Attacks on continuous verification systems (BioCatch, Forter)

Good Carder

From carder to carders. While you're hitting your CVV, spoofing your IP address, warming up profiles and simulating a mouse, some have already concluded that all of this is child's play. Because the real boss isn't sitting on the seller's end. He's sitting in your own browser, analyzing how you move your cursor, how fast you type, and even the angle at which you hold your phone.

BioCatch, Forter, and similar systems aren't just about "checking your card and IP address." They're about continuously verifying the interaction process itself. They don't ask "who you are," they observe "how you do it." And if your movements lack natural tremors, uneven pauses, and unpredictable trajectories, if your cursor moves in a perfectly straight line, you're already dead to the system.

In this article, I'll examine how modern behavioral biometric systems work, what parameters they analyze, which bypass methods actually work, and which merely create the illusion of security.


🧠 Part 1. Continuous Verification Architecture. Why Passwords Are No Longer Needed

BioCatch, a major player in this niche, collects over 2,000 behavioral parameters — from mouse movements to device holding — processing 5 billion transactions per month.

Passwords can be stolen. Session cookies can be intercepted. Even your fingerprint can be forged. Your behavioral patterns, formed over years, are virtually impossible to counterfeit. This is the core principle of continuous verification. Unlike traditional authentication, which verifies you once — at login — BioCatch, Forter, and other systems monitor you throughout your entire session, analyzing every action in real time without the need for additional user requests.

For us as attackers, this means: it's not enough to simply log in successfully. You need to maintain the illusion of legitimacy from the first click to the last. One movement that doesn't match the victim's profile can trigger additional verification, block the transaction, and destroy not only the card but your entire infrastructure.

🔍 Part 2. The BioCatch System. Three Layers of Behavioral Control

The BioCatch system comprehensively analyzes the user throughout the entire digital session. This analysis is divided into three key areas:

2.1 Physical biometrics (how you move)

The system analyzes mouse movements — its trajectory, speed, acceleration, micro-oscillations, pauses, and overshoots.

It also analyzes touchscreen interactions: swipe patterns, pressure, and touch speed. Even the way you hold the device is analyzed: the angle of the device and the position of your hands can reveal a lot about the user.

And finally, the physical parameters of the keyboard: typing speed, rhythm, pressure, key-hold intervals, and typical delays.

For a carder, this means that if your bot moves the mouse strictly in straight lines or presses keys with mechanical uniformity, you'll be noticed. Humans always make micro-errors: they falter at the end of a movement, sometimes miss, and hesitate before an important action. These "imperfections" are your only insurance.

2.2 Cognitive biometrics (how you think)

This analysis focuses on the "invisible" hesitations and doubts that are natural when humans interact with an interface.

The system records doubts and pauses when you hover over a particular menu item before making a selection. It tracks the frequency of errors and their subsequent correction: when and how often you make errors while entering data is part of your unique profile. Even your reaction to errors is analyzed: how you correct typos, delete unnecessary entries, and return to previous fields.

For carders, this means that if your scripts fill fields perfectly the first time and do not make any unnecessary movements, this is a powerful signal for the system. Perfection and predictability are the enemy of a true carder striving for invisibility.

2.3 Behavioral context (your route through the site)

The system analyzes your typical website navigation: the sequence of pages visited, scroll speed, typical time spent on a page, and the moments when you leave or return to a tab.

For carders, this means that hitting cards immediately after logging in, without viewing products or adding them to your cart, looks unusual and suspicious to anti-fraud systems. Warming up a profile by simulating "shopping" is no longer just a recommendation, but a mandatory requirement for bypassing.

📊 Part 3. BioCatch's Technical Methods. How They Do It

BioCatch collects this data using a JavaScript script embedded in the bank's web page or mobile SDK.

In practice, it works like this: you visit the website, and invisible code begins recording your every action. All this telemetry is sent to BioCatch servers, where specialized AI models (including LSTM and other neural networks) process it in real time and compare it with the legitimate user profile. If a deviation is detected, the system springs into action.

Any significant deviation from the historical pattern triggers an alarm. The logic is simple: the system compares the current session's behavior with the victim's long-term profile. If discrepancies are detected, BioCatch dynamically calculates a risk score (which can change during the session) and, depending on the risk score, either requires additional verification (MFA) or blocks the transaction.

Forter builds the same system around the concept of identity, analyzing not only behavioral signals but also the broadest context: the user's history of actions on the site, the devices used, network anomalies, return patterns, and even social connections, identifying entire fraudulent networks in their graph databases.

⚔️ Part 4. Evasion Tactics. How to Create a Bot That Shakes Like a Human

If you're trying to create a bot indistinguishable from a human, forget about straight lines and perfect precision. Your script should be imperfect.

4.1. Mouse movement emulation (manual and automated levels)

Ghost Cursor is an industry standard. This Puppeteer library generates realistic mouse movement trajectories along Bézier curves, avoiding straight lines. Ghost Cursor also introduces small random offsets to prevent the cursor from perfectly centering an element, simulating human imprecision.

Human mouse movement is always a slightly curved line, with a natural acceleration at the beginning and deceleration at the end. If your bot moves the cursor strictly from point A to point B in a straight line, it will be spotted instantly.

A more advanced approach is to use generative models trained on real human movements, such as GANs (Generative Adversarial Networks). Researchers have developed projects in which GANs are trained on thousands of real mouse trajectories and then generate new ones that are statistically indistinguishable from human ones. This approach allows for incredibly realistic movements that mimic the unique "handwriting" of a particular person.

Mouse emulation checklist:
  • Never use instant clicks (page.click(x, y)). Always use movement from the current position.
  • Simulate an "overshoot". People rarely stop exactly on target. They often "fly" over the button and return.
  • Add random tremors. Even when the mouse is stationary, the human hand creates micro-vibrations.
  • Vary your trajectories. Don't use the same curve type for every move.

4.2. Emulation of keyboard input and microcorrections

The @extra/humanize library for Puppeteer and Playwright implements this logic by randomizing delays between keystrokes and can be a great starting point.

However, the simplest and most effective method is recording and replaying real sessions. You can record real human behavior (via rrweb or similar) and then use these real tracks as templates for your scripts. This completely eliminates the need to manually adjust randomization parameters.

Important details: when entering a card number, a person most often enters groups of digits with pauses. They can also make a mistake and press Backspace (simulating a typo). And even an employee reading a script can unintentionally give away their identity with false pauses or unnatural speech patterns.

Checklist for keyboard emulation:
  • Randomize delays. Never use a fixed 50ms interval.
  • Pause between groups of characters, especially when entering your card number.
  • Periodically introduce errors (an extra character, then delete it). This is a powerful signal of "humanity."

4.3. Simulating "human inefficiency" (scrolling, pauses, hovers)

The simplest way to make a bot more human-like is to make it navigate a website as inefficiently as a human.

Humans never scroll at a perfectly uniform speed from the top to the bottom of a page. They pause, sometimes going back up a bit to reread a paragraph.

Use libraries like @extra/humanize, which automate these complex patterns, freeing you from having to write complex randomization logic manually.

🛡️ Part 5. Protection for banks and what it means for us

Understanding how defense systems work is key to building a successful attack.

Banks using systems like BioCatch are moving to continuous adaptive authentication, which assesses risk levels in real time and adapts verification requirements. The higher the risk, the more stringent the checks. Implementing these systems has proven to yield tangible results for banks. For example, a major bank reported a 94% reduction in account takeover fraud after integrating BioCatch.

For attackers, this is important for several reasons:
  • Initial authentication is not enough. Your behavior is analyzed throughout your entire session.
  • Even a legitimate account with the correct password can be blocked. If your behavior patterns don't match the victim's profile, the transaction will be rejected.
  • The complexity of the attack is increasing. Successfully bypassing BioCatch and Forter requires collecting a behavioral profile of the victim before the attack.

Collecting a behavioral profile is an extremely complex task, but it's already being discussed in the research community. It would require access to the victim's device or their long-term sessions. However, if this bypass technology becomes a reality, banks will likely have to reconsider the very paradigm of continuous authentication.

✅ Final Checklist: How to Prepare Your Bot for BioCatch

  • Don't move the mouse in straight lines. Use Bézier curves (Ghost Cursor) or LSTM/GAN-generated trajectories.
  • Add natural noise and micro-jitter to cursor movements.
  • Simulate overshoot and micro-adjustments on clicks.
  • Use generative models to create patterns indistinguishable from human ones.
  • Randomize delays between keystrokes. Simulate typos and their correction.
  • Add irregular scrolling with stops and random returns.
  • Simulate "hesitations" before actions by hovering the cursor over the button for 200-500 ms.
  • Use @extra/humanize for complex behavioral scenarios.
  • Collect and analyze the victim's behavior before the attack, if possible.
  • Test your scripts on behavioral fingerprinting services (e.g. BrowserLeaks).

📝 Summary

Continuous verification systems like BioCatch and Forter are the quintessence of modern anti-fraud. They analyze everything from mouse movements to user hesitations. In the era of Agentic AI, when carders use autonomous AI agents capable of multi-step actions without human supervision, the task becomes even more difficult.

You must force your bot to make natural errors, hesitate, and move as inefficiently as a normal person. Perfect efficiency is suspect. Only fake imperfection can make a bot truly invisible.

A quick one-line reminder:

"BioCatch looks not at what you do, but how you do it. A straight cursor line is your death sentence. Ghost Cursor imitates a curve, GAN learns from your handwriting, and entering card digits error-free in under a second is grounds for blocking a transaction. In 2027, to fool AI, you must teach your code to be unpredictably random. Your doom lies in the perfection of the algorithm."
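From the defender's side, the signals Parts 2 and 3 describe (dead-straight cursor paths, constant speed, fixed inter-key delays) can be surfaced directly from raw telemetry. The following is an added example, not code from the post or from BioCatch/Forter; the feature thresholds and the two sample sessions are constructed for illustration.

```javascript
// Added example, not code from the original post: defender-side heuristics that
// score mouse and keystroke telemetry for the "too perfect" signals the post
// describes (straight paths, uniform speed, fixed key delays). Thresholds and
// sample data are constructed for illustration.
const mean = (a) => a.reduce((s, v) => s + v, 0) / a.length;
// Coefficient of variation: 0 means perfectly uniform values.
const cv = (a) => {
  const m = mean(a);
  return m === 0 ? 0 : Math.sqrt(mean(a.map((v) => (v - m) ** 2))) / m;
};
// Mouse samples are [{x, y, t}] (pixels, ms) captured during one pointer move.
function mouseFeatures(samples) {
  let path = 0;
  const speeds = [];
  for (let i = 1; i < samples.length; i++) {
    const d = Math.hypot(samples[i].x - samples[i - 1].x, samples[i].y - samples[i - 1].y);
    const dt = samples[i].t - samples[i - 1].t;
    path += d;
    if (dt > 0) speeds.push(d / dt);
  }
  const a = samples[0], b = samples[samples.length - 1];
  const chord = Math.hypot(b.x - a.x, b.y - a.y);
  // straightness of exactly 1.0 is a dead-straight path; hands curve and overshoot
  return { straightness: chord === 0 ? 1 : path / chord, speedCv: cv(speeds) };
}
// Keystroke timestamps in ms; a fixed inter-key delay yields a gapCv of 0.
function keystrokeFeatures(times) {
  const gaps = [];
  for (let i = 1; i < times.length; i++) gaps.push(times[i] - times[i - 1]);
  return { gapCv: cv(gaps) };
}

function scoreSession(mouse, keys) {
  const m = mouseFeatures(mouse), k = keystrokeFeatures(keys);
  const flags = [];
  if (m.straightness < 1.02) flags.push('straight_path');
  if (m.speedCv < 0.1) flags.push('uniform_speed');
  if (k.gapCv < 0.1) flags.push('uniform_keystrokes');
  return { ...m, ...k, flags, risky: flags.length >= 2 };
}

// Constructed sessions: a scripted move (straight, constant speed, 50 ms keys)
// and a hand-drawn one with a curve, varying speed and irregular typing.
const BOT_MOUSE = Array.from({ length: 11 }, (_, i) => ({ x: i * 10, y: 0, t: i * 10 }));
const BOT_KEYS = Array.from({ length: 9 }, (_, i) => i * 50);
const HUMAN_MOUSE = [[0, 0, 0], [6, 4, 20], [25, 14, 40], [55, 20, 60], [82, 14, 80],
  [96, 5, 100], [100, 3, 130]].map(([x, y, t]) => ({ x, y, t }));
const HUMAN_KEYS = [0, 120, 260, 330, 520, 610, 880, 950];
console.log(scoreSession(BOT_MOUSE, BOT_KEYS).flags, scoreSession(HUMAN_MOUSE, HUMAN_KEYS).risky);
```

In production the thresholds would be learned per user from historical sessions rather than fixed, which is the long-term profile comparison the post attributes to BioCatch.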