Can you guys see okay in the back? We have all this tech stuff for the black and white. Everybody's okay? Okay. All right, thank you for attending credit cards and everything. This is the third year of this. The first year we did a social engineering aspect along with some light Wi-Fi stuff. Can everybody hear me okay? No. No. Okay, and last year we did a live demo where we actually had some people in the front row interacting, trying to break in. And at the very end Spoonum was nice enough to do some cross-site scripting. So thank you Spoonum if you're out there. Okay, this year we're just gonna kind of go over the basics. And when I say basics, I hope you guys don't go, aw, basics. It's like basics on like getting into the industry kind of level. So hopefully it's informative for everybody.
So this is credit cards, everything you have ever wanted to know. And we're gonna start off with a brief history of credit cards. 1950, Diners Club was the first credit card style thing. I believe Sears Roebuck in like the mid-20s did a like credit where you can buy a washer or dryer or something like that and then pay later. But it was all like on paper and books. It wasn't really in the format we're used to which is plastic or some form thereof. 1958, American Express was the next one to come out with it. It was exclusively in New York City and it was mostly for restaurants and hotel stays. Kind of high society kind of people. And this is an interesting aspect here with American Express because when they came in and Diners Club was already there, it was mostly for the high-end customers. So what people wanted to do was accept these credit cards so that they can draw on the high-end clients that were the only ones, the elitists, that were allowed to actually have credit cards. So the credit card industry created this weird paradox where if you wanna accept a credit card, you have to pay us to accept credit cards.
So when you swipe your card, 50 bucks goes through, about 35 cents on average goes directly to the credit card company for the luxury of having the ability to authorize credit cards for the merchant. And that kind of set a standard and the tone for the industry and also automatically started some security concerns in and of itself. 1958, BankAmericard, started by Bank of America, which is now, as we all know, Visa. That was in the late 70s when it switched over to the Visa brand when they went to international. 1966, MasterCard International, ICA, the consortium of banks got together and said we wanna also have a credit card so to compete with Bank of America and American Express. And then way, way, way, way late in the game, 1986, Discover Card, which was originally started by Sears Roebuck and now Payne-Weber, they just got together and merged and now they're breaking apart. Payne-Weber and a couple other financial institutions took over Discover Card and now they're selling it off to itself.
So let's talk about the technology behind credit cards. Like we said before, back then, it was all low-tech and everything like that. Seemed to be getting some sort of interruption here.
Hello, I am Ribsci with DC 702. We are doing the scavenger hunt and I'm gonna give you a brief discussion about the scavenger hunt. Read the introductory paragraph for you. Welcome again to the greatest DEFCON competition brought to you by DC801. On the back of this page is a list of items, tasks, and their point values. From the time you get this list until noon on Sunday, collect as many of those items and complete as many tasks as possible. The team with the most points at noon on Sunday wins the hunt. Prizes are donated from all the vendors, many thanks to all those that donate. And whatever we were able to come up with before getting here.
Aside from the great time last year's teams had playing, first, second, and third place went home with plenty of shirts, books, hardware, stickers, and toys. First place took home black badges but we can't promise anything. I really don't have anything original to talk about so that's about all I'm gonna do. Thank you.
Thank you for interrupting the speech that you are not scheduled for. And somehow you are not scheduled for that speech and yet you're doing it because you're part of this scavenger hunt. Hint hint, nudge nudge. All right, back on with the normal speech.
So okay, so technology. So they had the knucklebusters as we all call them today and American Express was the first to start this and that was where the embossed imprints came on the cards originally because you put them on the, as we all know, whoever's worked in retail at least once in their life and had a card that did not swipe. You put the card down, you have a sheet of paper and then you push over the sheet of paper and it imprints your credit card number, your name, expiration date, that kind of thing. And these receipts were all collected up at the end of every night and they were mailed off to the credit card company and only when they were received by the credit card company did you actually get the money from that client. So if there was any fraud or anything like that it took a very long time before it was discovered. They also did phone authorizations on certain credit cards or certain businesses of high risk that kind of mitigated that risk. And then in the 80s is when dial-up authorization terminals came into play.
Dial-up is pretty much those Tranz 380s or Ingenico devices that you see now where they just swipe the card, punch in how much money and hit enter and then it would pick up the phone line, dial out, connect to get authorization and the interesting thing about this is they originally started off at 1200 baud and at 1200 baud you'd think, okay, that was so 1985, so 1991 but they still use, to this day, anybody who does dial-up, they still use 1200 baud as their connection rate simply because they don't want to upgrade their servers or their mainframes for higher speeds. If anybody wants faster authorization, they say, well, just use lease lines or use direct connections to the bank. Just very fast transactions, you don't really need more than 1200 anyways to connect in, get an authorization and close out. The only time that it actually causes a problem is at the end of the night, if you have like three, 500 credit cards that were authorized, you have to wait like 20 minutes as it slowly pushes across the 1200 baud modem, all the credit cards that need to be finalized.
