Thank
wow
Carding Guide: CARiD
Get ready. If youve been jacking off to overpriced mufflers and fancy rims without actually owning them, its time to put your carding skills where your mouth is and hit CarID.
CarID.com has a mountain of auto parts and their security is weak as water. From cheap air fresheners to custom body kits, they have it all - and were about to help ourselves.
This isnt just about getting a free muffler. Were going to turn CarID into our own parts supplier. Their inventory is huge, their prices are high and their protection is crap. Perfect for us.
Dont get too cocky though. This still takes some skill. Well need to navigate their system, exploit their weaknesses and get away with the goods without tripping any alarms.
So get your cards ready and fire up your proxies. Were about to show CarID what happens when you leave your warehouse door open. Lets get in and see how we can turn their stock into our profit.
Why CarID?
CarID is the shit when it comes to high value auto parts with security as weak as piss. Their inventory is huge, from cheap air fresheners to custom body kits worth thousands. This variety lets us mix our hits and keep it legit.
The real money is in their high ticket items. Performance parts, custom wheels, high end stereo systems - one good score can set you up for weeks. And this stuff sells fast. Car enthusiasts are always looking for deals, meaning quick flips and less chance of chargebacks.
CarID works with hundreds of brands, so we can spread our activity and avoid patterns. Their global shipping opens up international card and drop possibilities. And theyre used to gift orders, so different billing and shipping addresses wont raise any flags.
In short, CarID is the perfect target - high value goods, diverse inventory and weak security. While others are fighting over electronics and fashion, were raiding an auto parts factory.
Recon
Opening up the Burp Suite we can see that CarIDs security is as basic as a cavemans club. No third party fraud system in sight, just some useless analytics crap that wont do jack to stop us.
Now heres where it gets interesting. CarID uses CyberSource for payments which implements 3DS 2.0. You might think this is bad news, but hold your horses - its actually a gift if you know how to play it right.
Before you even send over the payment details your devices fingerprint gets sent to Cardinal Commerce, the 3DS processor. The code looks something like this:
JSON:{ "Cookies": { "Legacy": true, "LocalStorage": true, "SessionStorage": true }, "DeviceChannel": "Mobile", "Extended": { "Browser": { "Adblock": true, "AvailableJsFonts": [ "Comic Sans MS", "Georgia", "Papyrus", "Arial Black", "Trebuchet MS" ], "DoNotTrack": "disabled", "JavaEnabled": true }, "Device": { "ColorDepth": 24, "Cpu": "ARM", "Platform": "Linux", "TouchSupport": { "MaxTouchPoints": 5, "OnTouchStartAvailable": true, "TouchEventCreationSuccessful": true } } }, "Fingerprint": "d9f8a4b5c3d2e1f0a5b6c7d8e9f0a1b2", "FingerprintingTime": 42, "FingerprintDetails": { "Version": "2.1.0" }, "Language": "en-GB", "Latitude": null, "Longitude": null, "OrgUnitId": "61ddefdbcac40279f9950adf", "Origin": "Falcon", "Plugins": [ "QuickTime::Video Format::video/quicktime~mov", "Flash Player::Flash Content::application/x-shockwave-flash", "HTML5 Audio::Audio Format::audio/mpeg" ], "ReferenceId": "e1f23456-g7h8-90ij-klmn-opqrstuvwxyz", "Referrer": "https://carid.com", "Screen": { "FakedResolution": false, "Ratio": 1.777, "Resolution": "2560x1440", "UsableResolution": "2560x1300", "CCAScreenSize": "01" }, "CallSignEnabled": null, "ThreatMetrixEnabled": false, "ThreatMetrixEventType": "LOGIN", "ThreatMetrixAlias": "UserAlias456", "TimeOffset": -300, "UserAgent": "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36", "UserAgentDetails": { "FakedOS": false, "FakedBrowser": false }, "BinSessionId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890" }
So what does this mean for us? It means your antidetect setup is key. If your fingerprint looks sketchy youre screwed before you even enter your card details. But get this right and youve got a clear path to the money.
But dont get ahead of yourself just yet. Ive got a trick up my sleeve thatll make carding CarID easier. Well get to that good stuff soon enough.
Payment Processing
CarID uses CyberSource with 3DS 2.0 for payments. This might seem like a problem, but its actually good news for us.
3DS 2.0 is more flexible than the previous one. The companies behind it realized strict security was killing sales so they made it dynamic. This works in our favor.
Heres the thing: 3DS 2.0 decides in real-time whether to show a 3DS prompt. Its not a simple yes/no based on the card anymore. This gives us room.
Even cards that normally trigger 3DS can bypass it if we lower our risk score enough. It all depends on how Cardinal Commerce, the 3DS processor, sees our transaction (provided there are no AI fraud system in between).
We have two options:
3DS 2.0s attempt to balance security and user experience has given us an opportunity. Were going to take advantage of it.
- Non-VBV cards: Still the easiest if available.
- Risk score manipulation: By tweaking device fingerprint we can potentially bypass 3DS on cards that require it.
Minimizing your 3DS 2.0 Risk Score
Lets get into the good stuff. Unlike those fancy AI fraud systems, 3DS 2.0 is bound by privacy policies and data handling laws. This means its working with a limited dataset - just your IP and browser fingerprint.
Now I might be wrong on some of the details but heres whats been working for me:
*** Hidden text: cannot be quoted. ***
Remember, this isnt foolproof. But its a simple, effective way to lower your 3DS 2.0 risk score and increase your chances of possibly bypassing those pesky 3DS prompts. You dont want to get this screen:
View attachment 46387
Requirements and FlowRequirements:
- Non-VBV card OR use our trick above.
- Clean residential proxies matching cards country
- Solid antidetect browser setup
- Drop address
Flow:
- Use our trick above if youre using VBV cards
- Add items to cart.
- Go to checkout. Use guest checkout if possible.
- Fill in shipping details carefully. No copy pasting.
- Submit order and hold your breath.
- If successful dont hit CarID again immediately. Space out your attempts.
In my experience Ive never had CarID cancel a transaction or request an item to be returned. But I havent hit them more than five times in total (all shipped) so your results may vary. Always be prepared for cancellations or returns.
We got CarIDs secrets and now you have a plan to turn their inventory into your own parts store. From 3DS 2.0s weaknesses to the simple trick, you have the tools to make some big money.
Now go build that dream car - one carded part at a time.
Just remember if you get caught and fuck up, you didnt learn any of this from me. d0ctrine out.
thxxxxxxxx
Good