crs408

Carding Novice
Joined
04.02.23
Messages
3
Reaction score
0
Points
1

🚗 Carding Guide: CARiD 🚗



Get ready. If youve been jacking off to overpriced mufflers and fancy rims without actually owning them, its time to put your carding skills where your mouth is and hit CarID.

View attachment 46383

CarID.com has a mountain of auto parts and their security is weak as water. From cheap air fresheners to custom body kits, they have it all - and were about to help ourselves.

This isnt just about getting a free muffler. Were going to turn CarID into our own parts supplier. Their inventory is huge, their prices are high and their protection is crap. Perfect for us.
Dont get too cocky though. This still takes some skill. Well need to navigate their system, exploit their weaknesses and get away with the goods without tripping any alarms.

So get your cards ready and fire up your proxies. Were about to show CarID what happens when you leave your warehouse door open. Lets get in and see how we can turn their stock into our profit.


Why CarID?

CarID is the shit when it comes to high value auto parts with security as weak as piss. Their inventory is huge, from cheap air fresheners to custom body kits worth thousands. This variety lets us mix our hits and keep it legit.


The real money is in their high ticket items. Performance parts, custom wheels, high end stereo systems - one good score can set you up for weeks. And this stuff sells fast. Car enthusiasts are always looking for deals, meaning quick flips and less chance of chargebacks.

CarID works with hundreds of brands, so we can spread our activity and avoid patterns. Their global shipping opens up international card and drop possibilities. And theyre used to gift orders, so different billing and shipping addresses wont raise any flags.

In short, CarID is the perfect target - high value goods, diverse inventory and weak security. While others are fighting over electronics and fashion, were raiding an auto parts factory.



Recon

Opening up the Burp Suite we can see that CarIDs security is as basic as a cavemans club. No third party fraud system in sight, just some useless analytics crap that wont do jack to stop us.

View attachment 46385

Now heres where it gets interesting. CarID uses CyberSource for payments which implements 3DS 2.0. You might think this is bad news, but hold your horses - its actually a gift if you know how to play it right.

View attachment 46386

Before you even send over the payment details your devices fingerprint gets sent to Cardinal Commerce, the 3DS processor. The code looks something like this:

JSON:
{
  "Cookies": {
    "Legacy": true,
    "LocalStorage": true,
    "SessionStorage": true
  },
  "DeviceChannel": "Mobile",
  "Extended": {
    "Browser": {
      "Adblock": true,
      "AvailableJsFonts": [
        "Comic Sans MS",
        "Georgia",
        "Papyrus",
        "Arial Black",
        "Trebuchet MS"
      ],
      "DoNotTrack": "disabled",
      "JavaEnabled": true
    },
    "Device": {
      "ColorDepth": 24,
      "Cpu": "ARM",
      "Platform": "Linux",
      "TouchSupport": {
        "MaxTouchPoints": 5,
        "OnTouchStartAvailable": true,
        "TouchEventCreationSuccessful": true
      }
    }
  },
  "Fingerprint": "d9f8a4b5c3d2e1f0a5b6c7d8e9f0a1b2",
  "FingerprintingTime": 42,
  "FingerprintDetails": {
    "Version": "2.1.0"
  },
  "Language": "en-GB",
  "Latitude": null,
  "Longitude": null,
  "OrgUnitId": "61ddefdbcac40279f9950adf",
  "Origin": "Falcon",
  "Plugins": [
    "QuickTime::Video Format::video/quicktime~mov",
    "Flash Player::Flash Content::application/x-shockwave-flash",
    "HTML5 Audio::Audio Format::audio/mpeg"
  ],
  "ReferenceId": "e1f23456-g7h8-90ij-klmn-opqrstuvwxyz",
  "Referrer": "https://carid.com",
  "Screen": {
    "FakedResolution": false,
    "Ratio": 1.777,
    "Resolution": "2560x1440",
    "UsableResolution": "2560x1300",
    "CCAScreenSize": "01"
  },
  "CallSignEnabled": null,
  "ThreatMetrixEnabled": false,
  "ThreatMetrixEventType": "LOGIN",
  "ThreatMetrixAlias": "UserAlias456",
  "TimeOffset": -300,
  "UserAgent": "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36",
  "UserAgentDetails": {
    "FakedOS": false,
    "FakedBrowser": false
  },
  "BinSessionId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}

So what does this mean for us? It means your antidetect setup is key. If your fingerprint looks sketchy youre screwed before you even enter your card details. But get this right and youve got a clear path to the money.

But dont get ahead of yourself just yet. Ive got a trick up my sleeve thatll make carding CarID easier. Well get to that good stuff soon enough.



Payment Processing

CarID uses CyberSource with 3DS 2.0 for payments. This might seem like a problem, but its actually good news for us.


3DS 2.0 is more flexible than the previous one. The companies behind it realized strict security was killing sales so they made it dynamic. This works in our favor.

Heres the thing: 3DS 2.0 decides in real-time whether to show a 3DS prompt. Its not a simple yes/no based on the card anymore. This gives us room.

Even cards that normally trigger 3DS can bypass it if we lower our risk score enough. It all depends on how Cardinal Commerce, the 3DS processor, sees our transaction (provided there are no AI fraud system in between).

