Impact of IP address on carding PayPal
The idea of carrying out this experiment was born from the whole mass of conjectures and myths, in the heap of which every stick leader is forced to exist.
After all, when we talk about how it affects (or does not affect) having driven in, say, DNS or risk-score, we are based either on someone's (possibly authoritative for us) opinion, or simply on guesses based on common sense. There is a third option, called “personal experience,” despite the fact that the statistical value of this experience is not assessed in any way other than emotional. What does it mean? If one drive was unsuccessful, and this time we paid attention to DNS, then the failure is attributed to such a DNS, and other reasons are not considered. That is, there is no smell of any serious approach to the study of statistical data. So subjective opinion is passed off as a certain truth, obtained empirically. It has long been noticed that by reasoning logically, you can draw any conclusions based on any data - it all depends on the desire to bring the final thought to a particular result. But a lot can influence the result. And to get a more or less intelligible real picture of the influence of certain parameters on the result, tens and hundreds of correctly performed experiments are required.
Research conditions
Our experiment looked like this: 200 OpenVPN configs and five professional stick leaders - 40 configs each.
Each worked according to his usual scheme - who refuses, who deploys, who shoots - in all cases, a positive result was considered a successful transaction in the amount of more than $ 100, completed within a maximum of a week after the first acquaintance of the stick with the address.
Configs (IP-addresses) were used exclusively by USA, random states.
DNS for 100 of them was used native, from the provider serving the router, on 33 - Google (8.8.8.8), on 33 - Cloud (1.1.1.1) and on the remaining 34 - Cisc OpenDNS (208.67.222.222 ). Thus, we wanted to get confirmation or refutation of the theory about the impact of public dns.
The risk score was measured from three different sources:
maxmind ,
ipqualityscore, and
getipintel . Here we had to take into account that the ranges of possible values for ipqualityscore and maxmind RISK are from 0 to 100, and for getipintel from 0 to 1. Given that for maxmind RISK, an address with risk <1 is considered clean (ideally clean with risk <0.4), and if maxmind RISK> 1, it can be argued that the address is dirty, and for ipqualityscore, an address with risk <70 (ideally clean with risk = 0) is considered clean. getipintel is considered an unauthorized source of data, but was included in the study due to its incomprehensible popularity among the stick leaders.
The distribution of 200 addresses according to different risk-score values.
We looked at whatleks.com for the presence of an address in the blacklists. On this basis, three categories were distinguished: addresses with the CLEAN status (87 addresses), addresses present in the dnsbl.sorbs.net database itself (86 addresses), addresses present in other more serious blacklists (27 addresses)
On half of the routers, we deliberately opened ports 8080, 8888, and 1723 to see the dependency (or independence) on open ports.
WebRTC was half disabled, half enabled.
Two-way ping was also turned on for the sake of the purity of the experiment, and turned off on the half.
Also on half of the configs this value was set
mssfixso that the VPN tunnel is determined by the size of the network frame and in half is not detected in any way (for a mobile network or a very noisy line with a non-standard network frame size) (Connection type parameter on the whatleaks.com website)
52 addresses belonged to the provider Comcast Cable Communications, LLC ; 44 - Charter Communications Inc; 32 - Spectrum; 25 - Cox Communications Inc .; the remaining 47 fell on various small regional providers
Research results
In total, out of 200, a positive result was counted (that is, they allowed to conduct a transaction for more than $ 100 within the first week after the "sign" of a PayPal account with an IP address) on 167 IP addresses, and, accordingly, on 33 addresses the result was recorded as negative
167/33
1.
DNS
Of course, for unambiguous conclusions, it would be necessary to increase the number of tested addresses by at least an order of magnitude, but according to the data obtained, no dependence of success on the DNS used is observed, all data are within the normal error
2.
RiskScore
The results for Maxmind RISK and IpqualityScore correlate well with each other and reflect the result obtained.
But by the value of getIPintel you can only navigate when it goes off scale for 0.8 - this means everything is guaranteed to be bad. Most likely this is due to limited capacity, because of what getIPintel project updates its database no more frequently than once every two weeks (for a time and Maxmind and IpqualityScore have time for 5-7 times to update the value of risk-score in their bases).
