Carding 🔥 A CrdPro Exclusive: Why the cards you bought never work, and what you can do about it. 💳

[Quell103]

I appreciate your explanation.

 

[lookmaze]

thanks for this mate

 

[ThatGuy42109]

A CrdPro Exclusive: Why the cards you bought never work, and what you can do about it.

Ever wondered why none of the cards you buy from online card shops seem to work? Even after reading through my AI systems thread, the card you bought for 30$ which the shop guarantees is first-hand somehow still fails to even get a transaction across?

Or if they do, why are they acting inconsistently? Some cards sometimes work for thousands, while most of the times a lot of them cannot even sign you up for a Netflix account!

In order to understand and optimize your workflow for success you need to understand the layers of approvals your order details need to go through in order for your purchase to even result in a success, let alone get it shipped, and why the cards you're buying probably get caught before even proceeding to next stages.

When assessing the risk of a transaction being fraudulent/unauthorized, banks and payment processors implement what is called in the cybersecurity industry as a 'Swiss Cheese Model'.

Swiss Cheese Model

What this means is that instead of the transaction being assessed a single time, it is rigorously put through multiple checks, and require multiple systems of approval, before it allows a charge to succeed. Through advancements in AI and Machine learning algorithms, these entire processes take milliseconds, and are virtually frictionless to the end legitimate consumer.

For this writeup's demonstration purposes, we'll steadily assume your card is fully valid. I'll walk you through each step, and reveal at the end why the cards you bought tend to fail. The first step of the process when you submit a transaction is essentially the site's own risk analysis. Seon, Radar, Riskified, Forter, the list goes on and on, and I've covered this in depth in my article at: How To Bypass Modern AI Anti-Fraud Systems" target="_blank">

In that article we've uncovered tricks and bypasses that you have control over, but I left out a giant piece of the puzzle: the card you're using.

You see, while you can have a brand-new laptop with an astounding fingerprint, the best residential proxy in the world, your card could've been run through a fuckton of checks within the fraud system and this increases the risk metrics for your transaction tremendously.

In order to understand what I mean, we need to have an in-depth understanding of the underground economy of card-selling:

(old photo of card shop from decades ago, haha)

Understanding how the CVV economy operates needs only four words, and is dead-simple: Sellers want maximum profit.

While shop operators and maintainers have reputation to establish and maintain, sellers on a lot of these platforms do not, they are often faceless entities that rotate identities regularly, and whatever route they can take to make them more money, they'll take. What this means is that card shops with rules that aren't stringent enough or quality checks that aren't rigid enough will inevitably get a sea of garbage/resold cards.

This also logically means that online shops that do not have enough traffic/sales to make the sellers the most profit are relegated to be low-priority when these sellers start selling cards. What this means is that, the most logical way to maximize profit for someone who resells cards is to post it first on the most popular card shop, give it a few days of selling, check the validity after a few days and remove dead cards, then proceed to reuploading it to the next profitable shop. By the third time the card has been resold they'll basically go free-for-all and post it to as many smaller shops as they can.

What happens is that your success becomes tied to how high up the food chain the shop you're buying from, or how stringent their quality checks are. The other side effect of this kind of economy is that big players/shops maintain their dominance and are able to extract more profit from each card sold since the quality of their cards is much better (since sellers post on them first) and they maintain a higher market share (since smart buyers will check with their site first).

Anatomy of a Resold Card

One thing people do not understand enough is that a card being resold to multiple stores isn't the biggest factor as to why you're failing the first risk check. A card could, in theory, be resold to five shops, remain unsold for weeks, and still hit big numbers. The larger problem is that the process of reselling cards to multiple stores necessitates a lot of the greedy sellers—since they also want to double-dip and profit on sold cards—to run checks on the cards before they reupload them.

How are cards checked?

With each re-upload to different stores, a seller can then use services like 4Check and Lux to check the bases and remove the dead cards. While this presents a whole host of different problems, which I'll tackle later, this simply isn't what a majority of sellers use since these merchant-based checkers tend to get expensive and unprofitable. Checking 1000 cards in 4Check costs 250$!

So what do they use? Dirt-cheap bind checkers.

The Boom of Bind Checkers

So what are Bind-based Checkers? Bind-based checkers are essentially checkers that attempt to bind the card to a service, or to create a payment using the card in an automated and fast way. A couple examples of this are FlashCheck and OMGCheck:

The payment system these bind-based checkers operate in is mostly Stripe or Braintree. Either they have a massive list of API keys that they rotate regularly, or they have a massive list of websites with unsecured forms (for donations/adding card/etc) where they submit the card details to and await response. Their scripts submit the card number, expiry, and CVV to the Stripe/Braintree endpoint, and depending on the API response, base their assessment if the card is Live or Dead.

