What are Non-VBV, Auto-VBV and Non-MCSC bins and why are they popular with carders?

Mutt

For educational purposes, I will provide a more detailed explanation of the terms Non-VBV, Auto-VBV and Non-MCSC bins, their role in carding, their connection with 3D Secure (3DS), and the methods that anti-fraud systems use to combat fraud, including GeoIP, Device Fingerprinting and behavioral analysis. I will also describe why these bins are valuable in carding, how carders try to bypass protection systems, and the risks this entails. The answer will be as informative as possible, but strictly for educational purposes, to explain the mechanisms and risks associated with bank card fraud.

1. What are bins and their role in carding?

BIN (Bank Identification Number) is the first 6-8 digits of the bank card number, which identify:
  • Issuing bank (that issued the card).
  • Payment system (Visa, Mastercard, Amex, etc.).
  • Card type (credit, debit, prepaid).
  • Card level (Classic, Gold, Platinum).
  • Country of manufacture.
  • Availability of protection, for example, 3D Secure (Verified by Visa, Mastercard SecureCode).

Bins are important to carders because they help determine how easily stolen card data can be used to conduct transactions. In the context of carding, bins are classified by their level of protection, which directly affects the likelihood of a successful fraudulent transaction.

The main types of bins popular with carders are:

  1. Non-VBV (Non-Verified by Visa):
    • Cards that are not connected to the 3D Secure protocol for Visa. This means that an online transaction does not require a one-time password (OTP), redirection to the bank's website, or any other form of additional authentication.
    • Such cards are more common in countries with less strict regulation (such as some countries in Africa, Asia or Latin America) or at smaller banks that have not implemented 3DS.
    • Example: A card issued by a regional bank in a country without mandatory 3DS allows payment by indicating only the card number, expiration date and CVV.
  2. Auto-VBV:
    • Cards that support 3DS but are configured so that verification can be automatically skipped in certain cases, such as:
      • Transactions for small amounts (for example, up to $50–100, depending on the bank).
      • Payments on sites classified as "low risk" (e.g. subscriptions to streaming services).
      • Transactions in regions where 3DS is not required.
    • Auto-VBV bins are attractive because they can "roll" (pass successfully) on sites with minimal verification, but their use is limited by amounts and types of stores.
  3. Non-MCSC (Non-Mastercard SecureCode):
    • Analog of Non-VBV, but for Mastercard cards. These cards do not require entering SecureCode (analog of OTP for 3DS) when paying.
    • Like Non-VBV, they are rare as most banks in developed countries are implementing 3DS for all Mastercard cards.
    • Example: A card issued in a country where 3DS is not mandatory allows a transaction to be completed without additional verification.

2. Communication with 3D Secure (3DS)

3D Secure is a security protocol developed by payment systems (Visa, Mastercard, Amex, etc.) to protect online transactions. The name "3D" reflects three domains:
  • Issuing bank (that issued the card).
  • Acquiring bank (serving the merchant).
  • Payment system (Visa, Mastercard, etc.).

3DS adds an extra layer of authentication by requiring the cardholder to verify their identity. This can be:
  • One-time password (OTP) sent to your phone or email.
  • Confirmation via the bank's mobile application.
  • Biometric authentication (fingerprint, Face ID).

How does 3DS affect carding?

  • Non-VBV and Non-MCSC:
    • These bins completely bypass 3DS, making them the "gold standard" for carders. Without the need to enter an OTP or access the cardholder's phone, fraudsters can conduct a transaction simply by knowing the card details (number, expiration date, CVV).
    • Such bins are rare, as since 2019 (the introduction of PSD2 in the EU) most banks are required to use 3DS for all online transactions.
  • Auto-VBV:
    • These bins are in a "gray area". They support 3DS, but the issuing bank can set rules where verification is not required (for example, for transactions below a certain amount or on low-risk sites).
    • Carders use Auto-VBV for small transactions to minimize the chance of 3DS being triggered.

Why do carders look for such bins?

  1. Fewer barriers:
    • Non-VBV and Non-MCSC bins allow transactions to be carried out without additional checks, which simplifies the process of "entering" card data on the website for payment.
    • Auto-VBV bins give you a better chance of success when testing cards on sites with low security levels.
  2. Rarity and value:
    • Non-VBV and Non-MCSC bins make up a small proportion of all cards, as large banks (especially in the US, EU and other developed regions) are actively implementing 3DS. This makes them a valuable commodity on the black market, where lists of such bins sell for tens or hundreds of dollars.
  3. Target sites:
    • Carders choose sites with a low level of anti-fraud protection, such as:
      • Small online stores.
      • Subscription services (streaming platforms, VPN, hosting).
      • Platforms for donations or microtransactions.
    • On such sites, Non-VBV and Non-MCSC cards have a high success rate.

3. Why are these bins popular with carders?

Carding is the process of using stolen bank card data to make fraudulent transactions. Non-VBV, Auto-VBV and Non-MCSC bins are popular for the following reasons:
  1. 3DS bypass:
    • 3DS is the main barrier for carders, as without access to the cardholder's phone or app, the transaction is impossible. Non-VBV and Non-MCSC bins remove this barrier, allowing payment to be completed with only the card details.
    • Auto-VBV bins allow you to "roll" small amounts without 3DS, which is convenient for testing cards or small purchases.
  2. High probability of success:
    • Carders test cards on sites that do not request 3DS or have weak anti-fraud systems. Non-VBV and Non-MCSC bins are ideal for such operations.
    • Examples: Purchase of digital goods (gift cards, subscriptions), payment for services (VPN, hosting), donations on streaming platforms.
  3. Speed and automation:
    • Carders often use automated scripts to test cards in bulk ("checkers"). Non-VBV and Non-MCSC bins allow you to quickly check if a card works without having to bypass 3DS.
    • Auto-VBV bins are suitable for bulk transactions of small amounts, which reduces the risk of detection.
  4. Black market:
    • On darknet forums (for example, in Telegram channels or specialized platforms), lists of Non-VBV and Non-MCSC bins are sold as "premium". Carders are willing to pay for them, as they increase the chances of successful transactions.
    • Auto-VBV bins are less valuable, but still in demand for certain schemes.
  5. Regional features:
    • In some countries (e.g. India, Nigeria, some Latin American countries) 3DS is not implemented everywhere, which makes bins from these regions especially attractive to carders.

4. How do anti-fraud systems detect fraudulent attempts?

Anti-fraud systems used by banks, payment systems and online stores use complex algorithms and machine learning technologies to detect fraudulent transactions, even if Non-VBV, Auto-VBV or Non-MCSC bins are used. The main methods include:

4.1. GeoIP analysis

  • What is it? GeoIP determines the geographic location of the device from which a transaction is made based on the IP address.
  • How does it work?
    • The system compares the IP address with the card's billing address or the owner's transaction history.
    • If a US card is used with an IP from Russia, this raises a red flag.
    • Anti-fraud systems also analyze:
      • Network Latency: The use of a VPN or proxy can be detected by anomalies in network latency.
      • VPN Databases: There are lists of IP addresses associated with popular VPN services that are often used by carders.
  • How do carders try to get around this?
    • Use "clean" proxies or VPNs that match the country of the card (for example, residential proxies that look like home IPs).
    • Use VPS (virtual servers) in the required country.
    • However, modern anti-fraud systems can detect such attempts by analyzing discrepancies in other parameters (for example, device or behavior).

4.2. Device Fingerprinting

  • What is it? Collecting unique characteristics of the device from which a transaction is made to create its "digital fingerprint".
  • What is being analyzed?
    • Operating system (Windows, macOS, Linux).
    • Browser version and its settings (language, plugins, fonts).
    • Screen resolution, time zone, cookie settings.
    • Hardware specifications (e.g. WebGL version, available RAM).
  • How does it work?
    • The fingerprint is compared with the cardholder's transaction history. If the device is new or has suspicious characteristics (for example, settings typical for anti-detect browsers), the transaction is marked as suspicious.
    • Example: If the cardholder always uses iPhone with Safari, and the transaction is made from Windows through an anti-detect browser, this raises alarm.
  • How do carders try to get around this?
    • They use anti-detect browsers (for example, Multilogin, Kameleo), which replace the characteristics of the device.
    • Virtual machines with "clean" settings are used.
    • However, anti-fraud systems are improving, identifying anomalies such as disabled cookies, non-standard fonts or signs of virtual machines.

4.3. Behavioural Analysis

  • What is it? Analysis of how a user interacts with a website, including behavioral and biometric data.
  • What is being analyzed?
    • Typing speed, mouse movements, click patterns.
    • Time spent on the page and sequence of actions (e.g. filling out a payment form).
    • Purchase history: amounts, product categories, transaction times.
  • How does it work?
    • If the behavior does not match the cardholder's habits (for example, the carder fills out the form too quickly or uses automated scripts), the system marks the transaction as suspicious.
    • Example: If the cardholder usually buys groceries and the new transaction is a purchase of expensive electronics at 3am, this raises alarm bells.
  • How do carders try to get around this?
    • Use scripts to simulate human behavior (e.g. random mouse movements).
    • Buy "fullz" (full card details including address, phone and purchase history) to fake behavior.
    • However, machine learning identifies anomalies such as unnatural patterns or mass transactions from one device.

4.4. Additional Methods

  • AVS (Address Verification System):
    • Checks that the billing address entered during payment matches the bank data. Carders can use "fullz" to bypass this check, but errors in the address format or inconsistencies raise suspicion.
  • Time patterns:
    • Transactions at unusual times (for example, at night according to the cardholder's time) or too frequent payment attempts may be blocked.
  • Blacklists:
    • Anti-fraud systems use databases of known fraudulent IPs, devices, bins or email addresses. If a carder uses a known IP or email, the transaction is blocked.
  • Risk scoring:
    • Anti-fraud systems assign each transaction a risk score based on a variety of factors (GeoIP, Device Fingerprinting, behavior, amount). If the score exceeds the threshold, the transaction is rejected or sent for manual verification.

5. How do carders use these bins and try to bypass anti-fraud systems?

Carders develop complex schemes to use Non-VBV, Auto-VBV and Non-MCSC bins and bypass anti-fraud systems. Here are the main approaches:
  1. Card data collection:
    • Carders buy card data on the black market (forums, Telegram channels). "Fullz" include not only the card number, but also the name, address, phone, CVV, sometimes even the purchase history.
    • Non-VBV and Non-MCSC bins are valued higher because they are easier to use.
  2. Testing cards ("checkers"):
    • Carders use automated scripts ("checkers") to mass test cards on sites with a low level of protection.
    • Example: Donations on streaming platforms, VPN subscriptions, digital product purchases (gift cards).
    • Non-VBV and Non-MCSC bins are ideal for such tests as they do not require 3DS.
  3. GeoIP Bypass:
    • Carders use residential proxies (IP addresses that look like home addresses) or VPS in the country of the card.
    • They can also spoof the device's time zone and settings to match the region.
  4. Bypass Device Fingerprinting:
    • Anti-detect browsers (Multilogin, Kameleo) replace the device characteristics to create a "clean" fingerprint.
    • Carders can use virtual machines with new settings for each transaction.
  5. Imitation of behavior:
    • Carders use scripts to imitate human behavior (random clicks, input delays).
    • They can study the cardholder's purchase history (if "fullz" are available) and imitate it to avoid suspicion.
  6. Selection of "weak" sites:
    • Carders choose sites with minimal protection, such as:
      • Small online stores.
      • Subscription services (Netflix, Spotify, VPN).
      • Donation platforms (Patreon, OnlyFans).
    • Such sites often do not request 3DS or have weak anti-fraud systems.

6. Why is it difficult for carders to bypass anti-fraud systems?

Modern anti-fraud systems use machine learning and big data analysis to detect fraud in real time. Even with Non-VBV or Auto-VBV bins, carders face challenges:
  1. Multivariate analysis:
    • Anti-fraud systems combine GeoIP, Device Fingerprinting, behavioral analysis and other data to create a complete picture of the transaction. A discrepancy in even one parameter (for example, a suspicious IP) can lead to blocking.
  2. Updating databases:
    • Banks and payment systems are constantly updating their bin lists, adding 3DS even for previously "free" cards. This makes Non-VBV and Non-MCSC bins increasingly rare.
  3. Blacklists:
    • IP addresses, devices and emails associated with fraud are blacklisted, making them useless for retry attempts.
  4. Dynamic rules:
    • Antifraud systems adapt to new carder schemes. For example, if a mass attack using a certain bin is detected, it can be temporarily blocked or transferred to mandatory 3DS verification.
  5. Manual check:
    • For suspicious transactions, stores may require manual confirmation (such as calling the cardholder or requesting documents), making carding impossible.

7. Risks and consequences of carding

Carding is a serious crime that has legal and financial consequences:
  • Legal risks:
    • In many countries (including Russia), carding is classified as fraud or cybercrime. Punishments may include fines, imprisonment, and confiscation of property.
    • Example: In Russia, under Article 159.3 of the Criminal Code of the Russian Federation (fraud using payment cards), the punishment can be up to 7 years of imprisonment.
  • Financial risks:
    • Carders risk losing money spent on purchasing these cards or tools (proxies, anti-detect browsers).
    • Banks can block cards and stores can cancel transactions, rendering carders' efforts useless.
  • Risks to victims:
    • Cardholders may lose money if the bank does not reimburse the losses. However, in most cases, banks will return funds if fraud is proven.
    • Victims also face leakage of personal data, which could lead to further attacks.

8. How to protect yourself from carding?

For users and cardholders:
  1. Turn on 3DS:
    • Make sure your card is connected to Verified by Visa or Mastercard SecureCode. This can be done through your bank.
  2. Use virtual cards:
    • Create one-time virtual cards for online purchases with a spending limit.
  3. Monitor transactions:
    • Enable transaction notifications and check your card statement regularly.
  4. Avoid suspicious sites:
    • Make purchases only on trusted platforms with HTTPS and a good reputation.
  5. Use two-factor authentication:
    • Enable 2FA for banking apps and accounts.

For shops:
  1. Implement 3DS:
    • Require 3DS for all transactions, especially for cards from risky regions.
  2. Strengthen anti-fraud systems:
    • Use solutions from companies like FraudLabs, Signifyd or Riskified to analyze transactions.
  3. Check suspicious orders:
    • Manually review high-risk orders (e.g. large amounts or shipping to another country).

9. Conclusion

Non-VBV, Auto-VBV and Non-MCSC bins are cards that either bypass 3D Secure completely (Non-VBV, Non-MCSC) or allow transactions without verification in certain cases (Auto-VBV). They are popular with carders due to their ease of use and high success rate on sites with low levels of protection. However, anti-fraud systems effectively combat such attempts using GeoIP, Device Fingerprinting, behavioral analysis and other methods. Carders try to bypass these systems using proxies, anti-detect browsers and "fullz", but machine learning and dynamic rules make this increasingly difficult.

For educational purposes, it is important to understand how these mechanisms work to raise awareness of cybersecurity. Users are advised to protect their cards with 3DS and other measures, and merchants are advised to implement modern anti-fraud solutions. Carding remains a serious threat, but its effectiveness is decreasing due to advances in protection technologies.
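
For merchants and issuers, the risk scoring from section 4.4 and the dynamic BIN rule from section 6 can be sketched as follows. This is an added example, not part of the original post or of any vendor's product; the field names, weights, thresholds and window length are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

WINDOW_S = 600             # sliding window for velocity checks (assumed)
MAX_CARDS_PER_DEVICE = 3   # distinct cards per device per window (assumed)
MAX_DECLINES_PER_BIN = 5   # declines per BIN before forcing 3DS (assumed)
WEIGHTS = {"geoip_mismatch": 30, "new_device": 20, "avs_mismatch": 25,
           "card_testing_velocity": 40}   # illustrative weights

@dataclass
class Attempt:
    ts: float             # event time in seconds
    bin6: str             # first six digits only, never the full PAN
    card_token: str       # tokenised card reference
    device_id: str        # device-fingerprint identifier
    ip_country: str       # country resolved from the client IP (GeoIP)
    billing_country: str  # country of the billing address
    avs_match: bool       # result of the address verification check
    known_device: bool    # device seen before for this cardholder

def _trim(q, now):
    # Drop entries that have fallen out of the sliding window.
    while q and now - q[0][0] > WINDOW_S:
        q.popleft()

class RiskEngine:
    def __init__(self):
        self.cards_by_device = defaultdict(deque)  # device -> (ts, token)
        self.declines_by_bin = defaultdict(deque)  # bin6 -> (ts,)
        self.forced_3ds_bins = set()

    def decide(self, a):
        seen = self.cards_by_device[a.device_id]
        seen.append((a.ts, a.card_token))
        _trim(seen, a.ts)
        distinct_cards = len({tok for _, tok in seen})
        signals = {
            "geoip_mismatch": a.ip_country != a.billing_country,
            "new_device": not a.known_device,
            "avs_mismatch": not a.avs_match,
            "card_testing_velocity": distinct_cards > MAX_CARDS_PER_DEVICE,
        }
        reasons = [name for name, hit in signals.items() if hit]
        score = sum(WEIGHTS[r] for r in reasons)
        if score >= 70:
            return "manual_review", score, reasons
        if score >= 30 or a.bin6 in self.forced_3ds_bins:
            return "challenge_3ds", score, reasons
        return "frictionless", score, reasons

    def record_decline(self, a):
        q = self.declines_by_bin[a.bin6]
        q.append((a.ts,))
        _trim(q, a.ts)
        if len(q) > MAX_DECLINES_PER_BIN:
            self.forced_3ds_bins.add(a.bin6)  # dynamic rule: mandatory 3DS
```

Call `decide()` before authorisation and `record_decline()` when the issuer declines; a BIN that accumulates declines inside the window is stepped up to a 3DS challenge even when every other signal looks clean.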