History of Security Technology Implementation: Chips, 3DS, Biometrics
Introduction: The Endless Evolution of the Shield and Sword
The history of payment technologies is the story of a continuous duel. Each new means of protection gives rise to a new attack method, which, in turn, stimulates the next round of innovation. The fight against carding is the most vivid illustration of this principle. It is not a linear race, but a spiral, where each loop is more complex than the previous one. Let's trace the key turns of this spiral over the past 30 years.
Era 1: Magnetic Stripe – The "Golden Age" of Carders (1990s – Early 2000s)
Protection (Shield): The magnetic stripe itself contained no cryptography. It was simply a carrier of static data. Security relied on physical control of the card and the fact that terminals were isolated and rare.
Attack (Sword): The methods were crude but effective.
- Skimming: Peak in the 2000s. Installing overlays on ATMs.
- Photographing/Recording Data: The waiter or salesperson would take the card "to the back room."
- Simple cloning: Writing data to a blank card. The clone was a complete copy.
The end result: Carding had become widespread. Losses were running into the billions. A technological breakthrough was needed.
Revolution 2: The EMV Chip – The First Technological Revolution (2000s–present)
Protection (Shield): The introduction of the EMV chip (Europay, MasterCard, Visa) was a turning point. The chip-and-PIN principle changed everything:
- Dynamic authentication: For each transaction, the chip generates a unique cryptographic code (cryptogram) that cannot be reused.
- Offline verification: The terminal could check the card's legitimacy without contacting the bank.
- Liability Shift: Since 2006, in the European Union, and later globally, liability for chip card fraud has shifted to the party (bank or merchant) that does not support the chip technology.
Attack (Sword): The carders didn't give up. They found workarounds.
- Fallback transactions: Forcing the terminal to process payments using the old magnetic stripe (especially in countries that have not switched to EMV).
- Shimming: Installing a thin shimmer plate inside the card reader to read data from the chip. This is a more complex, but effective method.
- Shifting the attack to CNP (Card Not Present): This is how modern online carding was born. If a physical card can't be copied, online payment data (number, expiration date, CVV) must be stolen.
The upshot of this turn: The chip killed mass card cloning, but shifted the war into the digital realm. The battle shifted to the physical-digital boundary.
Revolution 3: 3-D Secure – An Attempt to Tame Online Payments (2000s–2010s)
Protection (Shield): 3-D Secure Protocol (Verified by Visa, MasterCard SecureCode). Added another authentication factor to online payments: a one-time password (OTP) sent via SMS.
Attack (Sword): Social engineering and technical tricks.
- Phishing and vishing: Fake bank pages and calls from "security" aimed at tricking you into giving out OTPs.
- Trojan Interceptors: Malware on the victim's phone that intercepts SMS messages.
- Attacks on mobile operators (SIM swap): Fraudsters, using forged documents, reissued the victim's SIM card in their own name, gaining access to all SMS messages.
The bottom line: 3-D Secure created a barrier, but became a source of irritation for legitimate users (making purchases more difficult) and a new headache due to the vulnerability of SMS.
Cycle 4: Machine Learning and Behavioral Analysis (2010s–present)
Protection (Shield): Banks have stopped relying solely on static rules ("purchase in another country = block"). Real-time systems based on AI/ML have been implemented.
- Analysis of thousands of parameters: Not only “what was purchased”, but also “how”: data entry speed, phone tilt angle, sequence of actions, IP address and its reputation, typical time of purchases.
- Risk scoring: Each transaction is assigned a score. A high score means additional authentication or blocking.
- Network analysis: Identification of linked accounts, drop addresses, and patterns characteristic of carding bots.
Attack (Sword): Adaptation and camouflage.
- Bot training: Bots imitate human behavior — they pause randomly and move the cursor along a "human" trajectory.
- Using residential proxies and anti-detection browsers: To simulate the unique "digital fingerprint" of a legitimate user from the desired region.
- Attacks on ML models themselves (Adversarial ML): Finding “blind spots” in the bank’s algorithms.
The outcome of this cycle: The arms race has reached the level of artificial intelligence. Now it's not people who fight, but their algorithmic "agents."
Cycle 5: Biometrics and Tokenization (2020s – Future)
Protection (Shield): Rejection of passwords and codes as unreliable factors.
- Biometric authentication: fingerprint, face, voice, behavioral biometrics (gait, typing rhythm). Unique and difficult to steal from a distance.
- Tokenization: Replacing real card data with a unique token ("virtual number"). Even if the token is stolen, it cannot be used on another website. This technology underlies Apple Pay/Google Pay.
- FIDO standards (Fast Identity Online): Password-less authentication using physical keys (USB/Yubikey) or device biometrics.
Attack (Sword): New Frontiers.
- Deepfake biometrics: Voice and video fakes to fool verification systems.
- Sensor attacks: Theoretical attacks on fingerprint scanners.
- Sophisticated Phishing: Spear phishing using stolen personal information to trick call center employees into disabling biometric account security.
- Attacks on the chain of trust: Compromising the device itself (smartphone) on which the biometric keys are stored.
The result of this cycle: Security becomes "invisible" to the user (just a finger), but incredibly complex internally. The threat shifts to the system's outermost points — to the person and their device.
The Next Wave: Quantum Threats and Privacy
New challenges are on the horizon:
- Quantum computers have the potential to crack modern cryptography protecting EMV chips and tokens. Banks and payment systems are already preparing by developing quantum-resistant algorithms.
- Security and privacy conflict: Behavioral analysis and biometrics mean total control. Where is the line between fraud prevention and client surveillance?
Conclusion: A Perpetual Engine of Innovation.
The cat-and-mouse game with carders is a powerful driver of technological progress in the financial sector. Each new development makes mass, primitive fraud increasingly difficult, raising the bar for criminals.
But the paradox is that complete victory is impossible in principle. Perfect protection, eliminating 100% of fraud, would be incredibly expensive and inconvenient, which would kill the business itself. Therefore, the goal is not destruction, but risk control and its containment at an economically acceptable level.
This war is a permanent state. Carders have been, are, and will be. They are the dark side of progress, a perpetual challenge forcing the system to become smarter, faster, and more complex. Ultimately, the average user benefits from this war: their payments become safer, faster, and more convenient. But the price for this is their data and digital footprint, which have become the new currency and battlefield in this endless game.
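The "dynamic authentication" point from the EMV section, as an added example that is not part of the original post: a simplified issuer-side check showing why a per-transaction cryptogram cannot be reused the way static stripe data can. HMAC-SHA256 stands in for the card's real MAC algorithm, and the class names, message layout and test card value are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def cryptogram(card_key, atc, amount_cents, nonce):
    """MAC over the transaction counter (ATC), amount and terminal nonce."""
    msg = atc.to_bytes(2, "big") + amount_cents.to_bytes(6, "big") + nonce
    return hmac.new(card_key, msg, hashlib.sha256).digest()[:8]

class Chip:
    """Card side: the key never leaves the chip; the counter only goes up."""
    def __init__(self, pan, card_key):
        self.pan, self._key, self.atc = pan, card_key, 0

    def sign(self, amount_cents, nonce):
        self.atc += 1
        return self.atc, cryptogram(self._key, self.atc, amount_cents, nonce)

class Issuer:
    """Bank side: recompute the MAC and refuse any counter already seen."""
    def __init__(self, keys):
        self.keys = keys
        self.last_atc = dict.fromkeys(keys, 0)

    def authorize(self, pan, atc, amount_cents, nonce, mac):
        key = self.keys.get(pan)
        if key is None:
            return "DECLINE unknown card"
        expected = cryptogram(key, atc, amount_cents, nonce)
        if not hmac.compare_digest(expected, mac):
            return "DECLINE bad cryptogram"
        if atc <= self.last_atc[pan]:
            return "DECLINE replayed counter"
        self.last_atc[pan] = atc
        return "APPROVE"

def demo():
    pan, key = "PAN-TEST-0001", os.urandom(16)   # constructed test values
    chip, issuer = Chip(pan, key), Issuer({pan: key})
    nonce = os.urandom(4)                        # terminal's unpredictable number
    atc, mac = chip.sign(2500, nonce)
    return {
        "genuine": issuer.authorize(pan, atc, 2500, nonce, mac),
        "replayed": issuer.authorize(pan, atc, 2500, nonce, mac),
        "amount_changed": issuer.authorize(pan, atc + 1, 9900, nonce, mac),
        "static_copy": issuer.authorize(pan, atc + 1, 2500, nonce, bytes(8)),
    }

if __name__ == "__main__":
    print(demo())
```

The last case models a copy that holds only the static card number: without the chip's key it has no valid cryptogram to present, which is the property the magnetic stripe lacked.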
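The tokenization point from the biometrics and tokenization section, as an added example that is not part of the original post: a minimal token vault that binds each token to one merchant, so a token presented anywhere else is refused and logged. The vault design, merchant names and test card value are assumptions for illustration, not any payment network's actual implementation.

```python
import secrets

class TokenVault:
    """Token service: only the vault can map a token back to the card number."""
    def __init__(self):
        self._entries = {}   # token -> {"pan", "merchant", "active"}
        self.alerts = []     # rejected lookups, kept for fraud monitoring

    def tokenize(self, pan, merchant):
        token = "tok_" + secrets.token_hex(8)   # random, not derived from the PAN
        self._entries[token] = {"pan": pan, "merchant": merchant, "active": True}
        return token

    def revoke(self, token):
        # Kill one token without reissuing the underlying card.
        if token in self._entries:
            self._entries[token]["active"] = False

    def resolve(self, token, merchant):
        entry = self._entries.get(token)
        if entry is None:
            reason = "unknown token"
        elif not entry["active"]:
            reason = "revoked token"
        elif entry["merchant"] != merchant:
            reason = "token presented outside its domain"
        else:
            return entry["pan"]
        self.alerts.append((token, merchant, reason))
        return None

def demo():
    vault = TokenVault()
    pan = "PAN-TEST-0001"                       # constructed test value
    shop_token = vault.tokenize(pan, "shop-a.example")
    other_token = vault.tokenize(pan, "shop-b.example")
    results = {
        "bound_merchant": vault.resolve(shop_token, "shop-a.example"),
        "other_merchant": vault.resolve(shop_token, "shop-c.example"),
        "tokens_differ": shop_token != other_token,
    }
    vault.revoke(shop_token)
    results["after_revoke"] = vault.resolve(shop_token, "shop-a.example")
    results["still_valid_elsewhere"] = vault.resolve(other_token, "shop-b.example")
    results["alert_reasons"] = [reason for _, _, reason in vault.alerts]
    return results

if __name__ == "__main__":
    print(demo())
```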