What is carding in 2024

[Tomcat]

Theft of money via the Internet is common and very common. The victims are bank clients with active accounts and plastic cards attached to them. Understand what online carding is and take measures to protect yourself from hackers. Use two-factor authentication and keep your password and PIN secret. Fraud is characterized by using a person's debit or credit payment card without their consent. The carder gains access to banking information and uses other people's funds. This article describes in detail carding methods, basic schemes and recommendations for protection against such types of fraud.

The content of the article:

• What is carding
• General carding scheme
• The most common carding schemes
• Types of carding
• How carders avoid punishment
• You have become a victim of carding: what to do?
• FAQ
• What is important to remember

What is carding​

In fact, this is the theft of funds from an individual's bank account, which is linked to a debit or credit payment card. Typically, theft is carried out through Internet access by obtaining information about the owner of the plastic card - first name, last name, passwords for logging into accounts linked to online stores, PIN codes and other information. Question: carding, what is it in simple words? This is gaining access to the owner’s personal data and using funds from a bank card without his knowledge.

Most often, scammers act in two ways:

• transfer other people's funds to their bank account;
• make purchases in online stores, paying for them with someone else’s card.

People involved in such manipulations are called carders. Most often, a person neglects basic security measures to protect his savings - he enters a password at an ATM in the presence of strangers who see the characters being entered, he tells scammers over the phone the codes from SMS and other data that gives access to the card account.

But the development of Internet technologies contributes to greater sophistication of scammers, sometimes their victims become attentive people who ensure the maximum security of their savings and accumulations. For example, when an online store is hacked, all identified and registered users automatically become easy prey for carders, since a payment card is attached to the account.

General carding scheme​

As a rule, carding scammers on the Internet operate according to certain proven schemes, which are improved and changed as banking technologies develop. Despite the precautions of making payments through secure bank gateways with the HTTPS protocol, the scam works quite successfully. There are different schemes for gaining access to money in a card account.

The basic scheme used by carders:

• the carder acquires a database with access to personal data of payment card owners, which contains personal information of the alleged victims - telephone numbers, first name, last name;
• the carder's representative calls the person on the phone, introduces himself as a bank security employee and reports any suspicious activities regarding the plastic card;
• the victim is confused and does not confirm the actions announced by the scammer;
• After this, the caller reassures the card holder, declaring a fraud attack and offers assistance in protecting the card account - you need to dictate a 4-digit code that is sent via SMS.

The combination of symbols is generated automatically by the online store aggregator. If you dictate this code, the carder will gain access to the account and the telephone connection will be interrupted. Especially gullible are older people or young people who are new to banking, for whom a payment card has become the first virtual storage of money in their lives.

The extraction of personal data by scammers does not depend on the actions of the victim. In most cases, such information is sold via the Darknet or generated to order - for example, bank employees with access to clients’ personal information can sell databases with addresses, phone numbers, card numbers and bank account status. On the Darknet you can buy phone numbers, lists with the names of alleged victims and a specific number of plastic storage media indicating the amount.

The most common carding schemes​

The development of e-commerce has crossed the 30-year mark, and simultaneously with the advent of the first online stores, the first carders appeared. In the 1990s, the schemes were quite simple due to the lack of secure banking for merchants. 30 years ago, carders worked according to the following scheme: they created non-existent plastic cards and used them to pay for purchases in online stores. The lack of real money in the account of the owner of the trading service was not immediately detected; reconciliation with the issuer was carried out approximately once a month.

More complex fraudulent schemes for stealing money from bank accounts have now been developed. In addition to the basic method of calling the cardholder, other methods are common: plastic cards, two-factor authentication, MCSC, VBV and fulka.

Carding with plastic cards​

The cards used have different classifications - for example, they are debit, credit. All plastic cards contain basic and detailed information about the owner:

• last name and first name in Latin;
• time interval to use;
• variety - for example, Mastercard;
• name of the issuing bank;
• three-character security code - CVV.

Some payment systems through which online trading platforms operate accept payments only based on this information without additional confirmation of the transaction. Carders specifically find such stores, hack them and gain access to the cards of customers who have already made a transaction or simply managed to register on the website of such a platform. This also includes requests from the seller to pay for goods through a strange or little-known payment service. As a rule, these are hackers who have already hacked the store; it is better to refrain from purchasing.

MCSC, VBV and two-factor authentication​

MCSC and VBV are methods of protecting payment cards using two-factor authentication, widespread mainly in Western countries, without using SMS codes and phone numbers. The cardholder independently creates a special security password at an ATM or in a bank account. MCSC and VBV methods have disadvantages due to repeated use and often cause fraud by carders. Two-factor authentication via SMS code is less vulnerable to hacking.

Two-factor authentication is popular, but also imperfect - access to a card account can be obtained through fake cookies or using virus software embedded in a computer or smartphone. It is necessary to install modern anti-virus programs that ensure the correct operation of electronics and mobile devices.

Specially designed malware is injected into user accounts with linked payment information and reads the information. For example, a Google account containing passwords for access to online stores, social networks and a linked payment card - all information ends up on the Darknet, is sold and leads to the loss of money.

Fake cookies are no less dangerous because they perform the functions of the original ones - they read actions and information about the user. The information obtained is quite useful for hackers and is also used by carders to gain access to other people's money on a bank card.