We have two options:
  • Non-VBV cards: Still the easiest if available.
  • Risk score manipulation: By tweaking device fingerprint we can potentially bypass 3DS on cards that require it.
3DS 2.0s attempt to balance security and user experience has given us an opportunity. Were going to take advantage of it.



Minimizing your 3DS 2.0 Risk Score

Lets get into the good stuff. Unlike those fancy AI fraud systems, 3DS 2.0 is bound by privacy policies and data handling laws. This means its working with a limited dataset - just your IP and browser fingerprint.

Now I might be wrong on some of the details but heres whats been working for me:
*** Hidden text: cannot be quoted. ***


Remember, this isnt foolproof. But its a simple, effective way to lower your 3DS 2.0 risk score and increase your chances of possibly bypassing those pesky 3DS prompts. You dont want to get this screen:

View attachment 46387



Requirements and Flow
Requirements:
  • Non-VBV card OR use our trick above.
  • Clean residential proxies matching cards country
  • Solid antidetect browser setup
  • Drop address

Flow:
  • Use our trick above if youre using VBV cards
  • Add items to cart.
  • Go to checkout. Use guest checkout if possible.
  • Fill in shipping details carefully. No copy pasting.
  • Submit order and hold your breath.
  • If successful dont hit CarID again immediately. Space out your attempts.

In my experience Ive never had CarID cancel a transaction or request an item to be returned. But I havent hit them more than five times in total (all shipped) so your results may vary. Always be prepared for cancellations or returns.



Conclusion
View attachment 46388


We got CarIDs secrets and now you have a plan to turn their inventory into your own parts store. From 3DS 2.0s weaknesses to the simple trick, you have the tools to make some big money.

Now go build that dream car - one carded part at a time.

Just remember if you get caught and fuck up, you didnt learn any of this from me. d0ctrine out.
Nice..thank you for the knowledge
 

wakawakashaka

Carding Novice
Joined
20.08.24
Messages
14
Reaction score
0
Points
1

🚗 Carding Guide: CARiD 🚗



Get ready. If youve been jacking off to overpriced mufflers and fancy rims without actually owning them, its time to put your carding skills where your mouth is and hit CarID.

View attachment 46383

CarID.com has a mountain of auto parts and their security is weak as water. From cheap air fresheners to custom body kits, they have it all - and were about to help ourselves.

This isnt just about getting a free muffler. Were going to turn CarID into our own parts supplier. Their inventory is huge, their prices are high and their protection is crap. Perfect for us.
Dont get too cocky though. This still takes some skill. Well need to navigate their system, exploit their weaknesses and get away with the goods without tripping any alarms.

So get your cards ready and fire up your proxies. Were about to show CarID what happens when you leave your warehouse door open. Lets get in and see how we can turn their stock into our profit.


Why CarID?

CarID is the shit when it comes to high value auto parts with security as weak as piss. Their inventory is huge, from cheap air fresheners to custom body kits worth thousands. This variety lets us mix our hits and keep it legit.


The real money is in their high ticket items. Performance parts, custom wheels, high end stereo systems - one good score can set you up for weeks. And this stuff sells fast. Car enthusiasts are always looking for deals, meaning quick flips and less chance of chargebacks.

CarID works with hundreds of brands, so we can spread our activity and avoid patterns. Their global shipping opens up international card and drop possibilities. And theyre used to gift orders, so different billing and shipping addresses wont raise any flags.

In short, CarID is the perfect target - high value goods, diverse inventory and weak security. While others are fighting over electronics and fashion, were raiding an auto parts factory.



Recon

Opening up the Burp Suite we can see that CarIDs security is as basic as a cavemans club. No third party fraud system in sight, just some useless analytics crap that wont do jack to stop us.

View attachment 46385

Now heres where it gets interesting. CarID uses CyberSource for payments which implements 3DS 2.0. You might think this is bad news, but hold your horses - its actually a gift if you know how to play it right.

View attachment 46386

Before you even send over the payment details your devices fingerprint gets sent to Cardinal Commerce, the 3DS processor. The code looks something like this:

JSON:
{
  "Cookies": {
    "Legacy": true,
    "LocalStorage": true,
    "SessionStorage": true
  },
  "DeviceChannel": "Mobile",
  "Extended": {
    "Browser": {
      "Adblock": true,
      "AvailableJsFonts": [
        "Comic Sans MS",
        "Georgia",
        "Papyrus",
        "Arial Black",
        "Trebuchet MS"
      ],
      "DoNotTrack": "disabled",
      "JavaEnabled": true
    },
    "Device": {
      "ColorDepth": 24,
      "Cpu": "ARM",
      "Platform": "Linux",
      "TouchSupport": {
        "MaxTouchPoints": 5,
        "OnTouchStartAvailable": true,
        "TouchEventCreationSuccessful": true
      }
    }
  },
  "Fingerprint": "d9f8a4b5c3d2e1f0a5b6c7d8e9f0a1b2",
  "FingerprintingTime": 42,
  "FingerprintDetails": {
    "Version": "2.1.0"
  },
  "Language": "en-GB",
  "Latitude": null,
  "Longitude": null,
  "OrgUnitId": "61ddefdbcac40279f9950adf",
  "Origin": "Falcon",
  "Plugins": [
    "QuickTime::Video Format::video/quicktime~mov",
    "Flash Player::Flash Content::application/x-shockwave-flash",
    "HTML5 Audio::Audio Format::audio/mpeg"
  ],
  "ReferenceId": "e1f23456-g7h8-90ij-klmn-opqrstuvwxyz",
  "Referrer": "https://carid.com",
  "Screen": {
    "FakedResolution": false,
    "Ratio": 1.777,
    "Resolution": "2560x1440",
    "UsableResolution": "2560x1300",
    "CCAScreenSize": "01"
  },
  "CallSignEnabled": null,
  "ThreatMetrixEnabled": false,
  "ThreatMetrixEventType": "LOGIN",
  "ThreatMetrixAlias": "UserAlias456",
  "TimeOffset": -300,
  "UserAgent": "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36",
  "UserAgentDetails": {
    "FakedOS": false,
    "FakedBrowser": false
  },
  "BinSessionId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}

