Man
Carding is a popular method of cyber fraud that uses a client's banking data: first of all, payment data, online banking passwords and all sorts of CVV/CVC codes.
At the same time, the carder can be either a high-level technical specialist or an ordinary fraudster from a so-called "bank call center". In this article, we discuss the main methods of carding, their relevance and methods of combating them.
Carding with the help of "special means"
This is carding using technical solutions that are used to steal confidential payment information. Most often, these are low-profile cameras, keyboard overlays, and card readers that are installed directly on the ATM.
The main drawback of all these technical solutions is the need to physically visit the crime scene. The fact that most ATMs are equipped with cameras and are located in busy places creates additional difficulties for the attacker.
In this case, the tracking equipment must not only be installed discreetly, but often also removed – for data reading or reuse. Direct fraud with ATMs and other payment terminals is quite rare, compared to other ways to find out card data.
"Advanced" carding
This is a search for vulnerabilities and attacks on banking infrastructure. We can say that this is the most "science-intensive" type of carding, requiring a high level of competence and long-term preparation (similar to APT attacks), as well as reconnaissance and analysis of external sources. But the result can exceed all expectations.
For example, the story of hacker Sergey Pavlovich, founder of the Carding.pro portal, is widely known. Together with Albert Gonzalez and a number of other people, he participated in the greatest theft of bank card data in history: over 170 million bank card numbers were sold. Theft of this level can be called a full-fledged operation.
Along with high-profile hacks and data leaks, there is a less noticeable, but quite "advanced" method associated with the use of skimmers. To implement it, the attacker must gain access to the infrastructure of the online store and install a skimmer, a piece of tracking malware that records and transmits payment information. The required level of competence here directly depends on the level of protection of the online store.
Sergey Voldokhin.
Director of Antiphishing LLC.
The most common method of carding today is the theft of card data from online store users. Cybercriminals hack the websites of trading platforms and introduce special code fragments - Internet skimmers. When a buyer enters card details to pay for a purchase, the skimmer code sends the card data to the criminals. Using this data, fraudsters withdraw funds to their accounts in various ways or sell the collected card information on underground forums.
This is how hackers from groups known under the collective name Magecart work. Initially, they specialized in online stores created on the basis of the Magento engine, but gradually developed Internet skimmers and hacking methods for other engines.
The client cannot "find" the skimmer on their own, so they learn about the leak of their data after the fact, most often when someone attempts to debit funds from their account. Therefore, it is especially important for owners and operators of online stores to conduct a security audit of their infrastructure.
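
One check such an audit can include, as an added example that is not part of the original article: inventory every script a checkout page loads and flag unapproved hosts, third-party scripts without Subresource Integrity, and inline scripts that differ from a reviewed baseline. The host names, the sample page and the function names are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the store operator has reviewed and approved (hypothetical names).
ALLOWED_SCRIPT_HOSTS = {"shop.example", "js.payments.example"}

class ScriptInventory(HTMLParser):  # collects external (src, integrity) pairs and inline bodies
    def __init__(self):
        super().__init__()
        self.external, self.inline, self._in_inline = [], [], False
    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script" and attrs.get("src"):
            self.external.append((attrs["src"], attrs.get("integrity")))
        elif tag == "script":
            self._in_inline = True
            self.inline.append("")
    def handle_data(self, data):
        if self._in_inline:
            self.inline[-1] += data
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline = False

def audit_checkout(html, page_host, baseline_hashes):  # returns [(finding, detail), ...]
    inv = ScriptInventory()
    inv.feed(html)
    findings = []
    for src, integrity in inv.external:
        host = urlparse(src).hostname or page_host  # relative URL: first party
        if host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("unapproved-host", src))
        elif host != page_host and not integrity:
            findings.append(("no-sri", src))  # third party without an integrity attribute
    for body in inv.inline:
        digest = hashlib.sha256(body.encode("utf-8")).hexdigest()
        if digest not in baseline_hashes:
            findings.append(("inline-not-in-baseline", digest[:12]))
    return findings

KNOWN_INLINE = "initCart();"  # constructed: the one reviewed inline script
SAMPLE_PAGE = (  # constructed checkout page, not from a real store
    '<script src="/static/checkout.js"></script>' f'<script>{KNOWN_INLINE}</script>'
    '<script src="https://js.payments.example/v3.js" integrity="sha384-CONSTRUCTED"></script>'
    '<script src="https://js.payments.example/legacy.js"></script>'
    '<script src="https://cdn.unknown.example/a.js"></script><script>/* unreviewed */</script>'
)
BASELINE = {hashlib.sha256(KNOWN_INLINE.encode("utf-8")).hexdigest()}
print(audit_checkout(SAMPLE_PAGE, "shop.example", BASELINE))
```

The check only confirms that an `integrity` attribute is present; the browser is what verifies the hash, and a finding here is a prompt for review rather than proof of compromise.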
"Mass" carding
"Mass" here means generally accessible: it does not require a high level of technical knowledge or the ability to search for and exploit vulnerabilities in information systems. This type of carding is based on two pillars: phishing and social engineering.
There are several examples of such fraud:
- Calls from the "economic police" or bank security service. Using already known information, the attackers give the victim the impression that they really represent the said service, thereby inspiring trust. Then they find out the data they are "missing" in order to steal money.
- Winning a lottery. In a talent show, city draw or any other non-existent event. "Leave your contact and payment details to receive your winnings".
- "Combined" phishing. The attacker disguises the fraud as a well-known legitimate process. For example, on the Blablacar service, you can encounter an offer to "get insurance before a trip" in a third-party, but supposedly mandatory, service. After "registration" on such a site, uncontrolled debits of funds begin.
- "Pure" phishing. It differs from the previous one in that the attacker mimics not the process, but a specific platform: a copy of the page of a bank, marketplace or other popular service.
In the context of "mass" carding, parsing and OSINT skills are of great importance. Parsing lets attackers form a target base of victims, and OSINT methods let them collect information about those victims from open sources. As a rule, such bases are acquired by attackers through the darknet, but with long-term work or a sufficient level of skills, they can be collected independently.
OSINT technologies are especially relevant in cases where it is necessary to obtain specific information about a potential victim, for example, answers to security questions: maiden name, pet name, etc.
Risks by sector
The financial sector can be considered one of the most advanced in terms of implementing protective tools and conducting security audits of its infrastructure, largely due to high requirements from the state.
Evgeniy Tsarev.
Managing Director of RTM Group.
The main method of theft using payment card data is to indicate them in payment systems after compromising the databases of banks or payment agents. According to our data, this type accounts for more than 60%.
Other methods are related to social engineering or phishing, they are in second place. These types of theft account for slightly more than 30%.
The rarest cases are related to the compromise of ATMs and payment gateways - such cases are few and far between.
Methods related to reading the magnetic strip are a thing of the past - all cards in the Russian Federation now have a chip, which does not count.
The situation is somewhat worse for marketplaces and online stores that work with payment data. The problem exists both in terms of infrastructure security and in terms of using such stores as a way to cash out funds.
If we consider crypto exchange fraud as a new field for carders and their activities, then the situation here is most acute, primarily due to the lack of any legal regulation. However, the audience of crypto exchangers is much narrower and, as a rule, has a higher level of financial and information literacy.
Methods of protection against carding
An ordinary client can reduce the risk of falling victim to carding several times over by paying attention to just three points:
- Attentiveness, first of all to dubious calls and sites. You can always take a break to think and analyze. A delay of ten minutes will not be critical in the vast majority of cases, but will protect your money.
- Banking tools. Do not neglect authentication and confirmation methods, various passwords and notifications. This reduces convenience, but increases security.
- Differentiation. The ideal case is if you have a separate card for online purchases. For example, Ozon offers its own card for transactions on its platform.
If most of society follows these simple measures, the number of cases of "low-skilled" carding will be significantly reduced. This will raise the threshold for entry into the profession and will generally reduce the interest of criminals in this activity.
Source