AOH :: P15-04.TXT

Advanced Carding XIV

                ===== Phrack Magazine presents Phrack 15 =====

                         ===== File 4 of 10 =====

~                             The Disk Jockey                                ~
~                                                                            ~
~                                presents:                                   ~
~                                                                            ~
~                          Advanced Carding XIV:                             ~
~              Clarification of many credit card misconceptions              ~
                           (A 2af presentation)
     After reading files that have been put out by various groups and
individuals concerning carding, credit fraud, and the credit system in general,
I am finding more and more that people are basing these files on ideas, rather
than knowing how the system actually works.  In this article I hope to elighten
you on some of the grey areas that I find most people either do not clarify, or
don't know what they are talking about.  I can safely say that this will be the
most accurate file available dealing with credit fraud.  I have worked for and
against credit companies, and know how they work from the insiders point of
view, and I have yet to meet someone in the modem world that knows it better.

This file is dedicated to all the phreaks/hacks that were busted for various
reasons in the summer of 1987.

Obtaining Cards:
     Despite popular belief, there IS a formula for visa and mastercard
numbers.  All credit card account numbers are issued by on issuing company, in
this case, Visa or Mastercard.  Although the banks are not aware of any type of
pattern to the account numbers, there IS one that can be found.  I plan to
publish programs in the near future that will use the various formulas for
Visa, Mastercard and American Express to create valid accounts.

     All that is needed to successfully use a visa/mc account is the account
number itself.  I don't know how many times I have gotten into arguments with
people over this, but this is the way it is.  I'll expand on this.

First of all, on all Visa/MC cards, the name means NOTHING.  NOTHING AT ALL.
You do not need this name and address of the cardholder to successfully use the
account, at no time during authorization is the name ever needed, and with over
50,000 banks, credit unions, and various other financial institutions issuing
credit cards, and only 5 major credit verification services, it is impossible
to keep personal data on each cardholder.

Ordering something and having it sent with the real cardholder's name is only
going to make things more difficult, at best.  There is no way that you can
tell if the card is a normal card, or a premium (gold) card merely by looking
at the account number.  The only thing that can be told by the account number
is the bank that issued the card, but this again, is not needed.

The expiration date means nothing.  Don't believe me?  Call up an authorization
number and check a card and substitute 12/94, and if the account number is
good, the card will pass.  The expiration date is only a binary-type check to
see if the card is good, (Yes/No), it is NOT a checksum-type check code that
has to be matched up to the card account to be valid.

Carding Stupid Things:
     Whenever anyone, ANYONE tries to card something for the first time, they
ALWAYS want to get something for their computer.  This is nice and all, but
just think that every person that has ever tried to card has tried to get a
hard drive and a new modem.  Everyone does it, thus every single computer
company out there is aware and watching for that.  If I could give every single
person who ever tries to card one piece of advice, it would be to NEVER order
computer equipment.  I know there are a hundred guys that will argue with me
about it, but common sense should tell you that the merchants are going to go
out of there way to check these cards.

Merchant Checking:
     Since I brought up merchants checking the cards, I will review the two
basic ways that almost all mail-order merchants use.  Keep these in mind when
designing your name, address and phone number for your drop.

The Directory Assistance Cross-Reference:
     This method is most popular because it is cheap, yet effective.  You can
usually tell these types of checks because during the actual order, you are
asked questions such as "What is your HOME telephone number" and your billing
address.  Once they have this information, they can call directory assistance
for your area code, say 312, and ask "May I have the phone number for a Larry
Jerutis at 342 Stonegate Drive?"  Of course, the operator should give a number
that matches up with the one that you gave them as your home number.  If it
doesn't, the merchant knows that something is up.  Even if it is an unlisted
number, the operator will say that there is a Jerutis at that address, but the
telephone number is non-published, which is enough to satisfy the merchant.  If
a problem is encountered, the order goes to a special pile that is actually
called and the merchant will talk to the customer directly.  Many merchants
have policy to not ship at all if the customer can not provide a home phone
number that corresponds with the address.

The Call Back:
     This deals with the merchant calling you back to verify the order.  This
does not imply, however, that you can stand by a payphone and wait for them to
call back.  Waiting by a payphone is one of the stupidest things I have ever
heard of, being that few, if any, places other than the pizza place will call
back immediately like that.  What most places will do is process your order,
etc, and then call you, sometimes it's the next day, sometimes that night.  It
is too difficult to predict when they will call back, but if they don't get a
hold of you, or only get a busy, or an answering machine, they won't send the
merchandise until they speak with you voice.  This method is difficult to
defeat, but fortunately, due to the high cost of phone bills, the directory
assistance method is preferred.

