How do scammers test stolen card data? (Carding enumeration methods, using microtransactions, bypassing monitoring systems)

Student

Carding is a type of fraud that involves using stolen bank card data to make unauthorized transactions or sell it on the black market. To successfully card, fraudsters must ensure that the stolen data is valid and can be used. Card testing is a key step, which includes carding enumeration methods, the use of microtransactions, and bypassing monitoring systems. For educational purposes, I will discuss these aspects in detail, describing how fraudsters operate, the technologies and approaches they use, as well as the risks and countermeasures that exist.

1. Carding Enumeration

What is it? Carding enumeration is the mass checking of stolen card data (card number, expiration date, CVV code, sometimes the owner's name) for validity. The goal is to filter active cards from inactive ones in order to use them for fraudulent transactions or sell them on the black market.

Methods and techniques:
  • Direct testing on websites: Fraudsters enter card details on websites of online stores, payment gateways or subscription services. They choose platforms with a low level of protection, such as sites without 3D-Secure (additional authentication via SMS or password). Examples: small online stores, donation platforms or services with trial subscriptions.
    • Example: A fraudster enters card details on a website that accepts payments without CVV or 3D-Secure verification. If the transaction goes through, the card is considered valid.
  • Automation with bots: For mass testing, automated tools are used - bots or scripts that send authorization requests through the API of payment systems or sites. Such programs can check thousands of cards in minutes.
    • Technical aspect: Bots emulate the behavior of a real user by sending HTTP requests with card data through payment gateways (e.g. Stripe, PayPal). They can use proxy servers to hide the IP address and avoid blocking.
  • Balance check: Fraudsters may use services that allow you to check your card balance without making a full transaction. For example, some payment systems make a pre-auth request, which confirms the availability of funds but does not write them off.
    • Example: Registration on a site where card verification requires authorization for 0.01 USD, which is then cancelled.
  • Using fake websites: Fraudsters create or use compromised websites that look legitimate but are actually used to test cards. Such websites may not send data to the bank or raise suspicions in monitoring systems.
    • Example: A phishing site disguised as an online store accepts card details and returns a successful result if the card is valid.

Risks for fraudsters:
  • Bank monitoring systems may notice mass requests from one IP or device.
  • The card may be blocked after several unsuccessful attempts to enter data.
  • Law enforcement agencies can track fake websites.

2. Use of microtransactions

What is it? Microtransactions are small payments (usually between $0.01 and $5) that fraudsters make to verify a card. They minimize the risk of detection, as small amounts rarely arouse suspicion among banks or cardholders.

Methods and techniques:
  • Donations to charity: Charity platforms often have weak checks, as they assume that users are acting in good faith. Scammers make small donations to check whether the card is active.
    • Example: A $1 donation on a crowdfunding site that does not require 3D-Secure.
  • Trial subscriptions to services: Many streaming platforms, cloud services or gaming sites charge a symbolic amount to verify the card upon registration. Fraudsters use such services for mass testing.
    • Example: Signing up for Netflix or Spotify with a trial period where $1 is charged and then refunded.
  • Reversing transactions: After a successful microtransaction, scammers can reverse the payment (if the site allows it) or request a refund to avoid leaving a trace. This helps avoid the attention of the cardholder.
    • Example: Purchase of a digital product with subsequent return via website support.
  • Mass distribution of transactions: Fraudsters distribute microtransactions across multiple sites and platforms to avoid exceeding suspicious activity limits. For example, one card is tested on 10 different sites with transactions of 0.50 USD.
    • Technical aspect: Proxy server pools and virtual machines are used to emulate different users.

Benefits for scammers:
  • Microtransactions rarely attract the attention of monitoring systems, as they look like regular purchases.
  • Cardholders may not notice small charges or mistake them for an error.
  • Such transactions often do not require 3D-Secure, especially on international sites.

Risks for fraudsters:
  • Some banks automatically block cards after several microtransactions from different sites.
  • Payment systems may mark a card as suspicious if it is used on sites with a high level of fraud.

3. Bypassing monitoring systems

What is it? Banks and payment systems use sophisticated fraud detection systems (FDS) that analyze transactions by many parameters: geolocation, device, amount, frequency of transactions, etc. Fraudsters develop methods to bypass these systems and make their actions invisible.

Methods and techniques:
  • Disguising transactions as legitimate: Fraudsters collect information about the cardholder's behavior (geolocation, device type, browser, operating system) and adjust their actions to these parameters.
    • Technical aspect: VPNs or proxy servers are used to make the IP address match the region of the card owner. For example, if the card belongs to a person in the US, the fraudster connects via an American VPN.
    • Example: A scammer uses a browser with fake User-Agent headers to emulate a device similar to the one the victim is using.
  • Transaction fragmentation: Instead of one large purchase, scammers break transactions into many smaller transactions that do not exceed the FDS trigger threshold.
    • Example: Instead of a purchase of 500 USD, the fraudster makes 10 transactions of 50 USD on different sites.
  • Using Drops: Fraudsters use fake people (drops) or compromised accounts to make transactions appear to be made by a real user.
    • Example: A dropper registers an Amazon account using stolen card details and makes a purchase, which is then forwarded to the scammer.
  • Bypassing 3D-Secure: 3D-Secure (Verified by Visa, Mastercard SecureCode) requires additional authentication (e.g. SMS code). Fraudsters look for sites that do not use this protection or use social engineering to obtain codes.
    • Example: A fraudster calls the victim, posing as a bank employee, and asks to provide the code from the SMS, supposedly to “restore access”.
  • Time Window Manipulation: Fraudsters conduct tests during periods when monitoring systems are less active, such as at night or during holidays when banks operate in a limited mode.
    • Example: Testing cards at 3:00 am local bank time to minimize the chance of immediate blocking.
  • Using darknet services: There are platforms on the darknet that specialize in testing cards. These services automatically check the data through their gateways and return the result (valid/invalid) for a small fee.
    • Example: A darknet service accepts a list of 1000 cards and returns a report showing active cards and their limits.

Risks for fraudsters:
  • Modern FDSs use machine learning that can detect even complex camouflage patterns.
  • Proxy servers may be marked as suspicious if they are used for fraudulent purposes.
  • Law enforcement agencies are actively monitoring darknet services.

4. Additional aspects of carding

  • Sources of card data: Stolen data is usually obtained through phishing, skimming (devices on ATMs), database leaks, darknet stores (card shops) or payment system hacks. Fraudsters buy "dumps" (full card data) or "CC" (card credentials) for a few dollars per card.
  • Monetization of valid cards: After successful testing, cards can be used for:
    • Purchases of expensive goods (electronics, gift cards).
    • Withdrawal of funds through cryptocurrency exchanges.
    • Black market sales (valid cards are more expensive than unverified ones).
    • Example: Buying an iPhone through Amazon with delivery to a dropshipping address, which then forwards the item to a scammer.
  • Social engineering: Fraudsters may contact the victim to obtain additional data (e.g. 3D-Secure codes). They pose as employees of a bank, payment system or store.
    • Example: A call from a fake bank number asking to "confirm the transaction" via SMS code.

5. Anti-carding measures

For banks and payment systems:
  • FDS Enhancement: Use machine learning to analyze transactions in real time, including geolocation, user behavior, and transaction frequency.
  • Mandatory 3D-Secure: Introduce strong authentication for all online transactions.
  • Limiting data entry attempts: Blocking the card after several unsuccessful attempts to enter the CVV or number.
  • Darknet Monitoring: Track data leaks and carder activity on the darknet.
  • Cooperation with law enforcement agencies: Exchange information on suspicious transactions and sites.

For users:
  • Using virtual cards: Create one-time use cards with a spending limit for online purchases.
  • Enable Notifications: Set up SMS or push notifications for each transaction.
  • Regular statement monitoring: Check your bank statements for suspicious charges, even small ones.
  • Be careful with your data: Do not enter your card details on suspicious websites and do not pass on 3D-Secure codes to third parties.
  • Antivirus and device protection: Regularly update your software and use antivirus software to protect against phishing and malware.

For online stores:
  • Implementation of 3D-Secure and additional checks (e.g. IP address check).
  • Limit the number of attempts to enter card data.
  • Using CAPTCHA to protect against bots.
  • Monitoring suspicious orders (e.g. delivery to an address not associated with the cardholder).

6. Ethical and legal aspects

Carding is a criminal offense in many countries. Fraudsters risk not only having their cards blocked, but also being arrested, especially if their actions are tracked through the darknet or international payment systems. For educational purposes, it is important to understand how such schemes work in order to develop effective protection measures. However, any attempt to reproduce these methods is illegal and can lead to serious consequences.

If you want to go into a specific aspect (for example, technical details of automation or FDS examples), write and I will expand the answer!
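
The monitoring countermeasures from section 5 (limiting attempts, analyzing transaction frequency) as detection logic, in an added example that is not part of the original post. The log schema, rule names, thresholds and sample events are assumptions constructed for illustration; only the $5 microtransaction bound comes from the text above.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Auth:            # assumed authorization-log schema
    ts: int            # seconds since epoch
    src: str           # client IP or device fingerprint
    card: str          # tokenised card fingerprint, never the PAN
    merchant: str
    amount: float
    approved: bool

WINDOW = 600               # assumed 10-minute sliding window
MAX_CARDS_PER_SRC = 5      # assumed limit of distinct cards per source
MAX_DECLINE_RATIO = 0.6    # assumed share of declines that looks abnormal
MICRO = 5.00               # upper bound of a "microtransaction" per the post
MAX_MICRO_MERCHANTS = 3    # assumed limit of merchants per card for small charges

def _slide(q, e):
    """Append e and drop events that fell out of the window."""
    q.append(e)
    while q[0].ts <= e.ts - WINDOW:
        q.popleft()

def detect(events):
    """Return a sorted list of (rule, key) alerts for the event stream."""
    by_src, by_card, alerts = defaultdict(deque), defaultdict(deque), set()
    for e in sorted(events, key=lambda x: x.ts):
        # Merchant side: one source cycling through many cards, mostly declined.
        q = by_src[e.src]
        _slide(q, e)
        declines = sum(not x.approved for x in q)
        if len({x.card for x in q}) > MAX_CARDS_PER_SRC and declines / len(q) >= MAX_DECLINE_RATIO:
            alerts.add(("enumeration", e.src))
        # Issuer side: one card making small charges at many merchants.
        if e.amount <= MICRO:
            c = by_card[e.card]
            _slide(c, e)
            if len({x.merchant for x in c}) > MAX_MICRO_MERCHANTS:
                alerts.add(("micro_spread", e.card))
    return sorted(alerts)

def sample():
    """Constructed events: one noisy source, one card spread over sites, one normal buyer."""
    ev = [Auth(1000 + 20 * i, "203.0.113.7", f"tok{i}", "shop-a", 1.00, i == 6) for i in range(8)]
    ev += [Auth(2000 + 60 * i, f"198.51.100.{i}", "tokX", f"site-{i}", 0.50, True) for i in range(5)]
    ev += [Auth(3000 + 400 * i, "192.0.2.9", "tokY", "shop-a", 42.0, True) for i in range(3)]
    return ev

if __name__ == "__main__":
    print(detect(sample()))
```

The per-card rule catches activity the per-source rule misses when requests arrive from many addresses, which is why both keys are tracked.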
 