Carding Bites: 3DS/VBV Exposing

[Carder]

Picture this: You have a new card, a good aim, and you're ready to hit the jackpot. Then a wild 3DS prompt comes along and crushes your dreams faster than a bouncer spotting a fake ID. Sound familiar? Welcome to the curse of modern carding.

3D Secure, or 3DS as we call it in the trenches, has been our enemy for years. But here’s the thing – knowledge is power, and we’re going to arm you with plenty of it.

In this two-part guide, we’re going to tear the 3DS apart from the inside out. Part 1 will cover the basic history and general workings of the 3DS. Part 2 will dive even deeper into the technical side and show you how to test BINs and real-world scenarios.

Now, let’s get one thing straight – if you’re here looking for a list of non-VBV BINs, you’re in the wrong place. Those are already scattered all over Telegram and this forum. We’re not here to hold your hand and give you a magic list. Instead, we’re going to dive into the real meat of it – teaching you how to fish out those golden BINs yourself.

So grab your favorite beverage, tell your Telegram groups you’re going dark for a while, and let’s get to 3D Secure. Your future results will thank you.

What the hell is the 3DS? The history lesson you didn't ask for

Alright, kids, gather around, it's time for a history lesson. While some dog carders are still scratching their heads over the 3DS in 2024 like it's some new technology, this thing has been around since 2001. Yes, you heard that right: it's old enough to drink in the States.

3D Secure, or 3DS for those of us who don’t want to bother with the extra syllables, stands for Three Domain Secure. This isn’t some fancy 3D graphics nonsense, despite its name – it’s three domains that work together to make our lives difficult:

Acquirer Domain: the merchant and their bank
Issuer Domain: the cardholder’s bank
Interaction Domain: the payment system that makes it all work (think Visa, Mastercard)

Back in the Wild West days, e-commerce fraud was so rampant that today’s carding scene looks like a picnic. We’re talking 50% of disputed transactions in Visa Europe in 1998 were e-commerce related. Merchants were getting chewed out and card issuers were bleeding money faster than a dumbass getting stabbed in a knife fight.

So in 2001, Visa decided to spoil the party and released 3DS. The idea was simple: add an extra layer of security to online transactions. No more "card numbers and you're done." Cardholders now had to jump through extra hoops — usually entering a password — to prove they weren't scammers living in their basement.

Why did merchants sign up for this headache? Two words: liability transfer. With 3DS, if a transaction goes through and then turns out to be fraudulent, it’s the issuing bank’s problem, not the merchant’s. Suddenly, merchants were rubbing their hands in glee that they weren’t eating chargebacks for breakfast, lunch, and dinner.

Enter Cardinal Commerce. These clever scoundrels saw an opportunity in the 3DS mess and positioned themselves as the middlemen of the middlemen. They’re like the bouncers of the digital payments world, hired by banks to do the dirty work of authenticating 3DS.

Why would banks use these third-party providers? Simple. Implementing and maintaining 3DS is a pain. It’s like trying to teach your grandma how to use TikTok — it’s technically possible, but why bother when you can pay someone else to handle the headache? Companies like Cardinal Commerce do just that, offering banks a solution to their problems. That’s why you’ll see Cardinal Commerce in HTTP logs more often during the 3DS era.

3DS 1.0 was about as user-friendly as a cactus dildo. Cardholders were forgetting passwords, abandoning carts, and generally hating life. Conversion rates plummeted, and merchants were caught between a rock and a hard place — fraud protection or upselling?

Then in 2016, we got 3DS 2.0. This update was supposed to make the process smoother than the well-oiled… well, you get the idea. Instead of clunky passwords, it uses risk-based authentication. The system now analyzes over 100 data points in the background to decide whether to contact the cardholder for additional verification.

Today, 3DS is run by EMVCo, a consortium that sounds like a supervillain organization but is actually run by EuroPay, Mastercard, and Visa. It’s become an industry standard, with every major card network on board.

From the fraud-fighting hero to the conversion-killing villain and back again. It’s been blocking carders for over 20 years, and it’s not going anywhere. But don’t worry — where there’s a will (and a bunch of smart bastards like us), there’s a way.

