Why $5 card validity tests pass, but $100+ transactions are blocked: Anti-fraud mechanisms in the context of carding

Student


Introduction

In the practice of carding — organized financial fraud using stolen credit card data — criminals (carders) often employ a strategy of "test runs" for small amounts (e.g., $1–$5) to verify card validity before larger transactions. These tests may be successfully authorized, but subsequent transactions of $100+ are often blocked by payment gateways, issuing banks, or anti-fraud systems. This is not a random anomaly, but the result of a multi-layered security architecture that uses a risk-based approach: low-risk transactions (small amounts) are subject to minimal checks to avoid annoying legitimate users, but accumulate data for escalating scrutiny.

This educational overview dives into the technical mechanisms, including velocity checks, amount thresholds, and integration with tools like MaxMind minFraud (connected to GeoIP2). We'll explore why tests work, how large-scale fraud is blocked, examples from carding, evasion strategies, and countermeasures. The goal is to raise awareness of cybersecurity and payment system mechanisms (Visa, Mastercard, Stripe) to emphasize the importance of proactive protection. This information is for educational purposes only; any fraud is illegal and punishable by law.

What is carding and the role of "validity testing"?

Carding involves the theft of card data (through phishing, skimming, or darknet markets), its verification, and monetization (purchases, cash-outs through mules). According to the Chargebacks911 report (2023), carding accounts for approximately 20% of all payment fraud, with losses exceeding $30 billion annually. Testing is a key step:
  • Small tests ($5): Purchases on low-threshold websites (e.g., donations on itch.io, gift cards on Amazon for $4.99, or micropayments in games). The goal is to confirm that the card is "active" (not blocked) without significant spending.
  • Why it works: These amounts simulate everyday traffic (coffee at Starbucks, trial service), and banks do not waste resources on micro-analysis.
  • Moving to larger amounts: After 1–3 successful tests, carders try to "drop" the card, i.e., extract $100–500+ in goods or crypto. At this point the triggers fire, blocking 70–90% of attempts (according to Visa stats).

Carding forums (e.g., on the darknet) trade "tips" on which thresholds yield "clean drops," but the systems evolve, reducing success by 40% annually.

Technical reasons: multi-tiered anti-fraud architecture

Payment ecosystems use a four-tier model (L0–L3 according to EMVCo), where checks escalate based on risk. Small amounts are L1 (authorization), while larger amounts are L2/L3 (with 3D Secure). Here's a detailed breakdown:

1. Velocity Checks: Monitoring Frequency and Patterns

  • Mechanism: Systems (e.g., Stripe Radar or PayPal Fraud Protection) track "velocity" — metrics like transactions/min, amount/hour, IP/device. Limits are dynamic: 5–10 low-value transactions per hour are OK, but >2 high-value transactions raise a flag.
  • Why $5 passes: One test is "single noise" (velocity score <10). Banks see ~10^6 of these daily, so they approve based on basic data (PAN, expiry, CVV).
  • Blocking $100+: After the test, the velocity increases: if two tests are completed and then a large transaction follows within 15 minutes, the score rises by 20–40. Example: Mastercard's Decision Intelligence blocks if >$150/hour for a new card.
  • In carding: Carders use "bin walkers" (scripts for mass testing), but velocity checks catch roughly 65% of them (FICO reports). Distributing attempts across proxies is the usual bypass, but GeoIP2 flags IP changes (+15 points).
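The sliding-window velocity check described in this section, as an added example written for this post (it is not Stripe Radar, Mastercard Decision Intelligence, or any vendor's code). The thresholds (`HIGH_VALUE`, `MAX_HIGH_VALUE_IN_SHORT`, `NEW_CARD_HOURLY_LIMIT`, `FLAG_AT`) are assumptions that mirror the figures quoted above; the card identifiers and timestamps are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds, loosely following the text: >2 high-value attempts in 15 minutes,
# or >$150 in an hour on a card with no history, push the velocity score past the flag.
HIGH_VALUE = 50.0                    # attempts at or above this count as high-value
SHORT_WINDOW = timedelta(minutes=15)
HOUR_WINDOW = timedelta(hours=1)
MAX_HIGH_VALUE_IN_SHORT = 2          # a third high-value attempt in 15 min is flagged
NEW_CARD_HOURLY_LIMIT = 150.0        # assumed per-hour cap for a "new" card
FLAG_AT = 40                         # velocity score at which the attempt is flagged


class VelocityTracker:
    """Keeps one hour of authorization attempts per card and scores each new one."""

    def __init__(self):
        self._history = defaultdict(deque)   # card -> deque of (timestamp, amount)

    def record(self, card, amount, ts, new_card=False):
        """Score the attempt against the card's recent history, then store it.

        Returns (score, reasons, flagged). A lone low-value attempt scores 0,
        which is the "single noise" the text describes."""
        h = self._history[card]
        while h and ts - h[0][0] > HOUR_WINDOW:   # drop attempts older than one hour
            h.popleft()

        recent = [(t, a) for t, a in h if ts - t <= SHORT_WINDOW]
        high_in_short = sum(1 for _, a in recent if a >= HIGH_VALUE)
        amount_in_hour = sum(a for _, a in h) + amount

        score, reasons = 0, []
        if amount >= HIGH_VALUE:
            if high_in_short + 1 > MAX_HIGH_VALUE_IN_SHORT:
                score += 30
                reasons.append("HIGH_VALUE_BURST")
            if len(recent) >= 2:   # two or more prior attempts in 15 min, then a large one
                score += 20
                reasons.append("TESTS_THEN_LARGE")
        if new_card and amount_in_hour > NEW_CARD_HOURLY_LIMIT:
            score += 40
            reasons.append("NEW_CARD_HOURLY_LIMIT")

        h.append((ts, amount))
        return score, reasons, score >= FLAG_AT


def replay_test_then_drop():
    """Constructed sequence: two micro-tests, then a $200 attempt 10 minutes later."""
    tracker = VelocityTracker()
    t0 = datetime(2024, 1, 1, 12, 0)
    card = "constructed-card-1"
    return [
        tracker.record(card, 4.99, t0, new_card=True),
        tracker.record(card, 1.00, t0 + timedelta(minutes=5), new_card=True),
        tracker.record(card, 200.00, t0 + timedelta(minutes=10), new_card=True),
    ]


def replay_high_value_burst():
    """Constructed sequence: three high-value attempts within three minutes."""
    tracker = VelocityTracker()
    t0 = datetime(2024, 1, 1, 9, 0)
    card = "constructed-card-2"
    tracker.record(card, 60.00, t0)
    tracker.record(card, 70.00, t0 + timedelta(minutes=1))
    return tracker.record(card, 80.00, t0 + timedelta(minutes=2))


if __name__ == "__main__":
    for score, reasons, flagged in replay_test_then_drop():
        print(score, reasons, "FLAGGED" if flagged else "ok")
    print(replay_high_value_burst())
```

The first two attempts score 0 and pass, exactly as the text predicts for a single micro-test; the $200 attempt is scored before authorization with the two tests still inside the 15-minute window and the hourly total already over the new-card cap, so it is flagged. The window is pruned on every call, so memory per card stays bounded to one hour of attempts.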

2. Amount-Based Thresholds: Transaction Amount Thresholds

  • Mechanism: Gateways have hardcoded rules: <$10 — only AVS (Address Verification) + CVV; $10–$50 — basic 3DS 1.0; >$50 — 3DS 2.0 (with device data, biometrics). Issuers (banks) add their own: e.g., Chase has a $100 limit for "unknown" merchants.
  • Why $5 goes through: Below the "micro-transaction threshold" (~$10), it goes through L1 without an OTP. There's no notification to the owner—the fraud isn't immediately noticeable.
  • $100+ Block: Activates "high-value flow": 3DS requests a challenge (SMS/app code) that the carder can't pass. Plus, amount_multiplier in scoring (+25 points for >$100).
  • Statistics: According to Aite Group, 55% of fraud is in the $100 range, so the thresholds there are strict; tests under $5 account for only 5% of fraud.

3. Risk Scoring in minFraud and Similar Platforms: Integration with GeoIP2

  • Mechanism: The minFraud API combines 300+ signals: IP (from GeoIP2), device fingerprint (FingerprintJS), and behavior (mouse moves). Score 0–100: <25 — approve, 25–75 — review, >75 — decline.
  • Why $5 works: The base score is low (e.g., 20: +10 for a new account, but the amount is low). Even with a proxy (iCloud Relay +20), the overall score is <40—OK.
  • $100+ Block: Amount as a weighting factor: +15–35 points (2x multiplier for high values). Plus, cumulatively: the test leaves a "shadow" in the session, escalating the score. Example minFraud request (field names follow the minFraud Score API schema, where the IP sits under `device` and the amount under `order`; the IP value is a placeholder):
    JSON:
    {
      "account": {"user_id": "carder123"},
      "device": {"ip_address": "relay-ip.example"},
      "order": {"amount": 150, "currency": "USD"}
    }
    Illustrative response: {"risk_score": 82, "reasons": ["HIGH_VELOCITY", "HIGH_AMOUNT"]}
  • Connection with GeoIP2: If the test is via a relay (proxy flag), +20 base; for large amounts, +10 extra for mismatch (billing US vs. relay geo).

4. Issuer-Side and Network-Level Controls: Banks and Payment Networks

  • Mechanism: Issuers use AI (FICO's Falcon, Ethoca Alerts): ML models analyze card history (e.g., >3 tests = fraud pattern). Networks (VisaNet) share data in real time.
  • Why $5 goes through: Banks ignore "low-stakes" (saving on false positives; <1% fraud in <$10).
  • $100+ block: "Material loss" trigger: auto-notification + hold. If the card is "compromised" (according to Ethoca), decline all. Time: <2 seconds for L3.
  • In carding: "Burner cards" (disposable) pass tests, but are then blacklisted in VISANet.

5. Additional triggers: Geo, Device, and Behavioral

  • Geo Mismatch: GeoIP2 shows relay-IP ≠ billing → +20–30 for large amounts (ignored for the test).
  • Device Changes: Test on mobile, purchase on desktop → +15.
  • Behavioral: Quick checkout without browsing → +10.

| Factor | Details for the $5 test | Details for a $100+ transaction | Contribution to risk score | Effect on carding success |
|---|---|---|---|---|
| Velocity | 1–3 at a time OK | >2 high-value/15 min | +15–30 | Catches 60% |
| Amount Threshold | L1: AVS only | L3: 3DS 2.0 + OTP | +20–40 | Blocks 70% |
| minFraud Scoring | Basic <30 | Multiplier + cumulative | +25–50 | 80% detection |
| Issuer Rules | Ignore micro | Auto-notification/hold | Decline >50% | 75% for fresh bins |
| Geo/Device | Light flag | Strict mismatch | +10–25 | +40% with proxy |

Example of a carding scenario: from testing to blocking

  1. Preparation: Carder buys "fullz" (card data) for $10 on the darknet, uses a residential proxy (IP in NY, billing CA).
  2. Test ($4.99): Donate to Patreon. Velocity=1, amount low, score=25 (GeoIP2 +10 for proxy) → approve in 1 second. Card is "valid" — sells data for $50.
  3. Large ($200): Purchase of an iPhone at Best Buy in 10 minutes. Velocity=2, amount high, mismatch +20 (relay flag), 3DS requires SMS → carder fails, declines. Bank flags the card, blocking everything.
  4. Consequences: Chargeback after 24 hours, the merchant loses $5 (test), but avoids $200. The carder loses time/proxy.
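The scenario above replayed through a toy risk engine, as an added example written for this post (it is not minFraud, Stripe Radar, or any issuer's real model). It combines the signals from sections 2, 3 and 5: amount tier, proxy flag, geo mismatch (ignored at the micro tier), device change, the cumulative session "shadow", and a 3DS challenge at L3. Weights reuse the figures quoted in the text where they exist (new account +10, proxy +10, amount >$100 +25, geo mismatch +20); `SESSION_HISTORY` at +5 per prior attempt, the `Attempt`/`CardSession` fields and the card values are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# minFraud-style decision bands from section 3: <25 approve, 25-75 review, >75 decline.
APPROVE_BELOW = 25
DECLINE_ABOVE = 75


@dataclass
class Attempt:
    card: str
    amount: float
    proxy: bool                  # IP classified as relay/proxy (GeoIP2-style anonymizer flag)
    ip_region: str               # region geolocated from the IP
    billing_region: str
    device: str                  # "mobile" or "desktop"
    new_account: bool
    challenge_passed: Optional[bool] = None   # outcome of a 3DS challenge, if one was sent


@dataclass
class CardSession:
    """What the gateway remembers about a card between attempts (the 'shadow')."""
    prior_attempts: int = 0
    last_device: Optional[str] = None


def amount_tier(amount: float) -> str:
    """Check level by amount, following the thresholds in section 2."""
    if amount < 10:
        return "L1"      # AVS + CVV only, no OTP
    if amount <= 50:
        return "L2"      # basic 3DS 1.0
    return "L3"          # 3DS 2.0 with a possible challenge


def score_attempt(a: Attempt, s: CardSession) -> dict:
    """Score one attempt, decide, and update the card's session state."""
    score, reasons = 0, []
    tier = amount_tier(a.amount)
    if a.new_account:
        score += 10
        reasons.append("NEW_ACCOUNT")
    if a.proxy:
        score += 10
        reasons.append("PROXY_IP")
    if tier != "L1":                              # geo/amount weighting is skipped for micro-tests
        if a.ip_region != a.billing_region:
            score += 20
            reasons.append("GEO_MISMATCH")
        if a.amount > 100:
            score += 25
            reasons.append("HIGH_AMOUNT")
    if s.last_device and s.last_device != a.device:
        score += 15
        reasons.append("DEVICE_CHANGE")
    if s.prior_attempts:                          # cumulative shadow left by earlier attempts
        score += 5 * s.prior_attempts
        reasons.append("SESSION_HISTORY")

    if score < APPROVE_BELOW:
        decision = "approve"
    elif score > DECLINE_ABOVE:
        decision = "decline"
    elif tier == "L3":                            # review band at L3: step up to a 3DS challenge
        if a.challenge_passed:
            decision = "approve"
        else:
            decision = "decline"
            reasons.append("CHALLENGE_FAILED")
    else:
        decision = "approve"                      # frictionless review at the lower tiers

    s.prior_attempts += 1
    s.last_device = a.device
    return {"tier": tier, "score": score, "decision": decision, "reasons": reasons}


def run_scenario():
    """Constructed replay of the scenario: $4.99 test, then $200 ten minutes later."""
    session = CardSession()
    common = dict(card="constructed-card", proxy=True, ip_region="NY",
                  billing_region="CA", device="desktop", new_account=True)
    test = Attempt(amount=4.99, **common)
    drop = Attempt(amount=200.00, challenge_passed=False, **common)
    return [score_attempt(test, session), score_attempt(drop, session)]


if __name__ == "__main__":
    for result in run_scenario():
        print(result)
```

The $4.99 test lands at L1 with a score of 20 and is approved without a challenge, even though the proxy and the NY/CA mismatch are already visible; the $200 attempt on the same card scores 70, falls into the review band at L3, is stepped up to a 3DS challenge, and is declined when the challenge is not passed. The point a defender should take from the replay is that the first attempt's signals are not wasted: they are stored in the session and re-weighted when the amount crosses the tier boundary.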

According to Krebs on Security, 80% of carding campaigns end at the velocity/amount checks.

Carder Evasion Strategies and Advanced Countermeasures

Bypasses (for threat intel, not instructions):
  • Slow-burn: Tests 1/day, amounts $0.50–$10 (simulated subscriptions).
  • Multi-drop: Distribution across mules/accounts, SOCKS5 + TOR for IP rotation.
  • Spoof & Mimic: Geo spoofing for billing, human-like behavior (bots with delays).
  • Crypto ramps: Testing in DeFi (low thresholds), but growing monitoring (Chainalysis).

Countermeasures for merchants/banks:
  • AI adaptation: Dynamic thresholds (Riskified: ML based on user profile, reduces false positives by 30%).
  • 3DS Universal: For all transactions >$1, with a frictionless flow (no challenge for low-risk).
  • Post-Auth Monitoring: Ethoca alerts for refunds within 24 hours.
  • Integration: minFraud + device intel + network sharing (Visa Account Updater for data cleanliness).
  • Global trends: PSD2 in the EU requires SCA (Strong Customer Auth) for >€30, blocking 85% of fraud.

Conclusion

Small tests ($5) pass because anti-fraud systems balance convenience and security: low thresholds minimize user churn (false declines <2%) but accumulate intelligence for major threats. $100+ activates escalation (velocity + amount + scoring), blocking 80–95% of carding attacks thanks to GeoIP2/minFraud and 3DS. This is an evolution from static rules to AI-driven ones (loss reduction by 60% over 5 years, according to Juniper Research). For businesses: configure custom rules in gateways; for users: enable alerts and 2FA. For more information: read EMVCo specs or FICO whitepapers. Understanding these mechanisms strengthens the digital economy against fraud.