Carding - what is it on the Internet and how it works

[Carding 4 Carders]

Content

1. What is carding
2. Carding scheme
3. Credit cards
4. Two-factor authentication, VBV, MCSC
5. Full Info (Fullz)
6. What is carding
7. With physical access to a card or ATM
8. Remote attacks
9. Carding methods
10. Stuff carding
11. Payment systems
12. Transfers on SIM cards
13. Gift certificates
14. Hotels, flights
15. How is the process of stealing funds
16. Why carders avoid punishment
17. How to protect yourself from carding
18. Example of carding
19. Conclusion

Carding is a type of fraud involving bank cards, both credit and debit. Almost everyone has come across carding in one way or another. Many people personally know people who have suffered from this type of fraud.

Today we are going to talk about the types of carding and the most common schemes used by scammers. We will also tell you how to protect yourself from the actions of the carder and what to do if you have lost money.

This article is not a guide to action, it was created solely to inform users about ways to steal money from bank cards. The use of someone else's personal data without the consent of their owner, as well as any other fraudulent actions, are condemned by the author and prosecuted.

What is carding​

So what is carding? This is the theft of non-cash funds in two ways:

1. Transferring money to your card or account.
2. Purchase of goods in online stores for the purpose of subsequent resale.

Criminals who specialize in this type of fraud are called carders. Basically, carders are people who make purchases in online stores on behalf of the owner of the plastic, whose personal data was obtained illegally.

As a rule, the victims of carders are people who neglect basic safety rules. Inattention at the ATM, sending passwords and codes from SMS to people who claim to be bank employees, sending money to a “friend” in a difficult life situation - all this is familiar to many. However, with the development of modern technologies and means of protection, fraud schemes are also being improved. Every bank card holder bears the risk of becoming a victim of a carder.

Much attention is paid to the protection of personal data. However, this law does not always work in our favor, and here's why. Each time you sign a consent to the processing of personal data when you contact a bank, store, medical organization, you only help the employees of these organizations to protect themselves in order to send you advertising and all kinds of spam with a clear conscience, referring to your voluntary consent. Surely you have been called more than once from a "bank" to which you have never applied and have neither a card nor an account there. An employee of the "bank" calls you by name, despite the fact that you have never dealt with this organization in your life. This is the result of the database trading that is conducted through the darknet.

If you ask this person where he got your personal data from - at least a name and phone number, most likely he will just hang up. The fraudster knows perfectly well that you will not contact the police, the maximum is to add the caller's number to the black list. There can be dozens of such numbers, and with the advent of IP telephony and virtual numbers, it becomes even easier to maintain anonymity.

You can, of course, simply not answer if the display shows an unfamiliar number. But there are people who, due to the specifics of their work, simply cannot but answer a call from an unknown number. What if it's a potential client? And in ordinary life, different situations happen. In any case, if it comes to a bank card, disconnect immediately. This is the first rule. But phone fraud is not the only way to take money. Next, let's talk about what schemes the carders use.

Carding scheme​

In fact, there are several carding schemes. The first, well known to many, is that scammers acquire a database with user data. Such databases are sold on the darknet. The data is usually "merged" by employees - current or former - of the companies where clients provide their personal data. In addition, the bases are attacked by hackers, and the personal data of people becomes available to carders. Further, the fraudster acts according to the following scheme:

1. A call to a potential victim (most often, of course, it is not the carder himself who calls, but his "subordinate" who introduced himself as a bank security officer).
2. A message about a "suspicious" transaction for a large amount, awaiting confirmation by the cardholder (plastic holder). The worried person, of course, will answer that he did not perform or planned any such operations.
3. Further, the fraudster reports that the "client" has been attacked by fraudsters (in this case, this is the true truth). And, in order to protect the funds, he asks to dictate a four-digit code that will be received by SMS. Everything, the money has been written off.

The code is generated by the payment aggregator used by the online store. So we come to the second popular carding scheme on the Internet.

I think you have come across advertisements on the Internet for the sale of goods from the USA and Europe at fairly low prices. Using popular online services to place advertisements for the sale of goods, criminals sell items bought with the money of cardholders in foreign online stores.

There are several flavors of the circuit here. The first, already known to you, is described above. Another scheme assumes the absence of two-factor authentication (i.e. SMS messages with a one-time code required for debiting funds). In such cases, to make a payment, it is enough to know the card details, including the three-digit code on the back.

This code can be obtained in several ways:

• directly from the owner of the plastic by misleading;
• as a result of hacking into the user's computer or smartphone;
• unfortunately, there are also known cases when the code was read from the servers of payment aggregators or bona fide stores that were attacked by hackers.

In general terms, I think the scheme of actions is clear. Carders are scammers who use modern technical means. They use VPNs, virtual phone numbers and wallets tied to the names of various people, often unaware that their names are being used to commit illegal acts.

