How GeoIP databases work

Mutt

Mutt

Professional
Messages
1,368
Reaction score
912
Points
113
GeoIP databases are specialized databases that match IP addresses with geographic and network information such as country, region, city, ISP, connection type (e.g. residential, data center, VPN) and coordinates (latitude/longitude). They are widely used by anti-fraud systems (e.g. Stripe Radar, Adyen RevenueProtect) to detect fraud, including carding using Non-VBV, Auto-VBV or Non-MCSC bins, by analyzing the IP address to the map region or identifying suspicious networks such as VPN or Tor. For educational purposes, I will describe in detail how GeoIP databases work, their structure, update process, methods of use and impact on carding prevention, as well as limitations.

1. What are GeoIP databases and their purpose​

GeoIP (Geolocation by IP) is a technology that allows you to determine the geographic location and characteristics of a device based on its IP address. Major GeoIP database providers include MaxMind (GeoLite, GeoIP2), IP2Location, IPinfo, Neustar and Digital Element. These databases are used to:
  • Anti-fraud analysis: Detection of discrepancies between the IP address and the map region (for example, an American map with an IP from Russia).
  • VPN/Proxy Detections: Identify IPs associated with VPNs, Tor or data centers.
  • Personalization: Adaptation of content (e.g. website language) depending on the region.
  • Security: Block IP from regions with high fraud levels.

In the context of carding: GeoIP helps anti-fraud systems identify suspicious transactions when a carder uses a VPN or IP from an inappropriate region, which is especially important for protecting against the use of stolen card data.

2. How GeoIP databases work​

GeoIP databases collect, process, and provide IP address data using complex collection processes and algorithms. Here are the main stages of their work:

a) Data collection​

  • Data sources:
    • IP Registrars: Regional Internet Registries (RIRs) such as ARIN, RIPE NCC, APNIC provide information on IP address allocation and their owners (providers, data centers).
    • Internet Service Providers (ISPs): Provide data on the geographic distribution of their IPs.
    • Network scanners: Collect data on network activity, including geolocation of servers and devices.
    • Partnerships: GeoIP providers partner with CDNs (e.g. Cloudflare), VPN providers and anti-fraud systems to obtain information about IP types (VPN, proxy).
    • Crowdsourcing: User data (such as GPS from mobile devices) helps refine geolocation.
  • Example: MaxMind collects data from RIPE NCC about the IP range 104.28.0.0/16, determining that it belongs to Cloudflare (USA) and is often used for VPNs.

b) Database structure​

  • Format:
    • GeoIP databases are stored as tables or files (e.g. CSV, MMDB for MaxMind), where each IP range is associated with metadata.
    • Example of a record in the GeoIP2 database (MaxMind):
      JSON: 
      {
"ip_range": "104.28.12.0/24",
"country_code": "US",
"region": "California",
"city": "San Francisco",
"latitude": 37.7749,
"longitude": -122.4194,
"isp": "Cloudflare, Inc.",
"asn": "AS13335",
"connection_type": "datacenter",
"proxy_type": "VPN"
}
  • Key fields:
    • IP Range: A block of addresses (e.g. 104.28.12.0–104.28.12.255).
    • Geolocation: Country, region, city, coordinates.
    • Network data: ASN (Autonomous System Number), provider, connection type (residential, data center, VPN, Tor).
    • Risk Labels: Indicators that point to VPNs, proxies or anonymizers.
  • Meal format:
    • Binary format (MMDB) for fast searching.
    • Database size: from tens of MB (GeoLite2) to hundreds of MB (GeoIP2 Precision).

c) Search process​

  • Mechanism:
    • The anti-fraud system sends a request with an IP address (for example, 104.28.12.45) to the GeoIP database via API or a local copy of the database.
    • The database uses search algorithms (such as binary tree or hash tables) to match IPs to a range and return metadata.
  • Example API request (MaxMind GeoIP2):
    HTTP: 
    GET https://geoip.maxmind.com/geoip/v2.1/city/104.28.12.45
Authorization: Basic <license_key>
    Answer:
    JSON: 
    {
"ip_address": "104.28.12.45",
"country": {
"iso_code": "US",
"name": "United States"
 },
"city": {
"name": "San Francisco"
 },
"location": {
"latitude": 37.7749,
"longitude": -122.4194
 },
"network": {
"asn": "AS13335",
"organization": "Cloudflare, Inc.",
"proxy_type": "VPN"
}
}
  • Speed: Search takes <1ms thanks to optimized data structures (e.g. MMDB).