But where slide the fact that the rules are fucking invented for the sake of exceptions? Where are these 2 successful transactions at risk from 0.8 soon?
I can only draw this conclusion: according to ONE criterion, even if it burns our entire office, the stick does not unfold transactions unambiguously. For an optimized anti-fraud, tuned for minimal costs, this is logical - you can't just take and send a person to fuck. You can be on your guard and drive him out in all other parameters, letting go of his dullness off the chain, and identify a couple more reasons. There is already one road.
What does it give us? Well, in general, unfortunately, nothing. Only its market capitalization is close to the number of parameters that the stick checks. And this means that we can guarantee their sterility in our PC, unless we create a vacuum inside it. Therefore, you cannot afford a public dns or an IP address that has already been running in a circle.
Of course, we absorbed this with the milk of our first mentors, but the reasons for exactly this behavior of the stick have become clearer now.
3.
Black-lists
An excellent demonstration that the most common spam list dnsbl.sorbs.net does not affect the result in any way. But other black lists are undoubtedly worth taking into account.
4.
Open ports
The question of the impact of open ports can be safely closed.
Here's to you, grandma, and developer's day. What did I say in the second point? Only a set of parameters has a weight ...
5.
WebRTC
It should be noted here that the result obtained is partly due to the setting of the test. Since we ourselves controlled on which accounts WebRTC would be enabled and on which ones it was disabled, we made sure that about half of the “bad” addresses had WebRTC enabled. It can also be considered that this proves the theory that, thanks to WebRTC, the AF receives confirmation of the existence of a LAN behind the router, in which our computer is located after a VPN connection, and, thus, the enabled WebRTC becomes a positive moment.
6.
Double Ping
Paranoid and conspiracy theorists are probably already rubbing their hands, looking at these numbers. But our view does not mean anything. In order to draw conclusions, you should have at least five times more results. In the meantime, the deviation is purely statistical. No one has ever heard of any authoritative evidence that PayPal uses this technology in its AF.
7.
Connection Type
Here the picture is minimally different from that observed above with double ping, so, most likely, additional studies of the influence are required, but experience tells us: here the influence of this parameter is most likely there. It may be insignificant, but it is more likely to exist than not.
8.
Provider
Here it is quite clear that the data is about nothing, too small a sample for at least some conclusions. So Comcast just accounted for a third of all addresses with a bad risk-speed, that's why this is the result. So, this data should be interpreted in the direction of independence from the provider.
Conclusions
This study cannot be considered absolutely complete or absolutely authoritative. No other data obtained in the mode of independent research has so far been published anywhere. And these findings suggest quite definite thoughts.
So, the
independence of the result from the type of DNS looks quite convincing.
We can also reasonably use each of the three popular providers of risk-score data (at least for two of them, since getIPintel still gives a too vague picture, it can only unambiguously determine which IPs should not be used, but to select the valid ones, it is worth taking data from IpqualityScore or Maxmind).
On blacklists,
one should obviously
not pay attention to the set soreness for everyone (in fact, half of the Internet is in it) dnsbl.sorbs.net
WebRTC, when turned on, has a positive effect on driving through vpn.
The impact of double ping is questionable.
The influence of Connection Type is also questionable - but here doubts incline us rather to agree with this fact. Additional tests are needed.
The influence of the provider (assuming that all providers are home, and not hosting and not business) is most likely absent, but much more extensive research is also needed to directly prove this fact.
When you log into your account from IP addresses belonging to different countries or very different in mask, you will receive the limit of your account.
You can get rid of this limit in the following ways:
- Let the account rest for 2-7 days
- Pass additional verification (for example, link a bank account or card)
- Enable two-factor authentication
- Make payments in small small amounts to a reliable account, make small purchases in stores and services, transfer money to another verified account
- Contact support
In order not to receive a limit account, you must:
- Log in from an identical IP address. If it is not possible to pick up the same sox, then choose a close one by mask
- With the same saved cookies
- Make payments for the amounts familiar to this account and avoid paying for large amounts that the account is not used to.
You can find additional details for what reasons the Paypal account receives limits in this thread:
, that he logged in with your detail, also make sure to change your password before doing all this. Anytime i had problem of limit this is what i did.
