Carding 101

Posted on by admin_fBTr8D3ct
03
Jun
Join Cashoutgod On Telegram

Have you ever had a site in mind you think of carding ? Here are some of the steps you can take in order to find out what approach to take and if its worth carding …
This is by no means the best or only way to do things, neither is this a full method ..I hope you can find value in this post….

 

1. Go to target website
(I already have fp-mon extension that tells me what anti-fraud system the site is using , thats the first step..) / you can also use F12 Developer tools to figure out which anti-fraud system a site is using , look for stuff like js.stripe radar, beacon.riskified , cdn.forter , sift-science, Signifyd, perimeterX,iesnare.com/snare.js maxmind-deviceapi, fingerprintJS , etc

The first step is to identify what anti-fraud system the site is using , based on that I will decide to go further or not
Certain anti-fraud systems like LexisNexis-ThreatMetrix , Amazon Fraud Detector , Iovation , I immediately back out .. so if these systems are in place , I tuck tail 🙂 and move unto another website I have in mind..
No point in continuing any further

Note: Some sites dont run the integrated anti-fraud JS scripts on the front-end of the site , so keep that in mind
Some even go as far by utilizing CNAME cloaking via dns ..example :
– http://cdn.siftscience.com/s.js (blocking this script makes no sense, as they will then use CNAME cloaking methods )
– http://dtlilztwypawv.cloudfront.net/s.js (sift-science js been disguised via. cloudfront dns),

2.
Say I find a suitable site , I will go to their FAQ’s , read if they allow shipping to address other than billing address , payment methods accepted , warehouse locations , mail courier been used .

I will also look at the items been sold on the site, if they are easy to flip or convert into cash/crypto
Do they have a online chat or email system to communicate with customers
Do you offer BOPIS /curbside pickup etc ? BOPIS means “By Online Pickup In Store”
Do you need to verify email to place order , or can you use guest checkout
Do they have a mobile app version of the site
Do they offer e-gift cards and can that be added to the items cart along with other physical items? (This is important , I’ll teach you a trick later)

3. . I will also look at their privacy policies/ shipping policies , if they require signature on delivery and that stuff ..
Find out if they require ID verification of any kind or credit card scan to verify order
Find out if they have a call center , and if they actually make outbound-calls to verify orders , etc

4. . Say I found out some of the above and it looks promising
Here is what I would do , I would use a dummy card or prepaid card that I have control of to test the entire checkout process and find any flaws

At this point I would be using the same setup that I would be using if I was using a CC from auto-shop(real attempt)
So I test things out with anti-detect browser or mobile setup that I would use for my real attempt , enter my own prepaid or dummy card I have access to , enter the details and note the entire checkout process

Some sites will not accept prepaid cards and hence I will then use my dummy card I have access to , if the order was placed successfully , I will log unto my bank portal and check if the charge has been debited right away , sometimes it doesn’t happen right away , but after and hour or so , I’ll check again to see if the charge has been processed or pending , or reversed

Note: Always use a phone# when placing order that you have access to for 1st dummy test, so if they actually call for verbal confirmation , you know what they ask or what info they need
Write down anything they ask, if they do call .. all of this info you are preparing for the real attempt when you buy your card from shop/vendor

Now if the order gets cancelled at this point , this is very good as we can spend some time here to find out any flaws in their system.
Using an anti-detect and intended setup , you can figure out what went wrong . So at this point , they will either , send a email cancellation notice / request docs

Part 2

At this point, they will either tell you to try again or request you send them verification documents or sometimes they simply just need verbal confirmation

1. .. if they ask for verification documents ; you can find out what they need ; whether it be a CC photo scan , with ID + SELFIE or whatever
At this point , you must ask yourself is it worth the effort and time ?? , only you can decide that , if they are asking for a bunch of stuff for a $200 order , I am not gonna do it , not worth the headache in my book

what I would do at this point , is get a fake ID , a fake CC scan or whatever they require (ALL FAKE of course) , if after you send all this in and your order gets approved , you know that the documents you got from your vendor or website works 100% and in the future when you are using actual cards you bought will most likely work …
((What you are doing is finding out if your document service passes the target website verification system)))

2. Also you can always call them , I find that this approach is more effective , I mean you are the owner of the dummy card and you have no reason to be nervous , all your doing at this point , is getting info for your next real attempt.
Most times , they will tell you that their fraud detection system flagged your order, Some agents that you speak to will not go into detail , but they will sometime gives hint .. They are not there to investigate fraud and most of them aren’t getting paid to go the extra mile anyways..

For example ; what if they say that ” your order has been flagged by our fraud detection system based on your device been suspicious or deemed high risk” – you know for a fact that is your browser setup that is wack
maybe webrtc disabled , canvas noise , outdated browser, risky IP address , etc

or

they say that ” your order has been flagged by our fraud detection system based on mismatch on public records” – this could be phone number not matching CNAM or public records or email been used doesn’t match-up , etc

This is the hardest step in the process of carding a new site , and that’s why I suggest using a dummy card or prepaid card ,no sense in burning through cards
I know most persons are hesitant to call into websites , but if they have a chat feature , you can use this channel as well

— Now if the order gets approved and ships with your dummy card or prepaid card then you are golden , its safe to say that with the same browser setup and same type of proxy , your chances of success with an actual card from a auto-shop will be highest, and if any hiccups or verification requested , you know exactly what to expect , as you already know the type of service to use to verify the documents

Summary

So in summary , you now know what to expect and what to avoid :

If they called you when using dummy card , you know that there is a high possibility that they will call when you do your real attempt , so use number you have access to on real attempt

If they cancel the order and request documents , you know exactly what documents they require and what to use

If they cancel the orders, you have some insight to what maybe the problem with your setup , etc

This isn’t supposed to be a fault-proof way to approach a new website , but this is just one way I figure out if a site is worth carding or not

Leave a Reply

Your email address will not be published. Required fields are marked *