A carding forum is usually accessible through the dark net. This is why the “underground” descriptor is usually affixed to the term. The dark net portion of the Internet is not indexed, and is therefore more difficult to access through Google and other mainstream search engines. In most cases, carding forums are so well hidden that they are impossible to access without traffic being routed through a TOR browser.
To read more about the dark net, check out the following links:
Black Web: A Definition
Discovering the Darknet: A Journey below the Web and Social Sphere
Carding Forum Profiles
Complete profiles are known as fullz. These profiles include everything a cybercriminal would need to assume the identity of the person who owns the credit card. It also ensures they won’t be personally implicated when making a fraudulent purchase. It is important to note that a credit card number by itself is useless, as most e-commerce companies implement some form of multifactor authentication process which separates the lower class of thieves from the highly-skilled ones.
The price of a profile, therefore, depends on how complete it is, usually ranging $20 to $50. The lower the price, the more likely the profile is the work of a script kiddie or con artist posing as a top notched hacker. As the old saying goes: “There is no honor among thieves.” This is especially true within the realms an underground carding forum.
Keeping Customer Information from Appearing on a Carding Forum
Unless you’re living under a rock, you are probably aware that modern credit card theft is rarely done in person. Information these days is siphoned through some form of electronic means. If a hacker can prevent a credit card from being reported as “lost” or “stolen,” and verify the financial status of its holder (meaning that any fraudulent transaction will not be denied due to insufficient funds), he will generally place the profile for sale on a carding forum.
There can be no carding forums without complete or somewhat useful profiles. A main hurdle in the profile creation process is the retrieval of card security codes (CSCs). This is the three (3) digit pin found on the back of most credit cards. In commercial platforms, these numbers are masked to prevent their interception and reuse. But this alone isn’t enough to protect them from keyloggers.
In cyber warfare, software is often countered with other software. On-screen keyboards (OSKs) are proven solutions to key logging and other snooping mechanisms, and many organizations have begun implementing these to protect the data of their customers. Techniques which further mask keystrokes is also used to helped prevent the likelihood of remote screen grabbing. A hacker’s arsenal is varied, which means that a system analyst must be just as skilled in order to stand a fighting chance.
Hacking Financial Institutions
If a hacker finds it impossible to obtain credit card information from the consumer’s side, it is not uncommon for them to go after the financial institutions. Joker’s Stash, one of the largest carding forums, for example, saw the dumping of 1.3 million Indian debit cards in October 2019. These profiles were being sold for as much as $100! And just eight (8) months prior, 2.15 million American cards went up for sale on the same site.
Statistics on whether or not this data has been used have yet to be released, but it is likely that a lot of the information was at least sold. The profiles are rarely used immediately, as those who acquire them are often patient and wait for the right opportunity. This could be when the true cardholders increase their card transaction limits, or when additional information can be collected to strengthen a fraudulent transaction.
An unfortunate statistic about credit card theft in America is that 90% of credit card holders’ information is circulating somewhere on the dark net. To make matters worse, the companies that claim to be able to remove your data from carding forums have very little effect. Once something is sold, there really is no going back (unless the buyer were to ask for a refund). But credit card security has undoubtedly come a long way. Chip and security pin protocols go a long way in blocking unauthorized card transactions. This, coupled with approval requests, is just about all you can do to protect yourself at this time.