How is social engineering used in carding and how do banks prevent it?

[Mutt]

Social engineering in carding is one of the key methods used by attackers to gain access to sensitive information such as bank card details, one-time passwords (OTP), PIN codes or bank account credentials. Carders (fraudsters who steal and use card data) exploit psychological vulnerabilities to trick the victim into providing information or performing actions that will lead to financial losses. Banks, in turn, develop multi-level protection systems, including customer education, biometric technologies, two-factor authentication (2FA) and other measures. Below, we discuss in detail the mechanisms of social engineering in carding, specific deception techniques for obtaining OTP and PIN, as well as banks' approaches to preventing such attacks.

Social Engineering in Carding: How It Works​

Social engineering is the art of manipulation based on psychology rather than technical vulnerabilities. In the context of carding, it is used to bypass security mechanisms such as 2FA and obtain data that the victim would normally not disclose. The basic principle is to exploit the victim’s trust, fear, greed, or ignorance. Carders aim to minimize technical effort, as deceiving a person is often easier than hacking complex banking systems.

Basic Social Engineering Techniques in Carding​

1. Phishing:
   • Description: Carders send fake messages (email, SMS, messages in messengers such as WhatsApp or Telegram) that look like official notifications from a bank, payment system (Visa, Mastercard) or online store. The goal is to lure the victim to a fake site, where they enter card details, OTP, PIN or login/password.
   • Example scenario:
     • The user receives an email with the text: "Your card has been blocked due to suspicious activity. Follow the link to unblock." The link leads to a phishing site, visually identical to a bank site, where the victim enters the card number, CVV, OTP or PIN.
     • Alternatively, the site may ask you to "verify your identity" by entering data that is then intercepted.
   • Persuasion techniques:
     • Urgency: "Do this within 10 minutes or the account will be frozen."
     • Authority: Use of logos, corporate identity of the bank or fake domains (for example, sberbank-secure.ru instead of sberbank.ru).
     • Personalization: Including the victim's name, part of the card number, or other data obtained from leaks to increase trust.
   • Technical aspects: Phishing sites often use SSL certificates (the green padlock in the browser) to appear legitimate, or use URL spoofing (for example, replacing the Latin letter "o" with a zero in the domain).
2. Vishing (voice phishing):
   • Description: Fraudsters call the victim, posing as employees of the bank, security service, law enforcement or payment systems. They use scripts to force the victim to reveal OTP, PIN or other data.
   • Example scenario:
     • A call from a number similar to a bank number (number substitution via VoIP). The fraudster says: "We have recorded an attempt to write off $500 from your card. Provide the code from the SMS to cancel the transaction."
     • The victim, in a panic, provides the OTP, which is used to confirm the real transaction initiated by the carder.
   • Persuasion techniques:
     • Intimidation: Threats of loss of money or criminal prosecution ("Your account is being used for money laundering").
     • Social Authority: The scammer introduces himself as a "senior security specialist" or refers to "instructions from the Central Bank".
     • Personalization: Using victim data (name, address, recent transactions) obtained from leaks or through OSINT (open source search, including social networks).
   • Technical aspects: Carders can use caller ID spoofing to make the call appear to come from the bank, or automated voice systems (AI bots) for mass attacks.
3. Smishing (SMS-phishing):
   • Description: Fraudsters send text messages with malicious links or callback numbers. The goal is to either lure the victim to a phishing site or force them to provide data in a conversation.
   • Example scenario:
     • SMS: "Your payment of $100 has been declined. Confirm the transaction using the link: [malicious_link]".
     • Or: "Your card is blocked. Call back at +1-XXX-XXX-XX-XX to unblock it."
     • The user follows the link or calls, after which they enter the data or provide the OTP.
   • Persuasion techniques:
     • Imitation of the official style of the bank (for example, "Dear client, your bank...").
     • Creating panic or promising a benefit (e.g. "Confirm payment to receive a bonus").
   • Technical aspects: Links may lead to sites with malware that intercepts entered data or installs keyloggers.
4. UI Spoofing:
   • Description: Carders use malware or fake interfaces to create the illusion of a legitimate banking app or website. The victim enters data that is intercepted.
   • Example scenario:
     • The user downloads a fake banking app from a third-party source (e.g. via a phishing link). The app asks for an OTP or PIN to "log in" or "confirm the transaction".
     • Or: a pop-up window appears on the victim's device, simulating a bank interface, asking for data to be entered.
   • Persuasion techniques:
     • Visual similarity to real banking interfaces.
     • Substituting push notifications or SMS so that the victim thinks that the request comes from the bank.
   • Technical aspects: Malware (Trojans such as Anubis or Cerberus) is used, which intercepts data or displays fake windows.
5. Psychological manipulation:
   • Fear: Scammers create a sense of threat, for example by saying that your account has been "hacked" or that you are "in danger of losing all your funds."
   • Greed: Offering fake bonuses, refunds or discounts (e.g. "Confirm the transaction to get $50 cashback").
   • Trust: Using credible details (such as parts of a card number or data from leaks) to convince the victim.
   • Social pressure: The belief that the victim has an obligation to "help the bank" with the investigation or "prove his identity."

