The act of carding involves the use of credit/debit cards that have been illegally obtained from various avenues for the sole purpose of siphoning funds from a person’s bank account.
Money transfer platforms such as PayPal, Payoneer, Neteller, Skrill (MoneyBookers), Wave and WorldRemit allow users to store and send money by linking their credit/debit card to their account.
It is this option that is used as a gateway for carders to launder money and siphon funds from a person’s bank account.
Provided that a user understands the core concepts used for carding, then by following a well-planned procedure it is possible for any given person to engage in the vice.
Avenues used in the practice of carding to obtain credit cards include purchasing them from vendors operating on dark web markets, among many others. These vendors employ hacking methods to obtain the credit card information.
Since the essential details used in carding are the card number, expiration date and the Card Verification Value (CVV), it becomes easy to obtain the information.
However, some cases require an individual to have “Fullz,” a term used in carding that represents the complete, detailed information about the victim.
Apart from the cards number, CVV and expiration date, other details that are part of Fullz include the name of the person, their country, phone number, address, city, state, email address, Social Security Number (SSN), security Q&A responses and their mother’s maiden name (MMN).
Based on the operation being carried out and the platform used, then the Fullz will be important since there are those individuals who have taken additional steps to safeguard their account.
So, carders will use the Fullz to create accounts on a given platform using the same details to avoid the platform from detecting any sort of fraud.
What’s more, they employ the use of Virtual Private Networks (VPNs) and Sock 5 Proxy systems to disguise their location as that of the cardholder. By doing so, they can cheat the system into believing that the transaction is being carried out by the legitimate account owner.
Based on the level of security a given card has, then the above information may be useful, or sometimes it won’t. The level of experience a person has in the field is what determines their level of success in each scenario.
The primary option of funding an account in a money transfer platform is by use of credit/debit cards. Even though the mode may be slightly different depending on the platform, the concept is still the same.
The only difference is the limits for uploading funds in each case, and thus the reason why some platforms are more preferred than others to carders.
The first step carders often follow is to create an account with a given money transfer platform and verify the email address. Afterwards, they can then add the card which they dubiously obtained and which they intend to drain the funds.
If the card is stolen, then it is impossible to verify the card since the four-digit code is always sent to the bank after which the carder has to enter the code on the platform to confirm that they are indeed the card owner.
So, this means that there will be limits to the amount of funds you can withdraw from a specific card over a period.
Since these cards are illegally obtained and being used without the consent of the owner, then the carders tend to siphon as much funds as they can at a go because in some cases, the bona fide owners have subscribed to notifications which enables them to know when a transaction has been initiated on their account.
So, let’s say once a transaction has been initiated and a notification has been sent to the real card owner, they will file a dispute with the financial institution that issued the credit/debit card to have the card blocked before any further un-authorized transaction is initiated.
When this happens, the card is rendered useless, and no deal can be carried out using the details.
Now, once a card has been added, some platforms (like Skrill) have the direct option of uploading funds from the card while others do not have that choice.
With PayPal, for example, one cannot upload money directly to the account but they can send the money to another registered account with the card being the funding source.
If the account does have funds, then one will choose the funding source as either the available balance or the credit card.
For the new card entered, the carder will then follow the steps to upload the cash. This does work at times, and it doesn’t work in other instances. Again, it all boils down to the experience that the carder possesses.
Factors considered by carders before undertaking a given operation include the Bank Identification Number (BIN), the card type and the status of the account on the platform in use.
Verified accounts are preferred because of their ability to facilitate more transactions of higher magnitudes. It is for this reason that carders tend to purchase accounts from those who have the existing and verified accounts to undertake their operations.
Now upon acquisition, they resort to the dark web to sell the account. On darknet markets, the customer has to make a payment in the form of Bitcoins for the transaction to be processed.
This practice is a process that requires skill depending on the darknet market that one uses. But the use of escrow is always recommended to avoid falling victim to scammers.
When a person makes an order with PayPal, for instance, they need to ensure that the drop (receiving account) has a good transaction history and it can hold the funds sent.
The reason is that the funds may experience a chargeback if they are not cashed out with immediate effect since they are from questionable sources.
Due to such reasons, these platforms have put measures to ensure the avenues they have provided are not used for cyber crime purposes.
For instance, the measures taken by PayPal include putting the money on hold for a specific time frame to ascertain the legitimacy of the funds.
If indeed the source of money is questionable, then it will be refunded to the origin because a dispute might be raised within that time. However, there are instances where a case against the transaction is not opened.
There are also cases wherein a transfer is immediately successful. And this happens when the funds reflect on the account, and then the carder withdraws as fast as they can.
Then, whenever a case is filed and the transaction is opened and a chargeback occurs, then the account will be negated with the amount received. It is at this point that individuals cease from using the account because it is no longer useful.
When the funds are now in the account, the carder may send it to another account on the same platform, withdraw it to a bank account, send it to their mobile wallet and finally purchase a commodity or pay for a service online.
When a company finds out of suspicious transactions on their platform, they suspend or terminate the account.
This is not always the best solution because one can quickly acquire another account from someone who has been using it or open an account using different names and verify it. Once this happens, they can use the account to carry out their normal activities.
After some time, the account will be terminated, and they acquire a new one, and the cycle continues.
All these carding tips are arrived at after vigorous attempts of trial and error by hackers. What’s more, if an individual performs an individual transaction with a card and it is successful, there are those who will employ research methods to see if they can manipulate the systems to illegally gain from it.
Also, the disturbing bit is that the relevant tutorials for these operations are readily available on the dark web. These tutorials have the effect of fueling cybercrime to a greater extent since any newbie can easily obtain them at a very small fee.
In carding, those who are more exposed tend to be on the upper hand since they have access to the newest fraud techniques with regard to credit hacking and theft.
And, as it is, one can conclude that the opportunities to make money via fraud is unlimited—it just depends on the channels used and the mode of operation.
Latest posts by Bruno (see all)
- Michigan-Based Ferris State University Receives NSA Grant for Darknet Analysis Curriculum - February 14, 2019
- Mega Breach Leads to Circulation of 2.2 Billion Records in Hacking Forums - February 14, 2019
- Georgia Man Sentenced to 10 Years for Trafficking Opioid U-47700 from the Dark Web - February 13, 2019