d) Updating databases​

  • Refresh rate:
    • The databases are updated daily or weekly to account for new IP ranges, provider changes and the emergence of new VPNs.
    • MaxMind, for example, publishes GeoLite2 updates weekly, and GeoIP2 Precision updates daily.
  • Process:
    • Collecting new data from RIRs, ISPs and partners.
    • Analyze the activity of VPN providers (e.g. NordVPN, ExpressVPN) to add their IPs to lists.
    • Fixing geolocation errors based on user feedback.
  • Example: A new NordVPN IP range (e.g. 172.67.0.0/16) is added to the database as a VPN after it is registered with the RIPE NCC.

e) Integration with anti-fraud systems​

  • Mechanism:
    • Anti-fraud systems (Stripe Radar, Sift) integrate GeoIP databases via API or local copies to analyze transactions in real time.
    • Example: Stripe Radar requests customer IP data when creating a Payment Intent and uses it to calculate the risk score.
  • Application:
    • Checking whether the IP matches the region of the map.
    • Detect VPN, proxy or Tor.
    • Blocking transactions from regions with high fraud levels (e.g. Nigeria, Russia).
  • Technical details:
    • API integration: GET /geoip/104.28.12.45 returns data for analysis.
    • Local database: The anti-fraud system downloads the MMDB file and performs a search on the server for speed.

3. How GeoIP databases help in anti-fraud analysis​

GeoIP databases play a key role in preventing carding, especially when using VPN or mismatched IPs:

a) Geographical compliance check​

  • Mechanism:
    • The anti-fraud system compares the IP country/region (from GeoIP) with the map region (based on the BIN - the first 6 digits of the map).
    • Example: A card with BIN 479126 (ESL FCU, USA) and IP from Russia (GeoIP: country_code=RU) causes a high risk score.
  • Impact on carding:
    • Carders using Non-VBV or Auto-VBV bins often use VPN to simulate the map region. GeoIP reveals VPN (e.g. Cloudflare IP) and increases the risk.

b) VPN and proxy detection​

  • Mechanism:
    • GeoIP marks IPs as VPN if they belong to data centers or well-known providers (NordVPN, ExpressVPN).
    • Example: IP 104.28.12.45 (Cloudflare, ASN AS13335) is marked as VPN, which triggers 3DS or blocking.
  • Impact on carding:
    • Carders using popular VPNs are easily detected as their IPs are listed in GeoIP databases.
    • Even residential proxies (simulating home IPs) can be flagged as suspicious if their ASN is associated with proxy providers (eg Luminati).

c) Detection of Tor and anonymizers​

  • Mechanism:
    • GeoIP contains lists of Tor exit nodes (about 1000-2000 IPs) that are updated daily.
    • Example: IP 185.220.101.10 (Tor exit node) is automatically blocked by anti-fraud systems.
  • Impact on carding:
    • Carders using Tor for anonymity are immediately identified, since Tor exit nodes are blacklisted.

d) Analysis of risky regions​

  • Mechanism:
    • GeoIP allows anti-fraud systems to flag IPs from regions with high fraud rates (e.g. Nigeria, Indonesia).
    • Example: A transaction with an IP from Nigeria (country_code=NG) gets a high risk score even if the card is from the US.
  • Impact on carding:
    • Carders from high-risk regions are blocked even if they use VPN, since anti-fraud systems analyze additional signals (device, behavior).

e) Behavioural analysis with GeoIP​

  • Mechanism:
    • GeoIP data is combined with behavioral analysis (e.g. IP change, time zone).
    • Example: IP from the USA, but time zone UTC+3 (Russia) points to VPN.
  • Impact on carding:
    • Carders cannot perfectly fake all parameters (IP, time zone, device), which leads to detection.

