Blue Team's take: How banks and payment gateways identify carders (and how to bypass it)

Good Carder


Introduction: From blind faith in antidetect to understanding the inner workings

You spent weeks setting up the perfect antidetect profile, purchased the most expensive residential proxies, manually warmed up your account, simulated mouse movements — and still got a fraudulent alert. The problem isn't the card. The problem is that the bank saw something you didn't.

Modern antifraud systems no longer resemble the static rule sets of decades ago. They are complex AI engines that analyze hundreds of signals in real time and connect seemingly unrelated transactions into a unified graph. Stripe Radar analyzes hundreds of signals for each transaction, using data from a network of millions of businesses. MTS's antifraud platform, Scoring, takes into account nearly 100 different factors to assess suspicious activity.

In this article, we'll look at banking protection from the inside — how scoring systems, ML models, and graph databases work, what actions instantly increase fraud signals, what evasion tactics actually work today (and which are hopelessly outdated), and we'll provide a practical checklist for minimizing risk.

Part 1. Antifraud Internals: Architecture and Components

An antifraud system is a multi-layered platform made up of several components that operate in real time. Most commercial solutions (SEON, Kount, ThreatMetrix, Signifyd) combine two kinds of analysis: transactional antifraud, which scores the payment itself (amount, card, merchant, history), and session antifraud, which scores the device and the behavior of the person using it.

1.1. Rule-based checks

The cheapest layer to bypass, but still a crucial one, is the set of rules and blacklists: email domain verification, transaction limits, and daily purchase caps. Even this basic protection weeds out most unprepared attackers.

1.2. Scoring models (Rule & Score)

In modern antifraud systems, scoring is a numerical estimate of the probability that a given transaction is fraudulent. ML scoring is usually implemented as one more check inside the rules engine: it analyzes each transaction automatically and assigns it a risk score, which is used both to block fraud in real time (prevention) and to flag it for later investigation (detection). The objective is to decide whether a transaction is fraudulent from the transaction data and the user's profile.

Stripe Radar collects client and browser behavioral signals continuously through Stripe's client-side JavaScript library, which is why Stripe recommends loading it on every page and not only at checkout. Radar's AI model determines the risk score and risk level for a payment by evaluating each transaction against hundreds of signals drawn from across the Stripe network. Stripe also exposes "risk insights", a window into the key factors that influenced the model's score. By Stripe's own figure, Radar reduces fraud by 38% on average.

The simplified decision-making logic is as follows: if the resulting score exceeds a certain threshold, the transaction is immediately blocked. If the score is in the "gray zone," it is queued for manual review, where a decision can be made by a compliance officer. The score may consist of the sum of scores for several rules integrated into the merchant's transaction profile.

1.3. Graph Databases (Link Analysis)

The bank's most dangerous tool is a graph database (link analysis). This technology allows for linking seemingly disparate events into a unified picture.

Imagine a vast web where the nodes are individuals, bank cards, IP addresses, phone numbers, email addresses, and device IDs. The edges are the connections between them: "used this card," "logged in from this IP," "confirmed with this number." The antifraud system "sees" that two different cards were used from the same IP address, or that one email address registered ten different accounts. Even if you changed your card and proxy, a shared Google account can link you to past compromised activity.
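As an added illustration (not part of the original post), the following Python builds exactly this kind of graph over a handful of constructed events and answers the two questions link analysis asks: which cards end up in the same cluster, and through which shared identifiers. The cards, emails, device IDs and addresses are made up; a real system would hold millions of nodes in a graph database rather than a dictionary, but the traversal is the same.

```python
from collections import defaultdict, deque

# Constructed sample events (made-up identifiers, not real data). Each event is
# one transaction or login and lists the identifiers it touched.
SAMPLE_EVENTS = [
    {"card": "card_A", "ip": "203.0.113.10", "email": "a@example.com", "device": "dev_1"},
    {"card": "card_B", "ip": "203.0.113.10", "email": "b@example.com", "device": "dev_2"},
    {"card": "card_C", "ip": "198.51.100.7", "email": "b@example.com", "device": "dev_3"},
    {"card": "card_D", "ip": "192.0.2.44",   "email": "d@example.com", "device": "dev_4"},
]


def build_graph(events):
    """Undirected graph: every identifier appearing in one event gets an edge
    to every other identifier in that event (node label = "kind:value")."""
    adj = defaultdict(set)
    for event in events:
        nodes = [f"{kind}:{value}" for kind, value in event.items()]
        for a in nodes:
            for b in nodes:
                if a != b:
                    adj[a].add(b)
    return adj


def component(adj, start):
    """All nodes reachable from `start` (breadth-first search)."""
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def linked_cards(adj, card):
    """Other cards that share any chain of identifiers with `card`."""
    me = f"card:{card}"
    return sorted(n.split(":", 1)[1] for n in component(adj, me)
                  if n.startswith("card:") and n != me)


def link_path(adj, src, dst):
    """Shortest chain of shared identifiers between two nodes, or None."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None


if __name__ == "__main__":
    graph = build_graph(SAMPLE_EVENTS)
    for card in ("card_A", "card_D"):
        print(card, "linked to:", linked_cards(graph, card))
    # card_A never touched card_C's IP or email, yet the two are three hops apart.
    print(link_path(graph, "card:card_A", "card:card_C"))
```

Note how card_A and card_C are linked even though they share no identifier directly: card_A shares an IP with card_B, and card_B shares an email with card_C. That transitive chain is what the text means by "a shared Google account can link you to past compromised activity". card_D, which shares nothing, stays in a cluster of its own.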

1.4. Machine Learning and AI

Banks' ML models are trained on massive amounts of historical data, identifying hidden patterns that no human or set of static rules can detect. The ML module helps generate rules automatically based on previously identified and labeled fraudulent transactions. In 2025–2026, artificial intelligence will become the foundation of antifraud systems, and its effectiveness is measured in literally billions of prevented losses.

1.5. Evolution of rules: new laws and total monitoring

Significant regulatory changes came into effect on January 1, 2026. The list of indicators of suspicious transactions expanded from 6 to 12 criteria. Banks are required to check transfers against these indicators and to block a transfer if at least one of them is met.

Now, a bank can block a transfer if:
  • The client recently changed his phone number.
  • The client makes a transaction from an unusual location.
  • The transaction is not consistent with the client's typical behavior.
  • There are signs of mass similar transfers.

Additionally, the bank may limit ATM withdrawals to $1,000 per day for 48 hours (or another amount depending on the country) if the transaction appears suspicious. This means that even if the transaction goes through, the funds may remain blocked in the account.

Part 2. Red Flags: What Instantly Increases Fraud Signals

For the antifraud system, any deviation from "normal" behavior is a reason to add additional risk points. Some actions increase your fraud score immediately.

2.1. Behavioral Anomalies (Browser & Device Fingerprinting)

Session antifraud continuously collects data about your device and behavior in real time. Any discrepancy is detected as an attack:
  • Filling out forms quickly. A person can't fill out 10 fields in 3 seconds with perfect accuracy. Filling out a form in less than 20 seconds is a strong fraud signal. A perfectly smooth data entry rhythm, without pauses or errors, is especially suspicious.
  • Immediately proceeding to checkout. If a user visits your site for the first time and immediately adds an item to their cart without browsing the catalog or reading the description, that's an anomaly. A normal shopper spends a few minutes "browsing." Every second saved from the product page to the final payment increases your risk score.
  • There are no human pauses. A person "hangs" on the page, scrolls, and sometimes returns to the top. The bot acts linearly and predictably.
  • Unnatural cursor trajectories. Bots move the mouse in perfectly straight lines (at neat angles such as 45°, 90°, 135°). Real people move along curves at variable speed, their trajectories full of micro-corrections and chaotic turns.

2.2. Fraud signals in the digital environment

Modern systems also analyze meta-information about your connection:
  • Using public VPNs or data center proxies. Banks maintain databases of IP ranges belonging to VPN services and hosting providers. If a transaction comes from AWS, DigitalOcean, or a consumer VPN, you instantly get a high fraud score.
  • Signs of a headless browser. Stripe and other systems actively check the navigator.webdriver flag. If it is true, you are automatically treated as a bot.
  • An abnormally high frequency of requests from a single device. If multiple payments are made to different cards from the same IP address or device within a short period of time, the bank immediately detects this and blocks all related activity, as this indicates automated card testing or manipulation.
  • Time zone mismatch with IP geolocation. If your IP is located in the US, but the system's time zone is Moscow, the antifraud software perceives this as an attempt to hide your true location through fake data.
  • Attempts to hide real IP addresses and traces. Any attempt at excessive obfuscation (VPN-Tor-multi-proxy combination) is in itself a strong signal of fraud.
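To make the scoring described in section 1.2 concrete, here is an added Python example (not code from the original post or from any vendor named in it) that turns the signals listed in 2.1 and 2.2 into weighted rules, sums the points of every rule that fires, and applies the block / manual-review / allow thresholds. The point values, thresholds, datacenter range and the three sample sessions are all constructed assumptions; only the 20-second form-fill cutoff comes from the text.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholder for a datacenter/VPN IP feed. In production this
# would be a commercial or self-maintained list; 203.0.113.0/24 is a
# documentation range, not a real hosting provider.
DATACENTER_RANGES = [ip_network("203.0.113.0/24")]

# Illustrative thresholds: at or above BLOCK the payment is declined,
# at or above REVIEW it goes to the manual-review queue ("gray zone").
BLOCK_THRESHOLD = 75
REVIEW_THRESHOLD = 40


@dataclass
class Session:
    ip: str
    ip_timezone: str                # timezone inferred from IP geolocation
    browser_timezone: str           # timezone the browser reports
    form_fill_seconds: float        # first keystroke in the form -> submit
    seconds_before_checkout: float  # first page view -> "Pay"
    webdriver: bool                 # navigator.webdriver as seen client-side
    cards_on_device_last_hour: int  # distinct cards tried from this device


def is_datacenter(ip):
    """True if the address falls inside a known datacenter/VPN range."""
    addr = ip_address(ip)
    return any(addr in net for net in DATACENTER_RANGES)


# (description, predicate, points). Points are illustrative weights; the
# 20-second form-fill cutoff is the one the article itself cites.
RULES = [
    ("form filled in under 20 s",             lambda s: s.form_fill_seconds < 20,            25),
    ("checkout under 60 s after first visit", lambda s: s.seconds_before_checkout < 60,      15),
    ("navigator.webdriver is true",           lambda s: s.webdriver,                         60),
    ("datacenter or VPN IP",                  lambda s: is_datacenter(s.ip),                 40),
    ("browser timezone != IP timezone",       lambda s: s.browser_timezone != s.ip_timezone, 30),
    ("3+ cards from one device in 1 h",       lambda s: s.cards_on_device_last_hour >= 3,    50),
]


def score_session(session):
    """Sum the points of every rule that fires; return (score, fired rules)."""
    fired = [(name, pts) for name, pred, pts in RULES if pred(session)]
    return sum(pts for _, pts in fired), fired


def decide(session):
    """Map the score onto the three outcomes from section 1.2."""
    score, fired = score_session(session)
    if score >= BLOCK_THRESHOLD:
        verdict = "block"
    elif score >= REVIEW_THRESHOLD:
        verdict = "review"
    else:
        verdict = "allow"
    return verdict, score, fired


# Constructed sample sessions (not real traffic).
LEGIT = Session("198.51.100.20", "America/New_York", "America/New_York", 45, 400, False, 1)
GRAY = Session("198.51.100.21", "America/New_York", "America/New_York", 12, 30, False, 1)
BOT = Session("203.0.113.5", "America/Los_Angeles", "Europe/Moscow", 3, 10, True, 5)

if __name__ == "__main__":
    for label, s in (("legit", LEGIT), ("gray", GRAY), ("bot", BOT)):
        verdict, score, fired = decide(s)
        print(f"{label:5} -> {verdict:6} score={score:3}  " + "; ".join(n for n, _ in fired))
```

The GRAY session is the interesting one: no single signal is damning (a fast form and an impatient shopper), but together they land exactly on the review threshold, which is the "gray zone" the text describes. The BOT session trips every rule at once, which is also why the text says a block can happen "before you click Pay": the signals are collected during the session, not at submission.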

2.3. Instant automatic blocks

Stripe Radar and similar services automatically block payments if:
  • The transaction does not match the user's historical patterns (for example, a customer in Boston suddenly orders goods to Southeast Asia).
  • The card is being used on a suspicious website.
  • The card has previous chargebacks associated with it or is listed in leaked databases.

Blocking can happen in a split second, even before you click "Pay".

2.4. Increased risk for mobile devices

It's a common misconception that mobile traffic is more reliable. However, mobile devices offer just as many, if not more, available signals. Banks analyze gyroscope data (how you hold your phone), accelerometer data, and even swipe patterns, which complicates emulation on a desktop device.

Part 3. The Evolution of Bypass: Tactics for 2020 vs. 2026

3.1. What worked 5 years ago (and is hopelessly outdated)

Outdated tactic, and why it no longer works:
  • Simple HTTP proxies with IP rotation. Modern systems analyze not only the IP but the entire environment, linking different IPs to one device through browser fingerprinting and behavioral metrics.
  • User-Agent spoofing via DevTools. Modern WAFs check the consistency of all headers, not just the User-Agent. If the User-Agent says "Windows" but the other headers say "macOS," it's an instant ban.
  • Automation via Selenium WebDriver without masking. The navigator.webdriver flag reveals the automation; modern websites also check that you're not in a headless environment by monitoring input emulation.
  • Clearing cookies between sessions. Constantly changing your session ID makes the site see you as a new visitor each time. A stream of "new visitors" using the same card is a suspicious pattern.
  • Public VPNs and data center proxies. Antifraud systems have complete databases of data center and public VPN IP ranges and block them instantly.

3.2. What Really Works in 2026 (and Why)

  • High-quality residential and mobile 4G/5G proxies. In 2026, mobile proxies remain the most effective way to avoid blocking. Their high trust level, dynamic IPs, and match with real user traffic make them the key tool for working without blocks. The reason they are trusted is that their IPs belong to major mobile operators and carry no negative reputation in antifraud databases.
  • Properly configured antidetect with hardware-level fingerprint substitution. Simple browser extensions are no longer sufficient. Modern antidetect solutions (FraudFox, Indigo, GoLogin) emulate device-level characteristics, substituting the WebGL renderer string, the canvas fingerprint and similar signals, making your environment significantly harder to detect.
  • Imitation of human behavior (Session Warming + Humanizer). In 2026, behavior has become the primary fraud signal. Successful bypass requires not just slow actions, but the emulation of natural micro-pauses, erratic mouse movements along Bézier curves, and even accidental typos, which can then be corrected. Scripts must emulate the behavior of a real user so that protection systems recognize them as a living person.
  • Maximum environmental isolation and session warming. "One account — one IP — one fingerprint." A modern multi-account infrastructure is built on complete digital isolation through dedicated devices with individual network and operating system settings. To prevent a profile from appearing "cold," session warming is essential: multiple site visits at different times, browsing pages without making any purchases, adding and deleting items from the cart. An account should be "live" on the site for several hours to several days before the first transaction to build trust.
  • Working with non-3D Secure BINs. For cards that don't support 3D Secure, this authentication layer can be bypassed. The main problem is that such BINs are published publicly and quickly end up on blacklists. The secret is to constantly update lists from closed sources.

Part 4. A Practical Checklist for Minimizing Scoring

This checklist summarizes everything you need to do before each transaction to reduce your fraud score and remain undetected.

Profile Preparation (Environment):
  • Choose the right proxy type. Residential or mobile (4G/5G) only. Forget about data centers. Make sure your IP geolocation matches your payment card details.
  • Configure antidetect. Use solutions that override not only basic parameters but also hardware characteristics (WebGL, Canvas, Audio). Be sure to disable navigator.webdriver and other automation flags.
  • Sync all system settings. Your system's time zone, language, and localization must strictly match your IP address.
  • Check the IP address for purity. Run the address through IPQualityScore or Scamalytics. The fraud score should be less than 30.

Warm-up and behavior (Time on site):
  • Warm up your profile. Don't initiate payment immediately. Visit the website at least 1-2 days before payment. Browse products, read descriptions, add items to your cart, and even remove them. Your account should become more active and build a history.
  • Emulate real-world behavior. Allow natural pauses (0.5–1.5 seconds) between fields. Move your mouse along a curved path, and don't skimp on scrolling or hovering over text blocks.
  • Make random edits. Occasionally make a mistake when entering data (imitate a typo) and correct it. This is one of the key signs of a real person.
  • Manage your withdrawal amount. If you're checking your card, don't try to withdraw a large amount; start with $1–$10 to avoid triggering the limits.

Tech Tricks (3DS Bypass):
  • Work only with non-3DS BINs. Check your card in advance against current and up-to-date lists. If the card requires 3DS, you'll need additional bypass techniques (such as BIN hiding or emulating the bank's mobile app), which significantly complicate the process.
  • Manage the conversion currency. Some processors may block transactions where the card currency does not match the receipt currency.

Link Analysis:
  • Create a unique digital trail. Never use the same email address, phone number, or device for multiple cards. Any common point will tie all your activities into a single graph, revealing your entire network of accounts.
  • Use temporary data. When registering accounts, use disposable email addresses and virtual phone numbers that are not associated with you.

Conclusion: A race without a finish line

Antifraud systems in 2026 are complex AI mechanisms that learn from your every move. They no longer simply check your card and IP address; they analyze your behavior, environment, and connections.

Three key takeaways:
  1. Antifraud is a continuous scoring system. Every action you take, from your mouse movement to the time you submit a request, adds points to your fraud score. Once the amount exceeds the threshold, you're blocked.
  2. Identity is outdated; connections are important. Even the perfect disguise of individual accounts falls apart if they are linked by a common email address, phone number, or IP address in the bank's graph database.
  3. A high-quality proxy and a well-prepared profile are the bare minimum. Stable operation today requires complex behavior emulation (humanization scripts), complete environment isolation, and meticulous attention to detail.

Bank security requirements are growing every year. Banks see not only what you do, but also how you do it. Every extra pixel, straight line of your mouse, or instant click adds points to your fraud score. Your goal is to remain as inconspicuous as possible, blending in with the noise and not giving the antifraud system any reason to single you out from the stream of millions of legitimate transactions.

A quick one-line reminder:
"The bank sees not only your card and proxy, but also your pauses, irregularities, and errors. Every extra pixel adds points to your fraud score. 2026: be slow, chaotic, and unique".
 