So what does this mean for us? It means your antidetect setup is key. If your fingerprint looks sketchy youre screwed before you even enter your card details. But get this right and youve got a clear path to the money.

But dont get ahead of yourself just yet. Ive got a trick up my sleeve thatll make carding CarID easier. Well get to that good stuff soon enough.



Payment Processing

CarID uses CyberSource with 3DS 2.0 for payments. This might seem like a problem, but its actually good news for us.


3DS 2.0 is more flexible than the previous one. The companies behind it realized strict security was killing sales so they made it dynamic. This works in our favor.

Heres the thing: 3DS 2.0 decides in real-time whether to show a 3DS prompt. Its not a simple yes/no based on the card anymore. This gives us room.

Even cards that normally trigger 3DS can bypass it if we lower our risk score enough. It all depends on how Cardinal Commerce, the 3DS processor, sees our transaction (provided there are no AI fraud system in between).

We have two options:
  • Non-VBV cards: Still the easiest if available.
  • Risk score manipulation: By tweaking device fingerprint we can potentially bypass 3DS on cards that require it.
3DS 2.0s attempt to balance security and user experience has given us an opportunity. Were going to take advantage of it.



Minimizing your 3DS 2.0 Risk Score

Lets get into the good stuff. Unlike those fancy AI fraud systems, 3DS 2.0 is bound by privacy policies and data handling laws. This means its working with a limited dataset - just your IP and browser fingerprint.

Now I might be wrong on some of the details but heres whats been working for me:
*** Hidden text: cannot be quoted. ***


Remember, this isnt foolproof. But its a simple, effective way to lower your 3DS 2.0 risk score and increase your chances of possibly bypassing those pesky 3DS prompts. You dont want to get this screen:

View attachment 46387



Requirements and Flow
Requirements:
  • Non-VBV card OR use our trick above.
  • Clean residential proxies matching cards country
  • Solid antidetect browser setup
  • Drop address

Flow:
  • Use our trick above if youre using VBV cards
  • Add items to cart.
  • Go to checkout. Use guest checkout if possible.
  • Fill in shipping details carefully. No copy pasting.
  • Submit order and hold your breath.
  • If successful dont hit CarID again immediately. Space out your attempts.

In my experience Ive never had CarID cancel a transaction or request an item to be returned. But I havent hit them more than five times in total (all shipped) so your results may vary. Always be prepared for cancellations or returns.



Conclusion
View attachment 46388


We got CarIDs secrets and now you have a plan to turn their inventory into your own parts store. From 3DS 2.0s weaknesses to the simple trick, you have the tools to make some big money.

Now go build that dream car - one carded part at a time.

Just remember if you get caught and fuck up, you didnt learn any of this from me. d0ctrine out.
thanks g
 

trolka

Active Carder
Joined
30.09.24
Messages
31
Reaction score
2
Points
8

🚗 Carding Guide: CARiD 🚗



Get ready. If youve been jacking off to overpriced mufflers and fancy rims without actually owning them, its time to put your carding skills where your mouth is and hit CarID.

View attachment 46383

CarID.com has a mountain of auto parts and their security is weak as water. From cheap air fresheners to custom body kits, they have it all - and were about to help ourselves.

This isnt just about getting a free muffler. Were going to turn CarID into our own parts supplier. Their inventory is huge, their prices are high and their protection is crap. Perfect for us.
Dont get too cocky though. This still takes some skill. Well need to navigate their system, exploit their weaknesses and get away with the goods without tripping any alarms.

So get your cards ready and fire up your proxies. Were about to show CarID what happens when you leave your warehouse door open. Lets get in and see how we can turn their stock into our profit.


Why CarID?

CarID is the shit when it comes to high value auto parts with security as weak as piss. Their inventory is huge, from cheap air fresheners to custom body kits worth thousands. This variety lets us mix our hits and keep it legit.


The real money is in their high ticket items. Performance parts, custom wheels, high end stereo systems - one good score can set you up for weeks. And this stuff sells fast. Car enthusiasts are always looking for deals, meaning quick flips and less chance of chargebacks.

CarID works with hundreds of brands, so we can spread our activity and avoid patterns. Their global shipping opens up international card and drop possibilities. And theyre used to gift orders, so different billing and shipping addresses wont raise any flags.

In short, CarID is the perfect target - high value goods, diverse inventory and weak security. While others are fighting over electronics and fashion, were raiding an auto parts factory.



Recon

Opening up the Burp Suite we can see that CarIDs security is as basic as a cavemans club. No third party fraud system in sight, just some useless analytics crap that wont do jack to stop us.

