
#1 08-31-2013, 03:58 PM
Cartographer
Join Date: Aug 2013
Posts: 511
Track2 generation questions and answers

INTRODUCTION
(All the information provided here is solely for educational purposes; it has no connection with real banks, real card numbers and real credit card tracks. Misuse of the given information leads to infringement of the law of many countries. We do not aim to write a complete fraud manual here, but only want to show some banks and payment networks how vulnerable they are.)

The given article does not pretend to be the complete manual on this matter, however you can find here the most important things, which clearly show how the technology works. I wish to inform you that research into this matter was started 4 years ago and for the moment not so many banks are vulnerable, but still there are some that are. This article is dedicated to the novices and those dumb-asses who during all 4 years have been threatening me with messages "hiii, need PIN".

For those who prefer not to disclose information: at present I consider that the topic has become obsolete enough to present it to the masses.

Question: There is a lot of talk about the possibility of track2 generation. How real is it?
Answer: The generation of debit (and some credit) dumps from the credit card number, expiration date and cvv2 code becomes possible because of their weak, "nonsaturated" structure. Let's see some examples to begin with.

Here is the Fleet's credit track2 dump:
4305500092327108=040110110000426
We see the card number, an expiration date, 1011 is the service code, 0000 is the place for the pvn (but it is absent!), and at last 426 is the cvv (do not confuse it with cvv2).

Now let's take a look at MBMA's track2 dump:
4264294318344118=04021010000044500000
Here we see the same: no pvn's and other verification information, just a cvv.

I do not wish to say that the absence of pvn and other verification information considerably facilitates the generation process but... all we have to get is the treasured cvv code ;-)

However, let's examine a special case, when generation is based on banks' weak checking of the control values in the track2 of their debit cards, e.g. the dump's structure can be completely "saturated", but, SURPRISE, the bank checks ONLY the card number and the expiration date, thus checking only that the structure of the second track is observed for a card of this bin (and, SURPRISE again, sometimes they do not carry out even this!). This vulnerability HAD to exist at not only small banks. Big ones, like BOFA and CHASE, were vulnerable too. For the moment this vulnerability is fixed at all the major banks. But still the idiocy and negligence shown by employees of many American (and not only American) banks quite often continues to surprise us: about 10% of issued cards are still vulnerable, even now.

Let's examine Branch Banking and Trust Company's track2 dump:
4661880015236844=05051010113701056
The track is completely saturated with different verification values; 3701 looks like the pvn and 056 seems to be the cvv, but, OOOPS, actually the bank DOES NOT CHECK any of the values on their track2 and, huh, 4661880015236844=05051010100000000 will work just as well as the "saturated" one given above. It is possible to examine many more examples, but I leave further study of the material to you.

As it was found out, the reason for such negligence is illiterate (or incomplete) configuration of the software and the unwillingness of many banks to spend money on cryptoprocessors and other expensive equipment. Many banks, as soon as the load on their processing computers reached its peak, instead of improving what was available and buying new equipment, simply switched off many protection algorithms, thereby reducing the load on the system. There are many reasons, consideration of which is not the aim of this article.

Question: Are banks which carry out all checks of track2 still vulnerable? Are there any other opportunities to recover track2?
Answer: I shall not begin to go into the subtleties of DES, 3DES and other cryptographic algorithms; I'll just outline the concept here.

Basically, everything functions on the good old private-public key basis. The private key is stored in the bank's cryptographic processor (IBM 4758 or similar). In short, cvv, pvv and other values are in any case derivatives of the keys stored in the bank. There is a bruteforce possibility available for such cases. A more detailed specification can be found here: http://www.badb.biz/kernel/content/view/19/2/

But even if a bank meets all ISO compliances and observes all the security measures, there are still a lot of openings...

Here is an example:
Israel, the middle of 2002... There are a lot of terminals (not ATMs) situated right on the streets which allow you to access your account or perform account manipulations. Somehow it was found that Israeli ATMs have some value inside which allows the PIN to be validated without bank authorization. It was explored during a long process of experiments. When at last this value was in the hands of an interested group of people, it turned into a lot of PIN codes ;-) I will explain a little: each terminal described above was equipped with a cryptocard which, on session initiation, received some value from the bank that allowed it to validate the PIN without a request to the bank. It became possible to form a request of a certain type to the cryptocard installed in the terminal. As a result we were able to receive a boolean value: PIN correct or not. The extraction procedure was long, but the people who worked on this succeeded in the end. As a result, after half a year of successful work by those people, 2/3 of the cards of Israel Discount Bank were reissued. There are a lot more banks in different countries which are vulnerable... Think...

Using modern technologies it is possible to build large botnets which allow the DES keys to be bruteforced in hours or even in minutes. There is a lot of software and technology available.

RESUME: Practically all banks are vulnerable, some more and some less. There are a lot of ways to do it - it is only necessary to think well ;-))

Good luck.

With best wishes and regards, sincerely yours, (c)BadB
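
An issuer-side sketch of the difference the post describes between checking only the structure of track 2 and verifying its check values, written from the defender's side as an added example that is not part of the original post. `CardRecord`, the eight-digit discretionary layout, `DEMO_KEY` and `demo_cvv` (an HMAC stand-in, not the real CVV algorithm) are assumptions, and all track data used with it is constructed.

```python
import hmac
import re
from dataclasses import dataclass

# Track 2 layout: PAN '=' expiry(YYMM) service-code(3) discretionary data.
TRACK2 = re.compile(r"^;?(\d{12,19})=(\d{4})(\d{3})(\d*)\??$")
DEMO_KEY = b"constructed-demo-key"   # stands in for a key held in the issuer HSM

@dataclass
class CardRecord:                    # hypothetical issuer-side card record
    pan: str
    expiry: str
    service_code: str
    disc_len: int                    # discretionary-data length for this BIN

def demo_cvv(pan, expiry, service_code):
    """Stand-in for the HSM-derived check value. NOT the real CVV algorithm."""
    mac = hmac.new(DEMO_KEY, f"{pan}{expiry}{service_code}".encode(), "sha256")
    return f"{int.from_bytes(mac.digest()[:4], 'big') % 1000:03d}"

def structure_only_check(track2, rec):
    """The weak configuration from the post: PAN, expiry and layout only."""
    m = TRACK2.match(track2)
    return bool(m) and m[1] == rec.pan and m[2] == rec.expiry \
        and len(m[4]) == rec.disc_len

def full_check(track2, rec):
    """Fail-closed check: returns decline reasons; an empty list means approve."""
    m = TRACK2.match(track2)
    if not m:
        return ["malformed_track2"]
    pan, expiry, svc, disc = m.groups()
    reasons = []
    if pan != rec.pan or expiry != rec.expiry:
        reasons.append("pan_or_expiry_mismatch")
    if svc != rec.service_code:
        reasons.append("service_code_mismatch")
    if len(disc) != rec.disc_len:
        reasons.append("discretionary_length")
    if disc and set(disc) == {"0"}:
        reasons.append("discretionary_all_zero")   # also worth alerting on
    # Constructed layout: the check value is the last three digits.
    if not hmac.compare_digest(disc[-3:], demo_cvv(pan, expiry, svc)):
        reasons.append("cvv_failed")
    return reasons
```

Logging the decline reasons per BIN shows whether zero-filled discretionary data is reaching the authorization host at all, which is the signal that the weak path was ever being exercised.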