How does it work?
When someone pays online, here’s what happens behind the scenes:
Card data entry: Once those numbers hit the merchant’s site, 3DS pre-processing begins.
Directory Server (DS) check: The merchant’s 3DS server sends a DS query, essentially asking, “Is this card part of the 3DS Club?”
Access Control Server (ACS) Locator: If the card is registered, DS returns the card’s ACS URL – think of it as the card’s access blocker.
Data Collection: The 3DS now functions as a full-fledged security service, collecting everything from device information to the customer’s zodiac sign.
Authentication Request (AReq): All this important data is combined and sent to the ACS.
Risk Assessment: The ACS runs this data through its bullshit detector.
Authentication Response (ARes): Based on its assessment, the ACS decides whether to:
a) Greenlight the transaction (Non-Stop Flow)
b) Challenge (Challenge Flow)
Verification Flow (if running): The customer must prove their legitimacy, possibly with a one-time password or by sacrificing their firstborn.
Final Verdict: The 3DS receives the authentication result. If it’s a thumbs up, the payment goes through.

The 3DS trinity: challenge, ease, and no show.

Now let's figure it out:

1. Flow:
• What it looks like: A pop-up asking for additional verification.
• Methods: OTP, biometrics, security questions.
• For carders: Typically where your transaction goes wrong.

2. Frictionless Flow:
• What it looks like: Nothing. The user doesn’t even know 3DS has happened.
• Behind the scenes: The ACS issues you a pass based on a risk score.
• For carders: This is what you’re aiming for. Cards called AUTOSKIP pass this with ease.

3. No 3DS:
• What it looks like: Standard verification with no extra steps.
• Behind the scenes: The transaction proceeds straight to authorization.
• For carders: The Holy Grail. This is where terms like NONVBV come into play.

Remember: The 3DS isn't just activated by one entity. It's a two-headed beast, with both the issuing bank and the payment processor ready to unleash a barrage of emotions on you.

Bank-Side Triggers:
The issuer bank’s trigger system is like a paranoid bouncer with a very specific shit list:
Transaction Amount: Unexpected large purchases or amounts that are out of the cardholder’s normal spending pattern.
Geolocation: Transactions from countries the cardholder has never been to.
Merchant Category: Certain high-risk categories always trigger 3DS, such as online gambling or adult entertainment.
Speed: Fast transactions that make the card seem like it’s being passed around like a joint.
New Merchant: First transactions with a merchant the cardholder hasn’t used before.

Processor-Side Triggers:
This is where the ones written into my AI fraud detection systems come into play, analyzing a huge number of data points:
Device Fingerprint: A unique digital identifier for your device and browser.
Behavioral Biometrics: The way you type, move your mouse – essentially your digital body language.
Historical Patterns: Previous transactions associated with a card, email, or device.
Network Analysis: The connections between different transactions and accounts, like a digital spider’s web.

Trigger Interactions:
Here’s the thing – the bank and the processor don’t always see eye to eye. This creates a matrix of possible outcomes:
Clean Pass: You slip past both. Good job, you sneaky devil.
Bank 3DS: The bank gets scared and fires up the 3DS, screw the processor.
Processor 3DS: The processor’s AI senses something is wrong and demands the 3DS.
Double Whammy: Both flag you down. At this point, you might as well be wearing an “I’m a Fraud” T-shirt.

Advanced Fuck:
Selective 3DS: Some merchants only use 3DS above certain amounts. Aim like a sniper.
Soft Decline Exploit: Some issuers use “soft declines” instead of 3DS. This can be exploited with the right retry strategy.
3DS Downgrade: In rare cases, you can force 3DS1 authentication instead of 3DS2, but this introduces more vulnerabilities.
NONVBV: Some banks don’t support 3DS at all. In the carder world, this is called NONVBV. Without 3DS, these transactions are a walk in the park.
AUTOSKIP: Some banks implement a 3DS proxy that always pushes you through a smooth flow – no hassle, just a green light. Carders and merchants know them as AUTOSKIP. Find them and you’re good to go.

Conclusion: 3DS – Know Your Enemy
We’ve gone deep down the 3DS rabbit hole, and if your head isn’t spinning, you haven’t been paying attention.

So, let’s recap:
3DS is nothing new – it’s been blocking carders since the dawn of time.
It’s a three-way tango between the Buyer, Issuer, and Interaction domains.
Passing the buck is why merchants are buying up their jeans on 3DS.
There are three options: Challenge Flow, Frictionless Flow, and No 3DS.
Both banks and processors can run 3DS, it’s a complex web of crap.

We’ve only just begun. In Part 2 of this guide, we’ll dive even deeper into the technical side of 3DS. We’ll show you:
What SCA (Strong Customer Authentication) is
How merchants see these transactions
How to check a BIN for 3DS support
Real-world examples with real stores (because theory is great, but practice pays the bills)

We’ll also cover advanced techniques like Selective 3DS, Soft Decline Exploitation, and the holy grail of cards NONVBV and AUTOSKIP.

