Why is carding becoming less effective in 2025?

Mutt

Carding is a type of fraud in which criminals use stolen credit or debit card details to make unauthorized transactions, purchase goods or services, or resell them. In 2025, the effectiveness of carding is significantly reduced due to the introduction of modern technologies and regulations such as PSD2, mandatory 3DS, EMV chips, advanced anti-fraud systems, and biometrics. Below, we explain in detail how each of these factors makes carding more complex, expensive, and risky, with an emphasis on the educational context.

1. PSD2 (Payment Services Directive 2)

What is it?
PSD2 is a European Union directive, adopted in 2015 and fully implemented by the 2020s, that regulates payment services in the EU. It aims to improve transaction security, protect consumers, and stimulate competition in the financial sector.

How does PSD2 affect carding?
  • Mandatory Strong Client Authentication (SCA): PSD2 requires that most online transactions use two-factor authentication (2FA), which includes at least two of three elements:
    • Knowledge (e.g. PIN or password).
    • Possession (e.g. smartphone or token).
    • Inherence (e.g. biometrics: fingerprint, face).
      Carders who steal only card data (number, expiration date, CVV) cannot pass SCA, as they do not have access to the device or biometric data of the cardholder.
  • Dynamic risk assessment: PSD2 allows banks and payment systems to conduct risk analysis in real time. If a transaction appears suspicious (for example, a purchase in an unusual place or for a large amount), additional verification is required, making it more difficult for fraudsters.
  • Exceptions to SCA: PSD2 allows for exceptions for low-risk transactions (e.g. small amounts or regular payments). However, banks are increasingly applying SCA even in these cases to minimise risks.

Why is it expensive and risky for carders?
Carders have to develop complex schemes to bypass SCA, such as phishing to obtain passwords or intercepting one-time codes. This requires significant investment in creating phishing sites, social engineering, or bribing insiders (for example, in telecommunications companies to intercept SMS). In addition, even successfully intercepting codes does not guarantee success, since banks can request biometrics or block the transaction based on behavioral analysis.

2. Mandatory 3D-Secure (3DS)

What is it?
3D-Secure is a security protocol developed by payment systems (Visa, MasterCard, Amex) that adds an additional layer of authentication to online transactions. 3DS 2.0, widely implemented by 2025, is a significant improvement over the first version.

How does 3DS affect carding?
  • Additional verification: When attempting to make an online payment, 3DS requires confirmation of the cardholder's identity. This may be:
    • A one-time code sent to the cardholder's registered phone number or email.
    • Biometric authentication via the banking app (e.g. face scanning).
    • An answer to a security question or a password.
      Carders who do not have access to the owner's phone or biometric data cannot complete the transaction.
  • Transaction context analysis: 3DS 2.0 collects over 100 transaction details (device, IP address, geolocation, time, purchase history). If, for example, a carder tries to use a card from another country or from a new device, the system can mark the transaction as suspicious and request additional verification.
  • Seamless Integration: Unlike 3DS 1.0, which often annoyed users with pop-ups, 3DS 2.0 works seamlessly for legitimate users but creates additional barriers for fraudsters.

Why is it expensive and risky for carders?
Bypassing 3DS requires either stealing the victim’s device (which is physically difficult and risky) or sophisticated attacks such as SIM swapping or data interception via malware. These methods require significant technical skills, resources, and time, and also increase the risk of detection by law enforcement. In addition, 3DS 2.0 is integrated with anti-fraud systems that quickly identify anomalies, making carding attempts less successful.

3. EMV chips

What is it?
EMV (Europay, MasterCard, Visa) is a standard for chips in bank cards that replaced outdated magnetic stripes. As of 2025, EMV chips are used in almost all cards worldwide.

How does EMV affect carding?
  • Dynamic cryptography: EMV chips generate a unique cryptographic code for each transaction that cannot be reused. This makes card cloning (skimming) virtually impossible, as the data on the chip cannot be simply copied, as was the case with magnetic stripes.
  • Limitation on physical transactions: Carders who steal card data cannot create a physical copy of a chip card for use in stores, as counterfeiting an EMV chip requires sophisticated equipment and advanced cryptography skills.
  • Online transaction limitation: Even if card data is stolen, it is difficult to use it online due to 3DS and other security measures.

Why is it expensive and risky for carders?
Counterfeiting EMV chips requires expensive equipment and expertise, which is beyond the reach of most carders. Skimming attempts (e.g. installing devices on ATMs) are becoming less effective as banks and merchants actively implement protection against skimmers. In addition, the use of stolen data for online transactions is limited by other measures (3DS, SCA), which reduces the value of the stolen data.

4. Anti-fraud systems

What is it?
Anti-fraud systems are software solutions that use machine learning, artificial intelligence, and big data analysis to detect and prevent fraudulent transactions in real time.

How do anti-fraud systems affect carding?
  • Behavioral analysis: Anti-fraud systems track user behavior patterns, including:
    • Geolocation (where the transaction takes place).
    • Device type (model, operating system, browser).
    • Time and frequency of transactions.
    • Type of purchases (e.g., items that are unusual for the user).
      If a transaction deviates from normal behavior (e.g., a purchase in another country at an unusual time), the system may block it or request additional verification.
  • Machine learning: Algorithms are constantly learning from new data, identifying even complex carding schemes such as using VPNs or proxies to hide location.
  • Cooperation between banks: Anti-fraud systems exchange data on fraudulent transactions between banks and payment systems, which allows for faster identification and blocking of carders.
  • Transaction testing: Carders often conduct small test transactions to check if the card works. Anti-fraud systems quickly recognize such attempts and block the card.

Why is it expensive and risky for carders?
Anti-fraud systems make carding less predictable. Even if carders bypass one protection, their actions can be detected due to mismatched behavior patterns. Bypassing such systems requires the use of complex tools such as device emulation, geolocation substitution, or the creation of plausible transaction scenarios, which significantly increases costs. In addition, frequent card blocking reduces the profitability of carding, since the stolen data quickly becomes useless.

5. Biometrics

What is it?
Biometrics are technologies that use a person's unique physical characteristics (fingerprints, facial recognition, voice, iris) for authentication.

How does biometrics affect carding?
  • Integration into banking apps: Most banking apps in 2025 require biometric authentication to log in or confirm transactions. For example, access to mobile banking may require a face or fingerprint scan.
  • Transaction verification: Even if carders gain access to card data, they cannot pass the biometric verification required for large transactions or to log into a bank account.
  • Difficulty of stealing biometric data: Unlike passwords or card numbers, biometric data is difficult to steal without physical access to the victim’s device or body. Even if compromised (such as through a data leak), biometrics are often tied to a specific device, limiting their use.

Why is it expensive and risky for carders?
Bypassing biometrics requires either physical access to the victim (which is extremely risky and impractical) or sophisticated attacks such as creating fake biometric data (e.g. 3D facial models to bypass recognition). Such attacks require expensive equipment and technical skills, and also increase the risk of criminal prosecution, as such actions are classified as serious crimes.

Why is carding becoming expensive and risky?

  1. Technical complexity:
    Bypassing modern protections (3DS, SCA, biometrics) requires complex tools and knowledge. For example, to intercept one-time codes, carders need phishing sites, malware, or access to the victim's SIM card. This significantly increases the costs of preparing an attack.
  2. Reduced Profitability:
    The success rate of fraudulent transactions is reduced due to multi-layered protection. Even if carders obtain card data, the probability of a successful transaction is low, as additional verification is required. This reduces the profitability of carding, as the costs of purchasing data on the black market (e.g., the darknet) often exceed the potential profit.
  3. High risk of detection:
    Anti-fraud systems and international cooperation between banks and law enforcement agencies make carding more risky. Carders can be tracked by IP addresses, devices, or money laundering schemes. In addition, using stolen data often leads to rapid blocking of cards, which limits the window of opportunity.
  4. Difficulty scaling:
    In the past, carders could automate attacks using databases of thousands of stolen cards. Now, due to individual checks (3DS, biometrics), each transaction requires manual intervention, making mass carding impractical.
  5. Legal implications:
    In 2025, law enforcement is increasingly using technology to track cybercriminals. International agreements and improved digital forensics techniques (such as blockchain analysis to track cryptocurrency transactions) increase the likelihood of catching carders.

Educational context: how does it work in real life?

For a better understanding, let's look at a typical carding scenario in 2025:
  • The carder buys card data (number, CVV, expiration date) on the darknet for $10–50.
  • He tries to use the data to make a purchase on an online store website.
  • The site requests 3DS verification by sending a code to the cardholder's phone.
  • Without access to the phone, the carder cannot complete the transaction.
  • If a carder tries to use a VPN or a fake device, the bank's anti-fraud system notices the discrepancy (for example, an IP from another country) and blocks the transaction.
  • Even if a carder somehow bypasses 3DS (e.g. through phishing), the bank can require biometric authentication through the app, making the attack virtually impossible.
  • As a result, the carder spends money and time, but does not receive profit, and his actions can be tracked.

Conclusion

In 2025, carding becomes less effective due to the synergy of modern technologies and regulations. PSD2 and 3DS require multi-factor authentication, EMV chips prevent card cloning, anti-fraud systems detect anomalies, and biometrics add a unique layer of protection. These measures make carding technically complex, financially expensive, and legally risky. For educational purposes, it is important to understand that cybersecurity is a dynamic field, where banks, payment systems, and law enforcement agencies are constantly adapting to new threats, and carders, in turn, are forced to look for increasingly sophisticated (and expensive) ways to bypass protection.
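
The layered decision described above (behavioural signals raising a risk score that leads to additional verification or a block, plus recognition of small test transactions) can be sketched from the issuer's side. This is an added example, not part of the original post or any real anti-fraud product; the field names, weights, thresholds and sample transactions are all assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Assumed values for illustration only; real systems tune these on their own data.
TEST_WINDOW_S, TEST_MAX_AMOUNT, TEST_MAX_COUNT = 600, 2.00, 3
STEP_UP, BLOCK = 40, 80          # score thresholds: challenge (SCA/3DS) / decline

@dataclass
class Txn:
    ts: int        # epoch seconds
    card: str      # card token, never the PAN
    amount: float
    country: str   # country derived from the IP address
    device: str    # device fingerprint id

class RiskEngine:
    def __init__(self, profiles):
        self.profiles = profiles             # card -> usual country and known devices
        self.small = defaultdict(deque)      # card -> timestamps of recent small auths

    def decide(self, t):
        p = self.profiles.get(t.card, {"country": None, "devices": set()})
        score, reasons = 0, []
        if t.country != p["country"]:
            score += 30
            reasons.append("country_mismatch")
        if t.device not in p["devices"]:
            score += 20
            reasons.append("new_device")
        q = self.small[t.card]
        while q and t.ts - q[0] > TEST_WINDOW_S:
            q.popleft()                      # expire events outside the window
        if t.amount <= TEST_MAX_AMOUNT:
            q.append(t.ts)
        if len(q) > TEST_MAX_COUNT:          # burst of tiny authorisations
            score += 60
            reasons.append("card_testing_velocity")
        action = "block" if score >= BLOCK else "step_up" if score >= STEP_UP else "allow"
        return action, score, reasons

# Constructed sample data (not real transactions)
PROFILES = {"tok_A": {"country": "DE", "devices": {"dev1"}}}
SAMPLE = [Txn(1000, "tok_A", 54.90, "DE", "dev1"), Txn(2000, "tok_A", 120.00, "BR", "dev9")]
SAMPLE += [Txn(3000 + 60 * i, "tok_A", 1.00, "BR", "dev9") for i in range(4)]
SAMPLE.append(Txn(5000, "tok_A", 1.50, "DE", "dev1"))

def run(sample=SAMPLE):
    engine = RiskEngine(PROFILES)
    return [engine.decide(t) for t in sample]

if __name__ == "__main__":
    for txn, (action, score, reasons) in zip(SAMPLE, run()):
        print(txn.ts, action, score, reasons)
```

The last sample transaction shows the other half of the design: a small purchase from the cardholder's usual country and device, made after the velocity window has expired, is allowed without a challenge.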