If you've read through my AI system guide you'd understand why this approach kills the card (without actually killing it): When you run your card through these checkers, the Stripe/Braintree/Adyen AI model having mitigations for card-checking, will essentially flag your card as 'stolen' and block it from any payment process done on their payments network indefinitely.

The only choice you then have for this card, with it being blocked from most major payment networks, is to use it with an obscure low-security card processor that has no connection whatsoever with Stripe/Braintree/Adyen. With the big three blocking your card, you've essentially limited yourself out of using the card you have on about 90% of all online stores, at least in the US.

The boom of the bind-checkers only helps greedy card resellers and scriptkiddies on telegram who generate credit card numbers to buy Spotify subscriptions, but it has been an overall net negative for the industry as a whole. It singlehandedly destroyed the success rate of carders far larger than anything else before it. I even joked to a friend of mine that Stripe/Braintree/etc might've been really allowing these bind-checkers to operate since it makes it very easy for them to know which cards to block. Your only solution in this case is be strict about which shops you plan on sourcing your cards.

Risk-Assessment Providers

If your card successfully passes the initial checks by AI models, the next step involves scrutiny by risk-assessment providers. These external companies specialize in evaluating the risk associated with a transaction, providing an additional layer of security beyond what Stripe offers. Unlike Stripe, which primarily considers machine-generated signals such as IP addresses and browser fingerprints, risk-assessment providers take a more comprehensive approach. They delve into the entire metadata of the transaction, examining various factors to ensure its overall legitimacy and safety. This thorough evaluation helps in detecting any potential fraud that might have been missed by the initial AI checks.

• Risk-profile of the cardholder (including amount)
• Risk-profile of the merchant
• Nature of the transaction

A practical example of this process is repeatedly entering the wrong CVV code. While Stripe's systems might not immediately block you, various banks using different risk-assessment providers could. This discrepancy could result in receiving a 'generic_decline' code from Stripe. It's important to note that Stripe's Radar system does not give customers detailed explanations if a decline is triggered by an external risk provider, even if your transaction is deemed safe by Stripe itself. Thus, the external risk-assessment can impact the outcome, despite a positive assessment from Stripe. If you've used Stripe Radar to assess your own cards, you've likely come across this: all the fraud metrics are low, but the fraud score is still high:

If risk-assessment providers flag your transaction, it often results in a 'card block.' These blocks are usually temporary and are automatically lifted within approximately 72 hours. Alternatively, you can expedite the process by contacting your bank directly to have the block removed.

This situation is what CC shops and checkers refer to as 'risk-control' or code 59 Suspected Fraud. If you come across this, it's best to let your card take a short breather for a couple of days—think of it as a mini-vacation. During this cooling-off period, if the card owner hasn’t set up alerts and remains blissfully unaware of your transaction attempt, you can try again. Just remember, success relies on factors mostly out of your control, aside from the purchase amount. Repeatedly checking the card through merchant-based checkers is like repeatedly nudging someone who's trying to nap—you're bound to get a 'card block.' So, give it some space and let things cool down a bit.

Bank Checks

Congrats! Your transaction passed the payment processor and risk provider. Now for the final step: the bank. Bank checks are basic; they focus on transaction amount and how it fits the cardholder’s usual spending habits.

Say the cardholder only uses his Costco card to hide his $10 OnlyFans subscription from his wife. Suddenly, it tries to buy an $8,000 Alienware laptop? The bank will likely block it. Big deviations from normal spending raise flags.

Here’s a trick: use the cardholder’s ZIP code with this tool to find the neighborhood’s median income. Use this to set a reasonable transaction limit. Note that for higher chances of approval, transactions should be within a reasonable range of the median income.

Card tier and BINs matter, but not overly so. Platinum cards may allow higher limits, but sudden large purchases can still be blocked. The inverse is also true: Standard/Classic cards can hit big if the cardholder loves to splurge on expensive things to feel adequate and look rich. Some BINS work better for some stores, and there's a multitude of those already on the forum. Also, consider the card's transaction history. Frequent small purchases leading up to a big one might help normalize the larger amount in the bank's eyes. Logically, large purchases by the holder lend trust to large purchases by you, so what I tend to do is use Visa Purchase Alerts, wait for the holder to make huge purchases like this, and follow it up with my own big purchase; it works every damn time!

Now the most magical part of this is that the entire check process from platform to bank takes less than two seconds. And these two seconds decide the fate of your transaction, so try to optimize for what you can control (the amount of the purchase, the shop you're buying from, choosing zip, choosing BIN) and do not waste too much time over things you can't.

Remember, as the financial systems improve over time, so should your strategies in circumventing them. And the only way you can do that is to gain proper knowledge through experience.

Thank you very much. Your

 

[ThatGuy42109]

This was very informative. I really liked the search zip code for per capita income. I would have never thought of that. I'm going to do it every time now. Thank you.

