In fact, there are several carding schemes. The first, well-known to many, is that fraudsters purchase a database of user data. Such databases are sold on the darknet. The data is usually “leaked” by employees – current or former – of the companies where clients provide their personal data. In addition, the databases are subject to hacker attacks, and people's personal data becomes available to carders. Then the fraudster acts according to the following scheme:
1. A call to a potential victim (of course, most often it is not the carder himself who calls, but his “subordinate”, who introduces himself as an employee of the bank's security service).
2. A message about a “suspicious” transaction for a large amount, awaiting confirmation from the cardholder (the holder of the plastic). The worried person, of course, will answer that he has not made or planned any such transactions.
3. Then the fraudster reports that the “client” has been attacked by fraudsters (in this case, this is the absolute truth). And, to protect the funds, asks to dictate a four-digit code that will be received by SMS. That's it, the money is written off.
The code is generated by the payment aggregator used by the online store. Here we come to the second popular carding scheme on the Internet.
I think you have come across advertisements on the Internet about the sale of goods from the USA and Europe at fairly low prices. Using popular Internet services for posting advertisements for the sale of goods, criminals sell things bought with the money of cardholders in foreign online stores.
There are several types of the scheme here. The first, already known to you, is described above. Another scheme assumes the absence of two-factor authentication (i.e. an SMS message with a one-time code required to write off funds). In such cases, to make a payment, it is enough to know the card details, including the three-digit code on the back.
This code can be obtained in several ways:
1. directly from the owner of the plastic by misleading;
2. as a result of hacking the user's computer or smartphone;
3. Unfortunately, there are also known cases when the code was read from the servers of payment aggregators or bona fide stores that were attacked by hackers.
Credit cards:
In this case, we mean any plastic cards - not necessarily credit cards. The term "credit card" came from the West, where credit card payments have existed for several decades. With the advent of cashless payments in Russia, debit cards began to be issued, and the term "credit card" remained.
For some online stores and payment systems, this data is enough. Finding a store that accepts payments by CVV code is not an easy task, but such stores exist. Searching for them on the Internet is one of the main activities of the carder.
I would also recommend adhering to the following rule. If the seller asks to transfer money through some little-known payment service, the name of which does not mean anything to you - refrain from buying. In most cases, two-factor authentication and other protection methods are used.
Two-factor authentication, VBV, MCSC
So, two-factor authentication is the same SMS message with an automatically generated numeric code that comes to your phone to confirm a payment. Theoretically, the code should be known only to you. Unfortunately, in order for a fraudster to find out the code, it is not always necessary to tell him personally. The information can be read by malware embedded in your device, or by replacing cookie files.
Cookies are files sent to your device when you visit a particular site. Surely you have seen a pop-up message with something like this: “This site uses cookies, please confirm access for your security, etc.” This message often interferes with viewing content, and in most cases we simply click “Accept” to make the annoying banner disappear. What are these files, and what information about you do they collect?
In most cases, cookies are absolutely safe. Their main function is to identify you as a unique user. It is known that many websites make money on advertising. In this case, the income of the website owner depends on the number of views.
In addition, when registering on a website, for example, an online store, you create an account. Often, card details are also linked to the user account so that you don’t have to re-enter them each time you make a payment.
How can they be dangerous? The most harmless thing is that your data can be used for intrusive advertising. Sometimes website owners sell cookie files to advertisers along with information about you. In addition, there is also contextual advertising, when the history of your requests is tracked using cookies. The methods for obtaining data in these cases are not always legal, but this is a separate topic.
It also happens that cookie files are intercepted by a hacker in order to create a copy of them and act on your behalf, including carding using your account.
VBV and MCSC are two-factor authentication features without using a phone number. In this case, the cardholder independently creates a password for making payments and installs it on the card via an ATM or the bank's website. In Russia and the CIS countries, these methods are not very popular, but they are widely used in the West. These codes are more vulnerable than SMS authentication, since they are used multiple times.
Sometimes the carder himself can install such a code on the credit card of an unsuspecting person and make purchases online on his behalf.
Carding methods
Clothing carding:
So, clothing carding is the purchase of goods without the consent of the cardholder. This method becomes quite complicated, since most online stores work with trusted banks that use two-factor authentication. But it should be noted that clothing carding is not very widespread in Russia - most criminals hunt for money from foreigners who use multiple security systems - VBV or MCSC.
The carding scheme works like this: the goods are paid for from someone else's credit card, and the delivery is arranged to the address of the drop (front man). The procedure for entering data to make a payment is called "carding".
In case of successful crediting of funds from someone else's card to the email address created by the fraudster specifically for these purposes, a confirmation with a tracking number for tracking the parcel comes.
The main difficulty is that it is not easy to find an online store that is ready to deliver the parcel to the address specified by the payer. Most companies prefer not to risk their reputation and arrange delivery to the buyer's registration address. However, there are those who work with so-called "ship addresses" (from the English ship address - delivery address). In this case, the drop address is used.
Gift certificates:
This is one of the types of item carding. The card owner may not notice for a long time that bonuses are disappearing from his account. Agree, not everyone monitors the bonuses that are awarded for large purchases. Also, not everyone has the opportunity to use these bonuses within a limited time.