How Carders Get Data for Attacks​

• Data leaks: Carders buy databases (name, phone, parts of card number) on darknet forums.
• OSINT: Collecting information from social networks where users disclose personal data.
• Phishing Sites and Software: Using Trojans or fake sites to intercept data.
• "Second-level" social engineering: Deceiving telecom operators to replace SIM cards (SIM-swapping) in order to intercept SMS with OTP.

How banks prevent social engineering​

Banks recognize that social engineering is a major threat and are taking a comprehensive approach that combines technology, customer education, and regulatory measures. Key methods include:

1. Client training​

• Objective: To raise awareness among customers about fraudulent methods and teach them to recognize suspicious requests.
• Methods:
  • Information campaigns: Banks publish articles, videos and infographics on their websites, apps and social networks. For example, some banks regularly publish materials on phishing, vishing and smishing.
  • SMS Notifications: Send alerts such as "We never ask for OTP or PIN over the phone."
  • Tests and simulations: Some banks (for example, VTB) offer clients online tests to learn how to recognize phishing.
  • Direct training: In bank branches, employees can provide short training to customers, especially older people who are most vulnerable.
• Example: Some banks launched the campaign "Stop, Fraudster!", where it explains how to avoid becoming a victim of vishing and publishes the phone numbers from which fraudsters call.
• Effectiveness: Training reduces the likelihood of successful attacks, but does not eliminate them completely, as many clients ignore warnings or act impulsively.

2. Biometrics​

• Purpose: To replace or supplement OTP and PIN with biometric data that is more difficult to counterfeit or intercept.
• Methods:
  • Fingerprints: Used to log into mobile applications or confirm transactions.
  • Facial recognition: Face ID or similar technologies are used for authentication.
  • Voice biometrics: Some banks (for example in Europe) are testing voice authentication for call centers.
  • Behavioral biometrics: Analyzing user behavior (such as how they hold their phone or type) to detect suspicious activity.
• Example: In the Sberbank Online application, a client can set up login using a fingerprint or Face ID, which eliminates the need to enter an OTP when logging in.
• Efficiency:
  • Biometrics significantly reduces the risk of data interception, as it is more difficult for fraudsters to forge a fingerprint or face.
  • Limitations: Requires reliable protection of biometric data on the bank's servers, since the leakage of such data is irreversible. Also, biometrics may be vulnerable to deepfakes or high-precision counterfeits.

3. Two-factor authentication (2FA)​

• Goal: Make it harder to access an account or transactions by requiring two independent factors: something the user knows (password, PIN) and something they have (device, OTP, push notification).
• Methods:
  • SMS with OTP: Code is sent to the registered phone number to confirm the transaction.
  • Push notifications: Instead of SMS, the bank sends a confirmation request to the mobile application, which is more difficult to intercept.
  • Tokens or authenticator apps: Some banks (e.g. in Europe) use Google Authenticator or physical tokens to generate codes.
  • Biometrics as a second factor: For example, confirming a transaction via fingerprint after entering a password.
• Example: When paying in an online store, the bank sends an OTP via SMS and requests biometric confirmation in the application.
• Efficiency:
  • 2FA significantly reduces the risk, as the carder needs to access two channels (e.g. password and phone) at the same time.
  • Limitations: Vulnerable to SIM-swapping, phishing (if the user provides the OTP themselves), or malware that intercepts push notifications.

