Introduction
Carding is a form of cybercrime involving the theft and use of bank card data (card number, CVV, expiration date) to conduct unauthorized transactions, such as purchasing goods, withdrawing funds, or reselling the data on the black market. With the advancement of authentication technologies, particularly biometric data (fingerprints, facial recognition, voice recognition, iris, and behavioral characteristics), the carding landscape is changing. Biometrics, integrated into bank cards, mobile apps, and online payment systems, improve security but also create new challenges and opportunities for fraudsters. In this answer, we will examine in detail how the growing popularity of biometric data affects carding methods, the new approaches used by criminals, the technologies and regulations shaping this evolution, and the necessary security measures. This answer is geared toward educational purposes, so it includes technical details, examples, statistics, and trend analysis.1. How biometrics are changing the carding landscape
Biometric data is becoming standard in payment systems due to its uniqueness and difficulty of counterfeiting. It replaces or complements traditional authentication methods such as PINs, passwords, or CVV. For example, in 2023, over 60% of new bank cards in Europe and the US supported biometric authentication (primarily fingerprints). Mastercard and Visa are actively promoting tokenization and biometrics, and by 2030, Mastercard plans to completely eliminate 16-digit card numbers, replacing them with tokens and biometric data. This radically changes approaches to carding, complicating traditional schemes.1.1 Making data theft more difficult
- Local storage of biometric data: Biometric cards (such as those with a fingerprint sensor) store biometric data templates on the card's chip rather than in the cloud. This reduces the risk of mass breaches, which are common with databases containing card numbers. For example, the Equifax data breach in 2017 affected 147 million people, providing carders with billions of dollars in dumps (complete card data). Biometrics make such breaches less useful, since without physical access to the card or device, the data is useless.
- Multi-factor authentication (MFA): Modern systems require a combination of biometrics (such as a face scan) and other factors, such as an SMS code or geolocation. According to Visa, the implementation of MFA with biometrics has reduced successful carding attacks by 90% by 2024.
- Liveness detection: Technologies such as 3D facial scanning or eye movement analysis prevent the use of static images or fake fingerprints. This makes it more difficult for carders to counterfeit biometric data.
1.2. Reducing the efficiency of traditional carding
- Online transactions: In traditional card theft, fraudsters purchase goods from online stores using stolen card details. With biometrics, such transactions are blocked unless confirmed by a biometric scan. For example, Apple Pay and Google Pay require a fingerprint or Face ID, making theft of just the card number useless.
- Physical transactions: Biometric cards, such as those from Thales or Gemalto, require a fingerprint to activate the chip. This reduces the effectiveness of skimming (installing magnetic stripe readers on ATMs or POS terminals). In 2022, skimming accounted for 15% of all carding attacks, but with the adoption of biometrics, this figure has dropped to 5% by 2025.
- Dump Market: The black market for dumps (complete card data) is losing popularity. In 2020, the carding market was valued at $1.9 billion, but growth is expected to slow in 2024 due to biometrics, with approximately 70% of attacks blocked at the authentication stage.
1.3. Regulatory changes
- Russia: Since 2022, the Unified Biometric System (UBS), regulated by Federal Law 572-FZ, allows banks to use biometrics for customer authentication. Over 200 banks have integrated the UBS for remote account opening and payments. This reduces the risk of phishing but creates new targets for hackers (centralized biometric databases).
- EU: PSD2 and GDPR require strict protection of biometric data, including encryption and local storage. This limits the capabilities of carders but increases the appeal of attacks on cloud services.
- US: The Federal Trade Commission (FTC) and NIST standards (e.g., NIST 800-63) regulate biometrics, making them mandatory for high-risk transactions. This reduces vulnerabilities but increases data security costs.
| Aspect | Traditional carding | Carding in the Age of Biometrics |
|---|---|---|
| Target of the attack | Card number, CVV, PIN | Biometric data, behavioral patterns |
| Theft method | Phishing, skimming, database dumps | Social engineering, deepfakes, attacks on databases |
| Authentication | PIN/CVV (easy to guess/buy) | Biometrics + MFA (requires a live user) |
| Risks for the carder | Low (data is easy to monetize) | High (biodata is harder to fake) |
| Attack effectiveness | High (116% growth in 2020) | Low (90% blocking in 2024) |
| Examples | Purchase of gift cards, cash withdrawal | Face substitution in KYC, theft of biodata templates |
2. New approaches for carders in the era of biometrics
Biometrics doesn't eliminate carding completely, but it forces fraudsters to adapt. The biometric technology market is growing: the biometric card market is projected to increase from $322 million in 2025 to $6.5 billion by 2035. This is driving the development of "biometric carding," where attackers employ more sophisticated methods.2.1. Using Deepfakes and Biometric Data Forgery
- Deepfake technology: AI can create realistic fakes of faces, voices, and movements. From 2023 to 2025, deepfake attacks increased by 30%, especially in banking mobile apps. For example, fraudsters clone the victim's voice using audio recordings from social media to pass voice authentication.
- Black market for biodata: Similar to card dumps, carders have begun selling "scans" of faces or fingerprints. This data is obtained through phishing sites, fake apps, or leaks. For example, in 2024, hackers sold face templates for $50–$200 on darknet forums.
- 3D Models and Physical Counterfeits: To bypass biometric cards, carders are experimenting with 3D-printed fingerprint replicas (made of silicone or polymers). However, this is expensive and requires access to high-quality templates, limiting their scalability.
