lafrappe666


🚗 Carding Guide: CARiD 🚗



Get ready. If youve been jacking off to overpriced mufflers and fancy rims without actually owning them, its time to put your carding skills where your mouth is and hit CarID.

CarID.com has a mountain of auto parts and their security is weak as water. From cheap air fresheners to custom body kits, they have it all - and were about to help ourselves.

This isnt just about getting a free muffler. Were going to turn CarID into our own parts supplier. Their inventory is huge, their prices are high and their protection is crap. Perfect for us.
Dont get too cocky though. This still takes some skill. Well need to navigate their system, exploit their weaknesses and get away with the goods without tripping any alarms.

So get your cards ready and fire up your proxies. Were about to show CarID what happens when you leave your warehouse door open. Lets get in and see how we can turn their stock into our profit.


Why CarID?

CarID is the shit when it comes to high value auto parts with security as weak as piss. Their inventory is huge, from cheap air fresheners to custom body kits worth thousands. This variety lets us mix our hits and keep it legit.


The real money is in their high ticket items. Performance parts, custom wheels, high end stereo systems - one good score can set you up for weeks. And this stuff sells fast. Car enthusiasts are always looking for deals, meaning quick flips and less chance of chargebacks.

CarID works with hundreds of brands, so we can spread our activity and avoid patterns. Their global shipping opens up international card and drop possibilities. And theyre used to gift orders, so different billing and shipping addresses wont raise any flags.

In short, CarID is the perfect target - high value goods, diverse inventory and weak security. While others are fighting over electronics and fashion, were raiding an auto parts factory.



Recon

Opening up the Burp Suite we can see that CarIDs security is as basic as a cavemans club. No third party fraud system in sight, just some useless analytics crap that wont do jack to stop us.

Now heres where it gets interesting. CarID uses CyberSource for payments which implements 3DS 2.0. You might think this is bad news, but hold your horses - its actually a gift if you know how to play it right.

Before you even send over the payment details your devices fingerprint gets sent to Cardinal Commerce, the 3DS processor. The code looks something like this:

JSON:
{
  "Cookies": {
    "Legacy": true,
    "LocalStorage": true,
    "SessionStorage": true
  },
  "DeviceChannel": "Mobile",
  "Extended": {
    "Browser": {
      "Adblock": true,
      "AvailableJsFonts": [
        "Comic Sans MS",
        "Georgia",
        "Papyrus",
        "Arial Black",
        "Trebuchet MS"
      ],
      "DoNotTrack": "disabled",
      "JavaEnabled": true
    },
    "Device": {
      "ColorDepth": 24,
      "Cpu": "ARM",
      "Platform": "Linux",
      "TouchSupport": {
        "MaxTouchPoints": 5,
        "OnTouchStartAvailable": true,
        "TouchEventCreationSuccessful": true
      }
    }
  },
  "Fingerprint": "d9f8a4b5c3d2e1f0a5b6c7d8e9f0a1b2",
  "FingerprintingTime": 42,
  "FingerprintDetails": {
    "Version": "2.1.0"
  },
  "Language": "en-GB",
  "Latitude": null,
  "Longitude": null,
  "OrgUnitId": "61ddefdbcac40279f9950adf",
  "Origin": "Falcon",
  "Plugins": [
    "QuickTime::Video Format::video/quicktime~mov",
    "Flash Player::Flash Content::application/x-shockwave-flash",
    "HTML5 Audio::Audio Format::audio/mpeg"
  ],
  "ReferenceId": "e1f23456-g7h8-90ij-klmn-opqrstuvwxyz",
  "Referrer": "https://carid.com",
  "Screen": {
    "FakedResolution": false,
    "Ratio": 1.777,
    "Resolution": "2560x1440",
    "UsableResolution": "2560x1300",
    "CCAScreenSize": "01"
  },
  "CallSignEnabled": null,
  "ThreatMetrixEnabled": false,
  "ThreatMetrixEventType": "LOGIN",
  "ThreatMetrixAlias": "UserAlias456",
  "TimeOffset": -300,
  "UserAgent": "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Mobile Safari/537.36",
  "UserAgentDetails": {
    "FakedOS": false,
    "FakedBrowser": false
  },
  "BinSessionId": "a1b2c3d4-e5f6-7890-abcd-ef1234567890"
}

So what does this mean for us? It means your antidetect setup is key. If your fingerprint looks sketchy youre screwed before you even enter your card details. But get this right and youve got a clear path to the money.

But dont get ahead of yourself just yet. Ive got a trick up my sleeve thatll make carding CarID easier. Well get to that good stuff soon enough.



Payment Processing

CarID uses CyberSource with 3DS 2.0 for payments. This might seem like a problem, but its actually good news for us.


3DS 2.0 is more flexible than the previous one. The companies behind it realized strict security was killing sales so they made it dynamic. This works in our favor.

Heres the thing: 3DS 2.0 decides in real-time whether to show a 3DS prompt. Its not a simple yes/no based on the card anymore. This gives us room.

Even cards that normally trigger 3DS can bypass it if we lower our risk score enough. It all depends on how Cardinal Commerce, the 3DS processor, sees our transaction (provided there are no AI fraud system in between).

We have two options:
  • Non-VBV cards: Still the easiest if available.
  • Risk score manipulation: By tweaking device fingerprint we can potentially bypass 3DS on cards that require it.
3DS 2.0s attempt to balance security and user experience has given us an opportunity. Were going to take advantage of it.



Minimizing your 3DS 2.0 Risk Score

Lets get into the good stuff. Unlike those fancy AI fraud systems, 3DS 2.0 is bound by privacy policies and data handling laws. This means its working with a limited dataset - just your IP and browser fingerprint.

Now I might be wrong on some of the details but heres whats been working for me:
*** Hidden text: cannot be quoted. ***


Remember, this isnt foolproof. But its a simple, effective way to lower your 3DS 2.0 risk score and increase your chances of possibly bypassing those pesky 3DS prompts. You dont want to get this screen:

View attachment 46387



Requirements and Flow
Requirements:
  • Non-VBV card OR use our trick above.
  • Clean residential proxies matching cards country
  • Solid antidetect browser setup
  • Drop address

Flow:
  • Use our trick above if youre using VBV cards
  • Add items to cart.
  • Go to checkout. Use guest checkout if possible.
  • Fill in shipping details carefully. No copy pasting.
  • Submit order and hold your breath.
  • If successful dont hit CarID again immediately. Space out your attempts.

In my experience Ive never had CarID cancel a transaction or request an item to be returned. But I havent hit them more than five times in total (all shipped) so your results may vary. Always be prepared for cancellations or returns.



Conclusion


We got CarIDs secrets and now you have a plan to turn their inventory into your own parts store. From 3DS 2.0s weaknesses to the simple trick, you have the tools to make some big money.

Now go build that dream car - one carded part at a time.

Just remember if you get caught and fuck up, you didnt learn any of this from me. d0ctrine out.
i did thanks
 

kakabiell

great
 

allan0717

 

vazsan

Tk you
 

oxbygod


Now I might be wrong on some of the details but heres whats been working for me:
*** Hidden text: cannot be quoted. ***


Remember, this isnt foolproof. But its a simple, effective way to lower your 3DS 2.0 risk score and increase your chances of possibly bypassing those pesky 3DS prompts. You dont want to get this screen:




Requirements and Flow
Requirements:
  • Non-VBV card OR use our trick above.
  • Clean residential proxies matching cards country
  • Solid antidetect browser setup
  • Drop address

Flow:
  • Use our trick above if youre using VBV cards
  • Add items to cart.
  • Go to checkout. Use guest checkout if possible.
  • Fill in shipping details carefully. No copy pasting.
  • Submit order and hold your breath.
  • If successful dont hit CarID again immediately. Space out your attempts.

In my experience Ive never had CarID cancel a transaction or request an item to be returned. But I havent hit them more than five times in total (all shipped) so your results may vary. Always be prepared for cancellations or returns.



Conclusion


We got CarIDs secrets and now you have a plan to turn their inventory into your own parts store. From 3DS 2.0s weaknesses to the simple trick, you have the tools to make some big money.

Now go build that dream car - one carded part at a time.

Just remember if you get caught and fuck up, you didnt learn any of this from me. d0ctrine out.
still working?
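
Added example, not part of the thread: the guide above depends on guest checkout, a shipping address that differs from billing, high-ticket items, a 3DS outcome with no challenge, and attempts spaced out over time, so a merchant-side review rule can key on those order attributes. The field names, thresholds and sample orders below are assumptions constructed for illustration, not any merchant's or processor's real schema.

```python
import re
from datetime import datetime, timedelta

HIGH_VALUE = 500.00           # assumed manual-review threshold (currency units)
WINDOW = timedelta(days=30)   # long look-back: orders spaced days apart still cluster
MAX_CARDS_PER_ADDRESS = 2     # assumed: more distinct cards than this to one address is unusual


def norm_addr(addr: str) -> str:
    """Collapse case, punctuation and spacing so variants of one address compare equal."""
    return re.sub(r"[^a-z0-9]", "", addr.lower())


def review_reasons(order: dict, prior_orders: list) -> list:
    """Return the reasons an order should be held for manual review (empty list = none)."""
    reasons = []
    ship = norm_addr(order["ship_addr"])
    third_party = ship != norm_addr(order["bill_addr"])
    high = order["total"] >= HIGH_VALUE

    # Gift orders are normal; the combination with guest checkout and a high total is not.
    if order["guest"] and third_party and high:
        reasons.append("guest_high_value_third_party_shipping")

    # A frictionless 3DS result means the issuer did not challenge the cardholder,
    # so the merchant should not treat it as proof of identity on its own.
    if order["three_ds"] == "frictionless" and third_party and high:
        reasons.append("no_challenge_on_high_value_third_party_shipping")

    # Count distinct cards shipped to the same normalized address inside the window.
    cards = {order["card_token"]}
    for prev in prior_orders:
        age = order["ts"] - prev["ts"]
        if norm_addr(prev["ship_addr"]) == ship and timedelta(0) <= age <= WINDOW:
            cards.add(prev["card_token"])
    if len(cards) > MAX_CARDS_PER_ADDRESS:
        reasons.append(f"{len(cards)}_cards_to_one_address")

    return reasons


# Constructed sample data (no real customers, cards or addresses).
HISTORY = [
    {"ts": datetime(2025, 1, 10), "card_token": "tok_D", "ship_addr": "12 Elm St, Apt 4"},
    {"ts": datetime(2025, 3, 1), "card_token": "tok_A", "ship_addr": "12 Elm St., Apt 4"},
    {"ts": datetime(2025, 3, 12), "card_token": "tok_B", "ship_addr": "12 elm st apt 4"},
]

SUSPECT = {
    "ts": datetime(2025, 3, 25), "card_token": "tok_C", "guest": True,
    "total": 1899.00, "three_ds": "frictionless",
    "bill_addr": "77 Harbor Rd", "ship_addr": "12 ELM ST APT 4",
}

GIFT = {
    "ts": datetime(2025, 3, 25), "card_token": "tok_E", "guest": False,
    "total": 60.00, "three_ds": "challenged",
    "bill_addr": "3 Pine Ct", "ship_addr": "9 Oak Ave",
}

if __name__ == "__main__":
    print(review_reasons(SUSPECT, HISTORY))
    print(review_reasons(GIFT, HISTORY))
```

The address-clustering rule is the one that spacing out orders does not defeat, because the look-back window is measured in weeks and the key is the delivery address rather than the card or the device.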
 

Heryti6589

Thanks
 

scofield22

nice
 

dnaog

Thank you
 

kjasnckjancjkn

niceee
 

tegasdasd2

Carding Novice
Joined
08.02.25
Messages
2
Reaction score
0
Points
1

tyyyyyyyyyyyyyyyyyy
 

Hline

Active Carder
Joined
03.02.25
Messages
37
Reaction score
1
Points
8

Thank you!
 

yakiris11

Carding Novice
Joined
07.02.25
Messages
21
Reaction score
2
Points
3

thank you
 

111222

Carding Novice
Joined
10.02.25
Messages
21
Reaction score
0
Points
1

11
 

johneybravo

Active Carder
Joined
04.02.25
Messages
42
Reaction score
1
Points
8

check
 