High-speed lease lines, we kind of just talked about that. High-speed lease lines is pretty much, I'm Walmart and I have all my stores connected and it doesn't make any sense to use any third-party people, just go straight to the bank and get authorizations. And so they have like Walmart, they have all their stuff consolidated into one source and then going out. Same thing with CSK Auto for those that are in the United States, which is Checker, Schuck's, Kragen, if any of those sound familiar. All theirs go down to Arizona and then from Arizona it goes out and gets authorization, comes back and then goes to your respective store. So for high volume or big names that have a lot of weight to throw around with a lot of money and that kind of stuff, they can usually get direct lines.
Gateway processors, these are like GO Software, ICVerify, Shift4, that sort of thing.
They're for like the middle tier and the low-end clients that don't do more than like, between anywhere between 100 transactions a month to about 200,000 a month, that you usually use a front-end gateway. PayPal can technically be considered a front-end gateway because you have APIs for your websites. CCBill and iBill and all those other blue light catering ones are also gateways.
Co-op lease line, this is actually kind of unique. The only time I've ever seen a co-op lease line, am I going too fast guys? I don't know. Okay, the only time I've ever seen a co-op lease line was here in town, like at the MGM and a few others that are not even directly associated with each other through business arrangements. They have like a direct line and I'm going down. That's what I get for not plugging it in. So, well that's coming back up. So what they did was they were like, well we have a direct line directly to the bank. So we can resell this line or we can all cooperate in paying for the lease line to go out and work that way and it's still being stubborn. Oh, there you are. Hush. I just enumerated, that was great. Luckily there's no direct connects in, I don't think. You'll harbor brute force it, there you go. Okay, so these co-ops, they're just pretty much, everybody just kind of gets together. We're a bunch of small businesses and we don't want to pay. It's like anything else where if we all buy like a sack of potatoes, we can get it for a cheaper price kind of thing. So everybody buys into the same lease line and gets better rates going through. And then we already talked about PayPal a little bit with online API gateways, CCAuth and iBill and I don't go to those sites, what do you guys use? No, she's kidding.
Okay, so marketing and technology. So some of these different technologies that are coming out that everybody kind of wants to know about and I'm here to tell you guys, I'm gonna burst your bubble. A lot of them mean nothing. Like the smart cards is the first one.
We all know this with the American Express Blue. We have the little silver or gold smart card built into it and it's supposed to be more secure and all this other stuff. Nobody uses it. No vendors use it. There is an actual protocol out. There's a specification for how it works. I know NDC, VisaNet and FDC support it but they're the only ones and that's not enough to actually get full on. And here's a couple reasons why smart cards are not working and why they're not coming to market. It's because the vendors are paying for all the equipment. If you want a terminal to swipe card you have to pay for it. If you want the ability to accept cards you have to pay for it. If you want each individual one, like you wanna accept Visa, you have to have an agreement with them. If you wanna accept MasterCard, you have to have an agreement with them. So on and so forth. So the merchants are the ones that are really getting suckered out of a lot of money here. And then all the ISOs, independent sales organizations, and MSPs, merchant service providers, they come to them and say, we have the smart card stuff. All you have to do is take out that one terminal that I just charged you $350 for and put this new one in that's $900. So you can accept smart cards and then you'll be way more secure with only 1% of America actually having smart card on their cards. So it's a very hard bargain. So that's why smart cards just kind of floated along.
Virtual one time use cards. I wasn't even aware of these until somebody asked me about it after the speech last year. And then I looked into it a little bit and talked to some people about it. And these are pretty much, you're online and you're super, super, super paranoid that somebody's gonna steal your credit card online. They're gonna do it. I just know they're gonna steal my credit card. I can't handle having my credit card online.
So what they do is they go out and they register with, I think Bank of America supports this and Chase Bank supports it and Citibank supports it. That's right, they're the big promoter of it. They pretty much say, we're gonna give you a laundry list of cards and you can use this card number exactly once. And as soon as you use it, it's now a dead card. Or I wanna use this credit card for recurring billing which means like you're gonna work out at the gym or you are part of the Jell-O club or something like that. And you want them to keep on billing you 10 bucks a month for all the great Jell-Os in the world. So you can have a one-time use that will only be authorized to work at that merchant and won't work at any other merchant. So somebody will know right away that the merchant's got a problem and that their credit card was hijacked from that merchant as soon as it gets used somewhere else.
