After carding: What cyberthreats will replace card fraud?

Professor

Predictions: Attacks on Open Banking, Biometrics, Centralized Digital Currencies (CBDCs)

Introduction: Evolution Will Not Stop.
Carding as we know it is a product of the era of centralized payments and plastic cards. But the financial ecosystem is rapidly changing: Open Banking, biometric identification, and government-backed digital currencies (CBDCs) are poised to become the new norm. Crime is evolving alongside them. The obsolescence of classic carding doesn't mean the end of cyber fraud — it means its transformation into more complex, automated, and dangerous forms. We are entering an era where the target will no longer be card data, but rather digital sovereignty and algorithmic trust itself.

Threat 1: Open Banking and AIS/PIS Attacks – "Trusted Bridge Hacking"

What it is: Open Banking allows third parties (fintech applications) to access bank account data (AIS - Account Information Service) or initiate payments (PIS - Payment Initiation Service) via APIs with user consent.

Future attack vectors:
  1. Phishing 2.0: Stealing Consent Tokens. Fraudsters will create fake fintech apps that request unreasonably broad permissions from users ("for spending analytics"). Once they obtain the access token, they will be able to not only steal data but also gain complete control of the account, initiating transfers in real time.
  2. Attacks on the chain of trust between TPPs (Third-Party Providers). Compromising a single weak link in the Open Banking ecosystem (for example, a small fintech startup) could compromise thousands of linked accounts at major banks.
  3. Algorithmic scoring manipulation. Substitution of financial data transmitted via APIs to obtain unfairly high credit ratings or approval of expensive financial products.

Why it's worse than carding: It's not a one-time transaction that's being attacked, but a permanent channel of access to the victim's entire finances. The damage can be total and cumulative.

Threat 2: Compromise of Biometric Systems – "Once a fingerprint is stolen, it cannot be recovered."

What it is: Replacing passwords and PINs with fingerprints, facial scans (Face ID), voice, and gait.

Future attack vectors:
  1. Deepfake biometrics and voice synthesis. Using neural networks to create digital facial masks or voice copies sufficient to fool verification systems in real time. There have already been cases of banks' biometric systems being hacked using 3D masks.
  2. Attacks on biometric template databases. Biometric data (unlike passwords) cannot be changed. A leak of such a database from a government agency or large corporation would create a lifelong digital threat to millions of people. This data would become currency in a new level of shadow market.
  3. Attacks on sensors and algorithms. Creating "master fingerprints" to fool sensors, or adversarial attacks on facial recognition neural networks to trick them into seeing someone else.
  4. Coercive biometrics. Physically or psychologically coercing a victim to unlock a device or confirm a payment using their face or finger.

Why this is worse than carding: Biometrics cannot be "changed" once leaked. Compromise means the permanent loss of part of your digital identity.

Threat 3: Central Bank Digital Currencies (CBDCs) – “Programmable Vulnerability”

What is it: State digital currencies are a digital form of fiat issued by a central bank. Their key feature is programmability (the ability to embed smart contracts, time limits, or spending restrictions).

Future attack vectors:
  1. Attacks on wallets and smart contracts. CBDCs will be stored in digital wallets (government or commercial). Vulnerabilities in their code, as previously in banking software, will become the number one target. Hacking a smart contract regulating subsidies or benefits could lead to the instant theft of millions.
  2. Systemic attacks on the CBDC registry. DDoS or more sophisticated attacks on the distributed ledger infrastructure aiming to disrupt the operation of the entire national payment system.
  3. Future cryptographic attacks. With the advent of quantum computers, the cryptographic foundations of CBDCs will be at risk. Criminals can already accumulate encrypted transactions today, decrypting them in the future to reveal the entire financial history or steal funds.
  4. Insider abuse of programmability. Corrupt officials or hackers who gain access to the system will be able to remotely "freeze," "seize," or redirect citizens' funds at the political or other level. This is no longer theft, but digital confiscation.

Why it's more dangerous than carding: The threat scales to the national level. A hack can paralyze the economy of an individual country. Programmability creates risks not only for hackers but also for the issuing state itself.

Threat 4: Attacks on digital identity and metaverses

What is it: The concept of a single digital ID (e.g., through government services) and assets in virtual worlds (metaverses, NFTs, in-game assets).

Future attack vectors:
  1. Theft and substitution of digital citizenship. By acquiring the keys to a single digital identity, an attacker can impersonate the victim in all areas: taking out loans, voting, entering into contracts, and receiving government services.
  2. Virtual property fraud. Phishing schemes designed to steal valuable NFTs, virtual land, and unique gaming gear. These assets are already worth millions of dollars, and their security is often weaker than that of banks.
  3. Economic espionage and sabotage in metaverses. Industrial espionage against corporations doing business in virtual worlds, or sabotage of their digital assets.

Common features of future threats:

  1. High automation and AI. Attacks will be carried out by AI agents capable of adapting to defense systems in real time.
  2. Blurring the line between cybercrime and cyberwarfare. Attacks on CBDCs or national biometric identification systems could become tools of hybrid warfare.
  3. Irreversibility of damage. Compromised biometrics or transactions in the CBDC's immutable ledger cannot be reversed.
  4. The goal is not money, but control. The ultimate goal is shifting from immediate profit to establishing control over a person's digital identity, their financial history, and their opportunities.

Conclusion: From data theft to digital identity theft
Carding was the era of stealing trust symbols (card numbers). The future lies in stealing the trust itself, built into identification systems and algorithms.

Fraudsters of the future won't buy card dumps on forums. They will:
  • Generate deepfakes to fool biometric systems.
  • Hack CBDC smart contracts to redirect tax or subsidy flows.
  • Manipulate API requests in Open Banking to create invisible, legalized money laundering channels.

Security in this new reality must be proactive, distributed, and privacy-focused. The winner will not be the one who builds the highest walls, but the one who creates a financial ecosystem where the very architecture makes fraud pointless—where trust cannot be stolen because it is never concentrated in a single, vulnerable point.
 