The Rippleshot Data Breach Blog

How Hackers Steal Card Data and What They Do With it Afterward

Written by Kaleigh Simmons | Jul 3, 2015 1:06:00 PM

While the breadth of data being stolen in breaches has reached critical mass, the most valuable still remains payment card data - which is why many hackers still target it directly. Wondering how they do it? Follow along as we dive into the different ways fraudsters steal card information and how they then use it.

What Data Are They Stealing

Track Data

Every payment card has at least two tracks of data on its magnetic stripe. There is sometimes a third track, though it’s rarely used. Both tracks hold enough data to process a transaction, and most POS terminals are programmed to read both tracks, in case one is damaged.

Track one provides a bit more data - the account holder’s name and the format code, which will tell you whether or not it has come from a bank.

Track 1 Data (courtesy of Authorize.net)

Field Name

 

Length

 

Comments

Start Sentinel (SS)

 

1 character

 

Indicates the beginning of Track 1; set to "%"

Format Code (FC)

 

1 character

 

Indicates the card type; "B" indicates a credit/debit card

Primary Account Number (PAN)

 

up to 19 digits

 

Always numerical; usually set to the credit/debit card number

Field Separator (FS)

 

1 character

 

Delimits Track 1 fields; set to "^"

Name

 

2-26 characters

 

Account holder's name

Field Separator (FS)

 

1 character

 

Delimits Track 1 fields; set to "^"

Expiration Date (ED)

 

4 digits

 

Always in the format MMYY

Service Code (SC)

 

3 digits

 

Indicates what types of charges can be accepted

Discretionary Data (DD)

 

Variable*

 

Determined by card issuer--may include Card Code and/or PINs

End Sentinel (ES)

 

1 character

 

Indicates the end of Track 1; set to "?"

Longitude Redundancy Check (LRC)

 

1 character

 

Used to verify that Track 1 was read accurately


Track 2 Data

Field Name

 

Length

 

Comments

Start Sentinel (SS)

 

1 character

 

Indicates the beginning of Track 2; set to ";"

Primary Account Number (PAN)

 

up to 19 digits

 

Always numerical; usually set to the credit/debit card number

Field Separator (FS)

 

1 character

 

Delimits Track 2 fields; set to "="

Expiration Date (ED)

 

4 digits

 

Always in the format MMYY

Service Code (SC)

 

3 digits

 

Indicates what types of charges can be accepted

Discretionary Data (DD)

 

Variable*

 

Determined by card issuer--may include Card Code and/or PINs

End Sentinel (ES)

 

1 character

 

Indicates the end of Track 2; set to "?"

Longitude Redundancy Check (LRC)

 

1 character

 

Used to verify that Track 2 was read accurately

E-Commerce Data

Far less information can be stolen from online transactions, which prevents card data hijacked in this manner from being used in a card present situation. It does, however, still allow for fraudsters to use it for continued online purchases.

Data Typically Available:

Account Holder Name

Address

Card Type

Card Account Number

Expiration Date

CVC (Card Verification Code)

 

How They’re Stealing It

Track data is typically being stolen in two primary places - either the storefront POS terminals, or at a centralized back of house server where transaction data is stored (graphic courtesy of Trustwave Global Security Report).


For e-commerce transactions, the data is typically stolen from the application server where customer information is stored.

In our How Cybercriminals Can Steal Your Credit Card Data post, we cover five different scenarios where card data can be stolen.

 

What They’re Doing With It After

Track data is far and away the most valuable information to steal, as there are a couple ways hackers can profit from the stolen it. The most obvious is to take the information and sell it on the underground market. But another option that can only be done with track data is to take the information and write it onto another card, which can then be used just like the original one. The technology required to do this is incredibly easy and relatively inexpensive for hackers to acquire. This video from WIRED shows you exactly how it’s done.

E-commerce data can be sold on the underground market as well, though it's far less valuable than track data. It can also be used to make purchases, but only online, as there isn’t enough information available to clone a card.

The quickly approaching switch to EMV will have a large impact on the way hackers steal this information, but is highly unlikely to prevent it altogether. Rather, it will just shift to other areas - and if we follow the path set forward by Europe and Canada in their implementations, e-commerce (card-not-present) fraud is set to see a massive boom in response.

To learn more about how the EMV implementation will affect credit and debit card fraud, check out our whitepaper below: