This article will probably shed light on one of the biggest cyber threats out there, one that has been around for decades. Cyber fraud using stolen credit card data is nothing unique and, in simple terms, they call it carding. What’s unique are the methods of fraud with credit card data, which keep changing with time. It has evolved a lot since the time people started doing it.
How does it start?
In India, it starts with teenagers on the internet in gaming circles, or those who are a bit of tech enthusiasts, or those interested in cyber security. Kids or adults, people in India get excited at the prospect of getting expensive things at cheap prices. That’s where these fraudsters/carders come in.
Modus Operandi of carders in India
Now, in the age of social media, when people like to share every little thing over Facebook, Twitter, Instagram, and a lot of other social media platforms in different groups or forums online, these so-called carders see it as an opportunity to market their carding services in moments of weakness.
Most often they’re not even real carders; they’re called rippers in the carding world. They’ll promise you high-value items, mostly electronics. They’ll tell you they get credit card data from something known as the dark web, and then they’ll order this item, or card it, for you for a really low price. Sometimes they’ll offer to card flight tickets or book hotels for you at really cheap prices.
These rippers will simply take your money and block you. They often use fake social accounts, stolen identities, fake SIM cards, fake digital wallets, fake bank accounts, and so on. So these regular people, after getting scammed in the name of carding, start feeling a sense of loss or defeat, but knowing that they gave money to someone for the purpose of doing something illegal, they can’t actually go to the police and tell them the entire story.
With the Indian justice system, people are well aware that even if they file a police case, it’ll just be another cyber security case and it’ll be swept under the load of other major cases the Indian justice system is dealing with. Hence many of these cases go unreported and these scammers or rippers keep doing it. Now those victims who have been scammed start looking for a way to get their money back and start reading on the subject.
After some proper research, they will come across some secret social media groups or forums and learn how it’s done and about actual carders. It takes a certain obsession to get to the depths of this entire carding world, and there it begins. These people eventually either get into carding or start dealing with carders. As the word itself suggests, carding involves cards. Debit cards, credit cards, prepaid cards, or any digital form of payment based on a card and its confidential data can be used in this process to make unauthorized purchases on eCommerce websites supporting digital payments through cards.
How do they get the credit card data?
A common claim regular people hear is that they buy these card details on the dark web. Most of this is not correct.
The dark web is a cover story for the regular online marketplaces where this kind of data is sold. Whenever carders are arrested and interrogated about the source of stolen card data, they simply tell the police they got it on the dark web, and those who know a little bit about the dark web decide to believe it, because the dark web, or onion web, has marketplaces that actually sell everything illegal: from drugs to data, from malware to weapons, from organs to illegal services, and so much more.
That’s a trick these people use to throw the police off the scent, and that is that. Actually, they get their data by spamming targets’ (victims’) inboxes with phishing emails, sniffing networks, and hacking the databases of ecommerce sites that store customers’ data and have bad security.
Sometimes dishonest employees of payment gateway providers take the credit card data their company stores (to make the payment process easier and faster for customers) and sell it to credit card marketplace owners for prices as low as 1-2 USD per card’s details. Not just that, it could be in the form of malware you probably downloaded by accidentally clicking on ads popping up on shady porn sites when you were secretly trying to satisfy your dark sexual urges.
These ads could contain links to malware stored on some private servers. This malware could be trojans, ransomware, or backdoors stealing cookies from your browsing sessions. They basically try to tap into human greed to steal your data. The number of such exposed card details could range from thousands to millions.
One of the good old ways is through cold calls: pretending to be a bank official and putting the fear of money loss in the victim in order to obtain credit card details as well as the OTP (One Time Password) from them. People who are simple-minded or not very aware of the ongoing frauds become victims through such calls.
How is it done?
Once they learn about the marketplaces where they can get their hands on stolen credit card data, they find that these marketplaces always take payment in the form of cryptocurrencies. In the early days, some 10-15 years ago, it was done very easily: just type the credit card details on the payment page, and if the card was active, the payment would be processed.
As technology improved and governments as well as banks started getting serious about credit card fraud, these criminals started getting caught after their IPs were exposed and linked to them upon investigation. Then they started using VPNs to cover their tracks.
Using VPN services throughout the world, they fooled the anti-fraud systems of eCommerce websites and payment gateway providers, which tried to use the IP geolocation of the person making the payment and match it with the billing data the actual card owners had provided to the banks. Then these websites started blacklisting VPNs and the IPs associated with VPNs. The idea was that the payment would not go through if the data didn’t match, so credit card fraud could be stopped. Even this didn’t stop carding.
Carders started looking for other services similar to VPNs and came across proxies. These proxies weren’t as widespread and abused as VPNs, so they weren’t being blacklisted, and they helped fraudsters present themselves to eCommerce websites, payment gateway providers, and banks as the genuine card owner and continue their carding activities. Customers and the government increased the pressure on banks and eCommerce websites to deal with the situation, which in turn pressured payment gateway websites to improve security.
As a result, payment gateway providers and eCommerce websites started trying to screen fraud cases properly and noticed that certain BINs of credit or debit cards were being used more often to commit fraud on their websites. So they started blacklisting BINs and flagging payments made through such cards. This meant orders were either cancelled directly by the sites that weren’t ready to handle such fraud or severely scrutinized.
This made carding harder and harder. This scrutiny could be manual verification, with the bank calling the card owner on the phone number it has on file, or a demand for a credit card scan and a state ID to match and verify identities. Then carders started using editing software to edit blank card scans or ID scans, fill in the victim’s data, and try to convince the websites demanding the details.
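The layered checks described above (IP geolocation matched against billing data, VPN/proxy blacklists, flagged BINs sent to manual verification) can be sketched as a merchant-side screening rule. This is an added example, not code from the original article; the networks, BINs, card numbers, and decision policy are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Everything below is constructed sample data: documentation IP ranges
# (RFC 5737), made-up BINs and made-up card numbers.
ANONYMIZER_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # listed VPN/proxy exits
GEO_TABLE = {
    ipaddress.ip_network("192.0.2.0/24"): "IN",
    ipaddress.ip_network("198.51.100.0/24"): "US",
    ipaddress.ip_network("203.0.113.0/24"): "US",
}
FLAGGED_BINS = {"999999"}  # card prefixes over-represented in past fraud


@dataclass
class Payment:
    card_number: str
    billing_country: str  # country on file with the issuing bank
    client_ip: str


def ip_country(addr):
    """Look up the country for an address; None when it is unknown."""
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return None


def screen(payment):
    """Return (decision, reasons) for one payment attempt."""
    addr = ipaddress.ip_address(payment.client_ip)
    reasons = []
    if any(addr in net for net in ANONYMIZER_NETS):
        reasons.append("anonymizer_ip")
    if ip_country(addr) != payment.billing_country:
        reasons.append("geo_mismatch")  # unknown location also lands here
    if payment.card_number[:6] in FLAGGED_BINS:
        reasons.append("flagged_bin")

    # Hard signals stop the payment; a flagged BIN alone goes to manual
    # verification (call-back to the number on file, ID check).
    if "anonymizer_ip" in reasons or "geo_mismatch" in reasons:
        return "decline", reasons
    if "flagged_bin" in reasons:
        return "manual_review", reasons
    return "approve", reasons
```

The `manual_review` branch is why BIN flagging was layered on top of the IP checks: an address that is on no blacklist and geolocates to the billing country passes the first two tests, so only the BIN flag routes that payment to a human.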
Can police not catch them using the address carders use to get carded products delivered?
Actually, this is what the police try first, and then they hit roadblocks. These roadblocks come in the form of fake addresses of empty houses, some local stores, some landmarks, or reshipping companies. Reshipping companies provide them with virtual addresses based on actual addresses, with a unique number associated with the customer who signed up for the service. Most of them are free and don’t demand identity verification.
The product is first delivered there, and then these companies repackage it and ship it wherever the customer (the carder, in this situation) asks, for a certain shipping and repackaging fee. They also use drops in case they are based overseas. For example, a carder sitting in India is trying to card a certain product from a certain website. That website doesn’t ship internationally.
They’ll get it delivered to the drop address and ask the drop to ship it to them. This whole process is so time-consuming and exhausting that the police go on a wild goose chase only to hit a dead end.
Who are drops?
Drops are people who receive products in lieu of carders. They are often contacted through social media sites or dating apps. They are not necessarily aware of the fraud activity being carried out through them. Most often they’re manipulated into believing that they’re helping the carders out with their legit business or work. They’re also paid some money from time to time in order to keep them doing the carders’ dirty work.
Who are the victims of this dirty work?
People with weak passwords, those who visit shady sites looking for freeware or porn, simpletons, careless people or old people are often victims of such frauds. Besides that, eCommerce websites with weak security as well as payment gateway providers with bugs could often be targeted by hackers in order to obtain confidential financial data. People unknowingly acting as drops can also be counted as victims of this fraud.
What about credit card passwords or 2FA or OTP?
This can help sometimes for sure, but in Tier-1 countries most eCommerce websites have a 2D form of payment system, which means your payment will go through as soon as the order is placed, without the need for a password or OTP. In this case, if the item hasn’t been shipped yet, the amount can be reversed almost immediately, as the money is held by the payment gateway provider.
Sometimes they take the order but don’t charge your card until the item is shipped. You can sometimes find yourself the victim of carding where your money has already been deducted: you try contacting the merchant, and they tell you that they have already shipped the ordered product. In such cases eCommerce sites can take weeks to refund your money to your card, because they have already shipped the item and need to verify the source of the payment, the shipping address, and the billing address, investigate with the payment gateway provider, and so on.
Most sites demand an extra password, OTP, or some other form of verification while making a payment these days, and it is a very effective way to prevent such fraud.
Someone made an unauthorized payment from my card, what shall I do?
If you are a victim of credit card fraud, or if you found out someone just charged your card somewhere and you didn’t authorize it, here are the steps:
- Don’t panic.
- Call your credit card company (or your bank, in the case of other cards) and block the card immediately. These days credit card companies and banks also have mobile apps where you can block or unblock your card as needed.
- Apply for a new card.
- Go to your local police station and file a complaint about this.
- Take a copy of the police complaint to your bank or credit card company, or possibly their website, and file a chargeback with them.
- If you can identify the merchant on your credit/debit card statement, you can call their customer support and let them know about this as well. There is a slim chance they will be able to help you directly unless your bank or credit card company approaches them through official channels.
After you have performed the above steps, you can call your card issuing company and keep asking for updates on the case from time to time until you have got your money back.
How to prevent credit card fraud from happening to you?
Here are some ways you can prevent credit card fraud from happening to you or any of your family members:
- Stop visiting shady websites looking for freeware.
- Whenever you receive an email from any website you have added your financial details to, do check the email source to see when and where it came from. If it looks suspicious, confirm with several of your friends / colleagues / relatives who use that website as well.
- Don’t just punch in your credit card details anywhere. Verify the URL twice before proceeding with the payment to make sure it’s authentic.
- Bank officials will never ask for the CVV/OTP of your credit or debit card in general, so never ever share these confidential details with any stranger over a call or text.
- Most importantly, turn off your credit/debit card E-com transactions from the banking application in general. Don’t turn them on unless you need to conduct a transaction yourself.
If you follow all of the suggestions made above, there’s a 95-98% chance you’ll never be a victim of credit card fraud in your life.