Method/TUT - How To Bypass Modern AI Anti-Fraud Systems 🛡️ | CardTube | Crax

Method/TUT How To Bypass Modern AI Anti-Fraud Systems 🛡️

zaynarcker


Ever wondered how you could have what is arguably the most flawless setup (high balance card, proper BIN, clean same city socks) imaginable on the cyberspace and still not get a good hit while carding something online? Ever wondered why Stripe keeps refusing your ā€˜high-balanceā€™ card even for a low amount? Or why even a cheap order on Shopify gets cancelled due to ā€˜unforeseen circumstancesā€™? šŸ¤”




šŸ›‘ The answer is quite simple: AI Anti-Fraud Systems. And today weā€™re tackling this concept that is foreign to noobs, but seasoned carders are all too familiar with. Understanding it essentially guarantees a shipment notification in your email, and not an order cancellation notice.

šŸ” What are modern anti-fraud systems?


Antifraud systems are essentially gates and hoops you have to bypass (besides the bank) in order for your order to get successfully processed. The systems decide whether to force you to go through 3DS, or not. The companies who run these include, but not limited to:

Stripe Radar
Signifyd
Riskified
Accertify
Forter
SEON





šŸ’” Who came up with this shit?

While large websites like Amazon, Walmart, etc roll their own, corporate assholes figured out that thereā€™s money to be made in stopping script kiddies from copy pasting free CCs from Telegram and getting their iPhone 15 Pro Maxes next day. Somehow they had the brilliant idea of offering fraud prevention as a service (SaaS). Their pitch to business owners was simple: You install our javascript on your website and we watch over everyone whoā€™s trying to make an order from your store, we get to decide whether an order is approved or not. All orders we process we take a % cut. If we approve an order and it turns out to be fraudulent and the cardholder charges back, we compensate you 100% for your loss.

This is probably one of the most profitable venture ever created, just a little bit below a casino. Think about it: Not only are there statistically a minuscule percentage of fraudulent orders compared to legitimate ones, an overwhelming majority of carders doing fraud areā€”lets admit itā€”noobs and are very easy to detect. If youā€™re one, then keep reading as this is perfect for you.


🔒 But what makes them different?

Two words: data & AI. Modern antifraud systems became much more effective since they are equipped with more data—since hundreds/thousands of businesses use them, they are effectively collecting order data from thousands of shopping websites—and this in turn results in far superior AI decision making. These systems assess your risk in a point system where each hit or risky aspect of your purchase adds to your overall ‘risk score’. Their software is actually much easier to deploy, giving the business owner the peace of mind that there will be minimal chargebacks on their shopping site, and if ever there were, they are covered and compensated by the antifraud’s guarantee system.





😎 At the heart of this is the tradeoff between true positives and false positives. An antifraud system that is too strict will block MOST of the fraudulent orders while at the same time blocking a huge portion of false positives (legitimate purchases). This is bad for the shop owner, as oftentimes their loss from blocked legitimate purchases is higher than the actual possibility of loss from fraudulent purchases; not to mention it damages their reputation whenever a legitimate customer attempts to purchase and is suddenly blocked without doing anything wrong. The job of the fraud detection companies is to fine-tune their AI and balance true positives against false positives.

And they need to make it as seamless as possible. A shopping owner nowadays wouldnā€™t have to hassle themselves in deciding if they should ship a shiny new PS5 to Brandon from Portland; the AI had already decided to reject the transaction because it has data that someone from the same delivery address charged-back a dildo purchase from six months ago. And if youā€™re shipping to a freight forwarder, good luck, because there are probably countless dildos already fraudulently purchased to that warehouseā€™s address. šŸ˜…

šŸ’» Ok I get it, Iā€™m fucked, how can I be not fucked?

ā€œGive me six hours to chop down a tree and I will spend the first four sharpening the knife.ā€

ā€” Abraham Lincoln


Before you can start mowing down the shopping sites with your 517805s and 518698s you first need to understand what data during shopping is taken, how it is processed, and how huge of a factor each data plays in the AIā€™s decisions making process.


šŸŒ Common misconception regarding your IP address.



Back in the days you just needed choose a proxy in the same city/state as the billing of the card and youā€™re good to go. Go make a quick search on the forums for guides, and thatā€™s pretty much what everyone tells you: same IP city or state of the billing, and voila, your order goes from processing to preparing for shipment. That couldnā€™t bw further from truth nowadays. While proximity of your IP is a factor to the systemā€™s decision making, it isnā€™t the ONLY factor, nor is it the most important one.

The opposite is also true: if same city/state to cardholderā€™s billing is the most important deciding factor, why is it that your relatives, who orders online from anywhere else in the country still get their orders processed? Why is it that your Uncle, whoā€™s taking a vacation thousands of miles away from his billing address is still having no troubles getting his legitimate orders through?

šŸ“ŠIP quality > IP proximity. When deciding regarding your IP address, IP quality is a far more important factor than proximity. You could be using an IP on the same street as the billing details of your card, but if it was ran over a thousand times already by other cards your order will simply not push through.

Some websites that offer IP health checks include:

Scamalytics https://scamalytics.com/ip
Seon (this is good if youā€™re trying to hit a site that uses SEON to block fraud, as you get a picture of how the service looks at your IP) https://seon.io/resources/ip-fraud-score/
IPscore.IO https://ipscore.io/

These help with assessing your IPā€™s health, but it doesnā€™t paint the entire picture. Consider the recent IP address somebody used that scored extremely low on all these services. It passed through these tests with flying colors yet it failed Stripeā€™s Radar for mere $45 purchase:




šŸ”Why? Letā€™s take a look at Stripeā€™s AI decision-making:




Notice the ā€˜Previous disputes from IPā€™, ā€˜Authorization rateā€™, and ā€˜Number of cards previously associated withā€™?
While the IP health services sees the IP as clean, itā€™s obvious it has been ran over hundreds of times in the past hence the transaction failed.

šŸ’”But if I had no way of reliably knowing if the IP is clean or not, how can I pick which one?

You can increase your chance tremendously by combining the data you have: first the cleanliness of the IP on these tools, and the source youā€™re getting the IPs from. Making sure your IPs are actually squeaky clean is also a multi-step process:

1. First thing you need to make sure is that youā€™re getting either residential IPs, or 4G LTE IPs.
Some ISPs offer IP blocks to companies who host proxies on their own servers, while these proxies are FAST, they are considered ā€˜RISKYā€™ by fraud AIs as thereā€™s really a low chance an actual consumer will be using an IP from a company server. Steer clear of them and just use residential IP proxies.

2. Make sure the Socks/Proxy provider doesnā€™t primarily cater to carders/fraud audience
One extra tip is to go through each provider & know who they are primarily catering to. A company that is primarily offering its proxies to fraudsters give you a lower chance of success as its pool is most likely tainted by its own customers.

For example: while combing through CardProā€™s Proxy Section and picking a part each company offering their services, I can confidently say that ALL of them primarily cater to marketers, so their IPs pools are most likely CLEAN than random services online who source their IPs with malware-infected hosts.

3. The bigger the provider pool, the better
A proxy platform that offers a huge pool, sometimes upwards of millions, tend to increase your chances of success simply because any IP yo get will have a lower chance of having been used in the past by another fraudster. This effectively bypasses the pitfalls that happened to the Stripe transaction above.



Best Residential Proxy Right Now: https://www.922proxy.com/

šŸ”„MY EXTRA SECRET SAUCE REGARDING IPs FOR FREEšŸ”„
If you want the best of the best, cleanest IP address you can find, then get an Apple device and use their iCloud Private Relay VPN:





Not only does it help you with privacy, Antifraud checker systems are forced to give a low fraud rating to IPs in Appleā€™s pool, simply because they are shared by all Apple users who uses Safari, and punishing any IP inside the pool will cause legitimate Apple device customers who uses the services to get hit too, causing legitimate purchases to get cancelled. Abuse this while Apple is forcing these privacy-breaking companiesā€™ hands.

https://news.ycombinator.com/item?id=27760391


šŸ•µļøā€ā™‚ļø Now, shifting gears from picking the right IPs, let's talk about another crucial detail : your browser fingerprint. It's like your browser's unique ID card on the internet and it's as vital as choosing the right IP.
Picture this: you've nailed the IP game, but forget about your browser fingerprint, and you might as well be wearing a neon ā€˜fraudsterā€™ sign online.
Surprisingly, a lot of newcomers in the carding scene fumble on this step, and that's where things can go south real quick.


šŸ”What is a browser fingerprint?


Your browser fingerprint is like your browser's secret recipe ā€“ a unique mix that makes it stand out online. When you visit a website, your browser spills the beans, sharing info like its version, type, operating system, screen resolution, plugins, fonts, time zone, language preferences ā€“ the works. And thanks to JavaScript, websites can even unearth more details about your browser's capabilities and device features. So, as you move through the internet, your browser unwittingly reveals its detailsā€”even your fucking battery percentage!ā€”basically broadcasting your digital identity to the websitesā€™ servers and antifraud mechanisms.




Companies collect millions of these fingerprints, as left by their users. By piecing together these fingerprints, they create a coherent picture of visitors without them even realizing it. It's like assembling a puzzle of online habits, preferences, and activities to get to know users on a more detailed level. By analyzing patterns and details, these systems can effectively assess whether a person has engaged in fraud in the past, linking their current browser & sessions with previous order sessions. Inversely, they can piece together that your current session does not fall in line with the cardholderā€™s sessions, ultimately resulting in declined/cancelled orders.





So, here's the deal with browser fingerprints: some folks think they should be like the James Bond of the internet ā€“ all unique and untraceable. But here's the twist ā€“ that's not the right move with fingerprints. Unlike IP addresses where you're after the squeakiest clean, with browser fingerprints, you're aiming for the dirtiest, most common fingerprint possible, as this allows you to blend in the crowd like any normal person would!

šŸŒAntidetect Browsers

Enter antidetect browsers ā€“ these are like your secret weapon. They're special browsers designed to make you blend in even more and throw off those pesky JavaScript trackers by antifraud systems. They let you tweak things like your user agent, disable browser plugins, and mess with cookie settings. The goal? To make your online fingerprint look so generic that it's hard to pick you out from the crowd. Plus, they help prevent trackers from linking your different online sessions on the same device. Some of these include:

CheBrowser
Linken Sphere
Multilogin
Kameleo
GoLogin
Incogniton

These browsers are primarily used by internet marketers and botters who snag the next Nike release, and for a monthly price they pretty much do all the heavy lifting in making sure each session is different from the other, while at the same time maintaining a ā€˜genericnessā€™ to it that makes you mix perfectly with the crowd.

Each browsers have their strengths and weaknesses, so try as many as you can and decide which works perfectly for your workflow. Just make sure you remember what I said: your goal with these browsers is to be as ā€˜non-uniqueā€™ as possible!

šŸ”„MY EXTRA SECRET SAUCE REGARDING Anti-detect/Browser FingerprintsšŸ”„
Hereā€™s another free sauce that will surely help your workflow. Did you know most Safari browsers on iOS have similar fingerprints? And here's the kicker ā€“ even iOS apps can't track your device 'hardware id' between resets.
So reset your iPhone, install the Surge App on the App Store, connect to your proxy and change your timezone: bam! you have the most perfect piece of anti detect software there is. Thereā€™s a reason why expert carders showing off their orders being shipped all take screenshots with their iPhones: it is simply the best tool to get the job done.

šŸ›’Browsing Patterns


Another huge part of the order flow that raises a red flag and increases your ā€˜risk scoreā€™ to the eyes of AI systems is your browsing pattern. Think about it: what kind of animal of a person would go to a shopping site, pick an expensive item within a span of a couple of seconds, checkout by pasting their credit card info, and keep refreshing the order status page every couple of minutes? Thatā€™s right, a CARDER.

Humans are creatures of habit, and these antifraud companies know this: thatā€™s why their systems are geared towards statistically comparing patterns of legitimate buyers to fraudsters, and using the recognized pattern to make decisions whether to approve orders or not. This is all done through the magic of modern Javascript, where all your cursor movements, clicks, scrolls, keystrokes, pastes, etc are recorded to perfection. Seriously check out the console for how many data goes to Stripe upon loading the page:





These data (117 requests) were gathered within a couple of seconds of loading the page. A single click creates a request to Stripeā€™s Radar servers letting them know that you clicked here and there. Now imagine this sort of thing being embedded in ALL of the pages in the shopping website. Yes, clicking the first expensive thing you see and going through the checkout page like a madman with a bunch of cards will surely get your session fucked.

šŸ”„ So how do I bypass this? Pretend like an 80-year old lady from Arkansas?

Perhaps you could, most antifraud pattern matching systemsā€”except Amazon, because Amazon is retardedā€”in my experience gives enough leeway for a purchaser even if the activity patterns donā€™t really match. Spend a couple of minutes here and there, pretend youā€™re having second-thoughts about your purchase, be finicky, scroll and check other products, just wander around a bit before going for the kill.

Again, always think about the diagram I showed you earlier: these systems want to be strict and catch noob carders, but they DONT WANT TO BE TOO STRICT and block legitimate purchases and hurt their clientā€™s bottomline.

šŸ”„MY EXTRA SECRET SAUCE REGARDING Shopping PatternsšŸ”„
(Donā€™t worry, this doesnā€™t require Apple devices anymore.) šŸ˜…
One extra-spicy method that weā€™ve been using all these years in order to bypass fraud checks, and this is especially effective for digital items is split in three steps:

1. Make sure the website accepts signup/checkout with ANY email without any form of email verification. If youā€™re purchasing a gift card, make sure that the gift card gets sent to an email of your choosing, or stored in the order history page that is completely accessible to you without OTP being sent to the person who ordered.

2. Checkout using the cardholderā€™s own email. Weird right? Well when you use the cardholderā€™s email, which the cardholder has most likely have a positive history of legitimate orders from, youā€™re pretty much guaranteeing the order will go through!

3. Use email spam services and spam the email right after the purchase was done. This guarantees the email from the shopping website doesnā€™t get read by the account holder, or the gift cards/digital goodies you purchased gets to him. There are plenty of email spam services out there.







šŸ”„Another Spicy Sauce is using Ad Blockers like uBlock OriginšŸ”„
Remember the concept of blending in the crowd? This also applies to shopping patterns: AdBlockers block scripts that track a users movement in the site, effectively making the AI blind to any of your actions; while you may think this will make the AI suspicious and outright block you it will surely wonā€™t because millions of people use ad-blocks, and by using one youā€™re effectively blending in with millions of people whoā€™s activity inside the shop the AI cannot track. This works so good on some site I used to actually charge people to help them order stuff while using this. And now Iā€™m giving it to you for free.


šŸ Address


Now, let's talk about the last leg of our journey ā€“ the delivery address. Honestly, it's a critical part of the whole order thing and can either make it or break it. Some big-shot shopping sites like Amazon and Walmart might cut you some slack when it comes to the delivery address, but others, like Forter, Signifyd, Riskified, play hardball and shut down transactions to addresses with a history of fraudulent orders.

Now, you could try these residential drop services floating around the forums and Telegram, but they're a bit like playing roulette ā€“ unpredictable and often risky. They might even rat you out, and worst-case scenario, your stuff could get swiped. Another option is hopping on services like Reship, Shipito, etc., but let's be real ā€“ those addresses have been raped by molested by carders since time immemorial, not to mention they tend to suddenly require complicated KYC processes once they catch a whiff of carded items. So how do we reliably deal with this? Enter my free sauce for you miscreants:

šŸ”„Free Sauce, Address JiggingšŸ”„
Address jigging, primarily used by sneaker botters, is in my experience, an effective way of bypassing address checks by AI system. Remember weā€™re bypassing AI systems, they might be smart but theyā€™re not infallible, and one prominent weakness of these AI systems is they have no imagination, and this is the part we exploit to get our orders through. šŸŽÆ
Address jigging involves intentionally changing your delivery address just enough for it to be different, but not too much for your items to not get delivered.

1. 4 Letter Jig: Add four random letters in front of your address. The AI might see it differently, but your UPS driver won't notice. Profit.
2. Abbreviation Game: Swap street or road with abbreviations. It may not fool strict sites, but it works from time to time.
3. Apartment/Floor Twist: If you're not in an apartment, throw in "APT" to signal a change to the antifraud system. The courier won't care. Gold.
4. On/At Jig: Stick "on" or "at" to your street number. Messes with the AI systems, and you're good to go.




šŸ“šUnderstand your enemy


Congratulations, youā€™ve gotten this far, I wish youā€™ve taken all Iā€™ve laid out here to heart, but thereā€™s a crucial missing piece of the puzzle you must understand that should premise all your carding sessions: you must understand your enemy. Each website is different, they have different checkout flows, different antifraud systems, and different rigidity in how they employ their antifraud. Itā€™s not just about success; itā€™s about consistent successā€”and knowing your enemy fully-well guarantees this.

šŸŒ One way you can go about this is by checking the HTTP console and looking for clues as to what fraud system the website employs:
For example, Farfetch uses Riskified:




šŸ”—You can find the guide on how fraud score is calculated by Riskified here:
https://www.riskified.com/learning/fraud/guide-fraud-score-scoring-models/
https://support.riskified.com/hc/en-us/articles/360012160393-API-Integration-Guide-

šŸ”—You can also sign-up to these services, and test your fingerprint, one good example of this is SEON which allows non-KYC sign ups, though this is only effective if the site youā€™re trying to hit uses SEON:
https://seon.io/try-for-free/


šŸ” Another one is Stripe, which you can sign up and use their Radar service, get a couple orders through and look at how they assess your sessions:



Once youā€™ve signed up for these sites you can use your API keys to approve ā€˜pretend ordersā€™ as 3DS validated making sure the system trusts you enough so that when you go for the kill you get away with it flawlessly.

šŸ¤Understood. Iā€™ve increased my fraud IQ, but why are you giving these away for free?
I think we should all work together for the improvement of the industry as a whole and not look at each other as competitors in the space. The more we share knowledge with each other, the better we all get, the better money there is to be made for each of us. This is a three part series exclusive to CrdPro, and I will be posting the next installation (cashing out) perhaps next week. See you then! šŸš€

USEFUL LINKS:
Best Residential Proxy Right Now: https://www.922proxy.com/
Best Checker That Doesn't Kill Cards (4Check):
https://shorturl.at/FG456
Seon Fraud Score Check:
https://seon.io/fraud-detection-services/ip-lookup-service-api/
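
Seen from the detection side, the address variations listed in the post are handled by canonicalising the street line before any order-history lookup, so that variants resolve to the same building-level key. The following is an added example, not part of the original post or any vendor's code; `canonical_address`, `score_order`, the lookup tables and `HISTORY` are constructed for illustration, and it assumes only the street line (address line 1) is passed in.

```python
from __future__ import annotations
import re

# Constructed tables (assumption): a production system would rely on a postal
# address-validation service instead of these short lists.
SUFFIXES = {"street": "st", "str": "st", "road": "rd", "avenue": "ave",
            "av": "ave", "boulevard": "blvd", "drive": "dr", "lane": "ln"}
UNIT_WORDS = {"apt", "apartment", "unit", "suite", "ste"}
FILLER = {"on", "at"}


def canonical_address(street_line: str) -> tuple[str, list[str]]:
    """Return (building-level key, anomaly flags) for one street line."""
    flags: list[str] = []
    tokens = re.findall(r"[a-z0-9]+", street_line.lower())

    # Anything in front of the house number is not part of the address.
    first_num = next((i for i, t in enumerate(tokens) if t[0].isdigit()), None)
    if first_num is None:
        return " ".join(tokens), ["no_house_number"]
    if first_num > 0:
        flags.append("text_before_house_number")
        tokens = tokens[first_num:]

    out: list[str] = []
    i = 0
    while i < len(tokens):
        t = tokens[i]
        if t in FILLER:
            flags.append("filler_word")
        elif t in UNIT_WORDS:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            if nxt and (nxt[0].isdigit() or len(nxt) <= 2):
                i += 1  # real unit value: excluded from the building-level key
            else:
                flags.append("unit_designator_without_value")
        else:
            out.append(SUFFIXES.get(t, t))  # one spelling per street suffix
        i += 1
    return " ".join(out), flags


# Constructed history: canonical key -> number of prior chargebacks.
HISTORY = {"123 main st": 2}


def score_order(street_line: str, history: dict[str, int] = HISTORY) -> dict:
    """Attach prior chargebacks and anomaly flags to an incoming order."""
    key, flags = canonical_address(street_line)
    return {"key": key, "flags": flags, "prior_chargebacks": history.get(key, 0)}


if __name__ == "__main__":
    # Constructed sample orders.
    for line in ["123 Main Street", "XKQZ 123 Main St", "123 Main St APT",
                 "123 on Main Str.", "456 Oak Avenue Apt 4B"]:
        print(line, "->", score_order(line))
```

The anomaly flags are themselves a signal: a street line that needed correction and also resolves to a key with prior chargebacks is a stronger indicator than either fact alone.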
 