Carding: a technological scam or a test for mindfulness?

Father

Carding is a popular method of cyber fraud that relies on a customer's bank data: first of all payment data, online banking passwords and all sorts of CVV/CVC codes.

At the same time, the carder can be either a high-level technical specialist or an ordinary fraudster from a so-called "bank call center". In this article, we cover the main methods of carding, their relevance and ways of dealing with them.

Carding with "special tools"

This is carding that relies on technical devices used to steal confidential payment information. Most often, these are unobtrusive cameras, keypad overlays and card readers installed directly on the ATM.

The main drawback of all these technical solutions is the need to physically visit the crime scene. The fact that most ATMs are equipped with cameras and installed in busy places creates additional difficulties for the attacker.

At the same time, tracking equipment must not only be installed unnoticed, but often also removed – to read data or reuse it. Direct fraud with ATMs and other payment terminals is quite rare, compared to other ways to find out card details.

Advanced carding

This is the search for vulnerabilities and attacks on the banking infrastructure. We can say that this is the most "knowledge-intensive" type of carding, which requires a high level of competence and long-term training (similar to APT attacks), as well as intelligence and analysis of external sources. But the result may exceed all expectations.

For example, the story of hacker Sergey Pavlovich, the founder of the portal Carding.pro, is widely known. Together with Albert Gonzalez and a number of others, he participated in the greatest theft of bank card data in history: over 170 million bank card numbers were sold. Theft of this level can be called a full-fledged operation.

Along with high-profile hacks and data leaks, there is also a less noticeable, but rather "advanced" method associated with the use of skimmers. To implement it, an attacker must gain access to the online store's infrastructure and install a skimmer: tracking malware that captures and transmits payment information. The required level of competence here directly depends on the level of protection of the online store.

Sergey Voldokhin
Director of Anti-Phishing LLC

The most common method of carding today is the theft of card data from users of online stores. Cybercriminals break into the websites of trading platforms and embed special code fragments on them: Internet skimmers. When a customer enters their card details to pay for a purchase, the skimmer code sends the card details to criminals. Using this data, fraudsters use various methods to withdraw funds to their accounts or sell the collected card information on underground forums.

This is how hackers from groups known collectively as Magecart work. Initially, they specialized in online stores based on the Magento engine, but gradually developed Internet skimmers and hacking methods for other engines.

The client cannot "find" the skimmer on their own, so they will find out about the data leak after the fact, most often at the time of an attempt to debit funds from their account. Therefore, it is especially important for owners and operators of online stores to conduct a security audit of their infrastructure.

"Mass" carding

"Mass" here means publicly available: it does not require a high level of technical knowledge or the ability to search for and exploit vulnerabilities in information systems. This type of carding is based on two pillars: phishing and social engineering.

Several examples of such fraud:
  1. Calls from the "economic police" or the bank's security service. Using information they already know, attackers give the victim the impression that they really represent the named service, and so inspire confidence. Then they find out the data that they are still "missing" to steal money.
  2. Winning the lottery, a talent contest, a city raffle, or any other nonexistent event. "Leave your contact and payment details to receive your winnings."
  3. "Combined" phishing. When an attacker calls, "masquerading" as a well-known legitimate process. For example, on the Blablacar service, you may encounter a suggestion to "apply for pre-trip insurance" through a third-party but mandatory service. After "registering" on such a site, uncontrolled debits of funds begin.
  4. "Pure" phishing. It differs from the previous one in that the attacker imitates not a process but a specific site: a copy of a bank's page, a marketplace, or another popular service.

In the context of "mass" carding, parsing and OSINT skills are important. Parsing allows you to create a target database of victims, and OSINT methods allow you to collect information about them from open sources. As a rule, such databases are acquired by attackers via the darknet, but they can be collected independently if they work for a long time or have a sufficient level of skills.

OSINT technologies are especially relevant in cases where you need to get specific information about a potential victim, such as answers to security questions: maiden name, pet name, and so on.

Risks by sector

The financial sector can be considered one of the most advanced in terms of implementing security tools and conducting security audits of its infrastructure, largely due to the high demands of the state.

Evgeny Tsarev
Managing Director of RTM Group

The main method of theft using payment card data is their indication in payment systems after compromising the databases of banks or payment agents. According to our data, this species accounts for more than 60%.

Other methods are related to social engineering or phishing, and they are ranked second. These types of theft account for just over 30%.

The rarest cases are related to the compromise of ATMs and payment gateways – there are only a few such cases.

Gone are the methods associated with reading the magnetic stripe – all cards in the Russian Federation now have a chip that does not count.

When it comes to requirements for marketplaces and online stores that work with payment data, the situation is somewhat worse. The problem exists both from the point of view of infrastructure security and from the point of view of using such stores as a way to cash out funds.

If we consider fraud with crypto exchanges as a new field for carders and their activities, then the situation is most acute here, primarily due to the lack of any legal regulation. However, the audience of crypto exchanges is much narrower and, as a rule, has a higher level of financial and information literacy.

Methods of protection against carding

An ordinary client can reduce the risk of successful carding against themselves many times over by paying attention to just three points:
  1. Attentiveness, first of all to dubious calls and sites. You can always take a break for reflection and analysis. A ten-minute delay won't be critical in the vast majority of cases, but it will protect your money.
  2. Banking instruments. Do not neglect the methods of authentication and confirmation of actions, various passwords and notifications. This reduces convenience, but increases security.
  3. Differentiation. The ideal case is if you have a separate card for online purchases. For example, Ozon offers its own card for conducting operations on its site.

Compliance with these simple measures by the majority of society will significantly reduce the number of cases of "low-skilled" carding. This will significantly increase the threshold for entering the profession and generally reduce the interest of intruders in this activity.
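
For store operators, the article's advice to audit the infrastructure for injected skimmer code can start with a baseline check of every script the checkout page loads. The sketch below is an added example, not part of the original article: the page, host names, allowlist and the `audit_scripts` helper are all constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page for the example; all hosts are placeholders.
SAMPLE_CHECKOUT = """<html><head>
<script src="/static/checkout.js"></script>
<script src="https://pay.example/sdk.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://cdn.example/analytics.js"></script>
<script src="https://stats-collector.example/c.js"></script>
<script>window.cartId = "demo";</script>
<script>/* constructed stand-in for an inline script nobody approved */</script>
</head><body><form id="payment"></form></body></html>"""

ALLOWED_HOSTS = {"shop.example", "pay.example", "cdn.example"}  # assumed allowlist
# Baseline of reviewed inline scripts, stored as SHA-256 of the stripped body.
APPROVED_INLINE = {hashlib.sha256(b'window.cartId = "demo";').hexdigest()}

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.scripts, self._open = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            a = dict(attrs)
            self._open = {"src": a.get("src"), "sri": a.get("integrity"), "body": ""}
            self.scripts.append(self._open)
    def handle_data(self, data):
        if self._open is not None:
            self._open["body"] += data  # inline script text
    def handle_endtag(self, tag):
        if tag == "script":
            self._open = None

def audit_scripts(html, page_host, allowed=ALLOWED_HOSTS, approved=APPROVED_INLINE):
    """Return (finding, detail) pairs for scripts that deviate from the baseline."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for s in collector.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname or page_host  # relative URL: same host
            if host not in allowed:
                findings.append(("unexpected-host", s["src"]))
            elif host != page_host and not s["sri"]:
                findings.append(("missing-sri", s["src"]))  # third party, no integrity hash
        else:
            digest = hashlib.sha256(s["body"].strip().encode()).hexdigest()
            if digest not in approved:
                findings.append(("unapproved-inline", digest[:16]))
    return findings

if __name__ == "__main__":
    print(audit_scripts(SAMPLE_CHECKOUT, "shop.example"))
```

Run against the rendered checkout page on a schedule, any new finding means the page changed outside the reviewed baseline and should be investigated before customers keep entering card data.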