For example, a person bought the latest model iPhone and received a gift certificate from the Apple store valid for 3 months. The certificate usually implies compensation for a small part of the purchase. It is unlikely that in such a short period of time a person will again decide to buy something expensive. And many simply forget about such gifts, which carders successfully take advantage of.
The fraudster receives information about the bonuses and gift certificates available on the account from the full account. You can spend the funds at your own discretion. Gifts (from the English gift - a gift) - this is what certificates are called in the slang of fraudsters in the field of carding - can be resold on the darknet for 20-30% of the face value.
How the process of stealing funds occurs:
1. Obtaining data directly from the owner (telephone fraud), when the criminal calls a person, intimidates him about suspicious transactions with the card and receives the password from an SMS. With this, everything is more or less clear.
2. As for obtaining data about account owners from the network, this usually happens with the help of a bot that distributes malicious software that reads the personal data of account owners. In this case, the victim will find out about the theft only upon receiving a notification about the write-off of funds, if such a setting is set on a mobile phone or email.
3. There is also a scam (from the English scam - a scam) in carding, which is not carding in the literal sense of the word. The scam consists of deceiving newcomers who want to try themselves in carding. In slang, they are called "hamsters". Having registered on the carders' forum, the newcomer finds an ad for the sale of equipment at a price of 50% of the real cost, credit cards or accounts in payment systems, etc. Most of these ads are a "scam". Therefore, having come to carding, the newcomer with a probability of more than 90% will run into a scammer. And the gadget for which money was paid, most likely, the "hamster" will never see. As well as money, of course.
Why carders avoid punishment:
In general, online fraud is an area in which it is quite difficult to prove anything. Firstly, a case is opened only if a large sum is stolen (in the West - from $ 1,000). In Russia, to open a criminal case, the amount must be at least 5,000 rubles. However, in practice, this is difficult to implement, and here's why.
Let's say law enforcement agencies have found a drop. What information will he give them? "I found an ad on the exchange, a parcel needed to be delivered. I delivered it, got my 500 rubles. I didn't contact the customer anymore." And this is often true. Even if he gives the number and email address he was contacted by, the number is most likely no longer in use, and the email is registered to an IP in another country. The money as payment for the task was deposited through an ATM. How can they find the criminal in this case?
Even if the police find the carder himself and come to his home, they will use correspondence in instant messengers (which can be quickly destroyed) or the presence of malware on computers as evidence. But professionals work through a VPN, use messengers with cryptographic protection and follow other online security rules.
In addition, the carder can introduce himself as a drop, and in this case he is no longer an accused, but a witness.
So the best thing we can do is take safety measures.
1. A call to a potential victim (of course, most often it is not the carder himself who calls, but his “subordinate”, who introduces himself as an employee of the bank's security service).
2. A message about a “suspicious” transaction for a large amount, awaiting confirmation from the cardholder (the holder of the plastic). The worried person, of course, will answer that he has not made or planned any such transactions.
3. Then the fraudster reports that the “client” has been attacked by fraudsters (in this case, this is the absolute truth). And, to protect the funds, asks to dictate a four-digit code that will be received by SMS. That's it, the money is written off.
The code is generated by the payment aggregator used by the online store. Here we come to the second popular carding scheme on the Internet.
I think you have come across advertisements on the Internet about the sale of goods from the USA and Europe at fairly low prices. Using popular Internet services for posting advertisements for the sale of goods, criminals sell things bought with the money of cardholders in foreign online stores.
There are several types of the scheme here. The first, already known to you, is described above. Another scheme assumes the absence of two-factor authentication (i.e. an SMS message with a one-time code required to write off funds). In such cases, to make a payment, it is enough to know the card details, including the three-digit code on the back.
This code can be obtained in several ways:
1. directly from the owner of the plastic by misleading;
2. as a result of hacking the user's computer or smartphone;
3. Unfortunately, there are also known cases when the code was read from the servers of payment aggregators or bona fide stores that were attacked by hackers.
Credit cards:
In this case, we mean any plastic cards - not necessarily credit cards. The term "credit card" came from the West, where credit card payments have existed for several decades. With the advent of cashless payments in Russia, debit cards began to be issued, and the term "credit card" remained.
For some online stores and payment systems, this data is enough. Finding a store that accepts payments by CVV code is not an easy task, but such stores exist. Searching for them on the Internet is one of the main activities of the carder.
I would also recommend adhering to the following rule. If the seller asks to transfer money through some little-known payment service, the name of which does not mean anything to you - refrain from buying. In most cases, two-factor authentication and other protection methods are used.
Two-factor authentication, VBV, MCSC
So, two-factor authentication is the same SMS message with an automatically generated numeric code that comes to your phone to confirm a payment. Theoretically, the code should be known only to you. Unfortunately, in order for a fraudster to find out the code, it is not always necessary to tell him personally. The information can be read by malware embedded in your device, or by replacing cookie files.
