A detailed analysis of carder adaptation to the EMV standard for chip cards in 2025–2026

The EMV standard (Europay, Mastercard, Visa), introduced to enhance the security of chip-based payment cards, has radically changed the landscape of card fraud. Chip cards use dynamic cryptography, generating a unique cryptogram (ARQC – Authorization Request Cryptogram) for each transaction, making it impossible to use static magnetic stripe data for counterfeiting. By 2025, more than 95% of card-present (CP) transactions worldwide are conducted through EMV-compatible terminals (according to EMVCo Q4 2025). This has forced carders — fraudsters who specialize in stealing and using bank card data — to adapt, moving from traditional methods to more sophisticated technical and social approaches. Below is a detailed analysis of their adaptation strategies, including technical aspects, tools, regional peculiarities, and implications for the payments ecosystem. This analysis is intended for educational purposes, to illustrate how cybercrime is evolving and what protective measures are needed.

1. Technical adaptation: chip cloning and EMV bypass

Chip cards are protected by cryptographic protocols that generate one-time codes for each transaction. However, carders have developed methods to partially circumvent these measures using specialized software and hardware.

1.1. Chip cloning using EMV Software

  • How it works: Carders use blank smart cards (such as J2A040 or unfused Java cards) to which they write dump data (stolen card data, including tracks 1 and 2, PINs, and cryptographic keys). These cards are programmed with software that simulates the chip's behavior, including generating ARQC to pass verification at the terminal.
  • Tools 2025–2026:
    • X2 EMV Software 2025 (All-in-One Bundle): Popular software on darknet forums (e.g., carder.market, omg). It includes:
      • ARQC Generator: Generates dynamic cryptograms required to authorize a transaction.
      • ATR Tool 7.0: Allows you to connect to banking systems, bypassing ATR (Answer to Reset) checks that banks updated in 2024.
      • CardPeek: Used to analyze and validate chip data.
      • FCR 2.0 (Full Country Records): Updated database to bypass regional restrictions (e.g. checking if the card and terminal region match).
    • Price: $250 to $500 depending on version and vendor. Requires hardware such as the Omnikey 3121 (reader/writer) and MSR605x (for magnetic stripe recording as a backup).
    • Limitations: Older software versions (e.g., X2 2019–2023) stopped working due to banking system updates that require up-to-date keys and algorithms. In 2025, banks implemented more complex checks (e.g., EMV 3-D Secure 2.2), forcing carders to constantly update their tools.
  • Use case: A carder purchases dumps on the darknet (the average price for a chip-equipped dump is $20–$50), programs the blank card using X2 EMV Software, and uses it at an ATM or POS terminal. Success depends on the quality of the dump and the terminal's compatibility with legacy protocols.
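
The issuer-side view of 1.1, as an added example (not part of the original post): every EMV chip transaction carries an Application Transaction Counter (ATC, tag 9F36) that the genuine chip increments, so a second copy in circulation shows up as repeated, regressing or jumping counters. The event layout, card tokens and the `MAX_JUMP` threshold are assumptions made for illustration.

```python
from collections import defaultdict

MAX_JUMP = 50  # assumed tolerance for counters used up offline or by declined attempts

def atc_alerts(events, max_jump=MAX_JUMP):
    """events: iterable of (card_token, atc) in arrival order at the issuer.
    Returns a list of (card_token, atc, reason) for counters that look wrong."""
    last = {}                 # highest ATC accepted so far, per card
    seen = defaultdict(set)   # every ATC already presented, per card
    alerts = []
    for card, atc in events:
        if not 0 <= atc <= 0xFFFF:           # the ATC is a 2-byte counter
            alerts.append((card, atc, "invalid"))
            continue
        if atc in seen[card]:                # same counter presented twice
            alerts.append((card, atc, "replay"))
            continue
        seen[card].add(atc)
        prev = last.get(card)
        if prev is not None and atc < prev:
            # Late offline clearing can also arrive out of order: review, not auto-decline
            alerts.append((card, atc, "regression"))
        elif prev is not None and atc - prev > max_jump:
            alerts.append((card, atc, "jump"))
        last[card] = atc if prev is None else max(prev, atc)
    return alerts

# Constructed sample: tok_A behaves normally, tok_B and tok_C do not.
SAMPLE_EVENTS = [
    ("tok_A", 10), ("tok_A", 11), ("tok_A", 12),
    ("tok_B", 300), ("tok_B", 301), ("tok_B", 301),
    ("tok_B", 120), ("tok_B", 302),
    ("tok_C", 5), ("tok_C", 400),
]

if __name__ == "__main__":
    for alert in atc_alerts(SAMPLE_EVENTS):
        print(alert)
```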

1.2. Shimming

  • How it works: Shimming is the installation of thin electronic devices (shims) into the chip slot of an ATM or POS terminal. The shim reads the chip data (including track data and PIN) during a transaction, transmitting it to carders. Unlike skimming, shimming is more difficult to detect due to the compactness of the devices.
  • Trends 2025–2026:
    • According to FICO (2025), shimming has caused a 20-30% increase in card compromises in regions with incomplete EMV adoption, particularly in the US, where about 10% of terminals still support legacy protocols.
    • Shims are sold on the darknet for $100–$500, often with installation instructions. They are compatible with popular ATM models (e.g., NCR, Diebold).
  • Limitations: Shimming does not allow direct cloning of the chip, as the data is protected by cryptography. However, it is used to collect data that is then used in other attacks (for example, CNP transactions or dump sales).

1.3. Fallback transactions

  • How it works: If the chip can't be read (for example, due to damage or deliberate deactivation), the terminal can fall back to the magnetic stripe (a fallback transaction). Carders use cloned magnetic stripe cards based on stolen dumps for such transactions.
  • Trends 2025–2026:
    • In the US, where the transition to EMV is only partially complete (approximately 90% of terminals by 2025), fallback transactions remain a vulnerability. According to the Federal Reserve (2025), counterfeit fraud using magnetic stripes remains at 15-20% of total cardholder transaction fraud.
    • Carders intentionally damage the chips on counterfeit cards so that terminals switch to the magnetic stripe.
  • Limitations: Banks and payment systems (Visa, Mastercard) are actively reducing fallback support, requiring a full transition to EMV. By 2026, less than 5% of terminals are expected to support magnetic stripes.
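
How an acquirer or issuer can surface the fallback pattern from 1.3 in authorization data, as an added example (not part of the original post). It assumes the feed exposes the ISO 8583 POS entry mode (05 chip read, 90 magnetic stripe, 80 declared fallback) and the track 2 service code, whose first digit 2 or 6 marks a chip card; the record layout and both thresholds are illustrative assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

CHIP_READ, MAGSTRIPE, FALLBACK = "05", "90", "80"   # POS entry mode values

@dataclass
class Auth:
    terminal_id: str
    card_ref: str             # token or PAN suffix, never the full PAN
    entry_mode: str
    service_code: str         # from track 2
    terminal_chip_capable: bool

def classify(tx):
    """Return 'chip', 'fallback' or 'swipe' for one authorization."""
    if tx.entry_mode == CHIP_READ:
        return "chip"
    if tx.entry_mode == FALLBACK:
        return "fallback"
    chip_card = tx.service_code[:1] in ("2", "6")
    if tx.entry_mode == MAGSTRIPE and chip_card and tx.terminal_chip_capable:
        return "fallback"     # undeclared: chip card swiped at a chip terminal
    return "swipe"

def fallback_report(txs, max_ratio=0.05, min_count=3):
    """Return (fallback transactions, terminals with an abnormal fallback rate)."""
    stats = defaultdict(lambda: [0, 0])      # terminal -> [fallbacks, total]
    flagged = []
    for tx in txs:
        stats[tx.terminal_id][1] += 1
        if classify(tx) == "fallback":
            stats[tx.terminal_id][0] += 1
            flagged.append(tx)
    noisy = sorted(t for t, (f, n) in stats.items()
                   if f >= min_count and f / n > max_ratio)
    return flagged, noisy

# Constructed sample: T1 has one isolated fallback, T2 is dominated by them.
SAMPLE = (
    [Auth("T1", f"{i:04d}", CHIP_READ, "201", True) for i in range(9)]
    + [Auth("T1", "1111", FALLBACK, "201", True)]
    + [Auth("T2", f"9{i:03d}", MAGSTRIPE, "201", True) for i in range(3)]
    + [Auth("T2", "9100", FALLBACK, "601", True),
       Auth("T2", "9200", CHIP_READ, "201", True),
       Auth("T2", "9300", MAGSTRIPE, "101", True)]   # stripe-only card
)

if __name__ == "__main__":
    flagged, noisy = fallback_report(SAMPLE)
    print(len(flagged), "fallback transactions; terminals to inspect:", noisy)
```

A single fallback is usually a worn chip; a terminal where fallbacks cluster is the one to send a technician or investigator to.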

2. Shift to CNP (Card-Not-Present) transactions

As EMV made fraud more difficult at physical points of sale, carders switched to online transactions, where chip security is not available.

2.1. Phishing and data theft

  • How it works: Carders use phishing websites, emails, or malware (keyloggers, spyware) to steal card details (number, CVV, expiration date) and online banking credentials. This data is used for online purchases that don't require a physical card.
  • Trends 2025–2026:
    • According to Cybersecurity Ventures (2024), CNP transaction fraud has grown by 47% since 2022, accounting for 78% of total payment fraud ($1.7 trillion in global losses).
    • Popular targets: e-commerce platforms (Amazon, eBay) with weak verification (for example, lack of 3-D Secure).
    • There is a rise in attacks on mobile wallets (Apple Pay, Google Pay) via Account Takeover (ATO), where carders take over accounts using stolen passwords.
  • Tools: Phishing kits are sold on the dark web for $50–$200, including templates for fake bank pages (e.g., Chase, Wells Fargo). Malware such as RedLine or Anubis is used for mass data collection.

2.2. Buying dumps on the darknet

  • How it works: Carders purchase dumps (full card data) on darknet marketplaces. The dumps include data for CNP transactions: card number, CVV, cardholder name, and address.
  • Trends 2025–2026:
    • Dump prices vary: $10–$20 for a magnetic stripe card, $20–$50 for chip card data with a PIN. High-quality dumps (with a high balance or tokenized data) cost up to $100.
    • The rise of tokenized data sales (e.g., Apple Pay tokens) that carders obtain through ATO or mobile device compromise.
  • Limitations: The implementation of EMV Tokenisation (replacing card data with unique tokens) reduces the value of dumps, as tokens are tied to a specific device or platform.

2.3. Using tokenized cards

  • How it works: Carders attempt to circumvent tokenization by hijacking user accounts in mobile wallets or payment systems. This is accomplished through phishing, password theft, or exploitation of app vulnerabilities.
  • Trends 2025–2026:
    • Attacks on mobile wallets have increased by 20% (Thales Group, 2025). Carders use stolen tokens to make purchases in systems where tokenization does not require additional verification.
    • Popular targets: Platforms with single-factor authentication or older versions of 3-D Secure.

3. Hybrid attacks and social engineering

Carders combine technical methods with social engineering to bypass EMV protection.

3.1. Social engineering to obtain a PIN

  • How it works: Carders use phishing calls, SMS, or fake websites to trick users into revealing PINs, 3-D Secure codes, or one-time passwords (OTPs). This data is used for CNP transactions or to authorize counterfeit cards.
  • Trends 2025–2026:
    • According to the Federal Reserve (2025), "lost-or-stolen" fraud (where a card is physically stolen or data is obtained through deception) has increased by 15% since the widespread adoption of EMV.
    • Popular methods include vishing (voice phishing), where scammers pose as bank employees, and smishing (SMS phishing) with fake links to banking portals.
  • Example: A carder calls the victim, posing as a bank security service, and asks them to confirm a transaction, thereby extracting the OTP or PIN.

3.2. Combined attacks

  • How it works: Carders use data collected through shimming or phishing to create counterfeit cards (for CP transactions) or conduct online purchases (CNP). For example, chip data obtained through shimming can be used to create a dump, which is then used in a fallback transaction.
  • Trends 2025–2026:
    • Increased attacks on dual-message systems (where authorization and clearing are separated), which are more vulnerable to counterfeiting (Federal Reserve, 2025).
    • Using malware (such as TrickBot) to steal data, combined with social engineering to obtain additional codes.

4. Regional features

Carder adaptation depends on the level of EMV implementation and regulations in different regions.
  • US: Despite the transition to EMV (approximately 90% of terminals by 2025), vulnerabilities remain due to magnetic stripe support and fallback transactions. Shimming and counterfeit fraud remain a problem, especially at smaller merchants.
  • Europe and Asia: High EMV adoption (95%+ of transactions) has shifted the focus to CNP fraud. European regulations (PSD2, 3-D Secure 2.2) make attacks more difficult, but phishing and ATO are on the rise.
  • Developing countries: In regions with low levels of EMV adoption (e.g., some countries in Africa and Latin America), carders continue to use skimming and magnetic stripe counterfeiting.

5. Carder Tools and Resources

Carders actively use darknet forums and Telegram channels to exchange tools and data.
  • Software and hardware:
    • X2 EMV Software 2025: $250–$500, requires Omnikey 3121 ($50) and blank cards ($5–$10 each).
    • MSR605x: Magnetic Stripe Recorder, $200–$300.
    • PWM devices: $100–$500, often shipped from China.
  • Darknet sites:
    • Carder.su, carder.life: Sale of dumps, phishing kits, and tutorials.
    • Telegram channels: Offer video tutorials on cloning and installing shims.
  • Tutorials: In 2025, carders are actively sharing video instructions (for example, on YouTube and the darknet) on setting up X2 EMV and bypassing new bank checks.

6. Countermeasures and restrictions

Despite the adaptation, carders face new challenges:
  • Tokenization: EMV tokenization (replacing card data with tokens) is widely implemented in mobile wallets and e-commerce. Tokens are tied to specific devices, reducing their value to carders.
  • Biometrics: Cards with biometric authentication (e.g. Thales EMV Biometric Card, 2025) require a fingerprint, making card theft less effective.
  • 3-D Secure 2.2: The updated standard requires multi-factor authentication for CNP transactions, which reduces the success of phishing.
  • Regulations: In Europe, PSD2 requires banks to use strong authentication (SCA), which reduces fraud by 30% in e-commerce (Visa, 2025).
  • Risks for carders: Banking system updates (such as new ATR checks) make old tools obsolete, forcing carders to spend more on software updates.

7. Consequences and forecast for 2026

  • Economic impact: Global losses from payment fraud in 2025 were estimated at $1.7 trillion, of which 78% were attributed to CNP transactions (Cybersecurity Ventures). EMV has reduced card fraud in CP transactions by 60% since 2015, but the growth of CNP has offset this effect.
  • Forecast for 2026:
    • CNP fraud is expected to increase by 20-30% due to the increase in online trading.
    • Shimming effectiveness is expected to decrease due to terminal upgrades.
    • An increase in attacks on mobile wallets and ATO is expected.
    • Further development of biometrics and tokenization may reduce the opportunities for carders in CP transactions.
  • Recommendations for protection:
    • For users: Use two-factor authentication, avoid suspicious links, and check statements regularly.
    • For business: Implement 3-D Secure 2.2, tokenization, and real-time transaction monitoring.
    • For banks: Accelerate the phase-out of magnetic stripes and the introduction of biometric cards.

Conclusion

The EMV standard significantly complicated traditional carding, but didn't eliminate it. Carders adapted, moving from physical counterfeits to sophisticated technical attacks (chip cloning, shimming) and CNP fraud (phishing, ATO). In 2025–2026, they will use updated tools (X2 EMV Software, shimming devices) and social engineering to bypass security. However, tokenization, biometrics, and regulations (PSD2, 3-D Secure) are creating new barriers. For educational purposes, it is important to understand that cybercrime evolves alongside technology, and protection requires a comprehensive approach: from technical solutions to improving user financial literacy.