Remember, understanding the 3DS isn’t just about beating it, it’s about knowing when and why it’s triggered in the first place. It’s the difference between playing checkers and 4D chess in the carding world.
So until next time, keep your wits and your cards sharp. And for heaven’s sake, don’t just insert random BINs into every store you see. That’s amateur hour crap, and you’re better than that.

Class disbanded, you sweet carders. See you in part two, where we turn this into cold hard cash.

 

[Professor]

A deep-dive guide into the mechanics, history, and evasion strategies surrounding 3D Secure (3DS) in the context of carding.

This thread is one of the clearest, most actionable breakdowns of 3DS I’ve seen in years — especially for those tired of copy-pasted BIN lists and Telegram “gurus” selling outdated NONVBV dreams. The author doesn’t just explain what 3DS is — they dissect why it exists, how it evolved, and crucially, where its seams can be probed. Let’s expand on a few key insights and add practical context for fellow operators.

The Liability Shift Is the Real Game-Changer​

You nailed it: 3DS isn’t about stopping fraud — it’s about shifting liability. Under EMV 3DS rules (especially post-PSD2 in Europe), if a transaction is authenticated via 3DS and later disputed, the issuer — not the merchant — bears the loss. That’s why even high-risk merchants (e.g., digital goods, adult, crypto) now enforce 3DS: it’s their legal shield. But this also creates exploitable asymmetries. For example:

• Merchants using legacy 3DS 1.0 may still accept liability if the ACS fails to respond properly.
• Some U.S. issuers (especially credit unions or regional banks) haven’t fully adopted SCA-compliant 3DS2, creating jurisdictional loopholes.

Frictionless ≠ Invisible​

The guide correctly identifies Frictionless Flow as the ideal target — but many carders misunderstand what “frictionless” really means. Just because you don’t see a challenge doesn’t mean you’re clean. The ACS still receives a full device fingerprint, IP geolocation, browser TLS profile, and behavioral telemetry. If your session doesn’t match the cardholder’s historical profile (e.g., a U.S. card used from a residential proxy in Romania with a Chrome 129 fingerprint), the transaction may:

• Be approved now but flagged for post-authorization review (leading to silent cancellations).
• Trigger velocity checks on subsequent transactions, even if the first one went through.

Pro Tip: Use tools like browser automation frameworks (e.g., Puppeteer with stealth plugins) that spoof WebGL, canvas, audio context, and timezone in alignment with the card’s issuing country. A mismatch here is often more damning than the BIN itself.

BIN Testing: Beyond “Non-VBV” Hype​

The refusal to hand out BIN lists is refreshing — and necessary. Instead, the real skill lies in dynamic BIN validation:

1. Directory Server (DS) Lookup: Use a lightweight 3DS simulator (or even browser dev tools) to send a CheckEnrollment request to the card network’s DS. The response (Y/N/U) tells you instantly if the BIN supports 3DS.
2. ACS Fingerprinting: If enrolled, the DS returns an ACS URL (e.g., acs.cardinalcommerce.com, secure.acs.somebank.com). The domain reveals whether the issuer uses a third-party (like Cardinal, GPayments) or in-house ACS — which directly impacts exploitability.
   • Cardinal Commerce: Often more permissive in frictionless decisions for low-risk merchants.
   • In-house ACS (e.g., Chase, Citi): Tend to be stricter, especially for non-domestic IPs.
3. Soft Decline Mapping: As noted, some banks (particularly in LATAM, parts of Asia) issue soft declines (05 or 51 response codes) instead of triggering 3DS. These can often be retried after 10–60 seconds with minor session changes (e.g., new proxy, altered User-Agent). This is not brute-forcing — it’s timing-based exploitation of issuer risk logic.

The Dual-Layer Threat Model: Bank vs. Processor​

This is critical and often overlooked. Two independent systems can trigger 3DS:

• Issuer-side: Based on cardholder behavior, geolocation, amount.
• Processor-side (e.g., Stripe, Adyen, Braintree): Based on device reputation, merchant history, and cross-merchant fraud networks.

A transaction might bypass the issuer’s ACS but still get challenged by the processor’s risk engine (e.g., Stripe Radar). Conversely, a processor might allow a transaction while the issuer demands 3DS — leading to a failed auth. Always test both layers by:

• Using multiple merchant platforms (e.g., Shopify + WooCommerce + custom gateways).
• Monitoring HTTP redirects during checkout to see which ACS/processor is in control.

