What is carding and why is it a problem?

Student

Carding is a type of online fraud in which criminals use stolen credit or debit card information to make online purchases without the owner's consent. This type of "card-not-present" (CNP) fraud requires no physical card, and the transaction occurs remotely. Fraudsters obtain card information through phishing, database hacking, skimming, or purchases on the darknet. Reports indicate that global losses from carding exceed billions of dollars annually. For example, in 2024, fraud losses in Japan were estimated at ¥55.5 billion (approximately $370 million), a 2.6% increase from the previous year. Growth is expected in 2025 due to the rise of online commerce, but technologies like 3DS 2.0 help mitigate the risks.

Educational aspect: Carding not only causes financial harm to victims (loss of money, blocked cards), but also undermines trust in online payments. For businesses, this leads to chargebacks, fines, and reputational damage. Understanding carding helps users and companies take precautions, such as using a VPN, two-factor authentication, and transaction monitoring.

The Evolution of 3D-Secure: From 1.0 to 2.0

3D-Secure (3DS) is a protocol developed by EMVCo to improve the security of online payments. Version 1.0 (introduced in 2001) used static passwords, which caused numerous problems, including high abandonment rates due to inconvenience and vulnerability to phishing. Between 2016 and 2019, 3DS 2.0 was released, which uses a risk-based authentication approach. It analyzes over 100 transaction parameters (IP address, device, purchase history, geolocation) using AI to determine the risk level.

In the context of carding: In 3DS 1.0, fraudsters could bypass the system by guessing passwords or using proxies. 3DS 2.0 makes this more difficult, as in 90% of cases (frictionless flow), authentication occurs unnoticed by the user. However, if the risk is high, a challenge flow with additional verification is activated. This reduces the success rate of card fraud, as fraudsters need not only card details but also access to the cardholder's phone or biometrics.

Statistics: According to Visa, 3DS 2.0 reduces checkout times by 85% and abandonment by 70%. In the EU, after PSD2 (where 3DS is mandatory), the fraud rate has fallen by 25% since 2019. Globally, 3DS will prevent €900 million in fraud by 2024.

3DS 2.0 Fraud Prevention Mechanisms

3DS 2.0 operates across three domains: the card issuer (bank), the acquirer (merchant), and the network (Visa/Mastercard). It integrates multi-factor authentication (MFA) to confirm the transaction's legitimacy.
  • Risk-Based Analysis: Before authentication, the system assesses the risk. If the transaction is typical (for example, a purchase on a familiar device), it proceeds without intervention. In carding, this blocks 70–85% of attempts, as the parameters (new device, suspicious IP) signal a risk.
  • OTP (One-Time Password): At medium risk, a one-time code is sent via SMS, email, or in a banking app. In carding, the fraudster won't receive the OTP without access to the victim's phone. Vulnerabilities include SIM swapping, but app-based OTP (push notifications) mitigates this. According to Mastercard, OTP reduces attacks by 60%.
  • Biometrics: For high-risk scenarios, fingerprint, Face ID, or voice are used. This requires physical presence, making carding virtually impossible without device theft. Studies show a 90% reduction in fraud compared to passwords. Biometrics integrates with the operating system (iOS/Android), eliminating the need to transmit data over the network.

| Mechanism | How it blocks carding | Advantages | Flaws | Statistics (2024–2025) |
|---|---|---|---|---|
| Risk-Based Analysis | Analyzes 100+ parameters; blocks suspicious transactions without input. | Seamless (90% of cases); reduces abandonment. | Data dependent; false positives. | Fraud rate <0.1% in authenticated payments. |
| OTP | Requires access to the device; the scammer cannot confirm. | Cheap, simple; works on all devices. | Vulnerable to SMS interception; inconvenient. | Reduces successful attacks by 60%. |
| Biometrics | Unique to the owner; cannot be counterfeited remotely. | High accuracy (99%); convenient for mobile devices. | Requires a compatible device; privacy concerns. | Reduces fraud by 90% vs. passwords. |

Educational aspect: These mechanisms are based on the principles of MFA (multi-factor authentication). In carding, fraudsters often only have card details (number, CVV), but not authentication factors, making 3DS an effective barrier.

Liability Shift and business impact

One of the key advantages of 3DS 2.0 is liability shift: responsibility for fraud shifts from the merchant to the card issuer if the transaction is authenticated. In carding, this protects merchants from chargebacks. Without 3DS, merchants risk losing money if the purchase turns out to be fraudulent.

By 2025, 3DS 2.0 is projected to become standard in regions like the EU and Asia. In the US, adoption is growing but still low (2.7% of CNP transactions), where the fraud rate for 3DS is six times lower than the overall rate. For businesses: 3DS integration (via the Visa/Mastercard SDK) increases conversion by 8% and reduces false declines.

Recommendations for protection against carding

Educational: To minimize risks, use 3DS-compatible payment gateways, monitor transactions for anomalies, and educate users. For users: Enable transaction notifications, use virtual cards, and avoid suspicious websites. In Russia, the Central Bank of the Russian Federation notes a 40% reduction in online fraud thanks to 3DS in the Fast Payment System (FPS) and Mir Pay.

Ultimately, 3DS 2.0 is a powerful anti-carding tool that balances security and convenience, with a proven effectiveness of blocking fraud in 70-90% of cases.
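
How a merchant backend might act on the outcomes described above (frictionless result, challenge flow, liability shift), as an added example that is not part of the original post. The `transStatus` and ECI codes follow EMV 3DS and card-scheme conventions; the policy in `decide`, the `Decision` type and the `allow_unauthenticated` switch are assumptions, and actual liability rules depend on the scheme and acquirer.

```python
from dataclasses import dataclass
from typing import Optional

# EMV 3DS transStatus codes the merchant receives after authentication.
AUTHENTICATED = "Y"        # frictionless or completed challenge succeeded
ATTEMPTED = "A"            # attempt processed, proof of attempt issued
CHALLENGE = {"C", "D"}     # step-up (OTP, biometrics) still required
FAILED = {"N", "R"}        # not authenticated / issuer rejected
UNAVAILABLE = "U"          # authentication could not be performed

# ECI values the schemes attach to authenticated and attempted results.
ECI_AUTHENTICATED = {"visa": "05", "mastercard": "02"}
ECI_ATTEMPTED = {"visa": "06", "mastercard": "01"}


@dataclass(frozen=True)
class Decision:
    action: str            # "authorize", "challenge" or "decline"
    liability_shift: bool  # assumed: True when fraud liability moves to the issuer
    reason: str


def decide(scheme: str, trans_status: str, eci: Optional[str],
           allow_unauthenticated: bool = False) -> Decision:
    """Map a 3DS result to the merchant's next step (assumed policy)."""
    scheme = scheme.lower()
    ok_eci, att_eci = ECI_AUTHENTICATED.get(scheme), ECI_ATTEMPTED.get(scheme)
    if trans_status in CHALLENGE:
        return Decision("challenge", False, "issuer requested step-up")
    if trans_status in FAILED:
        return Decision("decline", False, "authentication failed or rejected")
    if trans_status == AUTHENTICATED and ok_eci and eci == ok_eci:
        return Decision("authorize", True, "fully authenticated")
    if trans_status == ATTEMPTED and att_eci and eci == att_eci:
        return Decision("authorize", True, "attempted authentication")
    if trans_status == UNAVAILABLE and allow_unauthenticated:
        # Merchant proceeds without 3DS and keeps the chargeback risk.
        return Decision("authorize", False, "3DS unavailable, no liability shift")
    # Status and ECI disagree, or the values are unknown: fail closed.
    return Decision("decline", False, "unusable 3DS result")
```

The final branch matters most for fraud control: a "Y" status paired with the wrong ECI, or a scheme the table does not know, is declined rather than authorized.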
 