What's new
Largest cc shop C2bit

Exploiting Credit Card Track2 Info

M

_Mike74

The following article explains practically how vulnerable banks are in the operation of ATM cards. ATM cards (Credit cards) usually has a magnetic stripe that contains the raw data called tracks for its operation.
The physical layout of the cards is standard. The LOGICAL makeup varies from institution to institution. There are some generally followed layouts, but not mandatory.
There are actually up to three tracks on a card.
Track 1 was designed for airline use. It contains your name and usually your account number. This is the track that is used when the ATM greets you by name. There are some glitches in how things are ordered so occasionally you do get "Greetings Bill Smith Dr." but such is life. This track is also used with the new airline auto check in (PSA, American, etc)
Track 3 is the "OFF-LINE" ATM track. It contains security information as your daily limit, limit left, last access, account number, and expiration date. (And usually anything I describe in track 2). The ATM itself could have the ability to rewrite this track to update information.
Track 2 is the main operational track for online use. The first thing on track to is the PRIMARY ACCOUNT NUMBER (PAN). This is pretty standard for all cards, though no guarantee.
Example of Track1
B4888603170607238^Head/Potato^050510100000000001203191805191000000
Example of Track2

4888603170607238=05051011203191805191
Usually only track1 and track2 are needed to exploit the ATM card.
Let us examine track1.



Take the Credit Card account number from Track 2 in this example it
is:4888603170607238 and add the letter "B" in the front of the number like
this B4888603170607238 then add the cardholder name YOU want to show on the
card B4888603170607238^Head/Potato^(Last name first/First Name)next add the
expiry date and service code (expiry date is YYMM in this case 0505,and in
this case the 3 digit service code is 101 so add 0505101 ,

B4888603170607238^Head/Potato^0505101

No add 10 zero's after service code:

B4888603170607238^Head/Potato^05051010000000000

Next add the remaining numbers from Track2 (after the service code)

B4888603170607238^Head/Potato^050510100000000001203191805191

and then add six zero's (6) zero's

B4888603170607238^Head/Potato^050510100000000001203191805191000000 this is
your Track 1



Track 1:B4888603170607238^Head/Potato^050510100000000001203191805191000000


REMEMEBER THIS IS ONLY FOR VISA AND MASTER CARD(16digits) , AMEX HAS 14
DIGITS, this doesn't work for Amex

FORMAT FOR TRACK2
CC NUMBER: YYMM (SERVICE CODE)(PVV)/(CVV)
Here is the Fleet's credit track2 dump:
4305500092327108=040110110000426
we see card number, an expiration date, 1011 - service code, 0000 is the place for pvn (but it is absent!), and at least 426 is the cvv (do not mix with cvv2)

Now let's take a look on MBNA's track2 dump:

4264294318344118=04021010000044500000
here we see the same - no pvn's and other verification information -just a cvv.

As clearly shown above it is possible to generate track1 from track2 using the method shown above. However track2 gen software automates the process.
The major process of getting the track2 info is through skimming. Fraudulent POS (Point of sale) merchants can use handheld devices called skimmers to read off and download the tracks data from your credit card if you are not careful. This is the main method of obtaining the original tracks from the credit card.
However this article will focus on the exploitation of ATM cards using credit card info such as Credit card number, cvv2, Exp date and PIN and then using algorithms commonly called ALGOS to generate the track2. These credit cards infos are normally obtained by spamming. There are a lot of reviewed vendors who sells these infos in some carding forums.
Now it is interesting to note that there are a lot of talks about track2 generation possibility. How much is it real? However in my own candid opinion, it is very possible to generate track2. The simple truth is this.

Generation process of debit (and some credit) dumps from the credit card number, expiration date and cvv2 code becomes possible because of the banks? weak, "nonsaturated" structure and the banks failure to actually carry out proper validation of the track2 info. It might interest you to know that about 10% of banks are vulnerable. This vulnerability called pvv loophole have been fixed for the major banks But still sometimes the idiocy and negligence shown by employees of many American (and not only) banks quite often continues to surprise all: about 10% of issued cards still vulnerable, even for the moment.
During the last 2 years I have come to discover so many banks which are still vulnerable to this attack. This forms the basis of this article. Armed with the right tool, you can actually encode cards using cc number, cvv2, Exp date, PIN and the algos.
Now what is the nature of the algos you might ask? I will give you a sample.
518445**********=YYMM10100000000779
529107**********=YYMM10100000000CVV
These are track2 info. The RHS is the card number. YYMM is the exp date
( year/month) and the CVV is the card verification value. The first 6 digits of the card number is called the BIN . You only neeed to know if the BIN is casahble or vunerable to use the Algo
Because some banks fail to actually validate the full track2 info, it is possible to use track2 generators softwares to attack the BINS. You simply enter the credit card number, cvv2, exp date and you get the generated track2. Remember this only works for weak BINS or cashable BINS. To test if the track2 you have generated is working before practically going to the ATM with the PIN to cash out, it is important you check the track2 using online checker. This will save cost for your embossed cards and it will be safer for you.
CONCLUSION: Practically all banks are vulnerable, some less, some more; It is only reasonable to think well.
 
Top