How to steal a million

I took on a challenge to steal one million Indian Rupees (INR150.000) and become a millionaire over a weekend? No, I didn’t succeed. Choosing a method, going through the legal matters and talking to all parties took too long. I admit it and it bothers me: I didn’t succeed within the set time limit, but hey, apart from the time, it was my win!

For those of you who didn’t read the rules, here they are again:

  1. Get access to at least 1 million Indian Rupees (millionaire!!)
  2. Don’t get caught (VERY important!)
  3. Don’t put anyone in trouble in any way (Do good, not bad)
  4. The mission must be finished before Monday (Longer and I would get bored)
  5. Improve security so this can’t be done by anyone else (The whole point!)

The method
IT security is my passion, but in the world today the border between computer security and physical security is really thin. For example, what good is a perfectly set up firewall if the door is unlocked and lets you walk out with the server? Or what good does a strong password do if you write it down next to your computer? This is something I wanted to include in this challenge.

The late 90’s were the golden years of Credit Card fraud; people exchanged thousands of stolen credit card details in open IRC channels. Most of these guys were sitting at home, not even using proxies or encryption. They broke into webshops and companies that had just started doing business online without knowing anything about computers, and that even kept clear text lists of Credit Cards on easy-to-access servers. People exchanged Credit Cards for more Credit Cards or other stuff such as shells, passwords and botnets. The crimes weren’t even investigated as long as the money stolen was below the cost to investigate it, and we all know what unrealistic pay these incompetent computer guys charged. And still do today…

I even believe the Internet had far more crime back then if you compare the number of thefts/frauds to the number of users. So no, it wasn’t all better back in the day; it just wasn’t considered as serious.

Why am I telling you about this? Because even if this was ten years ago, Credit Cards are still one of the easiest sources of money and a target for any criminal. Assuming they know what they’re doing, I’m targeting the same.

The victims
This is what would have happened to the victims if we took it one step further:

It’s the weekend, which means people are gladly spending loads of money at the pub/club. Of course they aren’t exactly sober and won’t pay any attention to their bank accounts being robbed. The day after, being hungover, they will realize that someone stole their credit card information last night and with that all their money.
The memory is a bit blurry but they remember using the credit card twice, once paying the bartender and then the taxi driver. Of course it was one of them! Or maybe it was skimmed back when you were on vacation at the South Pole? Those damn penguins!

The steal
Every time you as a guest pay with a credit card, the bartender places five items on the counter after charging it.

  1. Your Credit Card
  2. Your ID
  3. Your receipt
  4. A pen
  5. The pub’s receipt for you to sign

You take #1, #2, #3 and move along to your friends with your beer and leave #4 and #5 on the counter. The bartender, on the other hand, being under constant stress, goes on with his/her work serving other customers while you sign the receipt and leave. When the bar counter has a couple of signed receipts on it, they are collected into the cashbox.

Me being an extra friendly guest, I help the bartender by collecting a few into my cashbox (my pocket). Not all of them, I’m a lazy bastard and of course don’t want to put the bartender out of work! Ohh yeah, it would probably raise some questions as well if all the receipts were gone. You know how impossible it is to get the bartender’s attention when you want to order a beer; I got just as much attention taking receipts. 30 minutes later I have ten of these.

Let’s say I would continue this, averaging 20 an hour for five hours; this would give us 100 receipts. So what can you do with 100 pieces of paper? Well, now there just happened to be some interesting stuff on these that could help me to my INR1.000.000.

The tech
Each receipt has the following data on it:

  1. Full credit card number
  2. Card’s expiration date
  3. Name or full birth date

So we have everything needed to use their card online except for the missing CCV (the 3-digit code on the back), which makes this trick a bit of a hassle. To calculate the CCV we could use the following formula:

PAN x ED x SC x CVK == CCV

PAN == Primary Account Number
ED == Expiration Date
SC == Service Code, probably “000” but only known by the issuer
CVK == A number of DES keys, again only known by the issuer
CCV == Credit Card Verification, 3-digit code printed on the back to prevent fraud

Simply put, we can’t use any algorithm to get the CCV because we don’t know the SC and CVKs. Good security, I like it! But missing only a 3-digit code is not going to stop us. Using bruteforce we have a maximum of 1000 and an average of 500 attempts per card, pretty much any script kiddie’s dream. Even easier, we could just withdraw or buy stuff from one of the many shops online which don’t require CCV (Did I hear USA?).

To test my theory I set out to bruteforce a major Credit Card. 15 minutes later I had filled my poker account simply by testing 001, 002, 003… This was done manually, but a small script would probably take just as long to create and would automate the process for future misuse. Shouldn’t this have triggered some security system? Did I trigger something? It doesn’t really matter, I still succeeded in withdrawing money, so any protection that alarmed the bank was doing it too late. Before anyone would notice, the money is long gone. Oh, also the card still works according to my friend who allowed me to use his. Thanks T! =)
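
On the question of which security system should have triggered: the control that answers it is a per-card limit on CCV mismatches, counted at the issuer across all merchants. The sketch below is an added example, not code from the original post; the threshold, time window, class name and card token are assumptions, and the timestamps are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_CVV_FAILURES = 3            # assumed issuer policy, not from the post
WINDOW = timedelta(hours=24)    # assumed look-back window


class CvvGuard:
    """Counts CCV mismatches per card (not per merchant) and blocks the card."""

    def __init__(self, max_failures=MAX_CVV_FAILURES, window=WINDOW):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)   # card token -> failure timestamps
        self.blocked = set()

    def authorize(self, card, when, cvv_ok):
        """Return 'BLOCKED', 'DECLINED' or 'APPROVED' for one attempt."""
        if card in self.blocked:
            return "BLOCKED"          # a later correct guess no longer works
        recent = self.failures[card]
        while recent and when - recent[0] > self.window:
            recent.popleft()          # forget failures outside the window
        if cvv_ok:
            return "APPROVED"
        recent.append(when)
        if len(recent) >= self.max_failures:
            self.blocked.add(card)    # stays blocked until cardholder contact
        return "DECLINED"


def replay_sequential_guessing(real_cvv, guard, card="tok_constructed_01"):
    """Replay the 001, 002, 003... pattern from the post against the guard."""
    start = datetime(2024, 1, 6, 23, 0, 0)   # constructed timestamp
    outcomes = []
    for guess in range(1, 1000):
        when = start + timedelta(seconds=guess)
        result = guard.authorize(card, when, cvv_ok=(guess == real_cvv))
        outcomes.append(result)
        if result != "DECLINED":
            break                     # approved or blocked: replay ends
    return outcomes


if __name__ == "__main__":
    print(replay_sequential_guessing(437, CvvGuard()))
```

With three allowed mismatches, sequential guessing covers at most 3 of the 1000 possible codes before the card is blocked, instead of the 500 attempts on average described above.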