For educational purposes, I'll expand on the previous answer, drawing on open sources on cyberthreats. This will help us understand how such attacks work at a high level, why they are possible, and how to prevent them. It's important to note: this information is intended to raise awareness of the risks of online payments, not for practical application. Carding (fraud using stolen card data) is illegal and punishable by law. We'll focus on the threat mechanisms, without providing detailed implementation instructions.
What is 3D Secure and why are people trying to bypass it?
3D Secure (3DS) is an authentication protocol designed to protect online transactions. It adds a verification layer, such as entering a one-time password (OTP) via SMS, a push notification in a banking app, or biometrics (fingerprint, Face ID). 3DS 2.0 adds "invisible" checks, including device fingerprinting (device model, OS, IP address, geolocation, user behavior). This reduces the risk of fraud, but does not eliminate it completely.
Carders bypass 3DS to use stolen card data (number, CVV, expiration date) for online purchases. Without bypassing, the transaction requires confirmation from the real cardholder, rendering the attack futile. Mobile device emulators (programs like Android Studio, Genymotion, or Bluestacks) allow you to simulate real smartphones, disguising attacks as legitimate activities.
Basic mechanisms for using emulators
Carders don't use emulators in isolation, but in combination with other tools (VPNs, proxies, malware). Here are the key approaches at a high level:
- Simulation of device fingerprinting and behavioral analysis:
  - Banks and stores check a device's fingerprint to identify suspicious transactions. Emulators allow you to spoof parameters such as the OS version, unique IDs (IMEI, Android ID), screen resolution, and sensors (accelerometer, GPS). This makes the emulator appear to be the victim's device.
  - For example, if a card is linked to a victim's iPhone, the carder emulates a similar model with the same geolocation (via VPN). 3DS 2.0 added behavioral analysis (input speed, swipes), but emulators can simulate human actions using scripts.
  - Why it works: Many systems don't perfectly detect emulators, especially if they're configured to mimic real devices. However, modern anti-fraud systems look for virtualization artifacts (such as the absence of real sensors).
- Creating "emulator farms" to scale attacks:
  - Carders run hundreds or thousands of emulators on powerful servers (often in the cloud or on dedicated hardware). This allows them to test stolen cards on multiple stores simultaneously.
  - Each "farm" simulates different devices, IP addresses, and locations to avoid pattern-based blocking. For example, one emulation is for registering an account in a store, another for attempting a purchase bypassing 3DS.
  - This is particularly effective against merchants with weak 3DS implementations, where authentication is not always required (e.g. for low-risk transactions below a certain amount).
- Integration with social engineering and OTP interception:
  - Emulators are often combined with phishing or malware. The carder calls the victim (spoofing the bank number), convinces them to confirm a "suspicious" transaction, and obtains an OTP. The emulator is used to launch the banking app with the stolen credentials.
  - Another option: malware on the victim's device intercepts the SMS with the OTP and transmits it to the carder, who enters the code in an emulated application.
  - In advanced attacks, emulators help bypass biometrics — for example, by simulating device unlocking for verification in app-based 3DS.
- Bypassing specific 3DS versions:
  - In the older 3DS 1.0 version, bypassing is easier — data substitution is often sufficient. In 3DS 2.0 (with frictionless authentication), emulators help pass the risk assessment by simulating low-risk behavior.
  - Some stores allow 3DS "skipping" for trusted devices or small amounts, which is exploited through emulation.
Why are such attacks successful and how do they evolve?
- System vulnerabilities: 3DS isn't universal—not all cards and stores fully utilize it. Fraudsters exploit "gray areas" where verification is weak. According to data from 2021–2025, fraudulent groups are stealing millions by using emulators to spoof devices from banks in the US and Europe.
- Evolution: With the rise of 3DS 2.0, fraudsters are shifting to combined attacks (emulators + AI to simulate behavior). In 2025, there will be a rise in darknet "farms," but banks are strengthening their detection (machine learning to identify emulators).
Protective measures and recommendations
For users and businesses:
- For users: Use hardware keys (YubiKey) instead of SMS-OTP; enable transaction notifications; avoid suspicious calls (banks do not ask for codes); check device binding in banking apps.
- For stores/banks: Implement advanced anti-fraud (emulator detection, behavioral analysis); dynamic 3DS (only for risky transactions); farm monitoring via IP patterns.
- General: Regulations like PSD2 in Europe require strong authentication, mitigating risks.
This overview is based on open-source threat analysis. For a more in-depth study, I recommend cybersecurity resources such as reports from Recorded Future or Bleeping Computer.
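As a defender-side illustration of the "farm monitoring via IP patterns" and emulator-artifact checks mentioned under protective measures, here is an added example (not part of the original post) that scans checkout events for subnets showing many cards, many device profiles and mostly missing sensor data within a short window. The event fields, sample rows and thresholds are constructed assumptions, not values from any real anti-fraud product.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample checkout events (not real data): time, client IP,
# reported device model, whether motion-sensor readings were present,
# and a tokenized card reference.
EVENTS = [
    ("2025-01-10T12:00:05", "203.0.113.10", "Pixel 7", False, "tok_a1"),
    ("2025-01-10T12:00:40", "203.0.113.11", "Galaxy S22", False, "tok_b2"),
    ("2025-01-10T12:01:15", "203.0.113.12", "Xperia 5", False, "tok_c3"),
    ("2025-01-10T12:02:30", "203.0.113.13", "Pixel 6a", True, "tok_d4"),
    ("2025-01-10T12:03:00", "198.51.100.7", "iPhone 14", True, "tok_e5"),
    ("2025-01-10T12:20:00", "198.51.100.7", "iPhone 14", True, "tok_e5"),
    ("2025-01-10T14:00:00", "203.0.113.50", "Pixel 7", True, "tok_f6"),
]

def subnet_of(ip, prefix=24):
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def flag_farm_like_subnets(events, window=timedelta(minutes=10),
                           min_cards=3, min_devices=3, min_sensorless=0.5):
    """Return {subnet: stats} for subnets where some sliding window holds
    many distinct cards, many device profiles and mostly sensorless events.
    Thresholds are illustrative assumptions; stats describe the latest hit."""
    by_subnet = defaultdict(list)
    for ts, ip, model, sensors, card in events:
        by_subnet[subnet_of(ip)].append((datetime.fromisoformat(ts), model, sensors, card))
    flagged = {}
    for subnet, rows in by_subnet.items():
        rows.sort(key=lambda r: r[0])
        start = 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # drop events older than the window
            win = rows[start:end + 1]
            cards = {r[3] for r in win}
            devices = {r[1] for r in win}
            sensorless = sum(1 for r in win if not r[2]) / len(win)
            if (len(cards) >= min_cards and len(devices) >= min_devices
                    and sensorless >= min_sensorless):
                flagged[subnet] = {"cards": len(cards), "devices": len(devices),
                                   "sensorless_ratio": round(sensorless, 2)}
    return flagged

if __name__ == "__main__":
    print(flag_farm_like_subnets(EVENTS))
```

A hit from this kind of rule is a signal to step up authentication or route the session to review, not proof of fraud on its own; shared carrier NAT ranges can look similar on the IP dimension.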