How carders bypass 3D-Secure (3DS) and how difficult is it?

Mutt

For educational purposes, I will provide a more in-depth and detailed analysis of how 3D-Secure (3DS) works, including its technical aspects, how carders try to bypass this system, why it is difficult, what vulnerabilities exist and how they are exploited in the context of carding, and what protection measures are used by banks, merchants and payment systems. I will try to explain everything as clearly as possible, while maintaining technical accuracy, so that you can better understand the protection mechanisms and potential weaknesses.

What is 3D-Secure and how does it work?

3D-Secure (3DS) is an authentication protocol developed by payment systems (Visa - Verified by Visa, Mastercard - SecureCode, American Express - SafeKey, etc.) to improve the security of online transactions. It adds an additional layer of cardholder identity verification to prevent unauthorized transactions such as carding (using stolen card data for fraud). The current version, 3DS 2.x, is significantly improved over 3DS 1.0, and its implementation has become mandatory in most regions (e.g. in the EU due to the PSD2 directive).

3DS Technical Architecture

3DS works as an intermediary between the merchant (online store), the acquiring bank (the store's bank), the issuing bank (the cardholder's bank) and the payment system (Visa, Mastercard). Here are the main stages of the process:
  1. Transaction initiation:
    • The user enters card details (number, expiration date, CVV) on the merchant’s website.
    • The merchant sends an authentication request through the payment gateway to the 3DS system.
  2. Data collection:
    • The merchant and payment gateway collect additional transaction data, including:
      • The amount and currency of the transaction.
      • Geolocation (GeoIP) of the device.
      • Device fingerprint: browser type, operating system, screen resolution, time zone, etc.
      • Behavioral data: transaction history, purchase frequency, merchant reputation.
    • This data is transmitted via AReq (Authentication Request) to the issuing bank through the payment system infrastructure.
  3. Risk assessment:
    • The issuing bank uses Risk-Based Authentication (RBA) to assess the risk level of a transaction. This is done using anti-fraud systems that analyze:
      • GeoIP: Whether the device's IP address matches the geolocation associated with the card.
      • Device Fingerprint: Whether the device settings have changed (for example, changing browser or OS).
      • Behavior: Does the transaction match typical purchasing patterns (amount, merchant category, time).
      • Merchant reputation: For example, a store with a high level of chargebacks is considered riskier.
    • Anti-fraud systems (such as Stripe Radar, CardinalCommerce, or banks' own solutions) use machine learning to detect anomalies.
  4. Flow selection:
    • Based on the risk assessment, the issuing bank decides whether to use Frictionless Flow or Challenge Flow.
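The issuer-side risk assessment and flow selection described in steps 3 and 4, as an added example that is not code from the original post: a toy Risk-Based Authentication scorer over the AReq signals listed above (GeoIP, device fingerprint, behaviour, merchant reputation). The point weights, the challenge threshold and the two sample requests are constructed for illustration; real issuers use machine-learning models rather than fixed weights.

```python
"""Added example, not code from the original post: a toy issuer-side
Risk-Based Authentication (RBA) step that scores AReq signals and picks
Frictionless or Challenge Flow. Weights, threshold and sample requests
are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class AReq:
    """Subset of the authentication request fields the post describes."""
    amount: float
    currency: str
    ip_country: str                 # GeoIP lookup of the device's IP address
    card_country: str               # country the issuer associates with the card
    device_fp: str                  # device fingerprint hash from the browser/SDK
    merchant_id: str
    known_devices: set = field(default_factory=set)  # fingerprints seen before for this card
    typical_amount: float = 0.0     # cardholder's usual purchase size (behavioural data)
    merchant_chargeback_rate: float = 0.0  # share of disputed transactions at the merchant


CHALLENGE_THRESHOLD = 50  # constructed: scores at or above this trigger Challenge Flow


def risk_score(req: AReq) -> int:
    """Add risk points for each anomaly: GeoIP, device, behaviour, merchant reputation."""
    score = 0
    if req.ip_country != req.card_country:
        score += 40   # device appears to be in a different country than the card
    if req.device_fp not in req.known_devices:
        score += 30   # fingerprint never seen for this cardholder
    if req.typical_amount and req.amount > 5 * req.typical_amount:
        score += 25   # amount far outside the cardholder's purchasing pattern
    if req.merchant_chargeback_rate > 0.01:
        score += 15   # merchant with an elevated chargeback level
    return score


def select_flow(req: AReq) -> str:
    """Return 'frictionless' (approve via ARes) or 'challenge' (ask for OTP/biometrics)."""
    return "challenge" if risk_score(req) >= CHALLENGE_THRESHOLD else "frictionless"


# Constructed sample AReqs mirroring the post's two scenarios.
LOW_RISK = AReq(20.0, "USD", "US", "US", "fp-home-laptop", "amazon",
                known_devices={"fp-home-laptop"}, typical_amount=40.0)
HIGH_RISK = AReq(1000.0, "USD", "NG", "RU", "fp-unknown", "small-shop",
                 known_devices={"fp-home-laptop"}, typical_amount=40.0,
                 merchant_chargeback_rate=0.03)

if __name__ == "__main__":
    for name, req in (("low", LOW_RISK), ("high", HIGH_RISK)):
        print(name, risk_score(req), select_flow(req))
```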

Frictionless Flow

  • If the risk is low, the issuing bank approves the transaction without further verification.
  • Example scenario:
    • A $20 purchase from a familiar online store (e.g. Amazon) from a device the user regularly uses and from an IP address that matches their usual geolocation.
    • Device data and transaction history confirm that this is a legitimate user.
  • Technical details:
    • The bank returns ARes (Authentication Response) with an approval code.
    • The merchant continues processing the transaction through the acquiring bank, which requests authorization from the issuer.
  • Vulnerabilities for carders:
    • If a carder spoofs the GeoIP and device, or uses stolen data that matches the victim's profile, they can pass Frictionless Flow. However, this requires significant effort and data.

Challenge Flow

  • If the risk is high, the bank requires additional authentication.
  • Process:
    • The user is redirected to the 3DS interface (pop-up, iframe or bank page).
    • The issuer requests one of the authentication factors:
      • OTP (One-Time Password): A one-time password sent via SMS, email or to a banking app. The OTP is generated using cryptographic algorithms (e.g. HMAC) and is time-limited (usually 30–60 seconds).
      • Biometrics: Fingerprint, face or voice scanning via banking app.
      • Static Password: Less commonly used in 3DS 2.x as it is less secure.
    • After successful verification, the bank confirms the transaction via ARes.
  • Example scenario:
    • A $1000 purchase from a new device in another country triggers an OTP or biometric verification request.
  • Technical details:
    • Authentication data is encrypted and verified using HSM (Hardware Security Module).
    • HSM provides secure key storage, OTP generation and biometric data verification.
  • Vulnerabilities for carders:
    • OTP interception via phishing, SIM-swapping or malware.
    • Compromising the victim's device to forge biometrics (extremely difficult).

The role of the HSM (Hardware Security Module)

  • An HSM is a physically secure device used for:
    • Generating and storing cryptographic keys.
    • Encrypting and decrypting data.
    • Checking the integrity and authenticity of transactions.
  • In 3DS, an HSM is used for:
    • Generating OTPs using algorithms such as TOTP (Time-based One-Time Password).
    • Biometric data checks (e.g. comparing an encrypted fingerprint template).
    • Ensuring the security of data exchange between the merchant, acquirer and issuer.
  • Why HSM is hard to hack:
    • HSMs are certified according to security standards (FIPS 140-2/3, PCI HSM).
    • They are physically isolated and resistant to physical and software attacks.
    • Keys can only be accessed through strictly controlled APIs.
    • Hacking an HSM requires physical access and government-level resources.

Antifraud systems

  • Stripe Radar: A machine learning-based system that analyzes millions of transactions to identify suspicious patterns (such as multiple transactions from the same IP, unusual amounts, or geolocations).
  • GeoIP: Checks if the IP address matches the geolocation of the card. For example, a transaction from Nigeria for a card registered in Russia is suspicious.
  • Device Fingerprinting: Collects device data (browser, OS, screen resolution, fonts, plugins) to create a unique identifier. Any change triggers a risk flag.
  • Behavioral Analytics: Analyzes user behavior (time of purchase, product categories, frequency of transactions).
  • Example: If a carder uses a VPN to spoof an IP, but the device or behavior does not match the victim's profile, the anti-fraud system may block the transaction.

Why is 3DS bypass difficult for carders?

Carding is the process of using stolen card data to make purchases or withdraw money. 3DS creates significant obstacles for carders due to the following factors:
  1. Cryptographic protection:
    • OTPs are generated from a time counter and cryptographic algorithms (e.g. HMAC-SHA256) with keys stored in the HSM. An intercepted OTP is useless outside the context of the specific transaction it was issued for.
    • Biometric data is stored encrypted and verified via HSM. Even if the device is compromised, counterfeiting biometrics requires sophisticated attacks (such as creating synthetic fingerprints).
  2. Multi-Factor Authentication (MFA):
    • 3DS 2.x complies with the SCA (Strong Customer Authentication) requirements of PSD2, requiring a minimum of two factors:
      • Knowledge: Password or PIN (less common).
      • Possession: OTP, device, SIM card.
      • Biometrics: Fingerprint, face, voice.
    • The carder needs to compromise multiple factors at once, which makes the attack much more difficult.
  3. Antifraud systems:
    • Systems like Stripe Radar, CardinalCommerce, or Falcon (FICO) use machine learning to analyze transactions in real time. They detect anomalies such as:
      • GeoIP mismatch (e.g. a transaction from another country).
      • A changed device fingerprint.
      • High frequency of transactions or attempts on different sites.
    • Even if a carder fakes an IP via VPN, anti-fraud systems analyze additional parameters (HTTP headers, mouse behavior, data entry time).
  4. Regulatory requirements:
    • In the EU, the PSD2 directive requires mandatory SCA for most online transactions. Exceptions (such as low-value transactions or recurring payments) are strictly limited.
    • This makes bypassing 3DS rare, as merchants and banks are required to implement it.
  5. Time-limited OTP:
    • The OTP is valid for 30-60 seconds and is tied to a specific transaction. Even if a carder intercepts the OTP, they will not be able to use it for another transaction.
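The transaction-bound, time-limited OTP described in points 1 and 5 (and in the Challenge Flow section above), as an added example that is not code from the original post: the code is an HMAC over the transaction's own fields plus a time counter, so a code issued for one purchase verifies only for that amount, currency and merchant within its window. The key, the 60-second window and the sample transaction values are constructed; a real issuer keeps the key inside the HSM rather than in application memory.

```python
"""Added example, not code from the original post: an OTP bound to one
transaction and a short time window, showing why an intercepted code
cannot be replayed against a different purchase or after expiry.
Key, window and sample values are constructed."""
import hashlib
import hmac
import struct

WINDOW_SECONDS = 60  # constructed: the post cites a 30-60 second validity period
SAMPLE_KEY = b"constructed-issuer-key-normally-kept-in-hsm"


def _context(amount_minor: int, currency: str, merchant_id: str) -> bytes:
    """Transaction fields that the code is bound to (amount in minor units, e.g. cents)."""
    return f"{amount_minor}|{currency}|{merchant_id}".encode()


def generate_otp(key: bytes, amount_minor: int, currency: str, merchant_id: str,
                 timestamp: int, digits: int = 6) -> str:
    """HMAC-SHA256 over (transaction context || time counter), truncated like HOTP (RFC 4226)."""
    counter = timestamp // WINDOW_SECONDS
    msg = _context(amount_minor, currency, merchant_id) + struct.pack(">Q", counter)
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_otp(key: bytes, otp: str, amount_minor: int, currency: str, merchant_id: str,
               now: int, drift_windows: int = 1) -> bool:
    """Accept the code for the current window plus `drift_windows` earlier ones
    (allows for SMS delay / clock skew); anything older, or any other transaction, fails."""
    for w in range(drift_windows + 1):
        candidate = generate_otp(key, amount_minor, currency, merchant_id,
                                 now - w * WINDOW_SECONDS)
        if hmac.compare_digest(candidate, otp):      # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    t = 1_700_000_000
    code = generate_otp(SAMPLE_KEY, 100000, "USD", "merchant-A", t)
    print("issued:", code)
    print("same transaction:", verify_otp(SAMPLE_KEY, code, 100000, "USD", "merchant-A", t))
    print("other amount:", verify_otp(SAMPLE_KEY, code, 250000, "USD", "merchant-A", t))
    print("expired:", verify_otp(SAMPLE_KEY, code, 100000, "USD", "merchant-A", t + 3 * WINDOW_SECONDS))
```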

How do carders try to bypass 3DS?

Carders use a variety of methods to bypass 3DS, but most focus on vulnerabilities unrelated to cryptography or HSM. Here are the main approaches in the context of carding:
  1. Social engineering:
    • Phishing: Carders create fake websites that mimic the 3DS interface (e.g. a bank page) to trick the user into entering their OTP or card details. These websites often use domains that look similar to the real thing (e.g. bankofamerica-login.com).
    • Vishing (voice phishing): Fraudsters call the victim, posing as bank employees, and ask for an OTP or to confirm a transaction.
    • SMS Phishing (Smishing): Sending fake SMS asking to click a link or provide an OTP.
    • Example: A carder buys card details on the darknet, makes a purchase and redirects the victim to a phishing page to enter the OTP.
  2. SIM-swapping:
    • The carder convinces the telecom operator to reissue the victim's SIM card in his name, gaining access to the SMS with the OTP.
    • How it works:
      • The carder collects the victim's personal data (name, date of birth, address) through leaks or social engineering.
      • Calls the operator, pretending to be a victim, and asks to transfer the number to a new SIM card.
      • Gains access to SMS and can intercept OTP.
    • Difficulty: Requires social engineering and victim data, but in some countries operators have weak verification procedures.
  3. Malware and Trojans:
    • Carders use Trojans (e.g. Anubis, Cerberus) to compromise the victim's device. Such programs can:
      • Intercept SMS with OTP.
      • Take screenshots or record keystrokes.
      • Replace the interface of the banking application.
    • Example: A Trojan on an Android device intercepts the OTP and sends it to the carder in real time.
    • Complexity: Requires infecting the victim's device, which can be achieved through phishing or installing malicious applications.
  4. Exploitation of weak merchants:
    • Some online stores disable 3DS for customer convenience or use the outdated 3DS 1.0, which is less secure.
    • MOTO Transactions (Mail Order/Telephone Order): In rare cases, carders will attempt to process transactions as phone orders, which sometimes do not require 3DS.
    • Example: A carder finds a store with a disabled 3DS and uses the stolen card details to make a purchase.
    • Complexity: PSD2 and other regulations make such cases rare in 2025.
  5. Purchase full data (fullz):
    • On the darknet, carders buy "fullz" - complete sets of data, including card number, CVV, name, address, email, phone, transaction history and even answers to security questions.
    • This allows the carder to spoof the victim's profile (GeoIP, device) to pass Frictionless Flow.
    • Complexity: Expensive and requires precise data matching to avoid raising suspicions of anti-fraud systems.
  6. Card testing:
    • Carders conduct small transactions (e.g. $1–$5) on low-security sites to verify card validity and bypass 3DS via Frictionless Flow.
    • They may use VPNs, proxies, or fake devices to impersonate a legitimate user.
    • Example: A carder tests a card on a site with 3DS disabled, then uses it to make large purchases.
    • Complexity: Anti-fraud systems quickly detect such attempts, especially if transactions are made from different IPs or devices.
  7. Compromise of banking applications:
    • If a carder gains access to the victim's banking application (via phishing or a Trojan), he can confirm transactions using biometrics or OTP.
    • Complexity: Requires a sophisticated attack on the victim's device and bypassing the application's protection.
  8. Attacks on infrastructure:
    • In rare cases, carders attempt to attack a merchant's or payment gateway's infrastructure to replace transaction data or disable 3DS.
    • Difficulty: This requires advanced hacking skills and is rare in carding.

How hard is it to bypass 3DS for carders?

Bypassing 3DS is a complex task that requires significant resources, skills, and data. Here are the difficulty ratings for each approach:
  1. Technical hacking (HSM, cryptography):
    • Difficulty: Almost impossible.
    • HSMs are protected physically and software-wise, and cryptographic algorithms (AES-256, HMAC) are resistant to attacks. Hacking requires access to the bank or payment system infrastructure, which is only available to government or highly advanced hackers.
  2. Social engineering:
    • Difficulty: Medium, depends on the victim.
    • Phishing, vishing and smishing are the most common methods, as they exploit the human factor. Success depends on the user's inattention.
    • Example: The carder sends an SMS with a fake link to a "bank page" where the victim enters the OTP.
  3. SIM-swapping:
    • Difficulty: Medium-High.
    • Requires personal data of the victim and weak procedures from the carrier. In some countries (e.g. the US) SIM-swapping was popular until 2023, but tightening of procedures has reduced its effectiveness.
  4. Malware:
    • Difficulty: High.
    • Requires infecting the victim's device, which is difficult without phishing or exploiting vulnerabilities. Modern devices (iOS, Android) have built-in protection mechanisms (e.g. Google Play Protect, App Sandbox).
  5. Exploitation of weak merchants:
    • Difficulty: Low-medium.
    • In 2025, such cases are rare due to the mandatory implementation of 3DS 2.x, but some small shops or regions with low levels of regulation are still vulnerable.
  6. Faking Frictionless Flow:
    • Difficulty: High.
    • The carder needs to fake GeoIP, device, behavior and have access to the victim's full data. Anti-fraud systems quickly detect discrepancies.
  7. Compromise of banking applications:
    • Difficulty: Very high.
    • Requires sophisticated attacks on the device and bypassing application protection (e.g. biometric authentication).

3DS Vulnerabilities in the Context of Carding

  1. Human factor:
    • Users often become the weak link by revealing OTPs through phishing or vishing.
    • Solution: User training, two-factor authentication for email and phone, anti-phishing filters.
  2. Legacy Systems (3DS 1.0):
    • Some regions still use 3DS 1.0, which relies on static passwords or simple questions. It is less secure than 3DS 2.x.
    • Solution: Complete transition to 3DS 2.x, which has already been implemented in most developed countries.
  3. Device compromise:
    • Trojans, keyloggers or fake apps can intercept OTP or biometric data.
    • Solution: Antivirus software, regular OS updates, use biometrics instead of SMS OTP.
  4. Weak merchants:
    • Some stores disable 3DS or use weak settings to increase conversion.
    • Solution: Regulatory requirements (e.g. PSD2) and checks by payment systems.
  5. SIM-swapping:
    • Telecom operators in some countries have weak verification procedures, which allows carders to intercept SMS.
    • Solution: Strengthening identification procedures, switching to OTP via applications.
  6. Weaknesses of anti-fraud systems:
    • Some anti-fraud systems may not be configured strictly enough, allowing suspicious transactions to pass.
    • Solution: Regularly update machine learning models and integrate with global fraud databases.

Anti-carding measures

  1. For users:
    • Security training: Do not enter OTP on suspicious sites, ignore calls from the "bank".
    • Two-factor authentication: Enable 2FA for email, phone, and banking apps.
    • Antivirus software: Install security programs and update your OS.
    • Biometrics: Use fingerprint or face recognition instead of SMS OTP.
    • Transaction Monitoring: Set up real-time transaction notifications.
  2. For banks:
    • Implementation of 3DS 2.x with mandatory Challenge Flow for high-risk transactions.
    • Using HSM to protect keys and data.
    • Integration of advanced anti-fraud systems (Stripe Radar, Falcon).
    • GeoIP, device fingerprinting and behavioral data analysis.
    • Limit SMS OTP in favor of biometrics or in-app push notifications.
  3. For merchants:
    • Full implementation of 3DS 2.x, even if it reduces conversion.
    • Integration with anti-fraud systems (for example, Stripe Radar, Kount).
    • Checking customer reputation and monitoring suspicious transactions.
    • Regular security audits.
  4. For payment systems:
    • Mandatory implementation of SCA (as in PSD2).
    • Developing new standards to protect against social engineering.
    • Monitoring global fraud trends and sharing data between banks.
  5. For telecom operators:
    • Strengthening verification procedures when reissuing SIM cards.
    • Implementation of additional authentication factors for SIM change.

Summary

3D-Secure (especially 3DS 2.x) is a powerful anti-carding tool thanks to cryptography, HSM, multi-factor authentication, and anti-fraud systems (Stripe Radar, GeoIP). Bypassing 3DS is extremely difficult, as technical hacking (e.g. HSM) requires resources that are unavailable to most carders. The main vulnerabilities are related to social engineering (phishing, vishing), SIM-swapping, and device compromise, but these methods require significant effort and victim data. Carders most often exploit the human factor or weak merchant settings, but regulations (e.g. PSD2) and advanced technologies reduce the effectiveness of such attacks.

To protect against carding, users must be vigilant, use biometrics and 2FA, and banks and merchants must implement 3DS 2.x, anti-fraud systems, and HSM. In 2025, 3DS remains one of the most reliable online transaction security systems, and carders have to find increasingly sophisticated ways to bypass it.

If you have additional questions or want to delve deeper into a specific aspect (e.g. technical details of HSM or anti-fraud algorithms), let me know!