View attachment 46385

Now heres where it gets interesting. CarID uses CyberSource for payments which implements 3DS 2.0. You might think this is bad news, but hold your horses - its actually a gift if you know how to play it right.

View attachment 46386

Before you even send over the payment details your devices fingerprint gets sent to Cardinal Commerce, the 3DS processor. The code looks something like this:

JSON:
{
  "Cookies": {
    "Legacy": true,
    "LocalStorage": true,
    "SessionStorage": true
  },
  "DeviceChannel": "Mobile",
  "Extended": {
    "Browser": {
      "Adblock": true,
      "AvailableJsFonts": [
        "Comic Sans MS",
        "Georgia",
        "Papyrus",
        "Arial Black",
        "Trebuchet MS"
      ],
      "DoNotTrack": "disabled",
      "JavaEnabled": true
    },
    "Device": {
      "ColorDepth": 24,
      "Cpu": "ARM",
      "Platform": "Linux",
      "TouchSupport": {
        "MaxTouchPoints": 5,
        "OnTouchStartAvailable": true,
        "TouchEventCreationSuccessful": true
      }
    }
  },
  "Fingerprint": "d9f8a4b5c3d2e1f0a5b6c7d8e9f0a1b2",
  "FingerprintingTime": 42,
  "FingerprintDetails": {
    "Version": "2.1.0"
  },
  "Language": "en-GB",
  "Latitude": null,
  "Longitude": null,
  "OrgUnitId": "61ddefdbcac40279f9950adf",
  "Origin": "Falcon",
  "Plugins": [
    "QuickTime::Video Format::video/quicktime~mov",
    "Flash Player::Flash Content::application/x-shockwave-flash",
    "HTML5 Audio::Audio Format::audio/mpeg"
  ],
  "ReferenceId": "e1f23456-g7h8-90ij-klmn-opqrstuvwxyz",
  "Referrer": "https://carid.com",
  "Screen": {
    "FakedResolution": false,
    "Ratio": 1.777,
    "Resolution": "2560x1440",
    "UsableResolution": "2560x1300",
    "CCAScreenSize": "01"
  },
  "CallSignEnabled": null,
  "ThreatMetrixEnabled": false,
  "ThreatMetrixEventType": "LOGIN",
  "ThreatMetrixAlias": "UserAlias456",
  "TimeOffset": -300,
  "UserAgent": "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36",
  "UserAgentDetails": {
    "FakedOS": false,
    "FakedBrowser": false
  },
  "BinSessionId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}

So what does this mean for us? It means your antidetect setup is key. If your fingerprint looks sketchy youre screwed before you even enter your card details. But get this right and youve got a clear path to the money.

But dont get ahead of yourself just yet. Ive got a trick up my sleeve thatll make carding CarID easier. Well get to that good stuff soon enough.



Payment Processing

CarID uses CyberSource with 3DS 2.0 for payments. This might seem like a problem, but its actually good news for us.


3DS 2.0 is more flexible than the previous one. The companies behind it realized strict security was killing sales so they made it dynamic. This works in our favor.

Heres the thing: 3DS 2.0 decides in real-time whether to show a 3DS prompt. Its not a simple yes/no based on the card anymore. This gives us room.

Even cards that normally trigger 3DS can bypass it if we lower our risk score enough. It all depends on how Cardinal Commerce, the 3DS processor, sees our transaction (provided there are no AI fraud system in between).

We have two options:
  • Non-VBV cards: Still the easiest if available.
  • Risk score manipulation: By tweaking device fingerprint we can potentially bypass 3DS on cards that require it.
3DS 2.0s attempt to balance security and user experience has given us an opportunity. Were going to take advantage of it.



Minimizing your 3DS 2.0 Risk Score

Lets get into the good stuff. Unlike those fancy AI fraud systems, 3DS 2.0 is bound by privacy policies and data handling laws. This means its working with a limited dataset - just your IP and browser fingerprint.

Now I might be wrong on some of the details but heres whats been working for me:
*** Hidden text: cannot be quoted. ***


Remember, this isnt foolproof. But its a simple, effective way to lower your 3DS 2.0 risk score and increase your chances of possibly bypassing those pesky 3DS prompts. You dont want to get this screen:

View attachment 46387



Requirements and Flow
Requirements:
  • Non-VBV card OR use our trick above.
  • Clean residential proxies matching cards country
  • Solid antidetect browser setup
  • Drop address

Flow:
  • Use our trick above if youre using VBV cards
  • Add items to cart.
  • Go to checkout. Use guest checkout if possible.
  • Fill in shipping details carefully. No copy pasting.
  • Submit order and hold your breath.
  • If successful dont hit CarID again immediately. Space out your attempts.

In my experience Ive never had CarID cancel a transaction or request an item to be returned. But I havent hit them more than five times in total (all shipped) so your results may vary. Always be prepared for cancellations or returns.



Conclusion
View attachment 46388


We got CarIDs secrets and now you have a plan to turn their inventory into your own parts store. From 3DS 2.0s weaknesses to the simple trick, you have the tools to make some big money.

Now go build that dream car - one carded part at a time.

Just remember if you get caught and fuck up, you didnt learn any of this from me. d0ctrine out.
nice.
 

bboy

Carding Novice
Joined
07.10.24
Messages
14
Reaction score
1
Points
3
This right here is going to be gold for me. I was literally checking this site out.. Tried and failed. Now I know why lol.
 

