reply


Forum Jump:






Users browsing this thread: 2 Guest(s)