Two-factor authentication (2FA) at the payment gateway level is a powerful tool for combating carding, as it significantly improves the security of online transactions, making fraudulent transactions with stolen card details less successful. For educational purposes, let's explore how 2FA works, its impact on carding, and the specific aspects that make it effective.
What is carding and why is it a problem?
Carding is a type of fraud in which criminals use stolen bank card information to conduct unauthorized transactions, most often online (card-not-present, or CNP, transactions). Card information can be obtained through:
- Phishing: Fraudulent websites or emails that trick users into revealing information.
- Skimming: Devices installed on ATMs or terminals that read card data.
- Data leaks: Hacking of databases of online stores, payment systems or other services.
- Darknet: Purchasing stolen data on shadow markets.
The carder's main goal is to use this data to purchase goods, withdraw funds, or resell them. The problem with carding is financial losses for banks, merchants, and users, as well as an increase in chargebacks, which increases business costs.
What is two-factor authentication (2FA)?
2FA is an authentication method that requires a user to provide two independent factors to confirm their identity. These factors fall into three categories:
- Knowledge (something the user knows): For example, a password, PIN, or the answer to a security question.
- Possession (something the user has): For example, a smartphone to which a one-time code is sent, or a token.
- Biometrics (something the user is): Fingerprint, face scan or voice recognition.
In the context of payment gateways, 2FA most often uses a combination of card details (knowledge) and a one-time code sent to the user's device (possession). For example, when using the 3D-Secure protocol (such as Verified by Visa, Mastercard SecureCode, or American Express SafeKey), the user enters card details and then confirms the transaction via a code sent via SMS, a push notification in the banking app, or biometric verification.
How does 2FA reduce the success of carding?
2FA creates additional barriers for fraudsters, reducing the likelihood of successfully completing a transaction using stolen data. Here's a detailed breakdown of the mechanisms:
1. Additional level of identity verification
- When using 2FA, card details (card number, expiration date, CVV) alone are not sufficient to complete a transaction. The payment gateway requires a second factor, such as a one-time code sent to the cardholder's registered phone number or confirmation via a banking app.
- A carder who only has card details can't access this second factor unless they have physical access to the owner's device or account. This makes the stolen data virtually useless for transactions.
2. Reducing automated attacks
- Carders often use automated tools (bots) to mass-test stolen cards on websites to check which ones are valid. These attacks are called "card testing" or "card stuffing."
- 2FA disrupts this process, as automated systems cannot bypass the one-time code or biometric verification prompt. This dramatically reduces the effectiveness of mass attacks.
3. Compliance with security standards
- Most payment systems (Visa, Mastercard, Amex) use 3D-Secure protocols, which integrate 2FA into the online payment process. These protocols require the card issuing bank to verify the user's identity before approving the transaction.
- For example, when attempting to pay on a website that supports 3D-Secure, the user is redirected to the bank's page, where they are required to enter a one-time code or undergo biometric verification. Without this, the transaction is rejected.
4. Dynamic protection against static data
- Stolen card data is static (the card number, CVV, and expiration date do not change). However, 2FA adds a dynamic element, such as a one-time code, which changes for each transaction and is only valid for a short time (usually 5-10 minutes). This makes it impossible to reuse the stolen data without access to the dynamic factor.
5. Reducing financial and reputational risks
- For merchants, 2FA reduces the incidence of chargebacks, as fraudulent transactions are less likely to be successful. Chargebacks occur when a cardholder disputes a transaction, resulting in a refund and additional fees for the merchant.
- For banks and payment systems, 2FA increases customer confidence in the security of online payments, which contributes to the growth of digital transactions.
6. Adaptive risk assessment
- Modern 2FA implementations, such as 3D-Secure 2.0, use risk-based authentication (RBA) based on transaction data. This means that low-risk transactions (such as small amounts or purchases from trusted merchants) may not require 2FA, improving the user experience. However, suspicious transactions (such as large amounts or unusual behavior) require mandatory confirmation.
- This makes it more difficult for carders to operate, as they often attempt to conduct large transactions that are more likely to trigger a 2FA request.
An example of 2FA in a payment gateway
- The user enters card details on the online store website.
- The payment gateway checks whether the card supports 3D-Secure.
- If so, the user is redirected to the issuing bank's page, where they are asked to enter a one-time code sent via SMS or confirm the transaction via a push notification in the banking app.
- If the code is entered correctly, the transaction is approved. If not, it is rejected.
Carder scenario: A carder using stolen card details enters them on a website. The payment gateway requests a one-time code, which is sent to the real cardholder's phone. Without access to this code, the carder cannot complete the transaction, and the payment is declined.
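The gateway-side half of the flow above as a runnable sketch (an added example, not code from the original article or from any card scheme): a one-time code bound to a single transaction, valid for a few minutes, limited in guesses and compared in constant time, plus the risk-based "challenge or frictionless" rule from 3D-Secure 2.0. The merchant allow-list, the amount threshold, the TTL and the function names are assumptions; delivering the code to the cardholder's phone is out of scope.

```python
import hmac
import secrets
from dataclasses import dataclass

# Assumed policy values, constructed for this example (not any real issuer's settings).
CODE_TTL_SECONDS = 5 * 60                  # a code lives only a few minutes
MAX_ATTEMPTS = 3                           # wrong guesses before the challenge locks
LOW_RISK_LIMIT = 30.00                     # below this, a trusted merchant is frictionless
TRUSTED_MERCHANTS = {"bookshop.example"}   # constructed allow-list of known merchants

@dataclass
class Challenge:
    """The one-time code the issuer sent out-of-band (SMS/push) for one transaction."""
    code: str
    txn_id: str
    expires_at: float
    attempts: int = 0
    used: bool = False

def needs_challenge(amount: float, merchant: str) -> bool:
    """Risk-based rule in the spirit of 3D-Secure 2.0: small purchases at a trusted
    merchant go through frictionless; everything else must be confirmed."""
    return not (amount <= LOW_RISK_LIMIT and merchant in TRUSTED_MERCHANTS)

def issue_challenge(txn_id: str, now: float) -> Challenge:
    """Create the dynamic factor; sending it to the cardholder's phone is out of scope."""
    code = f"{secrets.randbelow(10**6):06d}"   # 6 digits from a CSPRNG
    return Challenge(code=code, txn_id=txn_id, expires_at=now + CODE_TTL_SECONDS)

def verify_challenge(ch: Challenge, txn_id: str, submitted: str, now: float) -> str:
    """Return 'approved' or a decline reason. A consumed, expired or locked code
    is rejected before the comparison, so it cannot be guessed at leisure."""
    if ch.used:
        return "declined: code already used"
    if now > ch.expires_at:
        return "declined: code expired"
    if ch.attempts >= MAX_ATTEMPTS:
        return "declined: too many attempts"
    ch.attempts += 1
    # Bound to the transaction it was issued for and compared in constant time,
    # so a card-testing bot learns nothing from response timing.
    if txn_id == ch.txn_id and hmac.compare_digest(ch.code, submitted):
        ch.used = True                         # single use, as the text describes
        return "approved"
    return "declined: wrong code"
```

In the carder scenario the submitter holds valid card data but never sees `ch.code`, so every path except the cardholder's own entry ends in a decline.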
Statistics and efficiency
- According to Visa and Mastercard, the implementation of 3D-Secure reduces the level of fraudulent transactions by an average of 70-85% depending on the region and type of transaction.
- The European Directive PSD2 (Payment Services Directive 2) made 2FA mandatory for most online transactions in the EU, leading to a significant reduction in fraud in the region.
- A Juniper Research study found that global losses from carding were approximately $32 billion in 2022, but the implementation of 2FA and other security measures (such as tokenization) has reduced potential losses by tens of billions of dollars.
Additional aspects and limitations
- 2FA limitations:
  - If a fraudster gains access to the victim's phone (for example, through SIM swapping or SMS interception), 2FA can be compromised. However, this requires significantly more effort than simply using stolen card details.
  - Some users may find 2FA inconvenient, leading to abandoned carts, but modern technologies like 3D-Secure 2.0 minimize this through adaptive authentication.
- Synergy with other measures:
  - 2FA works best when combined with other technologies, such as tokenization (replacing card data with unique tokens), real-time transaction monitoring, and machine learning to identify suspicious transactions.
- Global implementation:
  - In regions where 2FA is mandatory (such as the EU), carding rates are lower than in regions with less stringent regulations. This demonstrates that widespread implementation of 2FA at the payment gateway level has a systemic effect.