KoachKharter.1k

Active Carder
Joined
08.10.24
Messages
27
Reaction score
9
Points
3

🚗 Carding Guide: CARiD 🚗



Get ready. If youve been jacking off to overpriced mufflers and fancy rims without actually owning them, its time to put your carding skills where your mouth is and hit CarID.

View attachment 46383

CarID.com has a mountain of auto parts and their security is weak as water. From cheap air fresheners to custom body kits, they have it all - and were about to help ourselves.

This isnt just about getting a free muffler. Were going to turn CarID into our own parts supplier. Their inventory is huge, their prices are high and their protection is crap. Perfect for us.
Dont get too cocky though. This still takes some skill. Well need to navigate their system, exploit their weaknesses and get away with the goods without tripping any alarms.

So get your cards ready and fire up your proxies. Were about to show CarID what happens when you leave your warehouse door open. Lets get in and see how we can turn their stock into our profit.


Why CarID?

CarID is the shit when it comes to high value auto parts with security as weak as piss. Their inventory is huge, from cheap air fresheners to custom body kits worth thousands. This variety lets us mix our hits and keep it legit.


The real money is in their high ticket items. Performance parts, custom wheels, high end stereo systems - one good score can set you up for weeks. And this stuff sells fast. Car enthusiasts are always looking for deals, meaning quick flips and less chance of chargebacks.

CarID works with hundreds of brands, so we can spread our activity and avoid patterns. Their global shipping opens up international card and drop possibilities. And theyre used to gift orders, so different billing and shipping addresses wont raise any flags.

In short, CarID is the perfect target - high value goods, diverse inventory and weak security. While others are fighting over electronics and fashion, were raiding an auto parts factory.



Recon

Opening up the Burp Suite we can see that CarIDs security is as basic as a cavemans club. No third party fraud system in sight, just some useless analytics crap that wont do jack to stop us.

View attachment 46385

Now heres where it gets interesting. CarID uses CyberSource for payments which implements 3DS 2.0. You might think this is bad news, but hold your horses - its actually a gift if you know how to play it right.

View attachment 46386

Before you even send over the payment details your devices fingerprint gets sent to Cardinal Commerce, the 3DS processor. The code looks something like this:

JSON:
{
  "Cookies": {
    "Legacy": true,
    "LocalStorage": true,
    "SessionStorage": true
  },
  "DeviceChannel": "Mobile",
  "Extended": {
    "Browser": {
      "Adblock": true,
      "AvailableJsFonts": [
        "Comic Sans MS",
        "Georgia",
        "Papyrus",
        "Arial Black",
        "Trebuchet MS"
      ],
      "DoNotTrack": "disabled",
      "JavaEnabled": true
    },
    "Device": {
      "ColorDepth": 24,
      "Cpu": "ARM",
      "Platform": "Linux",
      "TouchSupport": {
        "MaxTouchPoints": 5,
        "OnTouchStartAvailable": true,
        "TouchEventCreationSuccessful": true
      }
    }
  },
  "Fingerprint": "d9f8a4b5c3d2e1f0a5b6c7d8e9f0a1b2",
  "FingerprintingTime": 42,
  "FingerprintDetails": {
    "Version": "2.1.0"
  },
  "Language": "en-GB",
  "Latitude": null,
  "Longitude": null,
  "OrgUnitId": "61ddefdbcac40279f9950adf",
  "Origin": "Falcon",
  "Plugins": [
    "QuickTime::Video Format::video/quicktime~mov",
    "Flash Player::Flash Content::application/x-shockwave-flash",
    "HTML5 Audio::Audio Format::audio/mpeg"
  ],
  "ReferenceId": "e1f23456-g7h8-90ij-klmn-opqrstuvwxyz",
  "Referrer": "https://carid.com",
  "Screen": {
    "FakedResolution": false,
    "Ratio": 1.777,
    "Resolution": "2560x1440",
    "UsableResolution": "2560x1300",
    "CCAScreenSize": "01"
  },
  "CallSignEnabled": null,
  "ThreatMetrixEnabled": false,
  "ThreatMetrixEventType": "LOGIN",
  "ThreatMetrixAlias": "UserAlias456",
  "TimeOffset": -300,
  "UserAgent": "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36",
  "UserAgentDetails": {
    "FakedOS": false,
    "FakedBrowser": false
  },
  "BinSessionId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}

So what does this mean for us? It means your antidetect setup is key. If your fingerprint looks sketchy youre screwed before you even enter your card details. But get this right and youve got a clear path to the money.

But dont get ahead of yourself just yet. Ive got a trick up my sleeve thatll make carding CarID easier. Well get to that good stuff soon enough.



Payment Processing

CarID uses CyberSource with 3DS 2.0 for payments. This might seem like a problem, but its actually good news for us.


3DS 2.0 is more flexible than the previous one. The companies behind it realized strict security was killing sales so they made it dynamic. This works in our favor.

Heres the thing: 3DS 2.0 decides in real-time whether to show a 3DS prompt. Its not a simple yes/no based on the card anymore. This gives us room.

Even cards that normally trigger 3DS can bypass it if we lower our risk score enough. It all depends on how Cardinal Commerce, the 3DS processor, sees our transaction (provided there are no AI fraud system in between).