 

[d0ctrine]

This was very informative. I really liked the search zip code for per capita income. I would have never thought of that. I'm going to do it every time now. Thank you.

Yep. I'll write more about tricks like these in the future. There are bunch of them.

 

[dinamita009]

Thanks for your contribution, would you be so kind as to share a little of your time with me? I have a concern bro

 

[Hasan_1337]

A CrdPro Exclusive: Why the cards you bought never work, and what you can do about it.

Ever wondered why none of the cards you buy from online card shops seem to work? Even after reading through my AI systems thread, the card you bought for 30$ which the shop guarantees is first-hand somehow still fails to even get a transaction across?

Or if they do, why are they acting inconsistently? Some cards sometimes work for thousands, while most of the times a lot of them cannot even sign you up for a Netflix account!

In order to understand and optimize your workflow for success you need to understand the layers of approvals your order details need to go through in order for your purchase to even result in a success, let alone get it shipped, and why the cards you're buying probably get caught before even proceeding to next stages.

When assessing the risk of a transaction being fraudulent/unauthorized, banks and payment processors implement what is called in the cybersecurity industry as a 'Swiss Cheese Model'.

Swiss Cheese Model

What this means is that instead of the transaction being assessed a single time, it is rigorously put through multiple checks, and require multiple systems of approval, before it allows a charge to succeed. Through advancements in AI and Machine learning algorithms, these entire processes take milliseconds, and are virtually frictionless to the end legitimate consumer.

For this writeup's demonstration purposes, we'll steadily assume your card is fully valid. I'll walk you through each step, and reveal at the end why the cards you bought tend to fail. The first step of the process when you submit a transaction is essentially the site's own risk analysis. Seon, Radar, Riskified, Forter, the list goes on and on, and I've covered this in depth in my article at: How To Bypass Modern AI Anti-Fraud Systems" target="_blank">

In that article we've uncovered tricks and bypasses that you have control over, but I left out a giant piece of the puzzle: the card you're using.

You see, while you can have a brand-new laptop with an astounding fingerprint, the best residential proxy in the world, your card could've been run through a fuckton of checks within the fraud system and this increases the risk metrics for your transaction tremendously.

In order to understand what I mean, we need to have an in-depth understanding of the underground economy of card-selling:

(old photo of card shop from decades ago, haha)

Understanding how the CVV economy operates needs only four words, and is dead-simple: Sellers want maximum profit.

While shop operators and maintainers have reputation to establish and maintain, sellers on a lot of these platforms do not, they are often faceless entities that rotate identities regularly, and whatever route they can take to make them more money, they'll take. What this means is that card shops with rules that aren't stringent enough or quality checks that aren't rigid enough will inevitably get a sea of garbage/resold cards.

This also logically means that online shops that do not have enough traffic/sales to make the sellers the most profit are relegated to be low-priority when these sellers start selling cards. What this means is that, the most logical way to maximize profit for someone who resells cards is to post it first on the most popular card shop, give it a few days of selling, check the validity after a few days and remove dead cards, then proceed to reuploading it to the next profitable shop. By the third time the card has been resold they'll basically go free-for-all and post it to as many smaller shops as they can.

What happens is that your success becomes tied to how high up the food chain the shop you're buying from, or how stringent their quality checks are. The other side effect of this kind of economy is that big players/shops maintain their dominance and are able to extract more profit from each card sold since the quality of their cards is much better (since sellers post on them first) and they maintain a higher market share (since smart buyers will check with their site first).

Anatomy of a Resold Card

One thing people do not understand enough is that a card being resold to multiple stores isn't the biggest factor as to why you're failing the first risk check. A card could, in theory, be resold to five shops, remain unsold for weeks, and still hit big numbers. The larger problem is that the process of reselling cards to multiple stores necessitates a lot of the greedy sellers—since they also want to double-dip and profit on sold cards—to run checks on the cards before they reupload them.

How are cards checked?

With each re-upload to different stores, a seller can then use services like 4Check and Lux to check the bases and remove the dead cards. While this presents a whole host of different problems, which I'll tackle later, this simply isn't what a majority of sellers use since these merchant-based checkers tend to get expensive and unprofitable. Checking 1000 cards in 4Check costs 250$!

So what do they use? Dirt-cheap bind checkers.

The Boom of Bind Checkers

So what are Bind-based Checkers? Bind-based checkers are essentially checkers that attempt to bind the card to a service, or to create a payment using the card in an automated and fast way. A couple examples of this are FlashCheck and OMGCheck:

The payment system these bind-based checkers operate in is mostly Stripe or Braintree. Either they have a massive list of API keys that they rotate regularly, or they have a massive list of websites with unsecured forms (for donations/adding card/etc) where they submit the card details to and await response. Their scripts submit the card number, expiry, and CVV to the Stripe/Braintree endpoint, and depending on the API response, base their assessment if the card is Live or Dead.

