Don't send anyone a code from a text message or What is carding?

Father

Carding is a type of fraud involving the use of someone else's credit or debit card information. Such criminal activities can lead to huge financial losses both for the victim, whose funds were stolen, and for financial institutions facing losses and reputational damage.

In this article, we will look at the main methods of carding, the precautions that can be taken to avoid becoming a victim, as well as the consequences for criminals who commit such crimes.

What is carding and why does it still attract cybercriminals

Carding flourished in the 90s of the last century. It was then that bank cards, the Internet, ATMs appeared in the country, and computer technologies were actively developing. But then the volume of theft through access to bank cards significantly decreased.

Fyodor Muzalevsky
Director of the Technical Department of RTM Group

The main volume of theft using bank card data ended immediately, as soon as the so-called 3D Secure was introduced everywhere. This is an analog of two-factor authentication for familiar services, such as Government Services. At the same time, payment confirmation uses the same technologies as for logging in to any given online bank: an SMS or push notification.

After the introduction of the 3D Secure protection system, fraudsters lost the main attack vector: the use of card parameters (the most "secret" was the CVV code). But they were left with a variety of phishing schemes:
  • primitive — a person pays for someone else's purchase on the marketplace under the guise of their own;
  • critical — the victim is "slipped" payment details for transferring money directly to the fraudsters.
And if in the first case there are possible ways to "slow down" the sale, then in the second, as a rule, there are dropper chains and the probability of a return tends to zero.

Unfortunately, even 20 years later, carding is still a fairly common crime. This type of fraud attracts criminals for a number of reasons:
  1. Easy access to tools. There are many sources where you can buy or rent software and databases for carding, which makes this type of fraud relatively affordable for anyone.
  2. No borders. The Internet allows carders to operate internationally, bypassing geographical restrictions and laws of various countries.
  3. Inability to prevent all cases of fraud. Banks and law enforcement agencies take measures to prevent carding, but they cannot always stop all cases, especially given the constant development of fraud technologies and methods.
  4. High potential returns. A successful carder can earn a lot of money in a short period of time, which attracts carders who are looking for quick and easy ways to earn money.

Thus, despite the efforts of law enforcement agencies and social campaigns to combat carding, this type of fraud still remains attractive to cybercriminals due to its relative availability, scale, and potential profit.

Legislation and penalties for carding

In many countries, participation in carding or clothing carding using stolen cards, account numbers, and other personal data is regulated by cybercrime laws. And many carders are identified, detained and brought to criminal responsibility.

Penalties for participating in carding may vary depending on the country, legislation, and severity of the crime. This can be a fine, an arrest, or even a prison sentence. In addition, the owners of stolen data can bring civil claims against the criminal.

In Russia, carding is criminalized as fraud involving the use of electronic means of payment (Article 153.3 of the Criminal Code of the Russian Federation). The minimum penalty for carding is a fine of up to 120 thousand rubles. Imprisonment for up to 3 years is also possible, and if carders worked as part of a group and took an impressive amount, they face a fine of 300-500 thousand rubles or imprisonment for a term of up to 5 or up to 8 years.

In general, participating in carding is a serious offense. Therefore, it is important to comply with the laws and use the Internet and financial services in accordance with the law.

How to protect yourself from carding

It would seem that it is not difficult to protect yourself from carding, and everyone knows the basic rules — do not transfer a bank card or its data to strangers and do not use questionable online payment services. But modern carding is evolving, and the methods of protection must change accordingly.

Dmitry Khomutov
Director of Ideco

There are several effective methods to prevent bank card data theft:
  • Multi-factor authentication — verification of your identity using a password, SMS code, fingerprint or face recognition. About 46% of thefts of consumer financial data and internal company information by hackers occur due to the choice of a simple password.
  • Transaction monitoring: companies can use analytics and machine learning algorithms to track suspicious transactions and transactions that may be related to carding. If suspicious activity is detected, the system can automatically block the operation or request confirmation from the user. For better protection against financial fraud in relation to companies, we recommend installing additional layers of protection such as next-generation firewalls (NGFW) and intrusion prevention systems (IPS). These tools can monitor traffic and detect suspicious activity on the organization's network by blocking malicious assets.
  • The security of data stored in the system, such as credit card numbers, receipts, and personal information, is a key aspect in preventing carding. Companies should use encryption, tokenization, and other data protection methods to prevent data leakage or theft. The use of such tools will increase the cybersecurity of confidential data by 90%.

If organizations do not focus on the use of combined methods to protect confidential information, then by 2026, global losses from fraud with payment cards can reach $43 billion.
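The transaction-monitoring rule described above (block automatically or request confirmation), as an added example that is not part of the original article: a sliding-window velocity check that counts distinct cards and recent declines per source. The field names, thresholds, window and sample log are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_S = 600          # assumed look-back window (10 minutes)
CHALLENGE_CARDS = 3     # assumed: distinct cards per source before step-up
BLOCK_CARDS = 5         # assumed: distinct cards per source before blocking
CHALLENGE_DECLINES = 2  # assumed: recent declines per source before step-up

def decide(transactions):
    """Return one decision per transaction: allow, challenge or block.

    Each transaction is a dict with ts (epoch seconds), source (IP or
    device id), card_token (a token, never the card number) and declined
    (recorded issuer result). Input must be ordered by time.
    """
    history = defaultdict(deque)  # source -> recent (ts, token, declined)
    decisions = []
    for tx in transactions:
        recent = history[tx["source"]]
        # Drop events that have fallen out of the sliding window.
        while recent and tx["ts"] - recent[0][0] > WINDOW_S:
            recent.popleft()
        cards = {token for _, token, _ in recent} | {tx["card_token"]}
        declines = sum(1 for _, _, declined in recent if declined)
        if len(cards) >= BLOCK_CARDS:
            decision = "block"
        elif len(cards) >= CHALLENGE_CARDS or declines >= CHALLENGE_DECLINES:
            decision = "challenge"  # request confirmation from the cardholder
        else:
            decision = "allow"
        decisions.append(decision)
        recent.append((tx["ts"], tx["card_token"], tx["declined"]))
    return decisions

# Constructed sample log: one regular customer, one source cycling cards.
SAMPLE = [
    {"ts": 0, "source": "192.0.2.5", "card_token": "tok_a", "declined": False},
    {"ts": 30, "source": "198.51.100.9", "card_token": "tok_b", "declined": True},
    {"ts": 45, "source": "198.51.100.9", "card_token": "tok_c", "declined": True},
    {"ts": 60, "source": "198.51.100.9", "card_token": "tok_d", "declined": False},
    {"ts": 75, "source": "198.51.100.9", "card_token": "tok_e", "declined": True},
    {"ts": 90, "source": "198.51.100.9", "card_token": "tok_f", "declined": False},
    {"ts": 900, "source": "192.0.2.5", "card_token": "tok_a", "declined": False},
    {"ts": 1000, "source": "198.51.100.9", "card_token": "tok_g", "declined": False},
]

if __name__ == "__main__":
    for tx, decision in zip(SAMPLE, decide(SAMPLE)):
        print(tx["ts"], tx["source"], tx["card_token"], decision)
```

The per-source history is forgotten once events age out of the window, which is why the last attempt from the second source is allowed again; a production system would persist risk state rather than rely on the window alone.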

It is worth noting that not only ordinary citizens and companies should think about protecting their banking data, but also online services that carry out transfers or engage in electronic commerce.

Marina Probets
Internet analyst at Gazinformservis

With the development of technology and the Internet, carders began to use more sophisticated methods to steal data from bank cards. For example, in their work, they often use skimmers: devices that are installed on ATMs or payment terminals and are able to read data from the magnetic stripe of the card. Carders can also use computer viruses and malware for data theft, phishing attacks, and social engineering. In addition, carders have begun to actively use online resources and markets to sell stolen data from bank cards, which makes the process of theft and use of stolen data more complex and accessible.

Some online payment systems "crack" carders like nuts, while others do not register such problems. There are a number of reasons why some payment systems are more vulnerable to carding than others. For example, the level of data protection and the level of technical protection and updates: some payment systems have weaker data protection measures, which makes them more vulnerable to hacker attacks and carding. Insufficient security measures can make it easier for carders to access sensitive information.

Moreover, the reputational risks that unprotected online services carry are often more noticeable than the financial losses themselves from carding.

Conclusion

Unfortunately, carding, as a type of cyber fraud, has not disappeared from the lives of Russians and will only increase in the coming years. After all, for criminals, this is a fairly easy way to take money from the population, especially from those who neglect digital hygiene.

But commonplace methods of protection, as well as healthy vigilance, will help citizens keep their finances safe. As for companies and online services, security measures include regular security updates, the use of secure connections, multi-factor authentication to verify the identity of users, as well as monitoring transactions and suspicious activity.
 