We have two options:
  • Non-VBV cards: Still the easiest if available.
  • Risk score manipulation: By tweaking device fingerprint we can potentially bypass 3DS on cards that require it.
3DS 2.0s attempt to balance security and user experience has given us an opportunity. Were going to take advantage of it.



Minimizing your 3DS 2.0 Risk Score

Lets get into the good stuff. Unlike those fancy AI fraud systems, 3DS 2.0 is bound by privacy policies and data handling laws. This means its working with a limited dataset - just your IP and browser fingerprint.

Now I might be wrong on some of the details but heres whats been working for me:
*** Hidden text: cannot be quoted. ***


Remember, this isnt foolproof. But its a simple, effective way to lower your 3DS 2.0 risk score and increase your chances of possibly bypassing those pesky 3DS prompts. You dont want to get this screen:

View attachment 46387



Requirements and Flow
Requirements:
  • Non-VBV card OR use our trick above.
  • Clean residential proxies matching cards country
  • Solid antidetect browser setup
  • Drop address

Flow:
  • Use our trick above if youre using VBV cards
  • Add items to cart.
  • Go to checkout. Use guest checkout if possible.
  • Fill in shipping details carefully. No copy pasting.
  • Submit order and hold your breath.
  • If successful dont hit CarID again immediately. Space out your attempts.

In my experience Ive never had CarID cancel a transaction or request an item to be returned. But I havent hit them more than five times in total (all shipped) so your results may vary. Always be prepared for cancellations or returns.



Conclusion
View attachment 46388


We got CarIDs secrets and now you have a plan to turn their inventory into your own parts store. From 3DS 2.0s weaknesses to the simple trick, you have the tools to make some big money.

Now go build that dream car - one carded part at a time.

Just remember if you get caught and fuck up, you didnt learn any of this from me. d0ctrine out.
Thx
 

Jamiestemay98

Carding Novice
Joined
14.09.23
Messages
17
Reaction score
0
Points
1

🚗 Carding Guide: CARiD 🚗



Get ready. If youve been jacking off to overpriced mufflers and fancy rims without actually owning them, its time to put your carding skills where your mouth is and hit CarID.

View attachment 46383

CarID.com has a mountain of auto parts and their security is weak as water. From cheap air fresheners to custom body kits, they have it all - and were about to help ourselves.

This isnt just about getting a free muffler. Were going to turn CarID into our own parts supplier. Their inventory is huge, their prices are high and their protection is crap. Perfect for us.
Dont get too cocky though. This still takes some skill. Well need to navigate their system, exploit their weaknesses and get away with the goods without tripping any alarms.

So get your cards ready and fire up your proxies. Were about to show CarID what happens when you leave your warehouse door open. Lets get in and see how we can turn their stock into our profit.


Why CarID?

CarID is the shit when it comes to high value auto parts with security as weak as piss. Their inventory is huge, from cheap air fresheners to custom body kits worth thousands. This variety lets us mix our hits and keep it legit.


The real money is in their high ticket items. Performance parts, custom wheels, high end stereo systems - one good score can set you up for weeks. And this stuff sells fast. Car enthusiasts are always looking for deals, meaning quick flips and less chance of chargebacks.

CarID works with hundreds of brands, so we can spread our activity and avoid patterns. Their global shipping opens up international card and drop possibilities. And theyre used to gift orders, so different billing and shipping addresses wont raise any flags.

In short, CarID is the perfect target - high value goods, diverse inventory and weak security. While others are fighting over electronics and fashion, were raiding an auto parts factory.



Recon

Opening up the Burp Suite we can see that CarIDs security is as basic as a cavemans club. No third party fraud system in sight, just some useless analytics crap that wont do jack to stop us.

View attachment 46385

Now heres where it gets interesting. CarID uses CyberSource for payments which implements 3DS 2.0. You might think this is bad news, but hold your horses - its actually a gift if you know how to play it right.

View attachment 46386

Before you even send over the payment details your devices fingerprint gets sent to Cardinal Commerce, the 3DS processor. The code looks something like this:

JSON:
{
  "Cookies": {
    "Legacy": true,
    "LocalStorage": true,
    "SessionStorage": true
  },
  "DeviceChannel": "Mobile",
  "Extended": {
    "Browser": {
      "Adblock": true,
      "AvailableJsFonts": [
        "Comic Sans MS",
        "Georgia",
        "Papyrus",
        "Arial Black",
        "Trebuchet MS"
      ],
      "DoNotTrack": "disabled",
      "JavaEnabled": true
    },
    "Device": {
      "ColorDepth": 24,
      "Cpu": "ARM",
      "Platform": "Linux",
      "TouchSupport": {
        "MaxTouchPoints": 5,
        "OnTouchStartAvailable": true,
        "TouchEventCreationSuccessful": true
      }
    }
  },
  "Fingerprint": "d9f8a4b5c3d2e1f0a5b6c7d8e9f0a1b2",
  "FingerprintingTime": 42,
  "FingerprintDetails": {
    "Version": "2.1.0"
  },
  "Language": "en-GB",
  "Latitude": null,
  "Longitude": null,
  "OrgUnitId": "61ddefdbcac40279f9950adf",
  "Origin": "Falcon",
  "Plugins": [
    "QuickTime::Video Format::video/quicktime~mov",
    "Flash Player::Flash Content::application/x-shockwave-flash",
    "HTML5 Audio::Audio Format::audio/mpeg"
  ],
  "ReferenceId": "e1f23456-g7h8-90ij-klmn-opqrstuvwxyz",
  "Referrer": "https://carid.com",
  "Screen": {
    "FakedResolution": false,
    "Ratio": 1.777,
    "Resolution": "2560x1440",
    "UsableResolution": "2560x1300",
    "CCAScreenSize": "01"
  },
  "CallSignEnabled": null,
  "ThreatMetrixEnabled": false,
  "ThreatMetrixEventType": "LOGIN",
  "ThreatMetrixAlias": "UserAlias456",
  "TimeOffset": -300,
  "UserAgent": "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36",
  "UserAgentDetails": {
    "FakedOS": false,
    "FakedBrowser": false
  },
  "BinSessionId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}