If you've read through my AI system guide you'd understand why this approach kills the card (without actually killing it): When you run your card through these checkers, the Stripe/Braintree/Adyen AI model having mitigations for card-checking, will essentially flag your card as 'stolen' and block it from any payment process done on their payments network indefinitely.

The only choice you then have for this card, with it being blocked from most major payment networks, is to use it with an obscure low-security card processor that has no connection whatsoever with Stripe/Braintree/Adyen. With the big three blocking your card, you've essentially limited yourself out of using the card you have on about 90% of all online stores, at least in the US.

The boom of the bind-checkers only helps greedy card resellers and scriptkiddies on telegram who generate credit card numbers to buy Spotify subscriptions, but it has been an overall net negative for the industry as a whole. It singlehandedly destroyed the success rate of carders far larger than anything else before it. I even joked to a friend of mine that Stripe/Braintree/etc might've been really allowing these bind-checkers to operate since it makes it very easy for them to know which cards to block. Your only solution in this case is be strict about which shops you plan on sourcing your cards.

Risk-Assessment Providers

If your card successfully passes the initial checks by AI models, the next step involves scrutiny by risk-assessment providers. These external companies specialize in evaluating the risk associated with a transaction, providing an additional layer of security beyond what Stripe offers. Unlike Stripe, which primarily considers machine-generated signals such as IP addresses and browser fingerprints, risk-assessment providers take a more comprehensive approach. They delve into the entire metadata of the transaction, examining various factors to ensure its overall legitimacy and safety. This thorough evaluation helps in detecting any potential fraud that might have been missed by the initial AI checks.

• Risk-profile of the cardholder (including amount)
• Risk-profile of the merchant
• Nature of the transaction

A practical example of this process is repeatedly entering the wrong CVV code. While Stripe's systems might not immediately block you, various banks using different risk-assessment providers could. This discrepancy could result in receiving a 'generic_decline' code from Stripe. It's important to note that Stripe's Radar system does not give customers detailed explanations if a decline is triggered by an external risk provider, even if your transaction is deemed safe by Stripe itself. Thus, the external risk-assessment can impact the outcome, despite a positive assessment from Stripe. If you've used Stripe Radar to assess your own cards, you've likely come across this: all the fraud metrics are low, but the fraud score is still high:

If risk-assessment providers flag your transaction, it often results in a 'card block.' These blocks are usually temporary and are automatically lifted within approximately 72 hours. Alternatively, you can expedite the process by contacting your bank directly to have the block removed.

This situation is what CC shops and checkers refer to as 'risk-control' or code 59 Suspected Fraud. If you come across this, it's best to let your card take a short breather for a couple of days—think of it as a mini-vacation. During this cooling-off period, if the card owner hasn’t set up alerts and remains blissfully unaware of your transaction attempt, you can try again. Just remember, success relies on factors mostly out of your control, aside from the purchase amount. Repeatedly checking the card through merchant-based checkers is like repeatedly nudging someone who's trying to nap—you're bound to get a 'card block.' So, give it some space and let things cool down a bit.

Bank Checks

Congrats! Your transaction passed the payment processor and risk provider. Now for the final step: the bank. Bank checks are basic; they focus on transaction amount and how it fits the cardholder’s usual spending habits.

Say the cardholder only uses his Costco card to hide his $10 OnlyFans subscription from his wife. Suddenly, it tries to buy an $8,000 Alienware laptop? The bank will likely block it. Big deviations from normal spending raise flags.

Here’s a trick: use the cardholder’s ZIP code with this tool to find the neighborhood’s median income. Use this to set a reasonable transaction limit. Note that for higher chances of approval, transactions should be within a reasonable range of the median income.

Card tier and BINs matter, but not overly so. Platinum cards may allow higher limits, but sudden large purchases can still be blocked. The inverse is also true: Standard/Classic cards can hit big if the cardholder loves to splurge on expensive things to feel adequate and look rich. Some BINS work better for some stores, and there's a multitude of those already on the forum. Also, consider the card's transaction history. Frequent small purchases leading up to a big one might help normalize the larger amount in the bank's eyes. Logically, large purchases by the holder lend trust to large purchases by you, so what I tend to do is use Visa Purchase Alerts, wait for the holder to make huge purchases like this, and follow it up with my own big purchase; it works every damn time!

Now the most magical part of this is that the entire check process from platform to bank takes less than two seconds. And these two seconds decide the fate of your transaction, so try to optimize for what you can control (the amount of the purchase, the shop you're buying from, choosing zip, choosing BIN) and do not waste too much time over things you can't.

Remember, as the financial systems improve over time, so should your strategies in circumventing them. And the only way you can do that is to gain proper knowledge through experience.

Thanks for guidance
Can you tell us the bins and store