Credit cards​

In this case, we mean any plastic cards - not necessarily credit cards. The term "credit card" came from the West, where credit card payments have existed for several decades.

With the advent of non-cash payments in Russia, debit cards began to be issued, but the term "credit card" remained.

So, the plastic card contains the following information:

• surname and name of the owner in Latin letters;
• validity;
• type (VISA, MasterCard, etc.);
• the name of the issuing bank;
• number;
• CVV (three-digit security code).

For some online stores and payment systems, this data is sufficient. Finding a store that accepts payments using a CVV code is not an easy task, but such stores exist. Searching for them in the network is one of the main activities of the carder.

I would also recommend sticking to the following rule. If the seller asks to transfer money through some little-known payment service, the name of which does not tell you anything, refrain from buying. In most cases, two-factor authentication and other security methods are used.

Two-factor authentication, VBV, MCSC​

So, two-factor authentication is the same SMS message with an automatically generated numeric code that comes to your phone to confirm the payment. In theory, only you should know the code. Unfortunately, in order for a fraudster to recognize the code, it is not always necessary to inform him personally. Information can be read by malware embedded on your device or by substituting cookies.

Cookies are files that are sent to your device when you visit a website. You've probably seen a pop-up message like this: "This site uses cookies, please confirm access for your safety, etc.". This inscription often interferes with viewing the content, and in most cases we simply click “Accept” to make the annoying banner disappear. What are these files and what information do they collect about you?

In most cases, cookies are completely safe. Their main function is to identify you as a unique user. It is known that many sites make money from advertising. In this case, the website owner's income depends on the number of views.

In addition, by registering on a site, such as an online store, you create an account. Often, card details are also linked to the user's account, so as not to enter them again every time a payment is made.

How can they be dangerous? The most harmless thing is that your data can be used for intrusive advertising. Sometimes, website owners sell cookies to advertisers along with information about you. In addition, there is also contextual advertising, when the history of your requests is tracked using cookies. The methods of obtaining data in these cases are not always legal, but this is a separate topic.

It also happens that cookies are intercepted by a hacker in order to create a copy of them and act on your behalf, including carding using your account.

VBV and MCSC are two-factor authentication methods without using a phone number. In this case, the plastic owner independently creates a password for making payments and installs it on the card through an ATM or the bank's website. In Russia and the CIS countries, these methods are not very popular, but in the West they are widely used. These codes are more vulnerable than SMS authentication. are used many times.

Sometimes the carder himself can install such a code on an unsuspecting person's credit card and make purchases on the network on his behalf.

Full Info (Fullz)​

Fullz (from the English full) - in the jargon of carders means "full information about the card holder." This includes:

• Full name of the bank client;
• passport data;
• Date of Birth;
• registration address;
• phone number and email address;
• all card details, including the code word specified during registration;
• a list of devices used to perform operations with their IP addresses;
• a list of programs through which payments were made (mobile application, web client, etc.);
• list of account transactions.

Fullz are the most expensive carding product on the market, allowing transactions to be performed using microtransactions.

Surely you have seen this: 1 ruble is debited from your card, which will then be returned to you in order to verify the account holder's data. In this way, sometimes scammers can get complete information about you.

Next, let's move on to classification. Let's consider the main types of carding.

What is carding​

With physical access to a card or ATM

Here we will not talk about stealing credit cards with pieces of paper with a pin code glued to them or about stealing a bag, where it is easy to find such a piece of paper in the documents. However, let me remind you that when using an ATM, you should be careful and cover the keyboard with your hand when entering the PIN code.

In addition, sometimes there are cases when only the keyboard for entering the PIN code is available to the payer, and the seller takes the credit card, because the terminal is under the counter. Such devices - PIN-Pad with a portable keyboard - are used in medical organizations and other institutions where the cash register is a room with a window for payments. That is, in fact, you do not see the terminal, and the seller's actions are outside your field of vision. In this case, the seller has enough time to see the CVV code. This means that you are not immune to carding.

In addition, even if you pay on your own, theoretically the seller has the ability to remember the credit card details.

There are cases when bank employees using a special device scanned the card data for subsequent production of its copy. Fortunately, with the advent of contactless payments, such stories are extremely rare.

It is worth mentioning a special device that can be connected to an ATM and withdraw all funds that are available. Such miniature computers, called BlackBoxes, pose a serious threat to the US banking system. However, the injured party is still the bank, not the credit card holder. Our article is about how an individual can protect their funds.

The second type of card fraud is much more widespread. In a sense, remote carding is improving along with the development of security technologies.

Remote attacks​

This is the purchase of goods and services without the physical presentation of plastic. Most often, the carding scheme works like this: a fraudster purchases goods from an online store using a CVV code or read two-factor authentication data. Then it's a matter of technology: the goods are delivered to a safe address and sold to third parties.
There are also several other carding methods. Let's consider each one separately.