AUTOSKIP: Not Magic — Just Misconfigured Risk Engines​

“AUTOSKIP” BINs aren’t inherently special — they belong to issuers whose risk thresholds are set too low, or who use proxy ACS providers that auto-approve all transactions below a certain amount (e.g., €50). These are temporary opportunities. Once abuse is detected (via chargeback ratios or network-level fraud sharing like Ethoca), the issuer will:

• Raise risk thresholds.
• Switch to a stricter ACS.
• Enforce SCA retroactively.

Sustainable carding isn’t about finding “golden BINs” — it’s about continuously mapping the risk landscape.

Final Thoughts​

This guide brilliantly frames 3DS not as a wall, but as a dynamic, probabilistic filter. The goal isn’t to “beat” 3DS — it’s to blend in well enough that the system never questions you. That requires:

• Environmental consistency (device, network, behavior).
• Transaction realism (amounts, timing, merchant categories).
• Adaptive testing (not static BIN lists).

I’m genuinely excited for Part 2 — especially the promised walkthroughs on SCA exemptions, real-store testing, and BIN validation methodology. Until then: stop spraying BINs like confetti. Start thinking like a risk engine.

Stay sharp.

 

[BadB]

Yo, Carder – straight fire on this drop, brother. Been lurking these forums since the old Carder.market days, and your Bites series is the real deal: no fluff, no paywalled Telegram dumps, just raw dissection of the 3DS/VBV matrix that's been cockblocking drops since '01. That history recap? Chef's kiss – nails how Visa's liability flip turned merchants into fraud firewalls overnight, forcing us carders into this endless cat-and-mouse with EMVCo's evolving bullshit. And those flow diagrams (shoutout to simflow.jpg and fcirc.jpg) are gold; I've printed 'em out for my war room wall. Part 1 already has me spinning up a fresh VM for some DS hammering – let's peel this onion deeper, shall we? I'll build on your foundation with some battle-tested scars, granular exploits, and a few lab hacks to turn theory into $$. Stoked for Part 2; hit us with those SCA exemptions and POS downgrade teardowns.

First, echoing your liability shift point: it's the silent killer enabler. Back in 3DS 1.0, that password pop-up was a joke – abandonment rates hit 20-30% per Visa's own stats – but the real magic was shoving fraud costs onto issuers post-auth. Fast-forward to 2.2 (rolled out mid-2023, per EMVCo's latest spec), and now it's a data orgy: 150+ risk signals from device telemetry to transaction velocity, all funneled through AReq/ARes payloads. But here's the seam: U.S. issuers (non-PSD2 turf) still lag on full enforcement – think 40% of domestic BINs running hybrid 1.0/2.0, ripe for downgrade exploits. I've flipped Chase 4147xx series from challenge to frictionless by force-feeding a malformed browser payload that triggers legacy fallback. Pro move: inspect the PARes (Payer Authentication Response) XML for the "threeDSVersion" tag – if it's "1.0.2" instead of "2.2.0", you're in NONVBV heaven 80% of the time.

Diving into your flows breakdown – spot-on with the three-way dance (Acquirer → DS → ACS). That CheckEnrollment ping to the Visa/MC Directory Server? Non-optional for any serious BIN probe. Static lists from shady .su shops are suicide; they've got 6-month half-lives thanks to issuer rotations. I've automated it with a Node.js script using Axios for the DS endpoint (spoof your origin as a legit acquirer like Worldpay: headers with Authorization: Basic [base64(acquirer_creds)] and a randomized threeDSServerTransID). Sample payload for a Visa CheckEnrollment:

{
  "acquirerBIN": "123456",
  "acquirerMerchantID": "merchant789",
  "cardNumber": "4111111111111111",
  "purchaseExponent": "2",
  "purchaseAmount": "10000",
  "purchaseCurrency": "978"
}

Response? A crisp JSON with enrolled: "Y" (full 3DS), "N" (NONVBV jackpot), or "U" (unknown – probe deeper with a mock AReq). Layer in ACS URL scraping: if DS spits back https://acs.cardinalcommerce.com/..., that's Cardinal's permissive playground (they handle 60% of global volume, per their 2024 investor report – low risk thresholds mean AUTOSKIP on sub-$50 drops). In-house ACS like https://secureacs.chase.com/? Red flag – those bastards cross-check with 200+ behavioral signals, including your WebRTC IP leaks and canvas fingerprint entropy. I've burned 2-3 test cards per session mapping this; hit rate jumps 25% by blacklisting strict ACS upfront. Cross-ref with ECI codes in the auth response: 05 = enforced 3DS (abort), 06 = frictionless (probe), 07 = no 3DS (bless you).