So what does this mean for us? It means your antidetect setup is key. If your fingerprint looks sketchy youre screwed before you even enter your card details. But get this right and youve got a clear path to the money.

But dont get ahead of yourself just yet. Ive got a trick up my sleeve thatll make carding CarID easier. Well get to that good stuff soon enough.



Payment Processing

CarID uses CyberSource with 3DS 2.0 for payments. This might seem like a problem, but its actually good news for us.


3DS 2.0 is more flexible than the previous one. The companies behind it realized strict security was killing sales so they made it dynamic. This works in our favor.

Heres the thing: 3DS 2.0 decides in real-time whether to show a 3DS prompt. Its not a simple yes/no based on the card anymore. This gives us room.

Even cards that normally trigger 3DS can bypass it if we lower our risk score enough. It all depends on how Cardinal Commerce, the 3DS processor, sees our transaction (provided there are no AI fraud system in between).

We have two options:
  • Non-VBV cards: Still the easiest if available.
  • Risk score manipulation: By tweaking device fingerprint we can potentially bypass 3DS on cards that require it.
3DS 2.0s attempt to balance security and user experience has given us an opportunity. Were going to take advantage of it.



Minimizing your 3DS 2.0 Risk Score

Lets get into the good stuff. Unlike those fancy AI fraud systems, 3DS 2.0 is bound by privacy policies and data handling laws. This means its working with a limited dataset - just your IP and browser fingerprint.

Now I might be wrong on some of the details but heres whats been working for me:
*** Hidden text: cannot be quoted. ***


Remember, this isnt foolproof. But its a simple, effective way to lower your 3DS 2.0 risk score and increase your chances of possibly bypassing those pesky 3DS prompts. You dont want to get this screen:

View attachment 46387



Requirements and Flow
Requirements:
  • Non-VBV card OR use our trick above.
  • Clean residential proxies matching cards country
  • Solid antidetect browser setup
  • Drop address

Flow:
  • Use our trick above if youre using VBV cards
  • Add items to cart.
  • Go to checkout. Use guest checkout if possible.
  • Fill in shipping details carefully. No copy pasting.
  • Submit order and hold your breath.
  • If successful dont hit CarID again immediately. Space out your attempts.

In my experience Ive never had CarID cancel a transaction or request an item to be returned. But I havent hit them more than five times in total (all shipped) so your results may vary. Always be prepared for cancellations or returns.



Conclusion
View attachment 46388


We got CarIDs secrets and now you have a plan to turn their inventory into your own parts store. From 3DS 2.0s weaknesses to the simple trick, you have the tools to make some big money.

Now go build that dream car - one carded part at a time.

Just remember if you get caught and fuck up, you didnt learn any of this from me. d0ctrine out.
sensational
 

emmanuel365

Basic
Joined
11.11.21
Messages
13
Reaction score
1
Points
3

🚗 Carding Guide: CARiD 🚗



Get ready. If youve been jacking off to overpriced mufflers and fancy rims without actually owning them, its time to put your carding skills where your mouth is and hit CarID.

View attachment 46383

CarID.com has a mountain of auto parts and their security is weak as water. From cheap air fresheners to custom body kits, they have it all - and were about to help ourselves.

This isnt just about getting a free muffler. Were going to turn CarID into our own parts supplier. Their inventory is huge, their prices are high and their protection is crap. Perfect for us.
Dont get too cocky though. This still takes some skill. Well need to navigate their system, exploit their weaknesses and get away with the goods without tripping any alarms.

So get your cards ready and fire up your proxies. Were about to show CarID what happens when you leave your warehouse door open. Lets get in and see how we can turn their stock into our profit.


Why CarID?

CarID is the shit when it comes to high value auto parts with security as weak as piss. Their inventory is huge, from cheap air fresheners to custom body kits worth thousands. This variety lets us mix our hits and keep it legit.


The real money is in their high ticket items. Performance parts, custom wheels, high end stereo systems - one good score can set you up for weeks. And this stuff sells fast. Car enthusiasts are always looking for deals, meaning quick flips and less chance of chargebacks.

CarID works with hundreds of brands, so we can spread our activity and avoid patterns. Their global shipping opens up international card and drop possibilities. And theyre used to gift orders, so different billing and shipping addresses wont raise any flags.

In short, CarID is the perfect target - high value goods, diverse inventory and weak security. While others are fighting over electronics and fashion, were raiding an auto parts factory.