Carding methods​

Stuff carding
So, clothing carding is the purchase of goods without the consent of the cardholder. This method becomes quite complicated because most online stores work with trusted banks that use two-factor authentication. But it should be noted that clothing carding in Russia is not very widespread - most criminals hunt for foreigners' money, who use multiple protection systems - VBV or MCSC.

The carding scheme works like this: goods are paid for with someone else's credit card, and delivery is made to the address of the drop (figurehead). The procedure for entering data for making a payment is called "driving".

In the case of a successful transfer of funds from someone else's card, a confirmation with a track number for tracking the parcel is sent to the email address created by the fraudster specifically for these purposes.

The main difficulty lies in the fact that it is not easy to find an online store that is ready to deliver the package to the address indicated by the payer. Most companies prefer not to risk their reputation and arrange delivery to the buyer's registration address. However, there are those who work with the so-called "spikes" (from the English ship address - delivery address). In this case, the drop address is used.

Drops are of two types:

1. People are looking for easy money. Carders find them on the Internet on freelance exchanges or other job search resources and offer an easy task for a decent pay. The essence of the task is to receive the parcel and then transfer its contents to a third party. Whether a drop will be paid for this work depends on the honesty of the "employer".
2. People who are aware that they are carding. Such, as a rule, require prepayment.

Further, the goods are transferred to the buyer for subsequent sale. Carder's earnings are approximately 40-50% of the purchase price.

Payment systems​

Payment systems are electronic money settlement systems. The most famous are WebMoney, PayPal, QIWI, etc.

Carding, which is theft of funds from electronic wallets, is performed in two ways:

• hacking a real person's account;
• registration under a false name according to data taken from fullz.

The second way is cheaper. The fraudster drains money to a created account with the name of the owner of the stolen data. This account has full access, including a SIM card. Thus, it is possible to freely buy goods, services, cryptocurrencies and perform other transactions using electronic payments.

The only difficulty may arise with the withdrawal of funds or their cashing. But more often than not, such a need does not arise.

With the advent of cryptocurrencies, carders have expanded their options for withdrawing money - many crypto wallets remain completely anonymous.

Transfers on SIM cards​

Carding using sim cards works according to the following scheme:

1. Several SIM cards are purchased at a low price. You can buy them on popular websites selling goods from individuals.
2. Carder transfers money from a hacked account to one of these SIM cards through international replenishment services.

International top-up services are created for tourists who can top up the SIM card of the host country with money in any currency with subsequent conversion. Such services do not belong to payment systems, which means they are more vulnerable from a security point of view.

1. If successful, the funds are instantly withdrawn to QIWI or a crypto wallet.

Gift certificates​

This is one of the varieties of stuff carding. The cardholder may not notice for a long time that bonuses are disappearing from his account. Agree, not everyone follows the bonuses that are awarded for large purchases. Also, not everyone has the opportunity to use these bonuses in a limited time frame.

For example, a person purchased the latest iPhone and received a gift certificate from an Apple store valid for 3 months. The certificate usually implies compensation for some small part of the purchase. It is unlikely that in such a short period of time a person will again decide to buy something expensive. And many people simply forget about such gifts, which carders use successfully.

The fraudster receives information about the bonuses and gift certificates on the account from the fullz. You can spend money at your discretion. Gifts (from the English - a gift) - this is the name of the certificates in the slang of fraudsters in the field of carding - can be resold on the darknet for 20-30% of the face value.

Hotels, flights​

It uses a scheme similar to that used for gift certificates. Airlines earn bonus miles, and booking services reward regular customers by providing hotel rooms with good discounts.

Accounts with bonuses are found by carders by hacking the servers of various banks. As a rule, one or two accounts with bonuses are enough to pay for an air ticket or a hotel room, which are sold at a low price (20-30% of the real cost). Needless to say, such offers fly like hot cakes.

For the owner of the credit card, carding specializing in bonuses is the least evil. Basically, everyone is worried about the safety of money, and bonuses are not so important. In addition, they often simply burn out if they are not used in due time. Therefore, the likelihood that the fraud will be detected is quite low.

How is the process of stealing funds​

So, we already know that real carding falls into two categories:

• physical access;
• remote carding.

