Mutt
Stripe Radar is an advanced fraud prevention tool built into the Stripe payment gateway that uses machine learning, data analytics, and integration with modern security standards like 3D-Secure 2.0 to protect against fraudulent transactions, including carding. In the context of carding (the illegal use of stolen card data for unauthorized transactions), Stripe Radar poses a serious obstacle, especially for transactions with Non-VBV, Auto-VBV, and Non-MCSC bins, due to its ability to analyze transactions in real time and identify suspicious patterns. Below, I will describe in detail the technical aspects of Stripe Radar, its features, integration with payment processes, and impact on carding, including specific mechanisms that complicate the use of such bins. The answer is provided for educational purposes only, to clarify how modern anti-fraud systems work and how they combat fraud.
1. General description of Stripe Radar
Stripe Radar is a fraud prevention system built into the Stripe payment gateway that:
- Assesses transaction risks in real time by analyzing over 1000 signals (characteristics) in less than 100 milliseconds.
- Uses machine learning trained on billions of transactions from millions of businesses in 197 countries, giving you a unique advantage thanks to Stripe's global network.
- Integrates with other Stripe products like Stripe Checkout, Payment Intents, and Setup Intents, providing seamless security without the need for complex setup.
- Supports PSD2 and 3D-Secure 2.0, making it particularly effective in Europe where mandatory two-factor authentication (Strong Customer Authentication, SCA) virtually eliminates the use of Non-VBV bins.
- Offers levels of functionality:
- Basic Radar: Included for free for all Stripe users, provides automatic protection.
- Radar for Fraud Teams: Paid version ($0.02–$0.07 per transaction, depending on region and volume) adds custom rules, manual verification, and advanced analytics.
- Radar for Platforms: For marketplaces where protection applies to sub-merchant transactions.
In the context of carding, Radar effectively counteracts attempts to use stolen cards, especially with Non-VBV (not requiring Verified by Visa), Auto-VBV (automatic 3DS verification) and Non-MCSC (not requiring MasterCard SecureCode) bins, through multi-layered analysis and strict security standards.
2. Technical aspects of Stripe Radar
a) Machine learning and data analysis
- Model training:
- Radar uses adaptive machine learning algorithms that are trained on data from Stripe’s global network (billions of transactions). This includes:
- Supervised learning: Models are trained on historical data of fraudulent and legitimate transactions to recognize known carding patterns (e.g. multiple attempts with low amounts to verify cards).
- Unsupervised learning: Detect new, unknown fraud patterns, such as the use of new Non-VBV bins or complex VPN chains.
- Models are updated daily to adapt to new carding methods, including attempts to bypass 3DS or anti-fraud filters.
- Stripe is experimenting with increasing the training data size (e.g. 10-100x), which improves accuracy by 5-20% for each doubling of data.
- Feature Engineering:
- Stripe engineers create features that have high predictive value. Examples:
- Email patterns: Disposable emails (e.g. test123@cactuspractice.com) are often associated with carding.
- Transaction frequency: Multiple attempts from one card in a short period of time (card testing).
- IP History: Use of an IP previously associated with fraud or an IP that does not match the region of the card.
- Behavioural signals: Speed of data entry, skipping product review steps, use of bots.
- Example: If a carder uses a Non-VBV bin with a throwaway email and an IP from a region with a high fraud rate (e.g. via Tor), Radar increases the risk score.
- Global Data Network:
- There is a 92% chance that the card used in the store has already been processed in the Stripe network, which allows it to be matched with the transaction history.
- Radar uses data from Visa, MasterCard (e.g. TC40, SAFE reports) and banks about previous fraudulent transactions.
b) Real-time risk assessment
- Risk Score:
- Each transaction is assigned a numeric risk score (0-100) based on the analysis of over 1000 signals such as:
- Card details: BIN, issuer country, card type (debit, credit, prepaid), transaction history.
- Geolocation: Matching the IP address to the card region via GeoIP or MaxMind databases. For example, an American Non-VBV bin with an IP from Russia increases the risk.
- Device Fingerprinting: Unique device characteristics (browser, OS, screen resolution, fonts, plugins). Reuse of the device for fraud is easily detected.
- Behavior: Time on site, speed of data entry, sequence of pages. For example, going straight to payment without viewing products is a sign of carding.
- Network signals: Data from payment systems about cards previously detected in fraud.
- Example: A transaction with a Non-VBV bin made over a VPN with an IP from Nigeria gets a risk score >80 and is likely to be blocked.
- Processing Speed: Risk assessment occurs in <100ms, ensuring a seamless user experience.
- Accuracy: Radar blocks only 0.1% of legitimate transactions, minimizing false positives, which is critical for businesses.
c) Classification and actions
Radar classifies transactions into three categories:
- Safe: Low risk, transaction is approved automatically.
- Suspicious: Moderate risk, sent for manual review (in Radar for Fraud Teams) or requires 3D-Secure.
- Fraudulent: High risk, transaction is blocked automatically.
Actions depend on the setting:
- Blocking: Transactions with high risk rate (e.g. >65) are rejected.
- Dynamic 3D-Secure: 3DS request for moderate risk transactions, especially in Europe under PSD2.
- Manual verification: Transactions are sent to a queue for review by store employees, who may request additional data (such as a photo of a card or document).
d) Integration with 3D-Secure 2.0
- Mechanism:
- Radar fully supports 3DS 2.0, which is mandatory in Europe under PSD2 for Strong Customer Authentication (SCA).
- Radar uses Dynamic 3D-Secure, where 3DS is applied selectively:
- Frictionless flow: For low-risk transactions (e.g. familiar store, device, amount up to €30) 3DS is skipped if the issuing bank approves.
- Challenge flow: High-risk transactions require OTP (SMS, push notification) or biometrics (fingerprint, face recognition).
- Radar transmits up to 100+ transaction parameters (IP, device, amount, history) to the issuing bank via 3DS protocol so that it can decide whether a Challenge is needed.
- Impact on carding:
- Non-VBV bins lose effectiveness as Radar initiates 3DS for most EEA transactions, requiring an OTP that is not available to carders.
- Auto-VBV bins can pass Frictionless flow, but only if the transaction has a low risk rate. Any mismatch (IP, device) causes a Challenge.
- Non-MCSC bins face similar limitations, as Radar applies the same 3DS checks to MasterCard.
- Example: Carder tries to use Non-VBV bin (e.g. 479126, ESL FCU, USA) in a European store. Radar initiates 3DS, redirecting to the bank's page to enter the OTP. Without access to the owner's phone, the transaction is rejected.
e) Custom rules (Rules Engine)
- Mechanism:
- In its basic version, Radar applies standard machine learning-based rules to automatically block high-risk transactions.
- In Radar for Fraud Teams, users can create custom rules via the dashboard or API. Examples:
- Blocking transactions with risk rate >65.
- 3DS request for transactions with prepaid cards or amounts >$500.
- Blocking transactions from IPs from certain countries (e.g. known fraudulent regions).
- Manual verification of transactions with AVS (Address Verification System) or CVV discrepancies.
- Rules are backtested to assess their impact on legitimate and fraudulent transactions.
- Rule priority:
- 3DS rules are evaluated first (e.g. SCA request for PSD2 compliance).
- The rules for checking, blocking or allowing are then applied.
- Impact on carding:
- Carders using Non-VBV bins can be blocked by custom rules, such as "Block transactions with mismatched IP and card region".
- Rules for prepaid cards or high amounts additionally restrict Auto-VBV and Non-MCSC bins.
f) Device Fingerprinting and Behavioural Analysis
- Device Fingerprinting:
- Radar collects unique device characteristics (browser, OS version, screen resolution, fonts, plugins, time zone) via JavaScript SDK (e.g. stripe.js).
- A "fingerprint" of the device is created and compared with previous transactions.
- Example: If a device has been used for fraudulent attempts (e.g. card testing), Radar increases the risk score for all transactions from that device.
- Behavioral analysis:
- User actions are analyzed:
- Time on site: Carders often skip browsing products and go straight to checkout.
- Input speed: Entering data too quickly indicates automation (bots).
- Navigation patterns: Chaotic behavior or going straight to checkout increases risk.
- Example: A carder using a Non-VBV bin via Tor gets a high risk score due to the anonymous IP and lack of normal site navigation.
- Impact on carding:
- Carders often use VPN, Tor or disposable virtual machines, which makes their devices suspicious. Radar easily detects such anomalies.
- Behavioural analysis makes automated attacks such as card testing (checking the validity of cards through multiple attempts) more difficult.
g) Network data and partnerships
- Data from payment systems:
- Radar uses information from Visa (TC40), MasterCard (SAFE reports) and banks about cards previously detected in fraud.
- Example: If a Non-VBV bin was used in a fraudulent transaction at another store, Radar adds it to the blacklist.
- Stripe Global Network:
- There is a 92% chance that the card has already been processed in the Stripe network, which allows Radar to match it with history (e.g. chargebacks, declines).
- Cooperation:
- Radar exchanges data with banks and payment systems via API, which speeds up the detection of fraudulent cards.
3. Impact on carding and Non-VBV/Auto-VBV/Non-MCSC bins
Stripe Radar creates significant obstacles for carders, especially when using Non-VBV, Auto-VBV and Non-MCSC bins:
a) Non-VBV bins
- Problem for carders: In Europe, PSD2 requires SCA and Radar automatically initiates 3DS for most transactions, making Non-VBV bins useless without OTP or biometrics.
- Anti-fraud measures: Even if a transaction falls under the SCA exception (e.g. amount up to €30), Radar analyzes:
- IP and geolocation: Mismatch between the card region and IP (for example, an American bin with a Russian IP) increases the risk score.
- Device Fingerprinting: Using a VPN, Tor, or a "dirty" device (previously associated with fraud) will result in a ban.
- Behavior: Direct transition to payment or use of bots is detected by behavioral analysis.
- Example: Carder uses a Non-VBV bin (e.g. 455620, Santander Consumer Bank, Germany) to make a purchase in a European store. Radar initiates 3DS, requiring an OTP. If the transaction falls under an exception, an IP mismatch or suspicious behavior (e.g. disposable email) results in a block.
b) Auto-VBV bins
- Problem for carders: Auto-VBV bins can pass Frictionless 3DS (without OTP) for low risk transactions, but Radar increases the risk score for any anomalies (IP, device, behavior) by initiating Challenge 3DS.
- Example: A carder uses an Auto-VBV bin (e.g. 440393, Bank of America) to make a $10 purchase. If the IP matches the card region and the behavior is normal, the transaction can go through. However, using a VPN or a disposable device triggers an OTP prompt, making the transaction impossible.
c) Non-MCSC bins
- Problem for carders: Similar to Non-VBV, Non-MCSC bins face 3DS checks and anti-fraud analysis. Radar applies the same mechanisms as for Visa, requiring SCA for MasterCard.
- Example: A Non-MCSC bin (e.g. 523236, Santander Consumer Bank) is rejected if the IP points to a high fraud region or the device does not match the holder's profile.
d) Card Testing
- Carders often check the validity of cards through small transactions (e.g. $1). Radar detects such attempts:
- Multiple Attempts: Multiple transactions from the same card or IP in a short period of time.
- Low amounts: Recurring small payments typical for testing.
- Blocking: Radar automatically blocks such attempts and adds the card/IP to the blacklist.
- Example: Carder tries to check Non-VBV bin through 10 transactions of $1. Radar notices the pattern and blocks the card after 2-3 attempts.
e) Bypassing anti-fraud systems
- Carders try to bypass Radar by using:
- Clean IP: Proxy or VPN that matches the card region.
- Fake data: Accurate holder data (name, address) obtained from leaks.
- Clean Devices: New virtual machines or devices with no history of fraud.
- Radar Countermeasures:
- VPN/Tor detection through ASN (Autonomous System) and GeoIP database analysis.
- AVS (address match) and CVV checks, even for Non-VBV bins.
- Behavioural analysis that detects unnatural behaviour (e.g. bots).
- Result: Even with clean IP and data, carders rarely bypass Radar, as multiple signals (device, behavior, history) create a high risk score.
f) Efficiency
- According to Stripe, Radar reduces fraud by 70% without configuration and up to 98% with custom rules (like Kinsta).
- Chargebacks (fraudulent returns) are reduced by 82% when using Radar.
- Radar blocks 99.9% of fraudulent transactions when configured correctly, while maintaining a low false positive rate (0.1%).
4. Integration with the payment process
- Seamless integration:
- Radar is built into Stripe and works automatically for all transactions via Stripe Checkout, Payment Intents, or Setup Intents.
- Does not require separate configuration, unlike third-party anti-fraud solutions (e.g. Sift, Kount), which require transaction marking.
- Dashboard and analytics:
- In Radar for Fraud Teams, users can view:
- Risk scores for each transaction.
- Reasons for triggering (e.g. suspicious IP, AVS mismatch).
- History of transactions and chargebacks.
- The dashboard allows you to set up rules and view analytics (for example, the percentage of blocked transactions).
- API and webhooks:
- Radar provides an API for getting risk rates and managing transactions. Request example:
JSON:
GET /v1/payment_intents/pi_123456789?expand[]=latest_charge
Response (abridged): { "latest_charge": { "outcome": { "risk_score": 85, "risk_level": "highest" } } }
- Webhooks notify you of suspicious transactions or chargebacks by integrating with systems like Chargebee.
- Integration example:
- The store uses Stripe Checkout. Radar automatically evaluates the transaction, assigns a risk score, and decides whether to block it or request 3DS. If the risk is high, the store receives a webhook with details for manual review.
5. Practical examples in the context of carding
- Scenario 1: Non-VBV bin in Europe:
- The carder uses a Non-VBV bin (e.g. 455620, Santander Consumer Bank) to make a €50 purchase in a European store.
- Radar initiates 3DS (under PSD2), redirecting to the bank's page to enter the OTP. Without OTP, the transaction is rejected.
- If a store applies the SCA exception (amount <€30), Radar analyzes the IP (e.g. Russia instead of Germany) and blocks the transaction due to a high risk score (>80).
- Scenario 2: Auto-VBV bin in the US:
- The carder uses an Auto-VBV bin (e.g. 440393, Bank of America) to make a $20 purchase at a US store.
- Radar evaluates the transaction as low risk (IP matches, behavior is normal) and passes it without 3DS (Frictionless flow).
- However, when using a VPN or disposable email, the risk score increases and Radar requests 3DS, making the transaction impossible.
- Scenario 3: Card Testing:
- The carder tests a Non-MCSC bin (e.g. 523236) through 5 $1 transactions in the store.
- Radar detects a pattern (multiple attempts from one IP/device) and blocks the card after 2 attempts, adding it to the blacklist.
- Scenario 4: Custom Rules:
- The store sets up a rule: "Block transactions with prepaid cards and amounts >$100".
- A carder uses a Non-VBV prepaid card to make a $150 purchase. Radar enforces the rule and blocks the transaction even though 3DS is not required.
6. Advantages and limitations
Advantages:
- High accuracy: False positives are only 0.1%, minimizing the loss of legitimate transactions.
- Speed: Scoring in <100ms does not impact user experience.
- Global data: Access to Stripe network data (92% of cards already known) increases efficiency.
- Flexibility: Custom rules and Dynamic 3DS allow you to adapt protection to your business.
- Anti-carding effectiveness: Reduce fraud up to 98% with custom rules.
Limitations:
- False Positives: Incorrectly configured rules can block legitimate transactions, especially for international customers.
- Data Dependency: Performance depends on the quality of the data (IP, address, behavior) provided by the store.
- Cost: Radar for Fraud Teams requires an additional fee ($0.02–$0.07 per transaction), which can be expensive for small businesses.
- Ecosystem Limitation: Radar only works with transactions through Stripe, which limits its use for other gateways.
7. How carders try to bypass Radar and why it is difficult
Carders use various techniques to bypass Radar, but its multi-layered protection makes this extremely difficult:
- Clean IP: Use proxy/VPN that matches the card region.
- Countermeasure: Radar analyzes ASN and GeoIP databases, identifying popular VPNs (e.g. NordVPN) or anonymizers (Tor).
- Fake data: Accurate holder data (name, address) from leaks.
- Countermeasure: AVS and CVV checks identify inconsistencies, and behavioral analysis detects unnatural behavior.
- Clean Devices: Using new virtual machines or devices.
- Countermeasure: Device Fingerprinting matches devices with history, and the lack of normal navigation (e.g. browsing products) increases the risk.
- Small transactions: Verifying cards through small amounts ($1–$5).
- Countermeasure: Radar detects card testing through frequency and pattern analysis, blocking the card after a few attempts.
- Social Engineering: Attempts to reset 3DS password through calls to the bank.
- Countermeasure: Banks require additional data (SSN, passport), and suspicious calls lead to card blocking.
Why it is difficult to get around:
- Multi-layered analysis (IP, device, behavior, history) makes it almost impossible to perfectly impersonate a legitimate user.
- Integration with 3DS 2.0 requires OTP/biometrics for high-risk transactions, which is not available to carders.
- Stripe's global network and payment processor data allow us to quickly identify cards previously associated with fraud.
8. Conclusion
Stripe Radar is a powerful anti-fraud system that uses machine learning, analysis of 1000+ signals, Device Fingerprinting, behavioral analysis and integration with 3D-Secure 2.0 to prevent fraud. In the context of carding, Radar makes the use of Non-VBV, Auto-VBV and Non-MCSC bins extremely difficult, especially in Europe where PSD2 requires SCA. Even outside the EEA, anti-fraud measures (geolocation, device, behavior) effectively block suspicious transactions. Custom rules, daily model updates and access to Stripe's global data ensure fraud reduction of up to 98% with minimal false positives (0.1%). For carders, this means the need for complex and expensive schemes (clean IP, fake data, new devices), which increases risks and reduces profitability.
If you'd like to dive deeper into specific aspects, like how to create custom rules in Radar, how the risk management API works, or the Chargebee integration, let me know!
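Added example (not part of the original post, and not Stripe's code): a merchant-side sketch of the rule evaluation and backtesting described in section 2e, showing how a rule's fraud catch is weighed against the legitimate payments it would hit. The `Payment` fields, the history rows and the relative order of allow/block/review after the 3DS rules are assumptions of this sketch.

```python
from dataclasses import dataclass
from typing import Callable

@dataclass(frozen=True)
class Payment:
    risk_score: int
    amount_usd: float
    card_funding: str   # "credit", "debit" or "prepaid"
    card_country: str
    ip_country: str
    cvc_ok: bool
    fraud: bool         # ground-truth label, e.g. from a later dispute

@dataclass(frozen=True)
class Rule:
    action: str         # "request_3ds", "allow", "block" or "review"
    name: str
    matches: Callable[[Payment], bool]

# The four example rules listed in section 2e of the post.
RULES = [
    Rule("block", "risk score > 65", lambda p: p.risk_score > 65),
    Rule("request_3ds", "prepaid card or amount > $500",
         lambda p: p.card_funding == "prepaid" or p.amount_usd > 500),
    Rule("block", "IP country differs from card country",
         lambda p: p.ip_country != p.card_country),
    Rule("review", "CVC mismatch", lambda p: not p.cvc_ok),
]

# Constructed, labelled history (not real payments).
HISTORY = [
    Payment(82, 40.0, "credit", "US", "BR", True, True),
    Payment(12, 25.0, "debit", "DE", "DE", True, False),
    Payment(30, 150.0, "prepaid", "US", "US", True, True),
    Payment(20, 90.0, "credit", "GB", "ES", True, False),   # traveller
    Payment(70, 600.0, "credit", "US", "US", False, True),
    Payment(15, 35.0, "credit", "FR", "FR", False, False),  # mistyped CVC
]

def decide(p, rules=RULES):
    """Return (needs_3ds, outcome). 3DS rules are evaluated first, as the
    post states; the order of the remaining actions is an assumption."""
    needs_3ds = any(r.action == "request_3ds" and r.matches(p) for r in rules)
    for action in ("allow", "block", "review"):
        if any(r.action == action and r.matches(p) for r in rules):
            return needs_3ds, action
    return needs_3ds, "allow"

def backtest(rule, history=HISTORY):
    """Replay one rule over labelled history before enabling it."""
    hits = [p for p in history if rule.matches(p)]
    fraud_hit = sum(p.fraud for p in hits)
    return {
        "matched": len(hits),
        "fraud_caught": fraud_hit,
        "legit_hit": len(hits) - fraud_hit,       # false positives
        "fraud_missed": sum(p.fraud for p in history) - fraud_hit,
    }

if __name__ == "__main__":
    for rule in RULES:
        print(rule.action, "|", rule.name, "|", backtest(rule))
```

On this constructed history the country-mismatch rule blocks one legitimate traveller for each fraud it catches, which is the false-positive limitation listed in section 6.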
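Added example (not part of the original post): a merchant-side detector for the card-testing pattern described in section 3d, run over a constructed authorization log. The log format, the 5-minute window, the $5 "small amount" cutoff and the three-attempt threshold are assumptions chosen for illustration, not Radar's actual logic.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumption
SMALL_AMOUNT = 5.00             # assumption: "low amount" cutoff in USD
MAX_SMALL_ATTEMPTS = 3          # assumption: flag on the 3rd small attempt

# Constructed log: time, card fingerprint, source IP, amount, outcome.
LOG = """\
2024-05-01T09:00:00 card_Y 192.0.2.44 3.50 approved
2024-05-01T10:00:00 card_A 198.51.100.7 1.00 declined
2024-05-01T10:00:20 card_B 198.51.100.7 1.00 declined
2024-05-01T10:00:41 card_C 198.51.100.7 1.00 approved
2024-05-01T10:01:05 card_D 198.51.100.7 1.00 declined
2024-05-01T10:02:00 card_E 198.51.100.7 1.00 declined
2024-05-01T10:03:00 card_X 203.0.113.9 49.90 approved
2024-05-01T10:30:00 card_Y 192.0.2.44 3.50 approved
2024-05-01T12:00:00 card_Y 192.0.2.44 3.50 approved
"""

def parse(line):
    ts, card, ip, amount, outcome = line.split()
    return datetime.fromisoformat(ts), card, ip, float(amount), outcome

def detect_card_testing(log=LOG):
    """Return (blocked, alerts): blocklisted keys and the events behind them."""
    recent = defaultdict(deque)   # key -> times of recent small attempts
    blocked, alerts = set(), []
    for line in log.strip().splitlines():
        ts, card, ip, amount, _outcome = parse(line)
        keys = (("card", card), ("ip", ip))
        # Anything from a blocklisted card or IP is rejected outright.
        if any(k in blocked for k in keys):
            alerts.append((ts.isoformat(), card, ip, "rejected: blocklisted"))
            continue
        if amount > SMALL_AMOUNT:
            continue
        for key in keys:
            q = recent[key]
            q.append(ts)
            while ts - q[0] > WINDOW:      # drop attempts outside the window
                q.popleft()
            if len(q) >= MAX_SMALL_ATTEMPTS:
                blocked.add(key)
                alerts.append((ts.isoformat(), card, ip, f"flagged {key[0]}"))
    return blocked, alerts

if __name__ == "__main__":
    blocked, alerts = detect_card_testing()
    print("blocklist:", sorted(blocked))
    for alert in alerts:
        print(*alert)
```

The repeat customer (`card_Y`) makes three small purchases hours apart and is not flagged; only the burst of distinct cards from one IP trips the window.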
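Added example (not part of the original post): a receiver for the webhooks mentioned in section 4 that verifies the `Stripe-Signature` header (HMAC-SHA256 over `timestamp.payload`) before routing review, dispute and early-fraud-warning events. The queue names, the signing secret and the sample event are constructed for illustration; a production integration would normally use the official Stripe library for verification.

```python
import hashlib
import hmac
import json
import time

TOLERANCE_S = 300  # reject events older than 5 minutes (replay protection)

def verify_signature(payload: bytes, header: str, secret: str, now=None) -> bool:
    """Check a header of the form t=<unix ts>,v1=<hex HMAC-SHA256>."""
    parts = [p.strip().split("=", 1) for p in header.split(",") if "=" in p]
    ts = next((v for k, v in parts if k == "t"), None)
    sigs = [v for k, v in parts if k == "v1"]
    if ts is None or not ts.isdigit() or not sigs:
        return False
    now = time.time() if now is None else now
    if abs(now - int(ts)) > TOLERANCE_S:
        return False
    signed = ts.encode() + b"." + payload
    expected = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    # Constant-time comparison; several v1 values may be present during
    # secret rotation.
    return any(hmac.compare_digest(expected.encode(), s.encode()) for s in sigs)

def route(event: dict) -> str:
    """Map an event to a work queue (queue names are hypothetical)."""
    kind = event.get("type")
    obj = event.get("data", {}).get("object", {})
    if kind == "review.opened":
        return "manual_review"
    if kind == "charge.dispute.created":
        return "chargeback_desk"
    if kind == "radar.early_fraud_warning.created":
        return "refund_candidate"
    if kind == "charge.succeeded":
        outcome = obj.get("outcome") or {}
        if outcome.get("risk_level") in ("elevated", "highest"):
            return "manual_review"
    return "ignore"

def handle(payload: bytes, header: str, secret: str, now=None) -> str:
    """Verify first, parse second: unsigned input is never deserialized."""
    if not verify_signature(payload, header, secret, now):
        return "rejected"
    return route(json.loads(payload))

# --- constructed sample input -------------------------------------------
DEMO_SECRET = "whsec_constructed_example"
DEMO_TS = 1700000000
SAMPLE_BODY = json.dumps({
    "type": "charge.succeeded",
    "data": {"object": {"id": "ch_constructed",
                        "outcome": {"risk_level": "elevated", "risk_score": 62}}},
}).encode()

def demo_header(payload: bytes, secret: str, ts: int) -> str:
    """Build the header the sender would attach (for the demo only)."""
    mac = hmac.new(secret.encode(), f"{ts}.".encode() + payload, hashlib.sha256)
    return f"t={ts},v1={mac.hexdigest()}"

if __name__ == "__main__":
    hdr = demo_header(SAMPLE_BODY, DEMO_SECRET, DEMO_TS)
    print(handle(SAMPLE_BODY, hdr, DEMO_SECRET, now=DEMO_TS + 10))
```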