What is 3-D Secure and how does it prevent carding? (Detailed explanation of Verified by Visa, MasterCard SecureCode, their impact on transactions)

For educational purposes, I will explain what 3-D Secure is and how it works in the context of carding prevention, covering the technical, operational and practical aspects: Verified by Visa, MasterCard SecureCode (Identity Check), their evolution, their impact on the online transaction ecosystem, and their limitations. I will also explain how carders try to circumvent this protocol and why it remains an effective protection tool.

What is carding?

Carding is a type of cyber fraud in which criminals use stolen payment card data (card number, expiration date, CVV code, sometimes the owner's name) to make unauthorized transactions, most often on the Internet. The main methods of carding include:
  • Purchasing goods: Fraudsters purchase goods or services (e.g. electronics, digital products) from sites that do not require strong authentication.
  • Card Testing: Carders use stolen data to test its validity through small transactions.
  • Chargeback Scams: After a purchase, scammers may attempt to get a refund by claiming the transaction was unauthorized, creating losses for the merchant.
  • Mass automation: Using bots to test large numbers of stolen cards on sites with poor security.

Carding becomes possible once card data has been obtained through phishing, skimming, database breaches, darknet shops or other illegal means. 3-D Secure was developed in response to this threat, to minimize the risk for all participants in the payment ecosystem.

What is 3-D Secure?

3-D Secure (Three-Domain Secure) is a security protocol designed to protect online payment card transactions. It was first introduced by Visa in 2001 under the Verified by Visa (VbV) brand and later adopted by MasterCard as MasterCard SecureCode (later renamed Identity Check). Other payment systems, such as American Express (SafeKey) and JCB (J/Secure), use similar implementations.

The name "3-D" reflects the three domains involved in the transaction process:
  1. Issuer domain - the bank that issued the card (responsible for cardholder authentication).
  2. Acquirer domain - the bank that services the merchant (processes payments on behalf of the merchant).
  3. Interoperability domain - the payment system's infrastructure (Visa, MasterCard, etc.), which coordinates the exchange between the issuer, the acquirer and the merchant.

The main purpose of 3-D Secure is to apply two-factor authentication (2FA) to the cardholder, confirming that the transaction is being made by the legitimate owner and not by a fraudster.

How does 3-D Secure work in the context of carding?

3-D Secure adds an extra layer of cardholder identity verification, making carding significantly more difficult. Here is a step-by-step process of how the protocol works:

1. Transaction initiation

  • The buyer enters the card details (number, expiration date, CVV code) on the seller’s website.
  • The seller transfers data to the acquiring bank through a payment gateway, which connects to the payment system (Visa, MasterCard, etc.).

2. Checking participation in 3-D Secure

  • The payment system checks whether the card and the issuing bank support the 3-D Secure protocol.
  • If the card or bank does not participate in the program, the transaction may be processed without additional authentication, which increases the risk of carding.
  • If support is available, the transaction is forwarded to the issuing bank's authentication server.

3. Cardholder authentication

  • The buyer is redirected to a secure page of the issuing bank (usually via an iframe, pop-up window or redirect).
  • The bank requests verification of identity using one or more methods:
    • One-time password (OTP): Sent to the registered phone number or to the bank's mobile application.
    • Biometric authentication: Fingerprint, face or voice recognition via mobile device.
    • Push notifications: Confirmation via the bank application.
    • Static Password (legacy method): A permanent password that the user set when registering with 3-D Secure (rarely used due to low security).
    • Additional checks: Answering a secret question, entering the code from the token or other methods depending on the bank.
  • This step is critical to preventing carding, as the fraudster, even with the card details, usually does not have access to the cardholder's phone, biometrics, or app.

4. Confirmation of transaction

  • After successful authentication, the issuing bank generates a unique code:
    • For Visa: CAVV (Cardholder Authentication Verification Value).
    • For MasterCard: AAV (Accountholder Authentication Value).
  • This code is passed to the merchant and the acquiring bank, confirming that the cardholder has been verified.
  • The transaction is completed and responsibility for fraud-related chargebacks shifts to the issuing bank (liability shift).

5. Handling a failed authentication

  • If authentication fails (incorrect password, no response to OTP, suspicious behavior), the issuing bank rejects the transaction.
  • The merchant receives a rejection notification and the fraudulent carding attempt is stopped.
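The five steps above as an added, runnable simulation; this is illustrative code written for this explanation, not the protocol's reference implementation or any bank's software. The directory server, ACS, issuer and the cardholder's phone are all stand-ins, the BIN, key and amounts are constructed, and the CAVV is modelled as an HMAC bound to the transaction (an assumption about the binding, not the scheme's actual CAVV algorithm):

```python
import hashlib, hmac, secrets

# Constructed demo data (not real issuer material): a fake CAVV key, one enrolled BIN,
# and a dict standing in for the cardholder's phone (pan -> OTP delivered by the ACS).
ISSUER_KEY = b"demo-issuer-cavv-key"
ENROLLED_BINS = {"411111"}
CARDHOLDER_PHONE = {}

def directory_is_enrolled(pan):
    # Step 2: the scheme directory checks whether the card's issuer supports 3DS.
    return pan[:6] in ENROLLED_BINS

def acs_start_challenge(pan):
    # Step 3: the ACS sends a one-time code to the registered device only; the merchant never sees it.
    CARDHOLDER_PHONE[pan] = f"{secrets.randbelow(10**6):06d}"

def _cavv(pan, tx):
    # CAVV modelled as an HMAC over the transaction (an assumption, not the real algorithm).
    msg = f"{pan}|{tx['amount']}|{tx['merchant']}|{tx['tx_id']}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def acs_verify_challenge(pan, otp, tx):
    # Steps 3-5: wrong or missing OTP -> authentication fails and no CAVV is issued.
    expected = CARDHOLDER_PHONE.pop(pan, None)
    if expected is None or not hmac.compare_digest(expected, otp):
        return {"status": "N"}
    return {"status": "Y", "cavv": _cavv(pan, tx)}

def issuer_authorize(pan, tx, cavv):
    # Authorization: no CAVV -> approved but the merchant keeps chargeback liability;
    # valid CAVV -> liability shift; CAVV that does not match this transaction -> decline.
    if cavv is None:
        return {"approved": True, "liability_shift": False}
    if not hmac.compare_digest(_cavv(pan, tx), cavv):
        return {"approved": False, "liability_shift": False}
    return {"approved": True, "liability_shift": True}

def checkout(pan, amount, merchant, answer_challenge):
    # Step 1 onward from the merchant side; answer_challenge(pan) plays the person at the
    # keyboard and is asked for the OTP when the ACS challenges.
    tx = {"amount": amount, "merchant": merchant, "tx_id": secrets.token_hex(4)}
    cavv = None
    if directory_is_enrolled(pan):
        acs_start_challenge(pan)
        result = acs_verify_challenge(pan, answer_challenge(pan), tx)
        if result["status"] != "Y":
            return {"approved": False, "liability_shift": False}
        cavv = result["cavv"]
    return issuer_authorize(pan, tx, cavv)
```

The legitimate cardholder answers by reading their own phone (`lambda pan: CARDHOLDER_PHONE[pan]`); anyone holding only the card data has nothing to read and the authentication fails before a CAVV exists.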

Evolution of 3-D Secure: From 1.0 to EMV 3DS 2.0

To understand the effectiveness of 3-D Secure in the fight against carding, it is important to consider its evolution:

3-D Secure 1.0 (2001–2016)

  • The first version of the protocol, implemented by Visa and MasterCard.
  • Basic authentication methods:
    • Static passwords (the cardholder created the password during registration).
    • Redirection to the bank page to enter data.
  • Problems:
    • Poor user experience: mandatory redirection and password entry for every transaction.
    • High abandonment rate due to complex process.
    • Vulnerabilities: Static passwords could be compromised through phishing or social engineering.
    • Limited support for mobile devices.
  • Impact on carding: 3-D Secure 1.0 made carding much more difficult, as scammers needed access to the password. However, phishing and weak protection of static passwords allowed the system to be bypassed in some cases.

EMV 3DS 2.0 (2016–present)

  • The second version of the protocol, developed by the EMVCo consortium (includes Visa, MasterCard, Amex, etc.).
  • Main improvements:
    • Seamless authentication (Risk-Based Authentication, RBA): The bank analyzes up to 100 additional parameters (IP address, device, geolocation, transaction history) and decides whether additional verification is required. Low-risk transactions are processed without entering a password.
    • Biometrics support: Use fingerprints, face recognition or voice recognition via mobile devices.
    • Integration with mobile applications: Push notifications and authentication via banking applications.
    • Improved user experience: Fewer redirects, faster processing.
    • PSD2/SCA compliance: In the EU, 3DS 2.0 is mandatory for most online transactions under the Strong Customer Authentication (SCA) requirements of the PSD2 directive.
  • Impact on carding:
    • Makes attacks much more difficult as OTP and biometrics require physical access to the card owner's device.
    • Reduces the likelihood of successful phishing, since static passwords are almost never used.
    • Reduces automated attacks as bots cannot interact with biometric verification or push notifications.

How does 3-D Secure prevent carding?

3-D Secure effectively combats carding thanks to the following mechanisms:

1. Two-factor authentication (2FA)

  • Carding is usually based on the use of stolen card data (number, CVV, expiration date). 3-D Secure requires a second factor that the fraudster cannot easily obtain:
    • Something the user knows (password, answer to a security question).
    • Something the user has (phone for OTP, mobile app).
    • Something that the user is (biometrics: fingerprint, face).
  • Example: Even if a carder stole the card details through a skimmer, he will not be able to complete the transaction because the OTP is sent to the owner's phone.

2. Liability Shift

  • If a transaction is confirmed via 3-D Secure, the responsibility for fraudulent chargebacks is shifted from the merchant to the issuing bank. This motivates merchants to implement 3-D Secure, as they are protected from financial losses due to carding.
  • Without 3-D Secure, the merchant suffers losses if the cardholder disputes the transaction.

3. Making automated attacks more complex

  • Carders often use bots for mass testing of stolen cards (carding bots). 3-D Secure requires interactive confirmation (entering OTP, biometrics), which makes automation almost impossible.
  • Even if a bot bypasses the initial checks, it cannot emulate biometric authentication or access to the owner's phone.

4. Risk Analysis (Risk-Based Authentication)

  • In EMV 3DS 2.0, banks analyze many transaction parameters (device, geolocation, amount, purchase history). If a transaction looks suspicious (for example, a purchase from another country), the bank requests additional authentication, which prevents carding attempts.
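An added toy version of the risk-based decision described here and in the EMV 3DS 2.0 improvements above; it is illustrative code for this explanation, not any issuer's actual engine. The signal names, weights and thresholds are constructed assumptions:

```python
from dataclasses import dataclass

@dataclass
class TxSignals:
    # Constructed subset of the context an EMV 3DS 2.0 ACS sees for one authentication
    # request; real 3DS2 messages carry many more fields and these names are illustrative.
    amount: float
    avg_amount_90d: float           # cardholder's typical ticket size
    device_known: bool              # device/browser fingerprint seen before for this card
    ip_country: str
    billing_country: str
    merchant_seen_before: bool
    auth_attempts_last_hour: int    # velocity on this card across all merchants

def score_risk(s):
    # Each rule adds weight and a human-readable reason; weights are illustrative.
    score, reasons = 0, []
    if not s.device_known:
        score += 30
        reasons.append("unknown device")
    if s.ip_country != s.billing_country:
        score += 35
        reasons.append(f"IP country {s.ip_country} differs from billing country {s.billing_country}")
    if s.amount > 3 * s.avg_amount_90d:
        score += 20
        reasons.append("amount far above cardholder's usual spend")
    if not s.merchant_seen_before:
        score += 10
        reasons.append("first purchase at this merchant")
    if s.auth_attempts_last_hour >= 5:
        score += 50
        reasons.append("burst of authentication attempts (card-testing pattern)")
    return score, reasons

def decide(s, challenge_at=40, decline_at=90):
    # Low risk -> frictionless (no OTP); medium -> step-up challenge; very high -> decline
    # before the challenge, so a bot never even reaches the OTP step.
    score, reasons = score_risk(s)
    if score >= decline_at:
        outcome = "decline"
    elif score >= challenge_at:
        outcome = "challenge"
    else:
        outcome = "frictionless"
    return {"outcome": outcome, "score": score, "reasons": reasons}
```

A regular customer on a known device scores zero and is approved frictionlessly; a purchase from an unfamiliar country on a new device is challenged; a burst of attempts on one card is declined outright.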

5. Compliance with regulatory requirements

  • In regions like the EU, 3-D Secure is mandatory for most online transactions under PSD2/SCA. This means that merchants and banks must implement 3-D Secure, reducing the number of weak points available to carders.

How do carders try to bypass 3-D Secure?

Despite the effectiveness of 3-D Secure, carders have developed methods to bypass the protection. Here are the main approaches and why they often do not work:
  1. OTP Phishing:
    • Fraudsters create fake pages that mimic the 3-D Secure interface in order to intercept one-time passwords.
    • Countermeasures: Modern versions of 3DS 2.0 use secure channels (such as mobile apps) and biometrics, making phishing more difficult. Users are also trained not to enter OTP on suspicious sites.
  2. Social engineering:
    • Carders may call the victim, posing as bank employees, and ask for the OTP.
    • Countermeasures: Banks actively inform customers that OTP is never requested over the phone. Biometrics and push notifications also reduce the effectiveness of such attacks.
  3. Attacks on issuing banks:
    • If a bank uses an outdated version of 3-D Secure (e.g. static passwords), carders may try to compromise them through phishing or hacking.
    • Countermeasures: EMV 3DS 2.0 minimizes the use of static passwords, and banks are required to comply with security standards (e.g. PCI DSS).
  4. Selecting sites without 3-D Secure:
    • Carders look for online stores that do not use 3-D Secure, as such transactions are easier to conduct.
    • Countermeasures: Regulations such as PSD2 make 3-D Secure mandatory in the EU, and large merchants implement it voluntarily to protect themselves against chargebacks.
  5. SIM Swapping:
    • Fraudsters redirect SMS with OTP to their number, deceiving the telecom operator.
    • Countermeasures: Banks are switching to push notifications and biometrics that do not rely on SMS. Telecom operators are also strengthening their protection against SIM Swapping.

The Impact of 3-D Secure on Online Transactions

Positive influence

  1. Reduced carding levels:
    • According to Visa and MasterCard, the implementation of 3-D Secure has reduced fraudulent transactions by 70-80% in regions where the protocol is mandatory.
  2. Seller protection:
    • Liability shift reduces financial risks for sellers, which is especially important for small businesses.
  3. Improving trust:
    • Users feel safer knowing their transactions are protected by two-factor authentication.
  4. Compliance with standards:
    • 3-D Secure helps banks and merchants comply with regulatory requirements such as PSD2 in the EU.
  5. Improved User Experience (in 3DS 2.0):
    • Seamless authentication and biometrics reduce the time it takes to confirm a transaction, reducing purchase abandonment.

Negative influence

  1. Complicating the payment process:
    • In version 1.0, mandatory redirection and password entry resulted in purchase abandonment (up to 20% in some studies).
    • Even in 3DS 2.0, OTP delays or mobile signal issues can be annoying for users.
  2. Uneven support:
    • Not all banks and merchants have implemented 3DS 2.0, which creates vulnerabilities for carders.
    • In some countries (such as emerging markets), 3-D Secure is used less frequently.
  3. Technical failures:
    • Problems with OTP delivery or incorrect operation of authentication servers may block legitimate transactions.
  4. Limited protection against other threats:
    • 3-D Secure does not protect against phishing, account hacking, or data theft before the card is entered.

Practical examples

  1. Successful protection against carding:
    • A carder buys electronics from a website using stolen card details. The website requires 3-D Secure, and the bank sends an OTP to the cardholder's phone. The fraudster cannot complete the transaction because he does not have access to the phone.
  2. Attempted bypass via phishing:
    • The carder creates a fake website that mimics a 3-D Secure page. The user enters the OTP, but the bank notices suspicious activity (such as an IP address mismatch) and rejects the transaction.
  3. Seamless authentication:
    • The customer regularly purchases from Amazon. 3DS 2.0 analyzes the transaction history and the device, determines low risk, and approves the payment without entering the OTP.

Limitations and Prospects

Limitations of 3-D Secure

  • Not 100% secure: Carders can use social engineering or bypass the system on sites without 3-D Secure.
  • User Dependency: If the cardholder carelessly transmits the OTP or becomes a victim of phishing, the protection will not work.
  • Technical Barriers: OTP delivery issues or incompatibility with some devices may block transactions.

Prospects

  • Widespread adoption of 3DS 2.0: Regulations such as PSD2 make the protocol mandatory, reducing the number of vulnerable transactions.
  • Integration with new technologies: Using artificial intelligence to analyze risks and biometric data.
  • Global Standardization: Expanding 3-D Secure into emerging markets to create a single security standard.

Conclusion

3-D Secure (Verified by Visa, MasterCard SecureCode/Identity Check) is a powerful anti-carding tool that uses two-factor authentication to protect online transactions. It effectively complicates fraudulent transactions, shifts the responsibility for losses to issuing banks, and complies with modern security standards such as PSD2. The evolution of the protocol (EMV 3DS 2.0) has made it more user-friendly thanks to seamless authentication and biometrics, while maintaining a high degree of security. However, carders continue to look for ways to bypass it, such as phishing or attacks on legacy systems, which highlights the importance of a comprehensive approach to security (user education, infrastructure upgrades, implementation of new technologies).

If you want to dive deeper into specific aspects (e.g. technical details of the protocol, code samples for 3-D Secure integration, or analysis of specific carder attacks), write me and I will continue the analysis!
 