Methods for detecting carding in payment systems: a focus on geo-mismatch and TC40

For educational purposes, I'll expand on the previous answer by adding more context about carding as a form of cyberfraud, including historical background, technical details of detection methods, examples, and prevention recommendations. This will help understand how security systems have evolved and why they are important for merchants, banks, and consumers. I'll structure the material for easy reading, using subsections and tables for comparison.

What is carding and why is it important?

Carding is a type of online fraud in which criminals use stolen credit or debit card information for unauthorized purchases, card validity tests, or other schemes. The term derives from "credit card fraud" and became popular in the 1990s with the rise of e-commerce. According to Visa and Mastercard reports for 2023–2024, global losses from carding exceed $30 billion annually, peaking during holiday periods (e.g., Black Friday).

Fraudsters often purchase "dumps" (card data) on the darknet for $5–50 each and then test them using automated scripts (bots) by making small purchases (card testing). The goal is to confirm the card's validity before committing a major scam. Banks and payment systems (Visa, Mastercard, Amex, and processors like Stripe or Adyen) combat this through multi-layered protection, from real-time to post-analysis. This not only reduces risks but also helps merchants avoid fines (chargeback fees of up to $100 per incident).

Geo-mismatch: Geolocation mismatch detection

Geo-mismatch is one of the most effective and fastest methods for detecting carding in real time. It's based on the principle that legitimate transactions typically occur in the cardholder's "expected" location. If the mismatch exceeds a risk threshold (e.g., a difference of >500 km), the system flags or blocks the transaction. This method has evolved since the 2000s, when IP geolocation became a PCI DSS (Payment Card Industry Data Security Standard) requirement.

How geo-mismatch detection works step by step:

  1. Location data collection:
    • IP address: When a transaction is initiated, the device's IP is verified against databases such as MaxMind GeoIP or IP2Location. Accuracy is 95–99% at the country level and 80% at the city level.
    • Additional signals: GPS (from mobile devices), Wi-Fi hotspots, browser data (HTML5 Geolocation API). If the device uses a VPN or Tor, this in itself is a flag (high risk of masking).
  2. Comparison with card profile:
    • Banks store a "billing profile"—historical data about the owner's location (country, region, ZIP code). If a transaction is from a "blacklist" (countries with high fraud rates, according to the Financial Action Task Force (FATF)), the risk increases.
    • AVS and CVV: The Address Verification Service compares the entered address with the bank's address. A partial match adds risk points.
  3. Risk calculation:
    • Scoring models are used (e.g., Visa's Account Attack Intelligence). Threshold: if the distance is >1000 km without explanation (e.g., a recent trip), the transaction is performed via 3D Secure (an OTP is sent to the owner's phone).
    • Machine learning (ML): Algorithms like Random Forest analyze patterns—for example, a series of transactions from a single IP address across multiple countries over a period of minutes.

Examples of geo-mismatch in carding:

  • Scenario 1: A US card (billing in New York) is used for a purchase on a Russian website from an IP address in Nigeria. Stripe blocks the purchase, requiring verification.
  • Scenario 2: A merchant in the EU sees a surge in orders from Asia paid with EU cards; this could be a bot-driven card-testing attack.

Table: Comparison of geodata sources for detection

| Data source | Accuracy | Advantages | Flaws | Application in carding |
|---|---|---|---|---|
| IP address | 95% (country level) | Fast, cheap | VPN masking | The main flag for cross-border fraud |
| GPS/Wi-Fi | 99% (city) | Accurate for mobile | Not always available | Supplements IP for device fingerprinting |
| Billing address | 90% | Direct bank verification | Ignores travel | AVS for shipping mismatch |
| Historical profile | 85% (ML) | Takes behavior into account | Requires data | Velocity checks (movements too fast) |

In 2024, geo-mismatch prevents ~40% of fraud according to Juniper Research, but fraudsters bypass it through residential proxies (real IPs from bots).

TC40: Post-monitoring through fraud reporting

TC40 (Transaction Code 40) is a Visa tool for aggregating data on confirmed fraud, introduced in the 2010s to combat card-not-present (CNP) fraud. Unlike geo-mismatch, TC40 works post-factum: after a cardholder reports fraud, the bank generates a report. This isn't real-time detection, but rather analytics for identifying systemic carding patterns, such as "bin attacks" (attacks on specific BINs—Bank Identification Numbers—of cards).

How TC40 works step by step:

  1. Generating a report:
    • The customer calls the bank: "This purchase isn't mine!" The bank checks (up to 60 days according to Visa rules) and, if fraud is confirmed, creates a TC40 record with the following details: merchant ID, amount (<$1 for tests), date, location, type (card testing or fullz – full data).
  2. Aggregation and analysis:
    • Visa collects TC40 from all issuers (issuing banks) and shares it with acquirers (merchant banks). Thresholds: >1% fraud rate or >$100,000 in chargebacks per quarter — merchants are considered "High Risk."
    • Analysis: They look for clusters—for example, 100 test transactions of $0.01 per hour from a single IP address. This is a sign of a carding attack.
  3. Consequences:
    • For merchants: Fines ($5–$100 per TC40), increased fees (up to 2% of transactions), or termination from the Visa program. Example: In 2023, Pornhub lost access to Visa due to TC40 complaints.
    • For banks: Improving models – TC40 data trains AI for predictive analytics.

Examples of TC40 in the context of carding:

  • Card Testing: A fraudster tests 1,000 cards on a website selling digital goods (subscription costs $1). 10% are valid → 100 TC40 reports. Visa flags the merchant.
  • Large-scale attack: In 2022, an attack on Shopify merchants generated >10k TC40, leading to bans.

Table: Comparison of TC40 with other Visa instruments

| Tool | Type | Speed | Focus | Effectiveness against carding |
|---|---|---|---|---|
| TC40 | Post-analysis | 30–60 days | Chargeback patterns | High for trends (80% detection of testing) |
| Visa RAP (Risk Assessment Platform) | Real time | Instant | Scoring by geo/velocity | Medium, but can be combined with TC40 |
| SAFE (Mastercard analogue) | Post-analysis | 45 days | Fraud alerts | Similar, but broader (includes P2P fraud) |

TC40 does not prevent attacks directly, but reduces their effectiveness by 25–30% due to deterrence (fraudsters avoid “hot” merchants).

Additional detection methods and combinations

Banks don't rely on a single tool—it's an ecosystem:
  • Velocity checks: Too many transactions per minute (e.g., >5 from one IP) result in a block.
  • Device Fingerprinting: Fingerprint (browser, OS, screen resolution) is compared; mismatch is flagged.
  • AI and ML: Systems like Feedzai analyze 300+ variables, predicting fraud with 95% accuracy.
  • 3DS 2.0: Biometrics (face ID) + geo for verification.

In 2025, the trend is tokenization (replacing card numbers with tokens) and biometrics, which will reduce carding by 50%.

Recommendations for merchants and consumers (educational aspect)

  • For merchants: Integrate Stripe Radar or Riskified; monitor TC40 through your bank. Test in sandbox environments.
  • For consumers: Turn on transaction notifications, use virtual cards (e.g., Privacy.com).
  • Global context: In Russia/CIS, carding is growing due to sanctions; use local systems like Mir Pay.

This overview shows how technology is evolving, balancing convenience and security. If you need any clarification or simulation code examples, please let me know!
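The geo-mismatch scoring described in the post, as an added illustration that is not the poster's code: the GeoIP table and anonymizer list are constructed stand-ins for MaxMind/IP2Location data, the point values are assumptions, and the distance thresholds (>500 km flag, >1000 km step-up to 3D Secure), the VPN/Tor signal and the AVS signal follow the post.

```python
"""Geo-mismatch scoring for one card transaction (added illustration).
Assumptions: GEOIP and ANONYMIZER_IPS are constructed stand-ins for a
geolocation database and a VPN/Tor exit list; point values are invented."""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

# Constructed sample lookup: ip -> (country, lat, lon)
GEOIP = {
    "203.0.113.7": ("NG", 6.52, 3.38),      # Lagos
    "198.51.100.9": ("US", 40.71, -74.01),  # New York
    "192.0.2.44": ("US", 34.05, -118.24),   # Los Angeles
}
ANONYMIZER_IPS = {"192.0.2.44"}  # constructed VPN/Tor exit list

@dataclass
class BillingProfile:
    country: str
    lat: float
    lon: float

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def score_transaction(ip, profile, avs_match="full"):
    """Return (decision, risk_points, distance_km) for one transaction."""
    if ip not in GEOIP:
        return "review", 50, None  # cannot geolocate: send to manual review
    country, lat, lon = GEOIP[ip]
    dist = haversine_km(profile.lat, profile.lon, lat, lon)
    risk = 0
    if country != profile.country:
        risk += 30  # cross-border use of the card
    if dist > 500:
        risk += 20  # beyond the first distance threshold in the post
    if dist > 1000:
        risk += 30  # far enough to need an explanation (travel) or 3DS
    if ip in ANONYMIZER_IPS:
        risk += 25  # VPN/Tor masks the true location
    risk += {"full": 0, "partial": 15, "none": 30}[avs_match]  # AVS result
    if risk >= 80:
        decision = "block"
    elif risk >= 40:
        decision = "step_up_3ds"  # send an OTP via 3D Secure
    else:
        decision = "approve"
    return decision, risk, round(dist)

NY_PROFILE = BillingProfile("US", 40.71, -74.01)  # constructed cardholder
```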
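The TC40 aggregation and cluster analysis from the post, as an added illustration that is not the poster's code and not Visa's actual file format: the record layout, the sample records and the quarterly volumes are constructed, and the thresholds (>1% fraud rate or >$100,000 in chargebacks per quarter means high risk; many sub-$1 tests from one IP within an hour means card testing) follow the post.

```python
"""TC40 post-monitoring over constructed fraud records (added illustration).
Assumptions: each record is (merchant_id, amount_usd, timestamp, source_ip);
quarterly transaction counts are constructed; thresholds follow the post."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed records: merchant M001 took 60 one-cent tests from one IP in an hour
TC40_RECORDS = [
    ("M001", 0.01, datetime(2024, 3, 1, 10, minute), "203.0.113.7")
    for minute in range(60)
] + [
    ("M002", 250.0, datetime(2024, 3, 2, 9, 0), "198.51.100.9"),
    ("M002", 480.0, datetime(2024, 3, 5, 14, 30), "198.51.100.10"),
]
# Constructed quarterly volume per merchant: total transaction count
QUARTER_TX_COUNT = {"M001": 3000, "M002": 40000}

def merchant_risk(records, tx_count, rate_limit=0.01, usd_limit=100_000):
    """Per-merchant fraud rate and chargeback dollars, with the high-risk flag."""
    count, dollars = Counter(), defaultdict(float)
    for mid, amount, _, _ in records:
        count[mid] += 1
        dollars[mid] += amount
    result = {}
    for mid, total in tx_count.items():
        rate = count[mid] / total
        result[mid] = {
            "fraud_rate": rate,
            "chargeback_usd": round(dollars[mid], 2),
            "high_risk": rate > rate_limit or dollars[mid] > usd_limit,
        }
    return result

def card_testing_clusters(records, max_amount=1.0, min_count=50,
                          window=timedelta(hours=1)):
    """(merchant, ip) pairs with >= min_count sub-$max_amount records in one window."""
    times_by_key = defaultdict(list)
    for mid, amount, ts, ip in records:
        if amount < max_amount:
            times_by_key[(mid, ip)].append(ts)
    flagged = []
    for key, times in times_by_key.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= min_count:
                flagged.append(key)
                break
    return flagged
```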