How to bypass modern AI anti-fraud systems

Carder

Have you ever wondered how you can have perhaps the most flawless setup (high balance card, correct BIN, clean socks from the same city) imaginable in cyberspace and still not get hit hard when carding anything online? Have you ever wondered why Stripe keeps rejecting your "high balance" card even for a small amount? Or why even a cheap Shopify order gets cancelled due to "unforeseen circumstances"? 🤔

🛑 The answer is quite simple: AI-powered fraud protection systems. And today we’ll be looking at this concept, which is foreign to newbies but very familiar to experienced carders. Understanding it essentially ensures that you receive a shipping notification via email, rather than a cancellation notification.

🔍 What are modern fraud protection systems?
Fraud protection systems are essentially the gates and hoops you need to jump through (besides your bank) to get your order processed successfully. The systems decide whether to make you go through 3DS or not. Companies that run them include, but are not limited to:
  • Stripe Radar
  • Signifyd
  • Riskified
  • Accertify
  • Forter
  • SEON

💡 Who invented this crap?
While big sites like Amazon, Walmart, etc. are building their own, corporate idiots realized there was money to be made by preventing script kiddies from copying and pasting free CCs from Telegram and getting their iPhone 15 Pro Max the next day. Somehow, they came up with the brilliant idea of offering fraud prevention as a service (SaaS). Their pitch to business owners was simple: you install our javascript on your site, and we monitor everyone who tries to order from your store, we decide whether the order is approved or not. We take a percentage commission on all orders we process. If we approve an order and it turns out to be fraudulent and the cardholder returns the money, we reimburse you 100% of your losses.

It's probably one of the most profitable businesses ever created, just below a casino. Think about it: not only are there statistically a tiny percentage of fraudulent orders compared to legitimate ones, the vast majority of carders committing fraud are – let’s face it – newbies and very easy to spot. If you’re one of them, then keep reading, because this is perfect for you.

🔒 But what sets them apart?
Two words: data and AI. Modern anti-fraud systems have become much more effective because they are equipped with more data – with hundreds/thousands of businesses using them, they effectively collect order data from thousands of shopping websites – and this in turn leads to much more sophisticated AI decision making. These systems assess your risk on a scoring system, where each hit or risky aspect of your purchase is added to your overall “risk score”. Their software is actually much easier to deploy, giving the business owner the peace of mind that there will be minimal chargebacks on their shopping site, and if there ever are, they are covered and compensated by the anti-fraud safeguards system.

😎 At the core of all this is the tradeoff between true positives and false positives. An overly strict fraud protection system will block MOST fraudulent orders, while blocking a huge portion of false positives (legitimate purchases). This is bad for the store owner, as often the loss they suffer from blocked legitimate purchases is greater than the actual loss from fraudulent purchases; not to mention it hurts their reputation when a legitimate customer tries to make a purchase and is suddenly blocked without doing anything illegal. The job of fraud detection companies is to fine-tune their AI and balance true positives with false positives.

And they need to do it as smoothly as possible. A store owner these days wouldn’t have to worry about whether to ship a brand new PS5 to Brandon from Portland; The AI has already decided to decline the transaction because it has evidence that someone from the same shipping address recalled a dildo purchase six months ago. And if you're shipping to a freight forwarder, good luck, because that warehouse address has probably already had countless dildos fraudulently purchased. 😅

💻 Okay, I get it, I'm screwed, how can I not be screwed?

"Give me six hours to chop down a tree, and I'll spend the first four sharpening my knife."
- Abraham Lincoln

Before you start mowing down shopping sites with your 517805 and 518698, you first need to understand what data is collected during shopping, how it is processed, and how big a factor each piece of data plays in the AI decision-making process.

🌐 A common misconception about your IP address.

It used to be that you just had to choose a proxy in the same city/state as your card's billing address and you were good to go. Do a quick search on the forums for guides and that's pretty much what everyone tells you: same city or state as your card's billing IP and voila, your order is processed and ready to ship. These days, that couldn't be further from the truth. While the proximity of your IP is a factor in the system's decision-making, it is not the ONLY factor, nor is it the most important one.

The opposite is also true: if the same city/state as your cardholder's billing address is the most important deciding factor, why are your relatives who order online from anywhere else in the country still getting their orders? Why is your uncle who is vacationing thousands of miles away from his billing address still having trouble getting his legitimate orders?

📊 IP quality > IP proximity. When deciding on your IP address, IP quality is a much more important factor than proximity. You can use an IP on the same street as your card payment details, but if it has already been checked over a thousand times by other cards, your order will simply not be accepted.

Some websites that offer IP health checks include:

These help assess the health of your IP, but they don’t paint the whole picture. Consider a recent IP address someone used that scored extremely low on all of these services. It passed these tests with flying colors, but failed Stripe Radar’s test for just $45:

🔍 Why? Let's look at Stripe's AI decision making:

Pay attention to the “Previous IP Disputes”, “Authorization Rate” and “Number of Cards Previously Associated With”.
While IP Health services consider the IP clean, it is clear that it has been checked hundreds of times in the past, so the transaction failed.

💡 But if I have no way of knowing reliably whether an IP is clean or not, how can I choose which one?
You can greatly increase your chances by combining the data you have: first, the IP cleanliness in these tools and the source from which you are getting the IP. Making sure your IPs are actually crystal clear is also a multi-step process:

1. The first thing you need to make sure is that you are getting either residential IPs or 4G LTE IPs.
Some ISPs offer IP blocks to companies that host proxies on their own servers, although these proxies are FAST, they are considered “RISKY” by fraudulent AI, since it is really unlikely that a real consumer will use an IP from a company's server. Avoid them and only use residential IP proxies.

2. Make sure the Socks/Proxy provider does not primarily serve carders/scammers.
Another tip is to go through each provider and find out who they primarily target. A company that primarily offers their proxies to scammers will give you a lower chance of success, as their pool is likely tainted by their own customers.

For example: combing through the Carder.Market proxy section and picking apart a portion of each company offering their services, I can confidently say that ALL of them primarily serve marketers, so their IP pools are likely CLEANER than random online services that get their IPs from malware-infected hosts.

3. The larger the provider's pool, the better.
A proxy platform that offers a huge pool, sometimes in the millions, will generally increase your chances of success simply because any IP address you receive will be less likely to have been used in the past by another scammer. This effectively bypasses the pitfalls that came with the Stripe transaction described above.

🔥 MY EXTRA SECRET SAUCE ABOUT FREE IP ADDRESSES 🔥
If you want the best of the best, cleanest IP address you can find, then get an Apple device and use their iCloud Private Relay VPN:

Not only does this help you with privacy, fraud checking systems are forced to give a low fraud score to IP addresses in Apple's pool simply because they are shared by all Apple users who use Safari, and penalizing any IP address within the pool will cause legitimate customers of Apple devices who use these services to suffer as well, resulting in legitimate purchases being cancelled. Abuse this while Apple cracks down on these privacy-violating companies.

https://news.ycombinator.com/item?id=27760391

🕵️‍♂️ Now, switching from choosing the right IP addresses, let's talk about another important detail: your browser fingerprint. This is like your browser's unique ID card on the web, and it is just as important as choosing the right IP address.
Imagine this: you succeeded in the IP game, but forgot about your browser fingerprint, and you might as well be wearing a neon sign saying "fraudster" on the web.
Surprisingly, this is where many carding newbies get it wrong, and this is where things can go awry very quickly.

🔍 What is a browser fingerprint?
Your browser fingerprint is like your browser’s secret recipe – a unique concoction that makes it stand out on the web. When you visit a website, your browser spills all its secrets, sharing information like its version, type, operating system, screen resolution, plugins, fonts, time zone, language settings – the whole shebang. And thanks to JavaScript, websites can even learn more details about your browser’s capabilities and device features. So as you navigate the web, your browser unwittingly spills its data – even your damn battery percentage! – essentially broadcasting your digital identity to website servers and anti-fraud mechanisms.

Companies collect millions of these fingerprints left by their users. By collecting these fingerprints, they create a coherent picture of visitors without even realizing it. It’s like assembling a puzzle of online habits, preferences, and actions to get to know users at a more granular level. By analyzing patterns and details, these systems can effectively assess whether a person has engaged in fraud in the past by linking their current browser and sessions to previous order sessions. Conversely, they can piece together that your current session does not match the cardholder’s sessions, ultimately leading to declined/cancelled orders.

So here's the thing about browser fingerprinting: Some people think they're supposed to be like the James Bond of the internet - all unique and untraceable. But here's the catch - that's the wrong way to go about fingerprinting. Unlike IP addresses, where you're looking for the squeaky clean ones, with browser fingerprinting you're targeting the dirtiest, most common fingerprints possible, because that allows you to blend in with the crowd, just like any normal person would!

🌐 AntiDetect Browsers

Enter antidetect browsers – these are like your secret weapon. These are special browsers designed to help you blend in even more with the crowd and get rid of pesky JavaScript trackers from anti-fraud systems. They let you customize things like your user agent, disable browser plugins, and tinker with cookie settings. The goal? To make your online fingerprint so generic that you’ll be hard to pick out from the crowd. They also help prevent trackers from linking your different online sessions on the same device. Here are a few to consider:
  • CheBrowser
  • Linken Sphere
  • Multilogin
  • Kameleo
  • GoLogin
  • Incogniton

These browsers are mostly used by online marketers and bots who catch the next Nike release, and for a monthly fee, they pretty much do all the hard work to make sure each session is distinct from the next, while still maintaining the “universality” that allows you to blend in perfectly.

Each browser has its own strengths and weaknesses, so try as many as you can and decide which one fits your workflow perfectly. Just make sure you remember what I said: your goal with these browsers is to be as “non-unique” as possible!

🔥 MY EXTRA SECRET SAUCE ON ANTI-DETECT/BROWSER FINGERPRINTING 🔥
Here’s another free sauce that’s sure to help your workflow. Did you know that most Safari browsers on iOS have similar fingerprints? And here’s the kicker – even iOS apps can’t track your device’s “hardware identifier” between resets.
So reset your iPhone, install the Surge app from the App Store, connect to a proxy server, and change your time zone: bam! you have the most advanced anti-detection software around. There’s a reason expert carders who brag about submitting their orders take screenshots from their iPhones – it’s simply the best tool for the job.

🛒 Browse Patterns
Another huge part of your order flow that raises a red flag and increases your “risk rating” in the eyes of AI systems is the browse pattern. Think about it: What kind of animal, a human, goes to a shopping site, selects an expensive item within a couple of seconds, checks out by inserting their credit card information, and refreshes the order status page every couple of minutes? That’s right, CARDER.

Humans are creatures of habit, and these fraud-fighting companies know it: that’s why their systems are designed to statistically compare patterns of legitimate buyers with fraudsters, and use the recognized pattern to make decisions about whether to approve orders or not. This is all done through the magic of modern Javascript, where every single one of your mouse movements, clicks, scrolls, keystrokes, pastes, etc. is recorded down to the last detail. Seriously, check the console to see how much data is sent to Stripe when you load a page:

This data (117 requests) was collected within seconds of the page loading. One click creates a request to the Stripe Radar servers, telling them you clicked here and there. Now imagine that stuff embedded into ALL the pages on a shopping site. Yeah, clicking on the first expensive thing you see and going through the checkout page like a crazy person with a bunch of cards is probably going to ruin your session.

🔄 So how do I get around that? Pretend to be an 80 year old lady from Arkansas?
Maybe you could, most anti-fraud pattern matching systems – except Amazon, because Amazon is backwards – in my experience give the buyer enough leeway to act even if the patterns don’t actually match. Spend a few minutes here and there, pretend to have doubts about your purchase, be picky, scroll and check out other products, just wander around a bit before you strike.

Again, always think about the scheme I showed you earlier: these systems want to be strict and catch newbie carders, BUT THEY DON'T WANT TO BE TOO STRICT and block legitimate purchases and hurt their customers.

🔥 MY EXTRA SECRET SAUCE ON SHOPPING SCHEMES 🔥
(Don't worry, you don't need Apple devices for this anymore) 😅
One super-spicy method we've been using all these years to get around fraud checks, and it's especially effective for digital goods, is broken down into three steps:

1. Make sure the website accepts registration/checkout from ANY email address without any form of email verification. If you're buying a gift card, make sure the gift card is sent to the email address you provide or is saved on an order history page that is fully accessible to you without sending an OTP to the person who placed the order.

2. Place the order using the cardholder's own email address. Weird, right? Well, when you use a cardholder email that the cardholder likely has a positive history of legitimate orders with, you are virtually guaranteed that the order will be delivered!

3. Use email spam services and send out a spam email immediately after the purchase is made. This ensures that the email from the shopping site is not read by the account holder, or the gift cards/digital items you purchased do not reach them. There are many email spam services out there.

🔥 Another hot sauce is using ad blockers like uBlock Origin 🔥
Remember the concept of blending in with the crowd? This also applies to shopping patterns: ad blockers block scripts that track users’ movements on a site, effectively blinding the AI to any actions you take; while you might think that this would make the AI suspicious and immediately block you, that’s not going to happen, of course, because millions of people use ad blockers, and by using one, you’re effectively blending in with millions of people whose shopping activity the AI can’t track. This works so well on one site that I used to actually charge people to help me order things using it. And now I’m giving it to you for free.

🏠 Address
Now let’s talk about the last step of our journey, the shipping address. Honestly, this is the most important part of the entire order, and it can either make or break it. Some major shopping sites like Amazon and Walmart may give you some slack when it comes to the shipping address, but others like Forter, Signifyd, Riskified play hardball and close transactions to addresses with a history of fraudulent orders.

Now, you can try these household services that are floating around on forums and Telegram, but they are a bit like playing roulette - unpredictable and often risky. They may even give you away, and in the worst case, your stuff may get stolen. Another option is to use services like Reship, Shipito, etc., but let's be realistic - these addresses have been raped and harassed by carders since time immemorial, not to mention they tend to suddenly demand complex KYC processes once they smell carded goods. So how do we deal with this reliably? Enter my free sauce for you scumbags:

🔥 Free Sauce, Address Jigging 🔥
Address jigging, mostly used by sneakerheads, is in my experience an effective way to bypass AI system address checks. Remember, we are bypassing AI systems, they may be smart but they are not infallible and one of the notable weaknesses of these AI systems is that they have no imagination and that is the part we use to deliver our orders. 🎯
Address jigging involves intentionally changing your shipping address just enough to be different, but not too much that your items will not be delivered.

1. 4-letter jigging: Add four random letters in front of your address. The AI may see it differently, but your UPS driver won't notice. Profit.
2. The abbreviation game: Change the street or road to abbreviations. This may not fool strict sites, but it works from time to time.
3. Apartment/Floor: If you’re not in an apartment, add “APT” to signal a change in the fraud protection system. The courier doesn’t care. Gold.
4. On/On the Jig: Attach “on” or “on” to your street number. Interferes with the AI systems and you’re done.

📚 Understand Your Enemy
Congratulations, you’ve made it this far, I wish you could take everything I’ve laid out here to heart, but there’s an important missing piece of the puzzle you need to understand that should underpin all of your carding sessions: you need to understand your enemy. Every website is different, they have different checkout flows, different fraud control systems, and different rigors in how they use their fraud control. It’s not just about success; it’s about consistent success – and knowing your enemy absolutely ensures that.

🌐 One way to do this is to check the HTTP console and look for clues as to what anti-fraud system the website is using:
For example, Farfetch uses Riskified:

🔗 Riskified's Fraud Score calculation guide can be found here:
https://www.riskified.com/learning/fraud/guide-fraud-score-scoring-models/
https://support.riskified.com/hc/en-us/articles/360012160393-API-Integration-Guide-

🔗 You can also sign up for these services and have your fingerprint verified. A good example of this is SEON, which allows you to sign up without going through the KYC process, although this is only effective if the site you are trying to influence uses SEON:
https://seon.io/try-for-free/

🔍 Another service is Stripe, where you can sign up and use their Radar service, place a couple of orders through it, and see how they rate your sessions:

Once you sign up for these sites, you can use your API keys to approve 3DS-verified “fictitious orders” to make sure the system trusts you enough that when you go in for the carding, you can get away with it without a problem.

🤝 Got it. I’ve raised my fraud IQ, but why are you giving them away for free?
I think we should all work together to improve the industry as a whole and not look at each other as competitors in this space. The more we share knowledge with each other, the better we all become, the more money can be made for each of us. This is a three-part series exclusive to Carder.Market, and I’ll be posting the next installment (payout) probably next week. See you there! 🚀
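
Editor's added example (not part of the original post, and not Stripe's code): how a merchant's own transaction history yields the per-IP signals the post names ("Previous IP Disputes", "Authorization Rate", "Number of Cards Previously Associated With"), which third-party IP reputation lists cannot see. The record layout, the thresholds and the sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from typing import NamedTuple


class Attempt(NamedTuple):
    ip: str
    card_token: str   # tokenized card reference, never the PAN
    authorized: bool
    disputed: bool    # set later if the charge was disputed


# Constructed history (documentation IP ranges, made-up tokens).
HISTORY = [
    Attempt("203.0.113.7", "tok_a", False, False),
    Attempt("203.0.113.7", "tok_b", False, False),
    Attempt("203.0.113.7", "tok_c", True, True),
    Attempt("203.0.113.7", "tok_d", False, False),
    Attempt("203.0.113.7", "tok_e", False, False),
    Attempt("198.51.100.20", "tok_z", True, False),
    Attempt("198.51.100.20", "tok_z", True, False),
]


def ip_features(history):
    """Aggregate per-IP features from past payment attempts."""
    cards = defaultdict(set)
    attempts = defaultdict(int)
    auths = defaultdict(int)
    disputes = defaultdict(int)
    for a in history:
        cards[a.ip].add(a.card_token)
        attempts[a.ip] += 1
        auths[a.ip] += a.authorized
        disputes[a.ip] += a.disputed
    return {
        ip: {
            "distinct_cards": len(cards[ip]),
            "auth_rate": auths[ip] / attempts[ip],
            "disputes": disputes[ip],
        }
        for ip in attempts
    }


def assess(ip, features, max_cards=3, min_auth_rate=0.5):
    """Return the risk reasons for an IP; thresholds are illustrative."""
    f = features.get(ip)
    if f is None:
        return []  # no first-party history for this address
    reasons = []
    if f["distinct_cards"] > max_cards:
        reasons.append("many_cards")
    if f["auth_rate"] < min_auth_rate:
        reasons.append("low_auth_rate")
    if f["disputes"] > 0:
        reasons.append("prior_disputes")
    return reasons


if __name__ == "__main__":
    feats = ip_features(HISTORY)
    for ip in feats:
        print(ip, feats[ip], assess(ip, feats))
```
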

Solid thread, Carder — props for laying out the fundamentals without the ego trip. Your breakdown on the AI arms race (Stripe Radar, Signifyd, etc.) is timeless, but man, 2025's cranked the dial with agentic AI fraud tools flipping the script on detection. I've been knee-deep in this for over a year now, running ops on everything from Shopify micro-drops to luxury plays like Net-a-Porter and Mytheresa. Your iCloud Relay and jigging hacks were straight fire — saved my ass on a $5k handbag run last week when Riskified's device graph almost clocked the session. Pulled logs from 80+ attempts Q3-Q4 this year, and yeah, the AIs are pattern-sniffing like never before: even "clean" residential IPs with matching BINs get nuked if there's a 0.5s mouse lag or a fingerprint entropy spike. Let me layer on with battle-tested refinements, fresh pitfalls from the field, and some 2025-specific counters. This is raw op-sec, no cap — ROI's held at 15x on my stack.

IP Rotation: From Static to Adaptive Shadows

Nailed it on residential over datacenter; those VPS scraps are DOA in 2025 with Sift's machine learning tying IPs to global fraud lakes in real-time. But static pools? Forget it — velocity checks now cap at 2-3 txns per 24h per node, per Forter's updates. Edge play: Dynamic chaining with session-aware rotation. I run IPRoyal Pawns ($2.50/GB, 10M+ US/EU residential) funneled through a mid-tier SOCKS5 from Smartproxy ($8.5/GB for mobile 4G). Script it in Python (requests + their REST API) to swap every 5-7 mins mid-funnel, but only on non-critical pages — checkout stays locked to one for geo-consistency.

Health check ritual: Pre-op, blast each batch through IPQualityScore's API (free tier: 1k lookups/mo) and MaxMind GeoIP2 Precision ($0.0001/query). Filter for fraud score <2%, abuse velocity <1%, and zero Tor exit flags. Pitfall I learned hard: "Marketer-grade" means recycled from blackhat SEO farms — last month, a 30% auth dip until I added a custom velocity scraper (BeautifulSoup on Shodan.io for IP-card associations). Pro move: For recon, layer Tor browser exits (Tails OS on a USB rig) but throttle to 50kb/s to mask latency; never touch it for live drops.

Your iCloud Relay gem evolves in iOS 18.2+: Pair it with a Checkra1n-jailbroken iPhone 14 (or M-series Mac via Blackbird) and route through Shadowrocket ($2.99 App Store) for granular rules — block all but essential trackers. It's ghost-mode for Apple-heavy sites; Riskified's models hesitate to flag it, fearing false positives on legit iCloud traffic. Mobile twist: eSIM churn with Dent or Ubigi ($3-6/mo for EU/US 5G pools) auto-rotates every 12h. Battery drain's a bitch, but spoof it at 65% via Frida hooks if you're scripting. Tested on a digital SaaS drop: 97% pass vs. 55% on vanilla proxies.

Fingerprint Evasion: Entropy Engineering at Scale

Anti-detects are entry-level; the 2025 killer is persistent graph busting. SEON and Accertify now cross-link sessions via probabilistic fingerprinting — one canvas hash mismatch across devices, and your whole cluster's burned. Your toolkit (CheBrowser, Kameleo) holds up; I'd slot GoLogin Pro ($59/mo) at the top for its ML-based noise injection — randomizes WebGL shaders by 0.8-1.5% to ape natural variance from GPU wear. Underrated: Incogniton ($29.99/mo) for canvas font rendering tweaks; set to "system default" (Segoe UI on Win11) and cap plugins to 2-3 (Flash ghost + a fake PDF reader).

Deep dive script: Node.js with Puppeteer-extra-plugin-stealth for baseline stealth, then inject:
  • User-Agent: Chrome 120.0 on Win10 (most common, per StatCounter).
  • Timezone/ lang: Exact cardholder match (binlist.net API pull).
  • Hardware concurrency: 4-8 cores, screen res 1920x1080.
  • Entropy sauce: Subtle JS override for AudioContext fingerprint — add 1-2ms reverb delay variance to mimic room acoustics.

iOS reset + Surge is chef's kiss, but 2025 update: Sideloading via AltStore 2.0 with a patched WebKit (disable JIT for tracker evasion) blocks 95% of Radarly beacons. Mobile emus? Genymotion Cloud ($0.10/hr) for Android 14, spoofed with Magisk Delta modules (Hide My Applist + Shamiko) to fake Google Play Services. Pitfall alert: Battery/sensor leaks are rampant now — Accertify pulls charge cycles and accelerometer data for "human motion" scoring. Lock battery at 75% via adb shell commands, and simulate tilt with randomized gyro inputs (0.1-0.3 rad/s). Field test on Farfetch: 92% approval on emulated vs. 40% raw.

Behavioral Mimicry: From Bots to Believable Humans

80% of flags are behavior-based, no contest — your hesitation tip is gold, but AIs like DataDome now score "session entropy" with gen-AI pattern recognition, flagging linear scrolls or uniform click depths. Legit sessions clock 15-25 mins, 4-7 product deep-dives, with 20% backtracks. My stack: Puppeteer with humanize-ts lib for Bezier mouse paths (curvature 0.3-0.7, speed 150-350px/s) and keystroke dynamics (80-250ms delays, 15% backspace rate on forms). Alt: Playwright + faker.js for dynamic content gen — script "thought pauses" (2-5s on pricing pages).

Digital goods hack: Your email burial's evolved — use aged PVAs from SMS-Activate ($0.10/account) warmed with 3-5 legit logins over a week. Spam burial via 10minutemail API chains, but add a twist: Forward the order conf to a dead drop (ProtonMail self-destruct). uBlock's clutch, but 2025 pro: Pi-hole on a Raspberry Pi4 ($35 setup) for network-wide tracker nuking during sessions — mimics privacy-conscious users without JS breaks.

Horror story: $3k electronics drop tanked because CVV input was too crisp — no hunt-and-peck. Now, I enforce 25% typo rate (Tab + backspace sim), corrected on retry. For high-ticket, add "cart abandonment recovery" — script a 24h pause, then return via incognito with 10% price change tolerance.

Address Alchemy & Drop Fortification

Jigging's an art — your mods (random letters, abbrevs) dodge regex, but UPS/FedEx's 2025 AI parses semantics now, flagging "APT" on single-family via geospatial cross-checks. Refine: Urban plays get "c/o [initial]. [Lastname]" (e.g., "c/o R. Smith Apt 2B") for co-op vibes; rural, tack "# [low digit]" to house num. Ditch POBs hard — Signifyd's blacklisted 90% post-Q1. Drop hygiene: Weekly mule rotation, pre-warm with $15-20 legit (your GC via Privacy.com) 36-72h out. Track via USPS Informed Delivery spoof (fake account alerts).

Emerging 2025 Vectors: Agentic AI & Counter-Detection

Quick forward-look: Fraudsters are wielding agentic AI (think autonomous shopping bots via LangChain + GPT-5 wrappers) to "warm" sites organically — simulate 50+ sessions per target over weeks, bypassing rules-based holdouts. Counter: Your console recon's key; hunt for SDKs like FingerprintJS v4 in dev tools. Test beds: Free SEON trial or Stripe's Radar simulator — approve dummy orders to benchmark your profile.

Risks amp'd: Cross-merchant blackholing via shared AI consortia (e.g., Merchant Risk Council data pools). Cap at 2 drops per vertical/week. Legal: No-log VPNs only (ProtonVPN audited, $5/mo). Biometrics incoming — Apple Pay's neural hash on Face ID; spoof via ARKit overrides on emus.

Payout tease: In-app IAP fraud's exploding with SDK gaps — next thread? Drop your Q4 auth rates; mine's 88% on luxury. EV SSL for phish? Let's collab — bypasses via Let's Encrypt wildcards + HSTS preload skips work 70%, but Cloudflare's WAF kills it.

Stay sharp, shadows. Intel like this keeps us ahead.
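
Editor's added example (not part of either post, and not any vendor's code): the address variations described in this thread (prefixed letters, suffix abbreviations, added "APT" or "#" units, "c/o" lines) are countered on the merchant side by reducing each shipping address to a coarse linking key, so that chargeback history and velocity counts attach to the physical address rather than to its spelling. The rules, suffix table and sample orders are constructed assumptions; production systems normally use a postal-authority address validation service instead.

```python
import re
from collections import defaultdict

# Street-suffix spellings mapped to one form (small illustrative table).
SUFFIX = {"street": "st", "road": "rd", "avenue": "ave", "drive": "dr",
          "lane": "ln", "boulevard": "blvd", "court": "ct"}

# "c/o R. Smith" style care-of clauses.
CARE_OF = re.compile(r"\bc/o\s+(?:[a-z]\.\s*)?[a-z]+")
# Unit designators with an optional unit value ("apt", "apt 2b", "# 4").
UNIT = re.compile(
    r"(?:\b(?:apt|apartment|unit|suite|ste|floor|fl)\b\.?|#)"
    r"\s*(?:[a-z]?\d+[a-z]?\b|[a-z]\b)?"
)


def canonical_key(line1: str, postal: str) -> str:
    """Coarse linking key for history lookups; not a deliverable address.

    Real units in multi-unit buildings collapse to the building on purpose:
    the key is used to join risk history, not to route parcels.
    """
    s = line1.lower()
    s = CARE_OF.sub(" ", s)
    s = UNIT.sub(" ", s)
    tokens = re.findall(r"[a-z0-9]+", s)
    # Drop anything placed before the house number (e.g. random letters).
    for i, tok in enumerate(tokens):
        if tok[0].isdigit():
            tokens = tokens[i:]
            break
    tokens = [SUFFIX.get(t, t) for t in tokens]
    zip5 = re.sub(r"\D", "", postal)[:5]
    return " ".join(tokens) + "|" + zip5


def spelling_variants(orders):
    """Map each key to its raw spellings, keeping keys seen spelled 2+ ways."""
    seen = defaultdict(set)
    for _order_id, line1, postal in orders:
        seen[canonical_key(line1, postal)].add(line1)
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}


# Constructed sample orders: (order id, address line 1, postal code).
ORDERS = [
    ("o1", "123 Main Street", "97201"),
    ("o2", "QXZR 123 Main St", "97201"),
    ("o3", "123 Main St. APT", "97201"),
    ("o4", "c/o R. Smith 123 Main St Apt 2B", "97201"),
    ("o5", "77 Oak Road", "97201"),
]

if __name__ == "__main__":
    for key, spellings in spelling_variants(ORDERS).items():
        print(key, "<-", spellings)
```
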