Billing Address:
     This should ALWAYS be the address that you are having the stuff sent to.
One of the most stupidest things that you could do to botch up a carding job
would be to say something like "Well, I don't want it sent to my house, I want
it sent to....", or "Well, this is my wifes card, and her name is....".  These
methods may work, but for the most part, only rouse suspicion on you.  If the
order sounds pretty straightforward, and there isn't any unusual situations, it
will better the chances of the order going through.

Drop Houses:
     These are getting harder and harder to come by for the reasons that people
are more careful then before, and that UPS is smarter, also.  Your best bet is
to hit somebody that just moved, and I mean JUST moved, being that UPS will not
know that there is nobody at the house anymore if it is within, say, a week of
their moving.  It's getting to the point where in some areas, UPS won't even
leave the stuff on the doorstep, due to liability on their part of doing that.
The old "Leave the stuff in the shrubs while I am at work" note won't work,
most people are smart enough to know that something is odd, and will more than
likely leave the packages with the neighbors before they shove that hard drive
in the bushes.  Many places, such as Cincinatti Microwave (maker of the Escort
and Passport radar detectors) require a signature when the package is dropped
off, making it that much harder.

Best Bet:
     Here is the method that I use that seems to work well, despite it being a
little harder to match up names and phone numbers.  Go to an apartment building
and go to the top floor.  The trashier the place, the better.  Knock on the
door and ask if "Bill" is there.  Of course, or at least hopefully, there will
be no Bill at that address.  Look surprised, then say "Well, my friend Bill
gave me this address as being his."  The occupants will again say "Sorry, but
there is no Bill here...".  Then, say that "I just moved here to go to school,
and I had my parents sent me a bunch of stuff for school here, thinking that
this was Bill's place."  They almost always say "Oh Boy...".  Then respond with
"Well, if something comes, could you hold on to it for me, and I will come by
in a week and see if anything came?"  They will always say something to the
effect of "Sure, I guess we could do that...".  Thank them a million times for
helping you out, then leave.  A few days after your stuff comes, drop by and
say, "Hi, I'm Jim, did anything come for me?".  If everything was cool, it
should have.  The best thing to do with this is only order one or two small
things, rather than an AT system with an extra monitor.  People feel more
comfortable about signing for something small for someone, rather than
something big, being that most people naturally think that the bigger it is,
the more expensive it is.
     This is the best method that I know of, the apartment occupants will
usually sign for the stuff, and be more than happy to help you out.

     The thing that I can never stress enough is to not become greedy.  Sure,
the first shipment may come in so easy, so risk-free that you feel as if you
can do it forever.  Well, you can't.  Eventually, if you do it frequently
enough, you will become the subject of a major investigation by the local
authorities if this becomes a real habit.  Despite anything that anyone ever
tells you about the police being "stupid and ignorant", you better reconsider.
The police force is a VERY efficient organization once they have an idea as to
who is committing these crimes.  They have the time and the money to catch you.

Don't do it with friends.  Don't even TELL friends that you are doing it.
This is the most stupid, dangerous thing that you could do.  First of all, I
don't care how good of friends anyone may be, but if a time came that you hated
eachother, this incident could be very bad for you.  What could be even worse
is a most common scenario:  You and a friend get a bunch of stuff, very
successfully.  You tell a few friends at school, either you or him have to tell
only one person and it gets all over.  Anyways, there is ALWAYS some type of
informant in every high-school.  Be it a teacher, son or daughter of a cop, or
whatever, there is always a leak in every high school.  The police decide to
investigate, and find that it is becoming common knowledge that you and/or your
friend have ways of getting stuff for "free" via the computer.  Upon
investigation, they call in your friend, and tell him that they have enough
evidence to put out a warrant for his arrest, and that they might be able to
make a deal with him.  If he gives a complete confession, and be willing to
testify against your in court, they will let him off with only paying the
restitution (paying for the stuff you got).  Of course, just about anyone is
going to think about themselves, which is understandable, and you will get the
raw end of the deal.  Don't let anyone ever tell you that as a minor, you won't
get in any trouble, because you can and will.  If you are really uncooperative,
they may have you tried as an adult, which would really put you up the creek,
and even as a juvenile, you are eligible to receive probation, fines, court
costs, and just about anything else the judge wants to do with you.  All this
boils down to is to not tell anyone anything, and try not to do it with anyone.

Well, that should about wrap up this file.  I hope this clears up some
misconceptions about carding.  I am on many boards, and am always open to any
comments/suggestions/threats that anyone might have.  I can always be reached
on The Free World II (301-668-7657) or Lunatic Labs (415-278-7421).

Good luck.

                                                 -The Disk Jockey

AOH Site layout & design copyright © 2006 AOH