Combine fast-food chains, a staple of American culture, with the country’s long-standing tradition of drive-ins and you’ve got one of the biggest food franchises in the US: Sonic Drive-in, with more than 3,500 locations all over the US, serving millions of customers each day. Now throw an outdated credit card system into the mix and you get one of the biggest data breaches of 2017.
Let’s see how such a breach was possible and what happens to all of these stolen credit cards.
What happened
The breach was discovered back in September when Brian Krebs, an investigative reporter specializing in cybersecurity, received information that several banks had reported unusual transactions from credit cards that had previously been used at, you guessed it, Sonic Drive-ins.
Krebs then linked these transactions to the “Firetigerrr breach”, a giant batch of about 5 million credit card accounts being sold on a very prominent credit card black market called Joker’s Stash. Further investigation showed that accounts purchased from the Firetigerrr breach had indeed been previously used at Sonic Drive-in, all but confirming that Sonic had been the victim of a hack.
Upon being contacted by the investigator, Sonic officials gave him the following statement:
“Our credit card processor informed us last week of unusual activity regarding credit cards used at SONIC. The security of our guests’ information is very important to SONIC. We are working to understand the nature and scope of this issue, as we know how important this is to our guests. We immediately engaged third-party forensic experts and law enforcement when we heard from our processor. While law enforcement limits the information we can share, we will communicate additional information as we are able.”
The statement confirmed once and for all the expert’s hypothesis.
This is not the first time a credit card breach of that scale has been discovered. Back in 2014, records for more than 40,000,000 credit cards were stolen from Target, the second-biggest discount store retailer, and sold on the black market.
While the Sonic Hack is too recent for us to be a hundred percent sure, experts believe that this is how this sort of hack goes:
- The store’s point-of-sale (POS) systems were remotely hacked into and stuffed with malicious software that disguised itself as the software that handles transactions.
- This software then gathered the information contained in the magnetic strip of each credit card and sent it to the hacker.
- This information could then be used by the hacker to make a clone of the card and then sell it.
Although this method of hacking is mostly rendered moot by the widespread use of chip cards in Europe, magnetic strips are still widely used in the US, where the card data on the strip is unencrypted, making it easy to get the credit card information once a point-of-sale system has been hacked.
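The scraping step described above is also where a defender can catch the stolen data in flight: track data has no business appearing in a POS host’s outbound traffic, process memory or logs. The following is an added example, not code from the original article or from any vendor. It scans a blob for the ISO/IEC 7813 Track 2 layout that the malware harvests, discards digit runs that fail the Luhn check to cut false positives, and reports each hit with the card number masked. The sample HTTP body, the host name and the 4111111111111111 test card number are all constructed; the reading of the service code’s first digit (2 or 6 meaning a chip should have been used) follows the ISO 7813 convention.

```python
"""Scan for unencrypted magnetic-stripe Track 2 data where it does not belong.

POS RAM scrapers of the kind described above harvest card track data in
the clear and ship it out. A defender can search egress traffic, process
memory or logs for the ISO/IEC 7813 Track 2 layout and alert on it.
Added example; not code from the original article. All sample data is constructed.
"""
import re
from typing import Dict, List

# ISO/IEC 7813 Track 2: start sentinel ';', PAN of 13-19 digits, separator '=',
# expiry YYMM, 3-digit service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)

# Constructed sample of an outbound HTTP body, as a scraper might post it.
# 4111111111111111 is a well-known test PAN; the other two fail Luhn on purpose.
SAMPLE_EGRESS = (
    "POST /upload HTTP/1.1\r\nHost: collector.invalid\r\n\r\n"
    "id=7&d=;4111111111111111=2512201123456789?"
    ";4111111111111112=2512201000?"
    ";1234567890123=2512201?"
)


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits so the alert itself never re-exposes the card."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track2(blob: str) -> List[Dict[str, object]]:
    """Return one record per Luhn-valid Track 2 string found in blob."""
    hits: List[Dict[str, object]] = []
    for m in TRACK2_RE.finditer(blob):
        pan = m.group("pan")
        if not luhn_valid(pan):
            continue            # random digit runs rarely pass Luhn; cuts false positives
        svc = m.group("svc")
        hits.append({
            "offset": m.start(),
            "pan_masked": mask_pan(pan),
            "expiry_yymm": m.group("exp"),
            "service_code": svc,
            # ISO 7813 service code, first digit 2 or 6: a chip should be used
            # where possible, so this card was swiped despite having a chip.
            "chip_capable": svc[0] in "26",
        })
    return hits


if __name__ == "__main__":
    for hit in find_track2(SAMPLE_EGRESS):
        print(hit)
```

A Track-2-shaped, Luhn-valid string leaving a POS host is a high-signal event, and the masking keeps the alert itself from becoming another copy of the card data. The `chip_capable` flag records the fallback weakness the article returns to later: a chip card swiped on its magnetic strip leaks exactly the same data as a strip-only card.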
Carding, all the kids do it
There are many carding websites and forums out there whose whole business is acquiring and selling stolen credit card data, a practice known as carding.
Joker’s Stash is one of them. It can be accessed from the Clear Net, i.e. found with a simple Google search, but in order to view and purchase anything you need an invite code. To get one of these codes, you have to be a member of a carding forum and earn enough trust to be given one, or you can buy one online, but be careful of scams!
What Joker’s Stash sells are huge data dumps containing credit card information. The eponymous Joker claims to have stolen the information himself, and the dumps can easily be deciphered to get all of the victim’s details. To pay for one or many of these credit cards, the buyer has to use the famous cryptocurrency, Bitcoin.
The price of credit card account data depends on a lot of factors, including:
- Credit card type: Mastercard, Visa, etc., which can have different security options.
- Credit limit: a bigger one will allow the thief to buy more stuff with it.
- Bank of origin: some banks are more lax than others.
- Freshness of the batch, since an older batch is more likely to have been used more often. The more the batch is used, the more the fraudulent transactions can alert financial institutions, which might cancel these credit cards.
If that happens, Joker’s Stash and most other carding websites have a refund policy: a card purchased less than 3 hours ago that has been canceled or doesn’t work can be refunded.
Where it gets interesting is that the website is based on a “loyalty” system: people who buy the most cards and ask for the fewest refunds gain access to discounts. For big spenders, it becomes possible to buy batches in early access and to get personalized domain names that are routed through the Tor network, which helps anonymize the premium user’s internet traffic.
This clever system encourages users not to ask for refunds so that they can access fresher, more lucrative batches in the future.
Buying stolen credit cards
Let’s have a look at what you can buy on this kind of website.
What you actually buy is the content of the data stored in the credit card’s magnetic strip. This content, called a dump, is a string of letters and numbers that can easily be deciphered to get the victim’s information: card number, verification code, expiration date, first and last name…
It is possible to use a cloning machine to write this data onto a blank magnetic card, but this technique requires specific hardware and can now easily be recognized as fraudulent by most stores.
This is why most people just use this information to buy stuff online.
Safety measures
Before buying anything, it is recommended to take safety precautions, such as using a VPN or a proxy protocol like SOCKS to hide your IP address, but also to make it look like you live in the same area as your victim. Some users also use RDP, Remote Desktop Protocol, a tool that allows you to connect to another computer, thus making it look like your transactions are made from this person’s computer.
It is important to pick a shopping website that doesn’t ask for too much information, and preferably one that doesn’t use secure purchase protocols such as “Verified by Visa”, even though that one can be bypassed using some of the victim’s information, like their date of birth for instance. You then have to register, using the victim’s ID and a fake email address.
Another key element to take into account is, as they call it, the drop address: the address where your illegally bought object is shipped. It is obviously strongly advised not to fill in your own address, but a remote one that would be hard to trace back to you. Some carders go as far as to wait for a delivery man to call them and then tell them to go to a different address.
It is then advised to buy something small and inexpensive to test whether your stolen credit card really works.
Now, you’re all set, you can go wild and buy whatever you want, until somebody notices something and the card gets cancelled. Then just purchase another card and start again.
Before we go
While writing this article, we realized how easy it was for anyone to gather enough information to start carding on their own: read about it, take safety precautions, hang around a forum for some time until someone trusts you enough to give you an access code, and then go to town.
Harvesting the data from magnetic strip cards can be pretty easy, since the information on them isn’t even encrypted. Plus, cards with microchips can also be read through their magnetic strips in countries still using this system, such as the United States.
But don’t start thinking the microchip system is flawless. Researchers proved that even a chip-based credit card could end up on websites like Joker’s Stash. No system will ever be a hundred percent safe, so if one day your credit card appears to have been compromised, just accept this reality and move on (and cancel it).
Written by Antoine Chwat & Hugo G.
If you want to go deeper:
More thorough retellings of the Sonic and Target Hacks
Infos on carding websites
Carding tutorials