Performance Objective

At the conclusion of the course the student will be able to:

  1. Describe why carders use proxies, browsing history cleaners, and MAC address changers.

  2. Describe what a drop site is.

  3. Describe how a carder conducts an operation in general terms.


Credit card fraud, or carding, is the act of using stolen information to conduct fraud. It is often conducted over the internet. While credit card fraud can also be conducted in person using simple and widely available cloning tools, that form of attack is outside the scope of this basic introduction to carding.

Getting Card Numbers

Acquisition of credit card numbers is trivial. Some methods include -

  1. Stealing the cards. This can be as simple as taking an unattended wallet at a gas station or the gym.

  2. Stealing bank statements from mailboxes.

  3. Identity Theft.

  4. Skimming Device or data reader.

  5. Compromise an ATM and replace a terminal with it.

  6. Buying cards in bulk from online marketplaces.

  7. Data breaches. Attacking a website that handles credit cards can provide huge numbers of cards for cheap.

Making Purchases

Stolen credit card information is normally used in two ways. The first is the physical method and the second is through online retailers.


Physical fraud requires equipment. Two important items are an embosser and a writer. These allow the criminal to create duplicates of credit cards that can then be used at most terminals.

Even secure chip-and-PIN credit cards can be defeated with a little work. Ars Technica reports that hackers were able to build the tools necessary to defeat chip-and-PIN using basic research tools.

Even when chip-and-PIN stops an attacker, some criminals are adept at getting the vendor to run their card in a more traditional manner, bypassing the security of chip-and-PIN in order to streamline the sale and assist the ‘customer’ whose card isn’t working. This demonstrates that physical fraud can also require confidence work and social engineering.


An online attack can be every bit as sophisticated as a physical one and roughly follows these steps.

  1. Create an identity. This often includes creating a Gmail account using some form of the cardholder's name. An example might be ‘’ and could require the use of a burner phone to activate the email account. This is sometimes circumvented by hiring people, through sites like Craigslist, to create or otherwise manage email addresses for the criminal.

  2. Acquire a VPN or gain illicit access to a computer in the general area of the cardholder's billing address. This allows the criminal to bypass some location-based defenses deployed by online vendors. An example would be an attacker using a computer in Belarus attempting to make a purchase with a card from Dallas, Texas. The location doesn’t add up, and the purchase will be flagged.

  3. Some criminals swear by MAC spoofing. This is useful if they are operating out of a cyber cafe or public Wi-Fi and wish to prevent evidence of their computer operating on that network from being easily found. TailsOS provides an excellent explanation of how MAC address spoofing works and why one may be interested in doing so. The reasoning is more in line with LAN tracking and forensics than attempting to bypass security on sites. Also view the ArchWiki on MAC spoofing.

  4. TAILS OS is an alternative to using your regular PC. I have also seen people use Puppy OS. The main issue is that you do not want any cookies, browser history, fingerprints, or identifiers that could identify your original system or any accounts connected to it. Some criminals advocate CCleaner for this need.

  5. Use a proxy for connecting to the site. Most advocate a SOCKS5 proxy. This allows you to make it appear that you are operating in a specific area and protects against being identified by anti-fraud measures.
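The location-based defense from step 2, seen from the merchant's side, as an added example that is not part of the original article. The `Order` fields, the 500 km threshold, and the `known_proxy` flag (assumed to come from an IP-reputation feed) are illustrative assumptions, and the sample orders are constructed.

```python
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

@dataclass
class Order:
    order_id: str
    billing: tuple      # (lat, lon) of the geocoded billing address
    client_ip: tuple    # (lat, lon) a GeoIP lookup returned for the client IP
    known_proxy: bool   # assumed to come from an IP-reputation feed

def distance_km(a, b):
    """Great-circle (haversine) distance between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def review_reasons(order, max_km=500):
    """Return the reasons an order should be held for manual review."""
    reasons = []
    if distance_km(order.billing, order.client_ip) > max_km:
        reasons.append("ip_far_from_billing")
    # A nearby IP proves little when the address is a proxy exit, so the
    # address's reputation is checked independently of the distance.
    if order.known_proxy:
        reasons.append("known_proxy_exit")
    return reasons

def triage(orders):
    """Map each order id to its list of review reasons (empty means pass)."""
    return {o.order_id: review_reasons(o) for o in orders}

# Constructed sample orders; coordinates are approximate city centres.
DALLAS, FORT_WORTH, MINSK = (32.7767, -96.7970), (32.7555, -97.3308), (53.9006, 27.5590)
SAMPLE_ORDERS = [
    Order("A-1001", DALLAS, FORT_WORTH, False),  # local customer
    Order("A-1002", DALLAS, MINSK, False),       # the Belarus/Dallas case
    Order("A-1003", DALLAS, FORT_WORTH, True),   # nearby IP on the proxy list
]

if __name__ == "__main__":
    for order_id, reasons in triage(SAMPLE_ORDERS).items():
        print(order_id, "HOLD" if reasons else "ok", reasons)
```

Only the second and third orders are held: one for distance, one because the nearby address is on the proxy list.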

Delivery, Drops, and Mules

A mule is a derogatory term used to describe an individual who is operating as a ‘beast of burden’, either knowingly or not, for a criminal element. Mules could be transporting drugs, money, or stolen goods, but this is not a limiting factor. Criminals look for individuals who are over-eager and desperate for work, and the internet gives them the ability to cast a wide net. While some individuals will actively seek this type of employment, it is not unheard of for an individual to be coerced or otherwise tricked into functioning as a mule for a criminal enterprise.

After a criminal has made a purchase or otherwise gained access to goods or money illicitly, they are still not free. Often the goods need to be smuggled out of one location and sent to another, or are otherwise still a potential liability. A criminal will use websites like Craigslist, Indeed, and other job advertisement sites to find individuals who are not familiar with their trade and attempt to convince them to assist in their endeavor. Smart criminals will appear legitimate. Often they will request copies of ID or social security numbers, or even provide fake tax documentation, so that when they are done with their target they can then victimize the individual by means of identity theft.

After locating a victim, the criminal will begin the process of laundering their goods. An example may look like -

  1. Victim receives job offer and agrees to what appears to be a ‘legitimate’ career as a package wrapper for holidays and birthdays.

  2. Criminal ships five brand new video game systems to the victim with instructions to wrap them, add a personalized card or message, and then forward those packages on to buyers or the thief themselves.

  3. If cash is involved, the victim may receive deposits in their bank account with instructions to wire the proceeds to the criminal or buyers.

  4. When law enforcement investigates the shipments, they will find the victim, who may be in possession of stolen money or goods. These are then seized, and the victim could potentially be charged.

  5. The criminal then vanishes and uses the victim's identity to commit fraud or otherwise stage further attacks.

Some red flags that an online job is a front for being a mule include -

  • The transferring of money or goods.
  • Job duties not described or vague.
  • All interactions conducted online with no phone or video contact.
  • No education or experience requirements.
  • Significant earnings or free goods included in salary for little effort.
  • Interactions are awkward or in broken English.
  • The offerer uses free email services.

Sometimes the fraudsters will just use local addresses such as abandoned or otherwise unwatched buildings, or will employ children to wait for packages and grab them off of porches. This is sometimes seen with narcotics deliveries. A child or teen will be hired to wait near a house, and a package will be sent to the home during a time when no presence is expected. The child will then interdict the package before it is seen by the homeowner. This allows a delivery to be made to a location with no connection between the sender and receiver. It also allows the child to potentially claim they were stealing packages instead of knowingly receiving narcotics, in the hopes of a reduced sentence.

Acquisition Of Stolen Credentials

Stolen credit card data, banking details, and financial statements can come from a wide array of places. Insider threats, poor operational security, and theft are all potential avenues for credentials. Vendors within the United States must meet PCI Standards. PCI Standards are relatively simple but will often force vendors to protect themselves by pushing their handling of credit card and financial data to third parties for their own safety. An example third party would be PayPal.

The PCI Data Security Standards consist of 12 PCI DSS Requirements that are mandated for any vendor to comply with.

PCI Standards -

  1. Maintain a firewall with proper configuration to protect cardholder data.

  2. Do not use vendor-supplied defaults for passwords or security parameters.

  3. Protect stored cardholder data.

  4. Encrypt the transmission of cardholder data across open and public networks.

  5. Use anti-virus software and programs.

  6. Develop and maintain secure systems and applications.

  7. Restrict access to cardholder data to a need-to-know basis.

  8. Assign a unique ID to each person with access to computers involved.

  9. Restrict physical access to cardholder data.

  10. Track all network resources and monitor all data.

  11. Regularly test the security systems.

  12. Maintain policy for all information security for employees and contractors.

Noncompliance with any of the above 12 standards at a merchant who experiences a data breach could make that merchant subject to fines. Fines could be $5000 to $100,000 per month until the issues with compliance are addressed. If compliance is not met satisfactorily, this could lead to revocation of the merchant's right to process cards.

These fines are not government enforced. The way this fine structure functions is that the card brands penalize a merchant's bank, and the bank then passes those losses on to the non-compliant merchant by assessing a fine. This gives the banks flexibility in their PCI enforcement policies, and they make some of the ultimate decisions in how compliance is met.

PCI compliance is vague and is a best-effort expectation game. You cannot be certain you are in compliance, but your best bet is to comply to the best of your abilities and hope that, when you are a victim, you are not penalized or your penalties are reduced by your demonstration of effort.

With this knowledge, criminals look for vulnerable databases, trash, and even attempt to intercept the transportation of data on the clearnet in order to harvest data. Even a company as large as Amazon can implement code with vulnerabilities such as XSS and find its accounts vulnerable to attack. No one is guaranteed safety.


  1. Carders must use proxies, VPNs, and other tools to mask who they are, to prevent themselves from leaving an evidence trail or otherwise being identified with fraud. They must also avoid anti-fraud measures.

  2. A drop site is a location where a fraudster will send goods for pickup.

  3. A carder will acquire stolen credit card numbers, mask their identity, make a purchase, and then use either a drop site or mule to assist them in laundering their stolen goods or cash.


Carding is a major problem. Some estimates state that the United States is losing as much as $190 billion per year due to online fraud. Customers are losing $4.8 billion of those dollars per year. This is a massive drain on the American economy, and much of the money is being moved to foreign nations through mules and others who may or may not be aware of their participation in these schemes.

Some readers may question where cryptocurrency fits into this. Bitcoin and other cryptocurrencies are outside the scope of this article, but where cryptocurrency fits will be discussed further at a later date.

There is no method to guarantee you will not become the victim of identity theft or financial fraud. Education and preparation are the best medicine because it is impossible to stay ahead of every attack.

So what can we do if we are victims?

  1. If you notice you have been the victim of financial fraud, the first thing you should do is contact the account issuer for your instrument. If you have charges you do not recognize on your Visa card, contact Visa. Explain that you are a victim of fraud and need your account frozen and card canceled as soon as possible. They will do so immediately.

  2. Gather your financial documents and contact law enforcement. This is a good faith gesture that demonstrates to Visa that you are willing to swear the charges are not true and will get you a police report number. This will be important if you need to further contest charges. File the police report with your local law enforcement.

  3. Monitor for activity. You can contact your credit reporting companies. Federal law mandates free credit reports for victims of fraud, and you can initiate fraud claims with the companies. Instructions are available through the FTC. Your police report will help you with all contacts with these companies; they will request the report number regularly during this process.

  4. Continue to update the police report as appropriate and reach out to vendors and others as necessary. Continuous monitoring may be required for years after a breach of your security. This can be costly in time, effort, and money on your part but will be necessary.

Final Recommendations

  1. Use financial intermediaries to protect your data from exposure.
  2. Do not use debit cards; use credit cards with purchase protection.
  3. Monitor your credit report and your statements.
  4. Research who you do business with.
  5. Use Linux.
  6. Read Trust among Cybercriminals? Carding Forums, Uncertainty and Implications for Policing (PDF).