2.2. Attacks on biometric databases
- Leaks: Centralized systems like the Unified Biometric System (EBS) in Russia and Aadhaar in India are becoming targets. In 2018, an Aadhaar data breach affected 1.1 billion records, including biometric templates. In Russia, the EBS has not yet experienced any major breaches, but the risks remain.
- "Revocable biometrics": Some systems use generated templates (revocable biometrics) that can be replaced if compromised. Carders attack the generation algorithms, attempting to replace these templates or create fake ones.
2.3. Social Engineering
- Fake KYC procedures: Fraudsters create phishing websites or apps that mimic banking portals and ask users to undergo "identity verification" via facial scanning. In Russia, 25% of phishing attacks in 2024 included biometric requests.
- Call/SMS scams: Carders use scams like "your account is blocked, verify your face through an app." Victims download fake apps that steal biodata.
- Targeted attacks: Fraudsters collect data from social networks (photos, videos, voice messages) to create deepfakes or analyze behavioral biometrics.
2.4. Exploitation of behavioral biometrics
- Behavioral biometrics: Banks analyze user behavior (typing speed, phone tilt, gait). Carders use AI to simulate these patterns, but this requires significant resources and skills.
- Attacks on weak systems: Some banks use simplified behavioral algorithms (for example, only keystroke analysis). Carders can bypass these by recording the victim's actions using Trojans or keyloggers.
2.5. Targeting Legacy Systems
- Carders are shifting to attacks on systems without biometrics, such as older POS terminals or stores that don't require MFA. In developing countries, where biometrics are being adopted more slowly, carding remains profitable.
- In Russia, approximately 10% of ATMs do not support biometrics by 2025, making them vulnerable to skimming.
3. Technical aspects of biometric security
Biometrics relies on complex technologies that carders try to circumvent. Here are the key aspects:- Encryption and Storage: Biometric data is encrypted using AES-256 or SHA-3 algorithms. Templates are stored as mathematical hashes, not as original images/scans, making them difficult to exploit if leaked.
- Liveness detection: Algorithms check for liveness in data (e.g., eye movement, thermal radiation). By 2024, 95% of banking apps in the EU have implemented such technologies.
- Tokenization: Instead of a card number, a unique token linked to biometrics is used. Even if the token is stolen, it is useless without biometric verification.
- AI and machine learning: Banks use AI to analyze transaction anomalies. For example, if a cardholder attempts to use a card in an unusual location, the system requires biometric verification.
4. Risks and Challenges
Biometrics reduces losses from carding (in the US, they fell from $11 billion in 2020 to $8 billion in 2024), but they create new problems:- Irrevocable biodata: Unlike a password, a fingerprint or face cannot be changed. A biodata leak (for example, through a database hack) creates a lifelong risk.
- Ethical and legal issues: In Russia, the Unified Biometric System has sparked controversy due to mandatory biometric registration in some cases. Users fear surveillance and data leaks.
- Technological vulnerabilities: Weak liveness detection algorithms or outdated hardware (such as cameras without 3D scanning) are vulnerable to counterfeiting.
5. Recommendations for protection
To minimize the risks of carding in the biometric era, users and organizations should:For users:
- Use MFA: Activate biometrics in combination with other factors (SMS, push notifications).
- Check security: Make sure sites use HTTPS and avoid suspicious links or applications.
- Monitor transactions: Turn on notifications for every transaction and check your statements regularly.
- Be careful with biometrics: Don't provide biometric data on unverified platforms. In Russia, ensure that the bank uses the Unified Biometric System (UBS).
- Update your devices: Use modern smartphones with 3D scanning and liveness detection support.
For banks and organizations:
- Implement liveness detection: Use advanced algorithms to check the liveness of biodata.
- Local Storage: Store biometric templates on devices instead of in the cloud.
- Educate customers: Run cyber literacy campaigns to explain the risks of phishing and deepfake.
- Update your systems: Replace outdated POS terminals and ATMs with biometric ones.
6. The Future of Carding in the Era of Biometrics
Biometrics make card fraud less accessible to beginners, but more sophisticated. Fraudsters are shifting to "elite" attacks that require AI, big data, and social engineering. At the same time, banks and regulators are strengthening their security:- Behavioral biometrics: By 2030, 50% of transactions are expected to use behavioral analysis (e.g. typing rhythm or gestures).
- Quantum cryptography: New encryption algorithms will make biodata theft even more difficult.
- Global standardization: International standards (ISO/IEC 30107) unify biometric security, making it more difficult to attack.
Carding is evolving from mass data theft to targeted attacks on vulnerable systems and users. This requires constant vigilance and technology updates from all participants — banks, regulators, and customers.
Conclusion
The growing popularity of biometric data is radically changing approaches to carding, making traditional methods (phishing, skimming) less effective. Biometrics improve transaction security, but it also incentivizes fraudsters to develop sophisticated attacks such as deepfakes, template theft, and social engineering. Multifactor authentication, modern liveness detection algorithms, and cyber literacy are essential for protection. In Russia, the Unified Biometric System (UBS) play a key role, but they require a cautious approach to data storage. Carding will become more sophisticated in the future, but thanks to biometrics and AI, its scope will decrease if users and banks follow best practices.If you have any questions or would like to delve deeper into a specific aspect (such as the technical details of biometrics or attack examples), let me know!