And some people ask, well, how does this work? How is this possible? Well, this kind of gets into a little bit of the more thicker realm of credit cards and how they work. And all your authorizations go all the way back to your bank. So when you swipe the card, it goes through what's called a front-end processor and they pretty much aggregate all the credit cards and say, okay, we have all the phone numbers, we all have all the direct links to all the banks. Because back in the day, you had this small, trans-rated terminal that had like 56K of memory. You can put one phone number, your merchant information, your bid number in it and that was it. So if you had to call a different bank every time that somebody with a different bank came along to get an authorization, you'd fill up all that memory and it would just be a nightmare managing accounts with everyone. So what they said was, well, we'll manage our accounts with everyone and you just connect to us and that's the front-end processor.
And then you connect to us and then we'll hop onto what's called merchant link when you go into Visa or Bank of America or we'll hop onto the back-end processors as they call them, which are shared networks that are just private networks that connect you directly to issuing banks. So when you use this credit card online, it goes through the front-end processor, through the back-end network and then to the exact bank that issued it. So if you say generate a credit card online and it just generates it, the bank already has it in its database. So whenever you use it somewhere else, it goes directly back to the bank and then the bank knows, oh, hey, I just created that card. Go ahead and send an authorization response back to the merchant. And that's how that's possible is because everything touches the actual issuing bank in every transaction.
Secured cards, these are kind of new technology and everything like that. There's, oh, I'm sorry, I'm on the wrong one. Easy pay. Secured cards are those cheesy ones where it's like, hey, give us $200 and we'll give you a credit card with a $200 credit limit. Okay, I have $200 on your credit card. What does that mean? Well, we're gonna charge you service fees and all this other stuff. So you get a credit card. So when you go to the bank or you go shopping or everything, you get to be like, I am a proud credit card holder. Look at me. And you can be like 17, 18 and get these things. So I'm not promoting this, but theoretically online, over 18 authorization, at least usually means if they have a credit card, they're over 18. And if you happen to go to Walgreens and get one of these secure credit cards for $200, you now have a credit card and you're 13. So that's just something I heard from somebody, but I do not promote you going and doing any online transactions under the age of 18. That would be bad. But these are pretty much for people who have bad credit, want to rebuild their credit, that kind of thing.
You know, various different aspects of rebuilding credit, that's not really what the speech is about, but we'll touch on it just really briefly because we're talking secure cards. It doesn't really help you out too much because people know before they were like, oh, he has a credit card and has a $200 limit and he pays it on time. Well, yeah, he pays it on time because it's his money. You know, so he gets better credit, but they got privy to who's doing this and how they're doing it. And so it really doesn't help your credit score to rebuild credit when you, after a bankruptcy or foreclosure or things shutting down yet again. It is another second form of ID. And that does help out to get very different things. And it's easier to get it because you can just log on through the website and say, hey, I am Joe Bob. Give me this credit card and it just gives it to you. Oh, you're Joe Bob, sure thing. So you don't have to have actually any authorization or any proof to get that.
All right, okay, so the easy pay RFID cards. There was those guys out at the university that like cracked the ones for Mobil. If you guys are familiar with that. And the Mobil cards were pretty much, you know, those swipe ones where you're like, I want gas really quick. So you just kind of wave your card, you know? It's just, yeah, I'm gonna do that one more time. Wave your card. And boom, you get your gas and everything like that. And Chase also premiered these. And we're trying to get ahold of one of these Chase ones because we wanted to build a RFID sniper rifle. But we're working on it. So maybe by, okay, can I promote other events? Maybe by one of these other conferences we'll have it ready. So we'll keep an eye out for that. But we're gonna work on that with Chase and see if we can crack it just like the university guys did for easy pay. And these are just pretty much you pass it over. The power is generated from the actual terminal you're waving over.
And that's how it activates the card to get your information. And we'll talk about some security on that in a little bit.
All right, physical fraud features. This is the interactive part of the demo. Go ahead and all pull out your credit cards and stare at them and mask them from everybody else. I'll do it myself. Oh, I'm dead serious. So I have my PayPal account here. So we can, it's a 3348, no, I'm just kidding. 33 would be JCB. I mean, I don't know what's going on right now. Okay, so if you actually want to pull it out and everything, if you're familiar with it, if you have a photographic memory you can think about your credit card for a minute. And for you guys, those of you in front who better not have photographic memories, you can kind of stare at mine. When we're looking at these we're talking about the embossed numbers. Those originally generated from the knucklebusters but they became a fraud prevention mechanism because as long as the embossed one, which is a little difficult to push up, is the same as the magnetic strip, then you're okay. Some people, we've seen a lot of fraud where people actually push it down and then re-push up new numbers and they're like really easy to spot. So that's a tell-tale sign. Also on them, as far as embossing is concerned, you're gonna see the letter of the credit card that is on there. If you ever notice why there's a cursive M or a cursive V or a cursive D or a cursive A, those are all saying I'm a MasterCard, I'm a Visa. So if you swipe it in, it's a Visa card and then you look on it and it says M, then you know there's something funny going on. Also on these things you have the logos which says MasterCard, that's another fraud feature, and the holograms. The hologram actually came in in the late 80s because of those guys who were watching people putting in the credit card number in phone booths to make phone calls, long distance phone calls.