Fullz (full info)​

The most expensive type of information on the Darknet and special hacker forums is fulka or fullz. This is hacker terminology, meaning the most complete information about a person. This includes data:

• passport and other identification documents;
• last name, first name, patronymic of the bank client;
• registration address, registration and date of birth;
• email details and telephone numbers;
• all details of available payment cards;
• list of card account transactions.

In this case, carding is carried out using microtransactions. That is, the owner is using an application infected with malware. You receive a notification asking you to check the authenticity of your details by transferring a small amount, which will be returned after verification - for example, you need to transfer 1 ruble. In this way, payment information is read and the card is hacked. The scheme is not suspicious, since the notification comes from a long-installed application or software that has not previously caused any complaints.

Other schemes​

Some methods of fraud are not considered known and common, but also apply to carding. For example, BlackBox is a sophisticated method used by experienced hackers. A small computer is connected via a special wire to an ATM and cash is transferred to your own accounts. Payment terminals are also hacked in the same way; unfortunately, it is impossible to protect against such carding schemes.

Types of carding​

There are two key types of carding - with physical access to payment card data and remote theft of money. Both methods are used and sometimes part of the blame lies with the carelessness of the owner of the money account.

Physical access. It sounds strange, but even now bags and wallets are stolen that contain plastic cards with a piece of paper with a written PIN code glued to them. Other options for physical access - you forgot your card at an ATM in front of strangers, lost the envelope with the password, when paying for goods at the checkout in a store, the seller, cashier or people in line remembered the entered password. Or you withdraw money from an ATM at night in a secluded, crime-free place. If you are forced by physical threats to withdraw money from your account, this is cash carding, which is a type of physical access. Remote carding is the theft of money from the account of the owner of a plastic card.

Clothes carding (stuff carding)​

The item method is called carding by driving in - this is the purchase of various items on trading platforms on the Internet without the consent of the card holder. Drivers work according to a long-established scheme - the purchase is paid for using someone else’s card, delivery is made to fake addresses through legal services. Intermediaries receive the goods and resell them - the chain can be quite large or consist of one person. As a rule, carders prefer to work via ID with foreigners whose two-factor authentication of payment cards is not tied to a phone number.

Electronic payment systems​

In this case, it means the theft of monetary assets from electronic wallets. Hackers use two methods with payment systems:

• hack a real user's account;
• are registered under someone else's data, which is taken from the Fulka.

The first method is more complicated than the second. Using a clone account allows you to use all types of payments thanks to access to SIM cards, bank accounts and electronic wallets. That is, the clone buys goods on the Internet, transfers money to other accounts, and so on.

Replenishment of SIM cards​

Carders use several SIM cards, which are topped up using an international service. The money comes from a hacked account. Using money on your phone account, you can pay for purchases on the Internet, cash out and carry out other transactions - the variability depends on the mobile operator and the capabilities of the fraudster.

Phishing​

Creation of fake websites or pages of banks, online stores and other services where you need to enter payment card data. Typically, the URL differs by one letter or symbol and can be misleading due to user inattention. One of the phishing methods is to send emails to the cardholder on behalf of the bank asking them to confirm details using a PIN code.

Vishing​

An analogue of phishing is called scam carding - this is a method in which scammers use the most common scheme - telephone calls. In this way, they steal your card details, ask you to enter a code received on your phone, and steal money from your bank card account.

Skimming​

Carders can install special equipment on ATMs that is invisible to visitors. When the card is inserted into the slot, the data is read and stored on the skimmer. They also use special keyboard attachments and miniature cameras to obtain PIN codes. Particularly advanced hackers use fake ATMs. When performing actions with a card, a person sees an error and thinks that the ATM is not working.

Shimming​

An improved type of skimming. The method is completely identical, but the so-called “shim” inside the device may not be noticed even by bank technical service employees. “Shim” is a thin miniature device that reads data from a payment card using an ATM.

How carders avoid punishment​

Quite often, calls to the police do not bring the desired effect. Internet scammers think through every step and protect themselves from liability as much as possible. For example, the Criminal Code provides for an article and liability for such actions, but it is often impossible to physically find the culprit.

Carders use multi-factor protection, access the Internet through different IPs using VPN services and use schemes with intermediaries. For example, carding can lead the police to a drop - a person who receives goods from a store, but is not a burglar.

You have become a victim of carding: what to do?​

The first action is to inform the bank and block the card, the second is to contact the police. Unfortunately, carding victims realize the scam after the fact. Accordingly, it is unlikely that you will be able to return the money. But you need to protect yourself from future attacks of this kind. After contacting the bank and the police, you must take the following actions:

• change passwords in all accounts;
• cancel all payment card bindings on the Internet;
• use two-factor authentication using a phone number for all accounts.

Open a separate bank account for online shopping. That is, it must be an empty plastic card; replenish it through the terminal physically (deposit cash) immediately before making a purchase. It is not recommended to link a credit card or debit card with savings stored on it to accounts or trading platforms.

FAQ​

What is carding?​

This is clothing carding, in which stolen money is used for shopping in online stores.

What is phishing and skimming?​

Phishing - fake websites of trading platforms or banks that lure payment card data. Skimming is reading plastic card data at ATMs using special equipment.

Who are carders on the Internet?​

These are scammers who steal money from payment cards of bank clients.

What is important to remember​

Carding is a common method of fraud, which thrives in part due to inattention and negligent attitude towards one’s personal data. Protect your personal and payment information as much as possible - try to get ahead of carders and not fall into their networks. Be careful with phone calls from the bank, do not enter any codes on the Internet, check information about online stores.

(c) https://profunds.ru/carding