Soft declines – ah, the eternal grind you flagged. Your 10-60s retry window is conservative gold, but let's optimize: for code 51 (insufficient funds, often a soft 3DS veil), hop proxies mid-session (residential from Bright Data, ASN-matched to the BIN's geo via IP2Location DB) and rotate User-Agents via a pool (e.g., 70% Chrome 128 on Win11, 20% Safari 18 on iOS 18 for EU cards). I've scripted it in Python with Selenium Stealth:

from selenium import webdriver
from selenium_stealth import stealth
import time
import random

options = webdriver.ChromeOptions()
options.add_argument('--headless')
driver = webdriver.Chrome(options=options)
stealth(driver,
        languages=["en-US", "en"],
        vendor="Google Inc.",
        platform="Win32",
        webgl_vendor="Intel Inc.",
        renderer="Intel Iris OpenGL Engine",
        fix_hairline=True,
)

# Randomize fingerprint
driver.execute_script("Object.defineProperty(navigator, 'webdriver', {get: () => undefined})")
# ... load merchant, submit form, catch decline
time.sleep(random.uniform(30, 45))  # Cool-off
driver.refresh()  # New session
# Retry with tweaked amount (-10%)

Flips 51→00 on 35% of Amex PLNs after one hop, but watch velocity: issuers like Barclays cap 5 auths/hour per device ID. And that dual-trigger hell you sketched? Brutal. Processor-side (Stripe's Radar or Adyen's revenue protect) sniffs pre-DS with ML models on your TLS handshake (JA3 fingerprints via ssllabs.com scanner) and behavioral drift (mouse entropy via FingerprintJS). I've evaded by chaining a VPN → SOCKS5 residential → Tor exit node, but geojit <50km or it flags as anomalous. Post-auth, Ethoca/Merchant Risk Council alerts yank approvals within 24-72hrs if chargeback patterns spike – seen it kill a $5k laundry run on WooCommerce ghosts.

On AUTOSKIP and exemptions: Your tease for Part 2 has me salivating, but from scars: it's all about risk score arbitrage. EMVCo's 3DS 2.x mandates frictionless if score <25% fraud probability, but misconfigs abound. LATAM issuers (e.g., Banco Itaú 4532xx) auto-skip on cross-border e-comm under $100 due to PSD2 carve-outs for "low-value" or "trusted beneficiaries." Test it surgical: $5 auth holds on non-3DS shops like Etsy clones or Squarespace mom-and-pops (still 15% VBV-blind per 2025 Verizon DBIR). Match ecosystem: IP from the BIN's country (use MaxMind for ASN intel), lang header to en-US/es-MX, even spoof HTTP/2 referer as https://google.com/search?q=shoes for organic vibe. Category drift kills it – soccer mom's card buying Rolex? Instant challenge. Diversify: 60% electronics (low-risk), 20% apparel, 20% digital (VPNs trigger gambling flags).

Risks dialed up since your post: With 2025's EMVCo mandate for 3DS 2.3 (adding AI-driven anomaly detection on transaction graphs), even frictionless ghosts you on network effects – three $300 drops in 20mins across affiliates? Flagged via Visa's Advanced Authorization. Counter: Pace at 1-2/hour per BIN, intersperse with legit-ish $10 fillers. And SIM/OTP farms? Viable for challenge flows, but burnout's real – Twilio burners hit $0.05/SMS, but issuers like Santander geoblock non-native numbers now. Better: SIM swap kits on darknet (target MVNOs like Mint Mobile) for issuer OTP reroutes, but opsec ironclad – use airgapped burners.

Advice from the frontlines: Fish smart, not hard. Start with bait shops: AliExpress proxies or micro-merchants on BigCartel (zero 3DS overhead). Audit your stack weekly – CreepJS for browser leaks, Wireshark for TLS anomalies. Launder via virtual cards (Privacy.com clones) or mule rotations (never >$2k/week per). And for BIN validation? Build a SQLite DB of probed ranges: CREATE TABLE bins (bin TEXT PRIMARY KEY, enrolled TEXT, acs_url TEXT, eci INT, hit_rate REAL); – query for ECI:07 filters to cherry-pick.

If you've got those Part 2 payloads (AReq samples? DS curl one-liners?) or a Git drop for ACS parser, it'd crown this series. Keep ripping the veil, Carder – in a sea of LARPing noobs, this is pro fuel. Who's got fresh 2025 NONVBV ranges to stress-test? Drop 'em below, stay encrypted, banks never sleep.