And they were just like memorizing, they can just like photographic memory stare at your card and then boom, no. So the last four digits of your card goes over the hologram so it's harder for these people to really visually see your card and take a snapshot and start doing fraud on that. Of course you got the expiration date on there and many different forms. Some banks will have it was issued on this day and then it was expiring on that day and some just say it expires on this day. What else we got? The cursive letter we talked about. First four digits non-embossed. Okay yeah, also on most cards when you're looking at the first four digits, non-embossed is also printed on the card. The first four digits is a card that's a little bit of a fraud thing there.
Magnetic strip, of course we're all privy to the magnetic strip. I happen to have a swiper here. They're $35 on eBay from what I understand. They plug right into your keyboard and you can just pretty much swipe any card you want. You wanna see what's on your Blockbuster card. You wanna see what's on your PayPal card. You can just swipe it and we'll do a quick demo here I think if the software's gonna work that X's out my account number when I swipe. So we'll see how that works out.
The signature panel on the back. The signature panel says the card types. It'll say Discover, Discover, Discover at a 45 degree angle or MasterCard, MasterCard, MasterCard. And underneath that if you scratch it with a coin like it's a lottery ticket it says void. So as soon as you see the void, merchants are not supposed to accept the card.
CVV2 code, that's kinda relatively new. It means card verification version two. What was version one? Well version one was magnetic data. The unique data, discretionary data as they call it. The card itself. So card verification version two is mostly used in over the phone sales and online sales.
Okay, credit card magnetic data. Two tracks for credit cards.
I wasn't sure if I was gonna talk about it last year and people said I'll just go ahead and do it. It's pretty much public knowledge and since you can get one of these anywhere and you can look up the specs I'll give you guys the details of what's going on there. Okay so you have three tracks. Each piece of information that gets swiped off of it on the magnetic strip card reader is a track of data and they were originally specified throughout the years of what track one would be, what track two would be and what track three would be.
So let's talk about track one. Track one is pretty much, it's if you're gonna be parsing a credit card it's gonna be a caret, the shift six caret, that's your delimiter to parse it out. When you have a successful swipe on a credit card it's gonna be percent B, capital B. That's gonna be the very first two digits. If you don't see that it's probably not a credit card or it's a fake and it shouldn't go through in any credit card transaction. Next you'll get the caret that says hey I'm gonna start the next field. The next field is your name and it's usually an all uppercase and as much of your name as they can squeeze on there. Some people actually append the name. So if you have like a really really long name like mine if you noticed on the cue cards, Imhoff-Dousharm, they actually parse mine so it's Imhoff-Doush. So that's how that works out because they found that some readers can't read all the characters and it actually drops it off. So they just said well and then it won't even authorize because it breaks, it kind of crashes the box. So if you have a really long name don't go to Checkers because your card won't work. Okay so and then after that caret you're gonna have your credit card number and then it's gonna have the credit card number which is anywhere between 13 and 16 digits. 13 was the original American Express and Diners Club and like I think it's and Visa cards were 14 and 15 and now American Express is 15 and 16.
So you can have between 13 and 16. You're allowed up to 19. There's some cards that they're trying to put on the market that'll be 19 digits long. So look forward to those. And then after that you'll have equals and then you'll have four digits. Now these four digits are very special digits, so really pay close attention. It'll be your expiration date but if your expiration date is I don't know January 2008 so 0108 it will not show up equals 0108. It'll show up 0801. So that's like their little security through obscurity thing where they just kind of flip them around and it's also susceptible to the Y2K bug. I know we all felt that. No takers on that joke? Okay. Okay right after that it's gonna be a country code, your three digit country code because there's two digit country codes, two letter country codes, all that fun stuff. So your three digit country code which so you'll usually see the expiration date and you'll immediately see 101 for everybody here in the United States because that's our international three digit country code. And after that's the fun data. That's the stuff that everybody really wants because you can get the credit card number off the front. You can get the expiration date off the front. You even know which country it came from. Okay so what's next? Well that's the card verification version one. That's the discretionary data. And that's immediately following all that. And after that you get a caret which says I'm done and then when track two starts you get a semicolon saying I'm now ready for track two. Credit cards only use track one and track two. They do not use track three. That's mostly used for like players club cards here in town at the casinos and the Moose Lodge if you're into that sort of thing. You know they have your pin there maybe, I don't know.