We have already dealt with physical access. Distance carding can be divided into two types:

1. Receiving data directly from the owner (telephone fraud), when a criminal calls a person, intimidates him for suspicious card transactions and receives a password from SMS. With this, too, everything is more or less clear.
2. When it comes to retrieving data about account holders from the network, this usually happens using a bot that distributes malicious software that reads the personal data of account holders. In this case, the victim learns about the theft only when he receives a notification about the withdrawal of funds, if this setting is set on his mobile phone or e-mail.
3. There is also a scam (scam) in carding, which is not carding in the literal sense of the word. Scam is about deceiving beginners who want to try their hand at carding. In slang, they are called "hamsters". By registering on the carders forum, a newbie finds an advertisement for the sale of equipment at a price of 50% of the real value, credit cards or accounts in payment systems, etc. Most of these ads are "scam". Therefore, having come to carding, a beginner with a probability of more than 90% will run into a scammer. And the gadget, for which the money was paid, most likely, the "hamster" will never see. As well as money, of course.

Why carders avoid punishment​

In general, online fraud is an area in which it is rather difficult to prove anything. Firstly, a case is started only if a large sum is stolen (in the West - from $ 1000). In Russia, to open a criminal case, the amount must be at least 5,000 rubles. However, in practice, this is difficult to implement, and here's why.

Suppose law enforcement agencies went to the drop. What information will he give them? “I found an ad on the stock exchange, it was required to deliver the package. I took her, got my 500 rubles. I have not contacted the customer anymore. " And this is often true. Even if he gives the number and e-mail address, which contacted him, the number is most likely no longer used, and the mail is registered on the IP of another country. The money was deposited through the ATM as payment for the task. How to find the criminal in this case?

Even if the police go to the carder himself and come to his house, then the correspondence in messengers (which can be quickly destroyed) or the presence of malware on computers is used as evidence. But professionals use VPNs, use crypto-protected messengers, and follow other online security rules.

In addition, the carder may introduce himself as a drop, and in this case he is no longer the accused, but a witness.

Therefore, the best we can take is security measures.

How to protect yourself from carding​

1. When shopping online, use two-factor SMS authentication. Today this method is the safest.
2. Never, under any circumstances, give SMS codes, three-digit CVV codes and PIN codes from cards. If you need to get money from a stranger, all he needs to know is your last name and first name in Latin letters and your card number.
3. Do not store your card details on public computers.
4. Set up notifications about all card transactions that will be sent to your phone immediately after the funds are debited. Even if such a service is paid, it is inexpensive.
5. If you are saving up bonuses or cashback, keep track of the status of your bonus account. Request statements of bonuses - when and on what they were spent.
6. If a "bank employee" calls you and you are really interested in his offer (for example, you are offered a credit card and you really need it), ask his last name and first name. Let us know what you need to think about and ask to call back another time. Call the bank and find out if this number belongs to the bank and if there is such an employee. There are known cases when the purpose of such calls is to obtain your personal data or debit card data.
7. Use only official banking apps downloaded from the Apple Store or Google Play.
8. Use and keep your antivirus software up to date.
9. In case you become a victim of a scammer, the first thing to do is to block the card. Next, you should inform the bank and the police. The likelihood that a fraudster will be caught is low, but your appeal will be a reason to think about improving security systems.
10. Use multiple cards. For example, one is for everyday purchases, and the other is for savings.

Example of carding​

Experienced carders tend to hunt for accounts of Europeans and Americans. But we will give examples of carding in Russian realities so that no questions arise - when and how funds from credit cards disappear.

Alexander posted an advertisement for the sale of the sofa on Avito. The sofa is new, not cheap, but, unfortunately, it did not fit into the new living room. Therefore, the owner decided to sell it at a price 10% cheaper than the purchase price.

The announcement did not generate much interest for a week. Finally, late in the evening, Alexander received a call from a person who wants to buy a sofa right now, and even send an advance payment. Judging by the voice, the potential buyer was delighted with the sofa and was eager to become its owner.

Only now the time is already late and he cannot come now, but he is ready to pay the entire amount to a bank card. To do this, you need Alexander's card number.

It is not dangerous to give a credit card number, and Alexander dictated it to his interlocutor. Then he said that the transfer was sent with a security code, which will now come to the seller's phone. Without stopping the conversation, the fraudster asks Alexander to dictate a four-digit code to him. After the message of the code, the connection is "broken". It's good if Alexander has no money on the card, or the amount is very small.

Another example. Elena bought a credit card and decided to pay for her mobile phone. Elena planned to pay through a free application downloaded to her tablet.

But the antivirus was not installed on Elena's tablet, and therefore the login and password entry window was replaced by a malicious program. Thus, before Elena could make the necessary payment, the money was written off by the scammers.

Conclusion​

In the article, we have analyzed what carding is and its main directions. In conclusion, I would like to add that craving for easy money is a phenomenon that cannot be eradicated. Therefore, carding is constantly being improved and acquires new directions.

But technical progress does not stand still. Every day, hundreds of specialists work to make cashless payments safer.

If you purchased a card, it means that scammers are already hunting your money. Therefore, do not neglect the safety measures given in the article and do not fall for tempting offers for super profitable purchases.

(c) https://retireearly.ru/financial-literacy/carding