Cookies are files sent to your device when you visit a particular site. Surely you have seen a pop-up message with something like this: “This site uses cookies, please confirm access for your security, etc.” This message often interferes with viewing content, and in most cases we simply click “Accept” to make the annoying banner disappear. What are these files, and what information about you do they collect?
In most cases, cookies are absolutely safe. Their main function is to identify you as a unique user. It is known that many websites make money on advertising. In this case, the income of the website owner depends on the number of views.
In addition, when registering on a website, for example, an online store, you create an account. Often, card details are also linked to the user account so that you don’t have to re-enter them each time you make a payment.
How can they be dangerous? The most harmless thing is that your data can be used for intrusive advertising. Sometimes website owners sell cookie files to advertisers along with information about you. In addition, there is also contextual advertising, when the history of your requests is tracked using cookies. The methods for obtaining data in these cases are not always legal, but this is a separate topic.
It also happens that cookie files are intercepted by a hacker in order to create a copy of them and act on your behalf, including carding using your account.
VBV and MCSC are two-factor authentication features without using a phone number. In this case, the cardholder independently creates a password for making payments and installs it on the card via an ATM or the bank's website. In Russia and the CIS countries, these methods are not very popular, but they are widely used in the West. These codes are more vulnerable than SMS authentication, since they are used multiple times.
Sometimes the carder himself can install such a code on the credit card of an unsuspecting person and make purchases online on his behalf.
Carding methods
Clothing carding:
So, clothing carding is the purchase of goods without the consent of the cardholder. This method becomes quite complicated, since most online stores work with trusted banks that use two-factor authentication. But it should be noted that clothing carding is not very widespread in Russia - most criminals hunt for money from foreigners who use multiple security systems - VBV or MCSC.
The carding scheme works like this: the goods are paid for from someone else's credit card, and the delivery is arranged to the address of the drop (front man). The procedure for entering data to make a payment is called "carding".
In case of successful crediting of funds from someone else's card to the email address created by the fraudster specifically for these purposes, a confirmation with a tracking number for tracking the parcel comes.
The main difficulty is that it is not easy to find an online store that is ready to deliver the parcel to the address specified by the payer. Most companies prefer not to risk their reputation and arrange delivery to the buyer's registration address. However, there are those who work with so-called "ship addresses" (from the English ship address - delivery address). In this case, the drop address is used.
Gift certificates:
This is one of the types of item carding. The card owner may not notice for a long time that bonuses are disappearing from his account. Agree, not everyone monitors the bonuses that are awarded for large purchases. Also, not everyone has the opportunity to use these bonuses within a limited time.
For example, a person bought the latest model iPhone and received a gift certificate from the Apple store valid for 3 months. The certificate usually implies compensation for a small part of the purchase. It is unlikely that in such a short period of time a person will again decide to buy something expensive. And many simply forget about such gifts, which carders successfully take advantage of.
The fraudster receives information about the bonuses and gift certificates available on the account from the full account. You can spend the funds at your own discretion. Gifts (from the English gift - a gift) - this is what certificates are called in the slang of fraudsters in the field of carding - can be resold on the darknet for 20-30% of the face value.
How the process of stealing funds occurs:
1. Obtaining data directly from the owner (telephone fraud), when the criminal calls a person, intimidates him about suspicious transactions with the card and receives the password from an SMS. With this, everything is more or less clear.
2. As for obtaining data about account owners from the network, this usually happens with the help of a bot that distributes malicious software that reads the personal data of account owners. In this case, the victim will find out about the theft only upon receiving a notification about the write-off of funds, if such a setting is set on a mobile phone or email.
3. There is also a scam (from the English scam - a scam) in carding, which is not carding in the literal sense of the word. The scam consists of deceiving newcomers who want to try themselves in carding. In slang, they are called "hamsters". Having registered on the carders' forum, the newcomer finds an ad for the sale of equipment at a price of 50% of the real cost, credit cards or accounts in payment systems, etc. Most of these ads are a "scam". Therefore, having come to carding, the newcomer with a probability of more than 90% will run into a scammer. And the gadget for which money was paid, most likely, the "hamster" will never see. As well as money, of course.
Why carders avoid punishment:
In general, online fraud is an area in which it is quite difficult to prove anything. Firstly, a case is opened only if a large sum is stolen (in the West - from $ 1,000). In Russia, to open a criminal case, the amount must be at least 5,000 rubles. However, in practice, this is difficult to implement, and here's why.
Let's say law enforcement agencies have found a drop. What information will he give them? "I found an ad on the exchange, a parcel needed to be delivered. I delivered it, got my 500 rubles. I didn't contact the customer anymore." And this is often true. Even if he gives the number and email address he was contacted by, the number is most likely no longer in use, and the email is registered to an IP in another country. The money as payment for the task was deposited through an ATM. How can they find the criminal in this case?
Even if the police find the carder himself and come to his home, they will use correspondence in instant messengers (which can be quickly destroyed) or the presence of malware on computers as evidence. But professionals work through a VPN, use messengers with cryptographic protection and follow other online security rules.
In addition, the carder can introduce himself as a drop, and in this case he is no longer an accused, but a witness.
So the best thing we can do is take safety measures.