So track two now switches the format in which you're gonna have a discretionary data.
It's gonna be semicolons separating everything so you're gonna parse everything out based on semicolons instead of carets. And so you're gonna get once again the full credit card number. Then you're gonna get equals and then you're gonna get the expiration date which is traversed. Then the country code 101 then your discretionary data. That's it. Okay so you guys are like well that's just like track one, what gives? Well, I don't know. You get less. Nobody knows the answer. They added track two as a security feature. They're like well that's card verification version one even though it's the same discretionary data as track one. And by having that, pretty much what that meant is we're tired of using these old and busted. You know also old and busted, these Tranz 380s; new hotness, Ingenicos. You know so we want you to switch over to those which are giving us more revenue which means that you can accept the track two which will give you a better rate on your transactions. So you have track two. And that's what that's all about and it ends with the semicolon and that's the end of the story there. If it doesn't work, if you swipe your card and kind of half swipe or you swipe it too quick or it's a dirty scanner, then you're gonna get a percent E, semicolon percent E, semicolon which means error reading card. Try again.
Okay, transaction flow, authorization. There's two flows we should say. I didn't really put a slide before this. Flow one is authorizing the card. Flow two is settling the card and we'll talk about the differences. So when you swipe the credit card and you have the dollar amount and all that fun stuff, you're gonna get an initial authorization. When that initial authorization goes through, like we said, it goes through the front end processor which is our local loop that connects everybody.
That's the, if we had a yardstick and we were talking about processors by the way and you have a big, huge long yardstick which say the entire bit of that yardstick except for one inch is First Data Corporation, FDC. They are the biggest front end processor out there, hands down. And then everybody else, NOVA, NDC, MAP, Sitco Alliance, all those guys, they're one inch. And that's the competition you have to work with out there. So that's something I'll decide a little extra nugget for you guys.
So then you get to the front end processor. Front end processor checks the card number. First six digits are gonna tell you on the credit card number who the issuing bank is. So when you have, I don't know, five, you automatically know that's a MasterCard. When you have six, or six, zero, one, one, you automatically know that's Discover. When you have four, you automatically know that that's Visa. When you have three, eight, it's American Express. Three, six, it's JCB. Three, five, it's old school Visas that were 13 digits long. And I don't believe there's any cards that's now still in existence that had two. There was some people that played around with it but that was mostly reserved. Zero, zero, and one, zero are reserved for private label cards and stuff like that, which we'll get into in a little bit. So the first digit right off the bat tells you what type of credit card it is. Then the next five digits of the first six digit chunk will tell you exactly which bank it's coming from. And I believe there's somebody that's actually working on a project out there right now. It was on Slashdot about six months ago, who's trying to get everybody's first six digits and say, which bank do you have? And trying to reverse enumerate everybody's credit card banks and everything. So far what we know is that there's some specifications, if you ask really, really nicely and say you're an ISO bank, they'll give you them.
Some customer service places that you can just call and say, I need the list and the list is emailed to you. So yeah, it's kind of goofy. We'll get into that in a little bit too.
FEP, the front end processor, this is the beauty. These are the awesome guys. They're like, we have a lot of money and we want to get a lot of more money. How can we possibly do that? Well, we're gonna just authorize people's credit cards and then not even have to worry about doing anything with them. So that's why I say FEPs are hands off because they're bonded. They have like $1 billion insurance policies on all the cards that go through. So, and all they do is say, I have the money to say that I can vouch for this process going through and nothing bad will happen. And then they just let transactions float by them. They just pretty much grab the card, take it, hand it off to the issuing bank, get the response from the issuing bank, record the result, and then send it back. And then record the result on behalf of the merchant because they have these little Tranz 380s when we got 56K of memory. Don't have enough to remember everything which is now changing with the new virtual world in the front end processor gateways and everything like that, which they're losing revenue on. So, but they pretty much just say, oh, I'll just remember that you had an authorization and just let me know when to close it out. So they're just handing money back and forth. That's their only purpose is we connect you to us and us to them. And they charge you to connect to them and then front end processors like FDC will charge them because they have all the clients. So they get money from leasing the lines, they get money from the merchants, they get money from the transactions and they get money from the banks. And all they do is just say, thank you, you're welcome. Thank you, you're welcome. So it's a pretty sweet gig to get into if you wanna get on the new hotness there.
Just have like one billion dollars laying around and find yourself and you'll be all set.
