Carding is a term describing the trafficking of credit card, bank account and other personal information online, as well as related fraud services. Activities also encompass the procurement of details and money laundering techniques. Modern carding sites have been described as full-service commercial entities.
There are a great many methods to acquire credit card and associated financial and personal data. The earliest known carding methods have also included 'trashing' for financial data, raiding mail boxes and working with insiders. Some bank card numbers can be semi-automatically generated based on known sequences via a 'BIN attack'. Carders might attempt a 'distributed guessing attack' to discover valid numbers by submitting numbers across a high number of ecommerce sites simultaneously.
Today, various methodologies include skimmers at ATMs, hacking an ecommerce or payment processing site or even intercepting card data within a point of sale network. Randomly calling hotel room phones asking guests to 'confirm' credit card details is an example of a social engineering attack vector.
Stolen data may be bundled as a 'Base' or 'First-hand base' if the seller participated in the theft themselves. Resellers may buy 'packs' of dumps from multiple sources. Ultimately, the data may be sold on darknet markets and other carding sites and forum 'dump shops' specialising in these types of illegal goods.
On the more sophisticated of such sites, individual 'dumps' may be purchased by zip code and country so as to avoid alerting banks about their misuse. Automatic checker services perform validation en masse in order to quickly check if a card has yet to be blocked. Sellers will advertise their dump's 'valid rate', based on estimates or checker data. Cards with a greater than 90% valid rate command higher prices. 'Cobs' or changes of billing are highly valued, where sufficient information is captured to allow redirection of the registered card's billing and shipping addresses to one under the carder's control.