EXPERTS AND PROFESSIONALS ONLY!


    Exploiting Track2 Info

    Share

    zeusk
    Admin

    Posts : 144
    Join date : 2011-12-04

    Exploiting Track2 Info

    Post  zeusk on Thu Jun 21, 2012 2:36 am

    The following article explains practically how vulnerable banks are in the operation of ATM cards. ATM cards (Credit cards) usually has a magnetic stripe that contains the raw data called tracks for its operation.
    The physical layout of the cards is standard. The LOGICAL makeup varies from institution to institution. There are some generally followed layouts, but not mandatory.
    There are actually up to three tracks on a card.
    Track 1 was designed for airline use. It contains your name and usually your account number. This is the track that is used when the ATM greets you by name. There are some glitches in how things are ordered so occasionally you do get "Greetings Bill Smith Dr." but such is life. This track is also used with the new airline auto check in (PSA, American, etc)
    Track 3 is the "OFF-LINE" ATM track. It contains security information as your daily limit, limit left, last access, account number, and expiration date. (And usually anything I describe in track 2). The ATM itself could have the ability to rewrite this track to update information.
    Track 2 is the main operational track for online use. The first thing on track to is the PRIMARY ACCOUNT NUMBER (PAN). This is pretty standard for all cards, though no guarantee.
    Example of Track1
    B4888603170607238^Head/Potato^050510100000000001203191805191000000
    Example of Track2

    4888603170607238=05051011203191805191
    Usually only track1 and track2 are needed to exploit the ATM card.
    Let us examine track1.



    Take the Credit Card account number from Track 2 in this example it
    is:4888603170607238 and add the letter "B" in the front of the number like
    this B4888603170607238 then add the cardholder name YOU want to show on the
    card B4888603170607238^Head/Potato^(Last name first/First Name)next add the
    expiry date and service code (expiry date is YYMM in this case 0505,and in
    this case the 3 digit service code is 101 so add 0505101 ,

    B4888603170607238^Head/Potato^0505101

    No add 10 zero's after service code:

    B4888603170607238^Head/Potato^05051010000000000

    Next add the remaining numbers from Track2 (after the service code)

    B4888603170607238^Head/Potato^050510100000000001203191805191

    and then add six zero's (6) zero's

    B4888603170607238^Head/Potato^050510100000000001203191805191000000 this is
    your Track 1



    Track 1:B4888603170607238^Head/Potato^050510100000000001203191805191000000


    REMEMEBER THIS IS ONLY FOR VISA AND MASTER CARD(16digits) , AMEX HAS 14
    DIGITS, this doesn't work for Amex

    FORMAT FOR TRACK2
    CC NUMBER: YYMM (SERVICE CODE)(PVV)/(CVV)
    Here is the Fleet's credit track2 dump:
    4305500092327108=040110110000426
    we see card number, an expiration date, 1011 - service code, 0000 is the place for pvn (but it is absent!), and at least 426 is the cvv (do not mix with cvv2)

    Now let's take a look on MBNA's track2 dump:

    4264294318344118=04021010000044500000
    here we see the same - no pvn's and other verification information -just a cvv.

    As clearly shown above it is possible to generate track1 from track2 using the method shown above. However track2 gen software automates the process.
    The major process of getting the track2 info is through skimming. Fraudulent POS (Point of sale) merchants can use handheld devices called skimmers to read off and download the tracks data from your credit card if you are not careful. This is the main method of obtaining the original tracks from the credit card.
    However this article will focus on the exploitation of ATM cards using credit card info such as Credit card number, cvv2, Exp date and PIN and then using algorithms commonly called ALGOS to generate the track2. These credit cards infos are normally obtained by spamming. There are a lot of reviewed [censored] who sells these infos in some carding forums.
    Now it is interesting to note that there are a lot of talks about track2 generation possibility. How much is it real? However in my own candid opinion, it is very possible to generate track2. The simple truth is this.

    Generation process of debit (and some credit) dumps from the credit card number, expiration date and cvv2 code becomes possible because of the banks’ weak, "nonsaturated" structure and the banks failure to actually carry out proper validation of the track2 info. It might interest you to know that about 10% of banks are vulnerable. This vulnerability called pvv loophole have been fixed for the major banks But still sometimes the idiocy and negligence shown by employees of many American (and not only) banks quite often continues to surprise all: about 10% of issued cards still vulnerable, even for the moment.
    During the last 2 years I have come to discover so many banks which are still vulnerable to this attack. This forms the basis of this article. Armed with the right tool, you can actually encode cards using cc number, cvv2, Exp date, PIN and the algos.
    Now what is the nature of the algos you might ask? I will give you a sample.
    518445**********=YYMM10100000000779
    529107**********=YYMM10100000000CVV
    These are track2 info. The RHS is the card number. YYMM is the exp date
    ( year/month) and the CVV is the card verification value. The first 6 digits of the card number is called the BIN . You only neeed to know if the BIN is casahble or vunerable to use the Algo.
    Below is the screenshot of the Algo list I have compiled and tested to work 100% ( About 800) .


    Because some banks fail to actually validate the full track2 info, it is possible to use track2 generators softwares to attack the BINS. You simply enter the credit card number, cvv2, exp date and you get the generated track2. Remember this only works for weak BINS or cashable BINS. To test if the track2 you have generated is working before practically going to the ATM with the PIN to cash out, it is important you check the track2 using online checker. This will save cost for your embossed cards and it will be safer for you. I can offer you this service at a modest price of $3 for one track2 info. If you get 00 approval code and you have the right PIN , you will have about 97% success.

      Current date/time is Mon Dec 05, 2016 2:35 pm