Okay, back end merchant link. We kind of briefly talked about that earlier. How are we doing on time by the way? Where are my folks? Cause I can just ramble for a while. Where's my, 20 more minutes? We should probably speed up then. You guys ready to go into high gear? All right, so back end processor merchant link. We already talked about it, so we're skipping it. Issuing banks, we already talked about it, so we're skipping it. Front end processor record updates, we kind of just talked about it. They just update the record, say, hey, I know that you did a transaction. All right, and then in return, the terminal prints out a receipt having the authorization code. You see that authorization code? It's a six digit code on all the receipts. It comes directly from the issuing bank. Your bank itself gave that authorization code, not the back end processor, not the front end processor, not the merchant itself, but your actual issuing bank talked to them.
All right, transaction flow settlement. Now at the end of the night, you wanna settle everything out. Has anybody ever had this? Because I certainly haven't, because I'm really responsible with my money. Has anybody ever had this where it says available balance is $500, but it says that your account balance is $800? You're like, how in the heck can I have two separate balances in my account? How is this possible? This is because of when the check card switched over to Visa and MasterCard to accept that logo. They went through an authorization and settlement cycle that they now acquired from the banks. And authorization pretty much means I authorized this money on your account and I hold it on your account, but I don't actually take it out of your account. That's the important thing to remember about authorization and settlement. I'm just gonna hold it. I'm not gonna do anything with it yet.
I'm just making sure, well I can't say that's derogatory, but I'm C-blocking you from actually using that money. So you have that money held, but let's say they don't take it out in a timely manner, let's say a week or two. Well then that money just absorbs away and just disappears and it no longer is held because they can only hold it out of your account for so long before they take it out. So they say, okay, they never took it, maybe they were just kidding, I don't know. And so then they just released the authorization. So now your money comes back available to you. So you're like, wow, they forgot to charge me. How cool is that? I'm gonna go pick me up a new pair of pants. I don't know, I'm gonna go get some pantalones and all that fun stuff. And so then they go, oh, we forgot to charge them. Oh my goodness, close that terminal. And then they charge you and then what happens? You overdraw, you incur bank fees and all that stuff. Why are you irresponsible? Although they were, well, we're still gonna charge you. So that's how that comes into play because of this authorization and settlement thing. And this has happened since the beginning of credit cards and it's like a very bad process and it's impossible to get rid of because it's just so thick in this. So we just kind of went through that whole thing right here. So we're gonna go on to the next slide. Data storage. So there's a lot of grab-ass going on with your personal data, especially by MasterCard. What they like to do is do a lot of data mining. If you guys ever subscribed to Network Security Magazine or Networking Magazine, one of those CMP press ones that's just like, here's a whole bunch of ads and fluff and one good article every month. Sorry to CMP if you're out there. So they actually had a really great article about MasterCard and everything and after reading it, I had to like go dive in and call them and see if this was true. 
And they have like terabytes upon terabytes upon terabytes of every single transaction that you ever did stored at MasterCard International. Even though it's going to the issuing bank, we kind of talk briefly about that backend processors. Who are those backend processors? Well, MasterCard is just this entity. They're just on paper. They don't really exist. They don't do anything. They just sell their MasterCard name. Visa just sells its Visa name. Doesn't really do anything. Well, they're like, well, we can still do stuff with it. So MasterCard decided it's going through us anyways and it just goes through us because it has to because we're MasterCard. We might as well store that data and do some data mining. So every single transaction you have ever done in your whole life on a MasterCard starting from 2004 is recorded in their database and it's there for the highest bidder. They can say, hey, what's going on? I want to know more about people who like cheesecake. What else do they like? And they can make correlations. Well, guys who like cheesecake also like to buy lipsticks that vibrate for their wives. How about that? So let's have a special. Let's go down to Deja Vu and have cheesecake and lipstick vibrator day. Oh wow, how did they know? That's just amazing, you know? So if you ever wondered like, wow, how do they really know that I like this and that? It's because they data mine all of your credit cards and they see the trends in everything you do. And this has two good benefits, believe it or not. One of the good benefits is if you're just a guy who just goes to Starbucks every single day and gets a latte every single day and then afterward you pick up the newspaper and a carton of milk from the store and it's just repetitive over and over and then one day you're like, I want 18 Starbucks coffees and I bought a big screen TV. They're gonna be like, oh, wait a minute, that's kind of funny. 