4. Practical examples in the context of carding​

  • Scenario 1: Non-VBV bin with VPN:
    • The carder uses Non-VBV bin (479126, ESL FCU) and NordVPN (IP 104.28.12.45).
    • Stripe Radar requests GeoIP2: IP is marked as VPN (Cloudflare, ASN AS13335). Transaction is blocked or requires 3DS.
    • Result: Carder can't bypass 3DS without OTP.
  • Scenario 2: Auto-VBV bin with resident proxy:
    • The carder uses Auto-VBV bin (440393, Bank of America) and a residential proxy (IP 192.168.1.1).
    • GeoIP2 shows that the IP belongs to ASN Luminati (proxy provider). Radar initiates 3DS, asking for OTP.
    • Result: Transaction is rejected due to missing OTP.
  • Scenario 3: Tor for card testing:
    • Carder tests Non-MCSC bin (523236, Santander) via Tor (IP 185.220.101.10).
    • GeoIP marks IP as Tor exit node. Radar blocks transaction after first attempt.
    • Result: The card is added to the blacklist.
  • Scenario 4: Region Mismatch:
    • The carder uses a card from the USA (BIN 455620) with an IP from Nigeria.
    • GeoIP2 returns country_code=NG, which increases the risk rate. The transaction is blocked.
    • Result: Even without VPN, the region mismatch is detected.

5. GeoIP database limitations​

  • Geolocation accuracy:
    • At country level the accuracy is >95%, but at city level it can be lower (70-80%) due to dynamic IP allocation.
    • Example: An IP may be labeled as San Francisco even though the user is in Los Angeles.
  • Updates:
    • New VPNs or proxies may not be in the database until the next update (1-7 days).
    • Residential proxies are harder to identify because they mimic home IPs.
  • False positives:
    • Legitimate users using VPN for privacy may be flagged as suspicious.
    • Anti-fraud systems must balance so as not to block such users.
  • Dynamic IP:
    • Mobile operators often change IP, which makes it difficult to accurately determine the region.

6. How Anti-Fraud Systems Strengthen GeoIP​

  • Combination with Device Fingerprinting:
    • GeoIP data is supplemented with device fingerprint (browser, OS, fonts), which increases the accuracy of VPN detection.
    • Example: IP from the USA, but a device with Russian language and UTC+3 raises suspicions.
  • Behavioral analysis:
    • GeoIP is combined with behavioral analysis (typing speed, navigation) to detect bots or unnatural actions.
  • Machine learning:
    • Algorithms (like those in Stripe Radar) are trained on historical data to identify new VPNs not included in GeoIP databases.
  • Blacklists:
    • IPs associated with fraud (as reported by Visa TC40, MasterCard SAFE) are added to blacklists, strengthening GeoIP.

7. Conclusion​

GeoIP databases work by matching IP addresses with geographic and network information (country, city, ASN, connection type) by collecting data from RIRs, ISPs and partners. They use optimized formats (MMDB) and API for fast lookups (<1ms), integrating with anti-fraud systems like Stripe Radar to detect VPN, Tor and region mismatches. In the context of carding, GeoIP makes the use of Non-VBV, Auto-VBV and Non-MCSC bins difficult, as it identifies suspicious IPs (VPNs, data centers) and initiates 3DS or blocking. Despite its limitations (inaccuracy at the city level, residential proxies), the combination with Device Fingerprinting, behavioral analysis and blacklists makes GeoIP a powerful anti-fraud tool.

If you want to dive deeper into a specific aspect, such as how to create custom rules in Stripe Radar based on GeoIP or how residential proxies work, let me know!
 
You must log in or register to reply here.

Similar threads

Mutt
How Anti-Fraud Systems Detect VPNs
Replies
0
Views
29
Mutt
Mutt
Mutt
Как работают базы GeoIP
Replies
0
Views
30
Mutt
Mutt
Mutt
How AntiFraud Systems Analyze IP and Device Fingerprinting
Replies
0
Views
63
Mutt
Mutt
Mutt
How IP Leaks via WebRTC
Replies
0
Views
75
Mutt
Mutt
Mutt
How Machine Learning Detects Anomalies
Replies
0
Views
68
Mutt
Mutt
Back
Top