Carders — cybercriminals who specialize in stealing and using bank card data — faced serious challenges following the widespread adoption of biometric authentication systems (fingerprints, facial recognition, voice recognition, iris scanning, etc.). These technologies, implemented within standards such as 3D Secure (3DS) version 2.0, significantly complicated fraudulent transactions by requiring not only static card data (number, CVV, expiration date) but also dynamic identity verification. However, carders, thanks to their ingenuity and access to new technologies, have developed numerous methods to bypass biometric barriers. This response details how they have adapted, the vulnerabilities they exploit, current trends, and how users can protect themselves, with an emphasis on educational value.
Why has biometrics become a problem for carders?
Biometric authentication systems implemented by banks and payment systems (Visa, Mastercard, Mir, etc.) enhance transaction security by requiring unique physical or behavioral characteristics of the user. Key examples:
- Physical biometrics: fingerprints, facial recognition (Face ID), iris scanning, voice authentication.
- Behavioral biometrics: analysis of finger movements on a touchscreen, text input patterns, and device geolocation.
These technologies complicate traditional carding because:
- Data uniqueness: Biometric data is more difficult to counterfeit than static passwords or codes.
- Dynamic verification: Even if card data is stolen, without biometric confirmation the transaction is rejected.
- Widespread adoption: According to EMVCo, by 2023, more than 60% of online transactions in Europe will require biometric verification via 3DS 2.0.
However, carders don't try to hack biometrics directly, as this is technically difficult and expensive. Instead, they exploit weaknesses: human error, outdated systems, software vulnerabilities, and even cutting-edge technologies like AI. Their adaptation methods are detailed below.
Basic methods for adapting carders to biometric systems
1. Social engineering and vishing (voice phishing)
How it works:
- Carders use social engineering to trick victims into providing access to biometric data or verification codes. They call, posing as employees of a bank, payment system, or store, and talk the victim into handing over data.
- Modern schemes include vishing (voice phishing) using fake caller IDs (number spoofing) and even AI voice modulators to impersonate officials.
- Example: A victim receives a call from a "bank" asking them to confirm a transaction through an app that requires biometrics. The carder initiates a fake transaction, and the victim, unknowingly, enters their fingerprint or confirms Face ID.
Why it is effective:
- The human factor is the weakest link. According to Verizon DBIR 2023, 74% of successful attacks on financial systems began with social engineering.
- Biometrics are often used in mobile banking apps, but the victim may not know that they are confirming a fraudulent transaction.
Example from practice:
- In Russia, in 2022–2023, carders called victims en masse, posing as Sberbank, and asked them to "confirm security" through the app. The victim entered biometric data, and the carders redirected the funds to fictitious accounts.
Technical details:
- VoIP services (such as Asterisk) are used to spoof numbers.
- AI tools like ElevenLabs generate realistic voice messages to automate attacks.
2. Phishing and theft of biometric templates
How it works:
- Carders create fake websites, apps, or emails that mimic banks or payment systems to collect biometric data (such as digital facial or fingerprint templates).
- Phishing forms request not only card details, but also access to the camera/microphone for "verification."
- In some cases, carders use malware (keyloggers, spyware) to intercept biometric data from the victim's device.
Why it is effective:
- Biometric templates (not raw images, but digital hashes) can be stolen through vulnerabilities in the APIs of banks or payment gateways.
- According to Kaspersky, in 2024, 30% of phishing attacks in the financial sector involved the collection of biometric data.
Example from practice:
- In 2023, "dumps" containing biometric templates stolen through phishing sites imitating payment gateways (Stripe, PayPal) were sold on the darknet.
- In Russia, carders used fake "Gosuslugi" websites to collect biometric data under the guise of "identity verification."
Technical details:
- Frameworks for creating phishing sites are used (for example, Evilginx2).
- Malware such as RedLine Stealer intercepts biometric data through mobile app APIs.
3. Biometric spoofing (data falsification)
How it works:
- Carders create fake biometric data to bypass authentication systems:
  - Fingerprints: Silicone or 3D printed copies of fingerprints created from stolen images (e.g. high-resolution photographs).
  - Facial recognition: Deepfakes (AI-generated videos or photos) or physical masks to bypass Face ID.
  - Voice authentication: AI-generated voice recordings to imitate the victim's voice.
- Such methods are more often used for offline attacks (for example, biometric cards) or for hacking accounts.
Why it is effective:
- Deepfake technologies have become more accessible. According to Europol, the cost of deepfaking software on the darknet will drop to $50–$100 by 2024.
- Weak recognition systems (e.g. 2D cameras instead of 3D) are vulnerable to spoofing.
Example from practice:
- In 2021, carders in India used silicone fingerprints to activate stolen biometric cards at POS terminals.
- In 2024, services appeared on the dark web offering deepfake videos to bypass banking systems with Face ID.
Technical details:
- AI models such as DeepFaceLab or Zao are used to generate fake faces.
- For printing, 3D printers with a resolution of 1200 dpi or higher are used.
4. Bypassing biometrics through legacy systems and low limits
How it works:
- Carders are looking for systems that don't require biometrics:
  - Legacy protocols: Some banks and stores still use 3DS 1.0 or do not require biometrics at all for small transactions.
  - Transactions below the threshold: Most countries have a limit (e.g. 500-1000 rubles in Russia) below which biometrics or 3DS are not requested.
- Carders split large sums into smaller transactions or use platforms with minimal security.
Why it is effective:
- Not all banks have implemented 3DS 2.0 at the same time. According to Visa, in 2023, 20% of online transactions in the CIS were processed without biometric verification.
- Small transactions often go unnoticed by fraud monitoring systems.
Example from practice:
- In 2022, carders in Russia used stolen cards to purchase digital goods (games, subscriptions) from small online stores that didn't require a 3DS.
- Lists of "non-3DS bins" (card numbers from banks that do not require biometrics) are popular on the darknet.
Technical details:
- Carders use bots to mass test cards on sites with poor security (carding bots).
- Proxies and VPNs are used to mask geolocation.
5. Creating a synthetic identity
How it works:
- Carders combine stolen data (including biometrics) with fictitious data to create "synthetic identities." These profiles are then registered as new users at banks or stores.
- Example: using a stolen biometric template + fake passport to open an account or obtain a credit card.
Why it is effective:
- Synthetic fraud is more difficult to detect because systems do not see a direct match with stolen data.
- Deloitte predicts that synthetic fraud will account for 30% of all fraudulent transactions by 2030.
Example from practice:
- In 2024, "combo packs" containing biometrics, passport data, and card numbers for creating synthetic profiles appeared on the darknet.
- In Russia, carders use such profiles to register "mules" (front men) through banks' biometric systems.
Technical details:
- Generative AI models (such as Stable Diffusion) are used to create fake passport photos.
- Data is purchased on the darknet (markets like Genesis Market).
Trends and statistics
- Rise of social engineering: According to Verizon's DBIR 2024, 68% of attacks on financial systems began with phishing or vishing. Biometrics have increased the popularity of these methods, as direct hacking is difficult.
- AI as a tool for carders: Since 2023, AI tools (deepfakes, voice clones) have become available on the darknet for $50–$200, lowering the barrier to entry for carders.
- Reduced attack success: According to Mastercard, biometrics have reduced the success of fraudulent transactions by 60-70%, but carders compensate for this with volume (millions of stolen cards).
- Regional characteristics: In Russia, carders actively use Telegram channels to sell biometric dumps. According to Group-IB, over 500 carding-related channels were discovered on Telegram in 2024.
- Synthetic Fraud on the Rise: Juniper Research predicts that losses from synthetic fraud will reach $15 billion annually by 2028.
How to protect yourself from adapted carder schemes
It's important for users and organizations to understand how to minimize risks. Here are detailed recommendations:
For users
- Transaction monitoring:
  - Enable push notifications in your banking app for all transactions.
  - Check your statements weekly to spot small "test" transactions.
- Two-factor authentication (2FA):
  - Use hardware keys (YubiKey, Google Titan) instead of SMS, as SMS are easily intercepted through SIM swapping.
  - Do not confirm transactions with calls from "banks".
- Anti-phishing:
  - Install antivirus software (Kaspersky, ESET) to protect against phishing sites and malware.
  - Check website URLs (for example, https://bank.com, not http://bank-secure.com).
- Card restrictions:
  - Use virtual cards for online purchases with limits (for example, 1000 rubles).
  - Disable online transactions for your primary cards in your bank app.
- Education:
  - Ignore calls from "banks" asking you to confirm a transaction or enter biometrics.
  - Take cybersecurity courses (for example, on the Coursera platform or from banks).
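The "check website URLs" advice above is easy to state and easy to get wrong by eye, because lookalike hosts such as bank-secure.com, bank.com.evil.net or https://bank.com@evil.net all contain the real name. The following is an added example (not code from the original text) of how a browser extension or a bank's customer-facing tool could apply the same check mechanically: it requires https, rejects user-info tricks and non-ASCII homograph hosts, and accepts only the trusted domain or its subdomains. The allowlist TRUSTED_BANK_HOSTS is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Constructed allowlist; a real bank would publish its own domains.
TRUSTED_BANK_HOSTS = {"bank.com"}


def host_is_trusted(hostname: str, trusted=TRUSTED_BANK_HOSTS) -> bool:
    """True if hostname is a trusted domain or a subdomain of one.

    'bank.com.evil.net' fails because it does not END with '.bank.com';
    'login.bank.com' passes.
    """
    hostname = hostname.lower().rstrip(".")
    return any(hostname == good or hostname.endswith("." + good) for good in trusted)


def classify_url(url: str) -> tuple:
    """Return (ok, reason) for a URL on which card data is about to be entered."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme.lower() != "https":
        # http://bank-secure.com fails here before the host is even examined.
        return False, "scheme is %s, not https" % (parts.scheme or "missing")
    if parts.username or parts.password:
        # https://bank.com@evil.net/ shows the trusted name first, but the
        # browser connects to whatever follows the '@'.
        return False, "URL carries a user-info section before the host"
    host = parts.hostname or ""
    if not host:
        return False, "no hostname"
    if not host.isascii():
        # Cyrillic or other lookalike letters in the host: possible homograph.
        return False, "non-ASCII hostname (possible homograph)"
    if not host_is_trusted(host):
        return False, "host %s is not a trusted bank domain" % host
    return True, "ok"


if __name__ == "__main__":
    for u in ("https://bank.com/login", "http://bank-secure.com",
              "https://bank.com.evil.net/", "https://bank.com@evil.net/"):
        print(u, "->", classify_url(u))
```

The subdomain test uses the full label boundary ("." + domain), so a host that merely contains the bank's name is never accepted; pair it with checking the certificate in the browser, which this function does not do.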
For organizations
- Biometrics enhancement:
  - Use 3D facial recognition instead of 2D to protect against deepfakes.
  - Implement behavioral biometrics (analysis of movements, input patterns).
- Monitoring and analytics:
  - Use fraud monitoring systems (FICO Falcon, SAS) to analyze transactions in real time.
  - Monitor for anomalies such as multiple small transactions.
- Customer training:
  - Conduct phishing and vishing awareness campaigns.
  - Send out instructions on how to use biometrics securely.
- System update:
  - Completely abandon 3DS 1.0 and legacy protocols.
  - Update APIs regularly and check them for vulnerabilities.
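Two of the recommendations above, abandoning legacy 3DS and watching for "multiple small transactions", are the defensive counterpart of method 4 (splitting sums into sub-threshold authorizations on systems that never trigger a biometric step-up). The following is an added example, not part of the original text or any vendor's product, of the rule logic a fraud monitor would run over an authorization stream. The threshold, window, sample card numbers and timestamps are constructed assumptions; a real deployment would take them from the bank's own policy and data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed policy parameters (assumptions, not any scheme's real values).
THRESHOLD = 1000                    # above this a 3DS 2.0 challenge is required
SPLIT_WINDOW = timedelta(minutes=10)
SPLIT_MIN_COUNT = 3                 # sub-threshold auths in the window to flag


@dataclass
class Auth:
    ts: datetime
    card: str              # masked PAN (constructed)
    amount: int            # minor currency units, single currency
    threeds_version: str   # "2.0", "1.0" or "" (no 3DS at all)
    challenged: bool       # cardholder completed a step-up (biometric/SCA)


def policy_violations(auths):
    """Auths that should have carried a completed 3DS 2.0 challenge but did not."""
    return [a for a in auths
            if a.amount > THRESHOLD
            and (a.threeds_version != "2.0" or not a.challenged)]


def split_suspects(auths):
    """Cards with >= SPLIT_MIN_COUNT unchallenged sub-threshold auths in one window.

    Returns {card: largest total seen inside any qualifying window}.
    Uses a sliding window over each card's auths sorted by time.
    """
    by_card = defaultdict(list)
    for a in sorted(auths, key=lambda x: x.ts):
        if a.amount <= THRESHOLD and not a.challenged:
            by_card[a.card].append(a)
    flagged = {}
    for card, items in by_card.items():
        start = 0
        for end in range(len(items)):
            while items[end].ts - items[start].ts > SPLIT_WINDOW:
                start += 1
            window = items[start:end + 1]
            if len(window) >= SPLIT_MIN_COUNT:
                total = sum(x.amount for x in window)
                flagged[card] = max(flagged.get(card, 0), total)
    return flagged


# Constructed sample authorization stream.
T0 = datetime(2024, 1, 15, 12, 0)
SAMPLE = [
    Auth(T0, "4111****1111", 1500, "2.0", True),                         # large, challenged: fine
    Auth(T0 + timedelta(minutes=1), "5555****4444", 2500, "1.0", False), # large on legacy 3DS: violation
    Auth(T0 + timedelta(minutes=2), "4000****0002", 900, "", False),     # start of a split pattern
    Auth(T0 + timedelta(minutes=4), "4000****0002", 950, "", False),
    Auth(T0 + timedelta(minutes=6), "4000****0002", 800, "", False),
    Auth(T0 + timedelta(minutes=30), "4000****0002", 700, "", False),    # outside the window
    Auth(T0 + timedelta(minutes=3), "4222****2222", 300, "2.0", False),  # one small auth: fine
]

if __name__ == "__main__":
    for v in policy_violations(SAMPLE):
        print("missing challenge:", v.card, v.amount, "3DS", v.threeds_version or "none")
    for card, total in split_suspects(SAMPLE).items():
        print("possible split:", card, "total", total, "in", SPLIT_WINDOW)
```

The first rule catches the legacy-protocol gap directly (a large amount that went through on 3DS 1.0 without a step-up); the second catches the volume tactic, where each authorization individually looks harmless and only the per-card window sum exceeds the threshold.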
Future Challenges and Forecasts
- AI as a threat: Generative AI models (deepfakes, voice clones) will make biometric spoofing cheaper and more accessible. By 2030, Deloitte predicts, synthetic fraud will increase by 250%.
- Quantum Threat: With the development of quantum computing (expected by 2035), biometric data hashes may become vulnerable to decryption.
- Regulation: Biometric requirements are becoming stricter in the EU (PSD2) and Russia (Federal Law No. 161 "On the National Payment System"), but carders will continue to look for loopholes in countries with less stringent regulations.