So it does have a benefit there and those of you with the MasterCards actually do get better call responses than some of the other issuing banks that license or card associations that license their name out. So you do get that benefit but mostly it's just for, hey, we wanna sell telemarketers your information, we wanna sell marketing firms your stuff because they gotta do a new commercial this month. So who else holds it? The front end processor we talked about, right? They temporarily hold it but they have to actually hold it for five years for auditing and accounting purposes and accountability. So the front end processor has your information and of course, if you guys were ever like driving across country, because that's always fun, just kind of cruise from Florida to Texas, I don't pick the two obscure states and somewhere in between there, there's this place called Louisiana and you go into the gas station and they don't have a cooler, they have an igloo cooler for their sodas and everything like that and they just got stuff all over the place and you're swiping your card and it's an old terminal and your credit card data is just showing up on all the receipts and they're just stuffing it in a shoebox because they were told to do that but they didn't know that they only had to stuff in a shoebox for two years. So they got 10 years of like, every guy that traveled from Florida to wherever else through Louisiana who just wanted a cola out of their igloo cooler, they got all their credit card information that's sitting there. So they're holding your data. Hotels, auto rental, the worst of the worst because hotels, very high rate for fraud, auto rentals, it's a car, you're gonna break it, that kind of stuff, it's probably no good. So you're running into these two things to where they take a bunch of information from you. 
I need your address, I need your zip code, I need your first born, I need all this other stuff and you're just like, oh my God, they have my address, my full name, it's social security number, I don't know, all this other goofy stuff just for me to check in and that's bundled right there with your credit card. So if I were some guy who's a carter as they're called in the scene, the test scene, right? If I was one of those guys, I would go out and I would probably be going after a hotel or an auto rental, especially one of those podunk ones way out in the middle of Louisiana that has all their stuff sitting in a shoebox along with your full address and everything like that and they can just data mine all their stuff and you'll never know. So there you got some information there and of course your issuing bank also keeps a record of everything. So you got issuing bank, you got the card association, you got the front end processor and you got the merchant. All these people have your information. Is that a good thing? Probably not. Are they changing it? Not in the least bit. But that's just the way things are. Time? Where's my speaker goon guy? He's supposed to tell me. How much? 12 minutes, okay. Oh hey, there you go. We actually are at the questions and answers section so we actually made it in time. We are at the questions and answers section. Hint, hint, nudge, nudge. RFID, RFID, what exactly do you wanna know about RFID? They wanna make money. They really wanna make money, it's all about marketing and money. They want RFID because you have to pay for, you have to have new vendors come in to get the RFID enabled and it's gonna speed up the process. McDonald's wants RFID really, really badly. Why? Because I can sling you a microwave hamburger and get you the hell out of there so I can get somebody else to sling him a microwave hamburger and get him the hell out of there. So it just swipes. So does Walmart, they're working on it. Yes, right there. 
I believe that man has bees on him. Damn scavenger hunt kids. Okay, I'm sorry, you were saying. Well, I can't repeat what you said to everybody else because that's not supposed to be disseminated. So, but yes, he was talking about encryption and stuff like that. We didn't really get into debit cards. I really wish we could. They didn't have enough room for a two hour because we can talk about DUKPT. By the way, DUKPT and all that fun stuff is the encryption used for debit PIN card. So if you know how to crack that one, which is super easy, it's like a one way. You can get people's PIN numbers flying across the line. Yes sir, I cannot give you a concrete answer personally but I would assume so. Oh, for sure. Personally, that would be a much easier way to data mine because it takes time for, the question was do they data mine PIN cards and debit cards? And I'd probably say yes. I'm not gonna say yes, but probably yes because as soon as you swipe, it doesn't say this was at some place somewhere and we'll tell you later where it was. It says right away, he bought cookies at an AMPM, like right away. So it's actually more data in that because it's a newer technology that they can add more data. So I would believe that that would be the juicy nugget, so-called that they would really want. Anybody else that doesn't have bee problems? That gentleman right back there, it's similar and easier. The Mobil, the question was the easy pay is the new ones that coming out from RFID in general and Chase has been promoting theirs. Is it anything like the easy pay that's promoted by Mobil? It's not exactly like it but it's actually easier because the Mobil one actually has like strong encryption that was like Texas Instruments proprietary till those cats over at the university broke it. But this one is not even proprietary. If I'm, don't remember it off the top of my head because it put me on the spot there but it would be the equivalent of like ROT13. 