Recon

Opening up the Burp Suite we can see that CarIDs security is as basic as a cavemans club. No third party fraud system in sight, just some useless analytics crap that wont do jack to stop us.

View attachment 46385

Now heres where it gets interesting. CarID uses CyberSource for payments which implements 3DS 2.0. You might think this is bad news, but hold your horses - its actually a gift if you know how to play it right.

View attachment 46386

Before you even send over the payment details your devices fingerprint gets sent to Cardinal Commerce, the 3DS processor. The code looks something like this:

JSON:
{
  "Cookies": {
    "Legacy": true,
    "LocalStorage": true,
    "SessionStorage": true
  },
  "DeviceChannel": "Mobile",
  "Extended": {
    "Browser": {
      "Adblock": true,
      "AvailableJsFonts": [
        "Comic Sans MS",
        "Georgia",
        "Papyrus",
        "Arial Black",
        "Trebuchet MS"
      ],
      "DoNotTrack": "disabled",
      "JavaEnabled": true
    },
    "Device": {
      "ColorDepth": 24,
      "Cpu": "ARM",
      "Platform": "Linux",
      "TouchSupport": {
        "MaxTouchPoints": 5,
        "OnTouchStartAvailable": true,
        "TouchEventCreationSuccessful": true
      }
    }
  },
  "Fingerprint": "d9f8a4b5c3d2e1f0a5b6c7d8e9f0a1b2",
  "FingerprintingTime": 42,
  "FingerprintDetails": {
    "Version": "2.1.0"
  },
  "Language": "en-GB",
  "Latitude": null,
  "Longitude": null,
  "OrgUnitId": "61ddefdbcac40279f9950adf",
  "Origin": "Falcon",
  "Plugins": [
    "QuickTime::Video Format::video/quicktime~mov",
    "Flash Player::Flash Content::application/x-shockwave-flash",
    "HTML5 Audio::Audio Format::audio/mpeg"
  ],
  "ReferenceId": "e1f23456-g7h8-90ij-klmn-opqrstuvwxyz",
  "Referrer": "https://carid.com",
  "Screen": {
    "FakedResolution": false,
    "Ratio": 1.777,
    "Resolution": "2560x1440",
    "UsableResolution": "2560x1300",
    "CCAScreenSize": "01"
  },
  "CallSignEnabled": null,
  "ThreatMetrixEnabled": false,
  "ThreatMetrixEventType": "LOGIN",
  "ThreatMetrixAlias": "UserAlias456",
  "TimeOffset": -300,
  "UserAgent": "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36",
  "UserAgentDetails": {
    "FakedOS": false,
    "FakedBrowser": false
  },
  "BinSessionId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}

So what does this mean for us? It means your antidetect setup is key. If your fingerprint looks sketchy youre screwed before you even enter your card details. But get this right and youve got a clear path to the money.

But dont get ahead of yourself just yet. Ive got a trick up my sleeve thatll make carding CarID easier. Well get to that good stuff soon enough.



Payment Processing

CarID uses CyberSource with 3DS 2.0 for payments. This might seem like a problem, but its actually good news for us.


3DS 2.0 is more flexible than the previous one. The companies behind it realized strict security was killing sales so they made it dynamic. This works in our favor.

Heres the thing: 3DS 2.0 decides in real-time whether to show a 3DS prompt. Its not a simple yes/no based on the card anymore. This gives us room.

Even cards that normally trigger 3DS can bypass it if we lower our risk score enough. It all depends on how Cardinal Commerce, the 3DS processor, sees our transaction (provided there are no AI fraud system in between).

We have two options:
  • Non-VBV cards: Still the easiest if available.
  • Risk score manipulation: By tweaking device fingerprint we can potentially bypass 3DS on cards that require it.
3DS 2.0s attempt to balance security and user experience has given us an opportunity. Were going to take advantage of it.



Minimizing your 3DS 2.0 Risk Score

Lets get into the good stuff. Unlike those fancy AI fraud systems, 3DS 2.0 is bound by privacy policies and data handling laws. This means its working with a limited dataset - just your IP and browser fingerprint.

Now I might be wrong on some of the details but heres whats been working for me:
*** Hidden text: cannot be quoted. ***


Remember, this isnt foolproof. But its a simple, effective way to lower your 3DS 2.0 risk score and increase your chances of possibly bypassing those pesky 3DS prompts. You dont want to get this screen:

View attachment 46387



Requirements and Flow
Requirements:
  • Non-VBV card OR use our trick above.
  • Clean residential proxies matching cards country
  • Solid antidetect browser setup
  • Drop address

Flow:
  • Use our trick above if youre using VBV cards
  • Add items to cart.
  • Go to checkout. Use guest checkout if possible.
  • Fill in shipping details carefully. No copy pasting.
  • Submit order and hold your breath.
  • If successful dont hit CarID again immediately. Space out your attempts.

In my experience Ive never had CarID cancel a transaction or request an item to be returned. But I havent hit them more than five times in total (all shipped) so your results may vary. Always be prepared for cancellations or returns.



Conclusion
View attachment 46388


We got CarIDs secrets and now you have a plan to turn their inventory into your own parts store. From 3DS 2.0s weaknesses to the simple trick, you have the tools to make some big money.

Now go build that dream car - one carded part at a time.

Just remember if you get caught and fuck up, you didnt learn any of this from me. d0ctrine out.
Great share as always
 
Top Bottom