4. Technological measures​

• Anti-phishing systems:
  • Banks work with providers and cyber police to identify and block phishing sites and numbers.
  • Email and SMS filtering systems are used to identify suspicious messages.
• Transaction Monitoring:
  • Artificial intelligence analyzes transactions in real time, taking into account geolocation, amount, type of transaction, and user behavior. For example, if a transaction is made from another country, the bank can block it and request confirmation.
  • Example: Sberbank uses machine learning-based systems to identify anomalies such as unusually large transfers.
• Protection against number substitution:
  • Banks are switching to push notifications instead of SMS, as they are more difficult to intercept.
  • Some banks use encrypted channels to send codes.
• Malware detection:
  • Banks integrate antivirus solutions into their applications that scan the device for Trojans or keyloggers.

5. Regulatory measures​

• In Russia, the Central Bank (CBRF) sets cybersecurity standards, including mandatory use of 2FA for online transactions (in accordance with 3D-Secure).
• Banks are required to comply with PCI DSS (card data security) standards and conduct regular vulnerability checks.
• The Central Bank of the Russian Federation also maintains a database of fraudulent transactions and numbers so that banks can promptly block suspicious transactions.

Practical examples from real life​

1. Phishing attack (Russia, 2023):
   • Fraudsters sent SMS messages on behalf of Sberbank with the text: "Your account is blocked. Follow the link to unblock." The link led to a phishing site, where victims entered card details and OTP. The bank quickly blocked the site, but some clients managed to lose money.
   • Bank counterattack: Sberbank sent out a warning to clients via the app and strengthened filtering of phishing sites.
2. Vishing (Russia, 2024):
   • The fraudster, posing as a VTB employee, informed the victim of a "suspicious transaction" and asked to provide the OTP for "cancellation." The victim provided the code, after which $2000 were debited from her account.
   • Bank counterattack: VTB has introduced automatic call monitoring via AI, which identifies suspicious numbers, and has strengthened customer training via push notifications.
3. SIM swapping (Europe, 2022):
   • The fraudsters forged the victim's documents and convinced the telecom operator to reissue the SIM card. This allowed them to intercept the OTP to access the bank account.
   • Counterattack by banks: Introducing push notifications and biometric authentication for large transactions.

Limitations and Challenges​

1. Human factor:
   • Even with 2FA and biometrics, users may disclose data under pressure or through carelessness.
   • Older people and less tech-savvy customers are particularly vulnerable.
2. Evolution of attacks:
   • Carders use AI to create deepfakes (such as fake voices or videos) to fool biometrics or call centers.
   • Automated calls and chatbots allow you to carry out mass attacks with minimal costs.
3. Technical vulnerabilities:
   • Data leaks from banks or third-party services provide carders with information for personalized attacks.
   • Malware such as banking Trojans can bypass 2FA if the victim's device is infected.
4. Regulatory restrictions:
   • In some countries (including Russia), banks face restrictions on the use of biometrics due to data protection laws.

Recommendations for users​

1. Never disclose your OTP or PIN: Banks never ask for this information by phone, email or SMS.
2. Check the sender: Make sure the message or call comes from the official bank number (check with the number on the card or website).
3. Use official apps: Download banking apps only from Google Play, App Store or the bank's official website.
4. Set up 2FA and biometrics: Use your fingerprint or Face ID to sign in and confirm transactions.
5. Be vigilant: Do not click on links from suspicious messages or install unverified applications.
6. Keep your devices updated: Make sure your phone is protected from malware (antivirus, latest OS updates).

Conclusion​

Social engineering in carding remains one of the most effective threats due to the exploitation of the human factor. Carders use phishing, vishing, smishing and interface spoofing to trick OTP, PIN or other data, relying on the fear, greed or trust of the victim. Banks counteract this through customer education, implementation of biometrics, 2FA, transaction monitoring and anti-phishing measures. However, the success of protection depends on the vigilance of users and the ability of banks to adapt to new attack methods. For educational purposes, it is important to understand that technologies (2FA, biometrics) are effective, but only in combination with customer awareness and strict adherence to security rules.