It's like almost embarrassing. Yeah, so. Actually, if you wanna do some more driving fun with gas stations and stuff like that, which I would not promote. But if on the off chance you wanted to do something like that all the Terrible Herbst here in town use radio frequencies to throw all those LCD video onto those screens and it's push not pull. So if he does push data to what you can push, you know, goat see onto all the screens and then we'd get a crack out of that. I gotta give my friend Ripschy here a shout out. He's the one that actually wardrove that one and found all that. Yes sir. Actually, no. We actually had a hard enough time to actually get to the laptop because we screwed up with some a lot of stuff organizing, getting here. Like dropping off cars and picking new ones up and it was in it. And we didn't get the program on here. That actually, I can swipe it and you can see it but then you'd all see my credit card that's still active. And that wouldn't be fun. If you have a canceled credit card I would be more than happy. Thank you, this is a team player right here. And now, a dingo ate her baby. All right, dance, scavenger, hunt kids, I tell you what. Awesome. So okay, if you guys just noticed up on the screen I just opened up, how are we doing on time? He doesn't know. Six minutes, all right. If you noticed, I just opened up a notepad, notepad. Nothing special. Hell, I can make a new file and just like rename it and then swipe my card. So we're just gonna swipe this really quick and see what happens. And somehow his name is not there. Is this like ghost card or something killer? I don't know if your corporate would like that too much. Okay, so your name didn't pop up. At the very beginning there, for whatever reason is it just font issues? Well, we'll try this Vons card as well and show you the differences. All right, there's that Vons card. 
Well, at the very beginning the first one you see there and we probably should do this for you people with the Coke bottle glasses. Okay, I'm just kidding. All right, let's do 36. That's good enough. So we can kind of see this discretionary data and I'll go through this. If we notice right here, right? It is not an expired card. Oh, it's canceled, okay. If we notice we talked before about how they reverse them so can everybody shout out what the expiration date is? Oh, that's right, February 2007. And then what did we say was the next three digits? March, I know my Valentine's Day. I get suckered every time. I thought it was the third month. Come on, give me some slack. March, March 2007. Okay, so then what did we say was the next three digits? Country code and 101 is? US don't ask me to call anything else. And then here's all this discretionary data. It's just a bunch of zeros and then there's that five, six, four, zero, whatever. And then you see there's the question mark. That's actually, good thing we swiped this because I left out that delimiter. Question mark means end of track one. Then you have the semicolon. Then once again, you have the credit card number in full equals 0703, which is backwards, just as we said, 101, international code. And look, the discretionary data is exactly the same. And then question mark to say it's done. And then the next one is a Vons card. As you can see, private label cards and stuff and fun stuff to get discounts on stuff that it should already be that cheap has its own format and everything. So that's your swipe code. And once again, let me remind you, if you go to the Hackajar eBay sale for 35, no, I'm just kidding, I don't have one. For like 35 to $40, you can get these online. Believe it or not, the PS/2 ones are more expensive than the USBs. I used the, excuse me, I used PS/2 ones because they're universal, 'cause 
everything, you don't have to deal with USB drivers or stuff that thinks it needs drivers but doesn't really need drivers and all that. So that's why they're a little bit more expensive and they're also harder to find. So are we done? Are we got more time? We've got a couple more questions, maybe? Time check? Time check? Four minutes. Yes, sir. The one-time virtual cards, do they recycle their numbers? The numbers, one thing we didn't get into and we should probably cover that real fast for all you guys, they're team players that stuck around. Luhn mod 10 check. It's pretty much just barcodes, UPC codes. You put the number through an algorithm and if it returns one, then that means that it's valid if it doesn't, it's not. Luhn mod 10 is the algorithm they use to verify the cards. So it's very possible, it's just like MD5, you're gonna have some collisions. It's very possible that you go through so many cards and that have to conform to this Luhn mod 10 that you're gonna run into it again. It's not too much of an issue right now because there's so many combinations but when those things get really popular it might be an issue for those individual banks for carded cards colliding when you have virtual cards. And I think we can do one more question and then that way we can get everybody out. So there's some guy waving like a banshee back there. I think it's a girl actually. The CISP, C-I-S-S, or C-I-S-P, the Card Holder Information Security Program. That's nothing like the Cubics Information Security stuff. CISP, it was created by Visa and it sucks. Hands down, they have what's called the Dirty Digital Dozen and it's stuff like, you have to conform to this in order to authorize credit cards in an internet world or in a brick and mortar to internet authorization world. And they're like stuff like, do you have a firewall? Does everybody log in with their own account? And so it's like, well thank you, Captain Obvious. 
But they certify these independent auditors and no offense to you guys because it's good money for you, I know. They certify these independent auditors to go out and be CISP certified auditors that charge 25,000 to 40,000 per site just to say, yep, you have a firewall. Yep, you have limited access. Yep, you have individual account names. Great, you're certified. Give us $25,000 and you gotta do this every year. In some cases. So I think it sucks, I think they're just using it as another way to grab money and not using what it's supposed to be used for to secure credit cards, to make sure our transactions are safe, all that fun stuff. And I believe that's the last question we're gonna have unless you're like, no, no, what about that last thing, anybody? The who's? The bees? These scavenger hunt guys, man, I tell you what. You know, they just go nuts. All right, well thank you so much guys for your patience and everything. And I appreciate everything you've done.