Bypassing the new version of 3D Secure 3.0 (EMV 3DS 2.3) in 2026

Good Carder

From carder to carders. Just after reading the last paragraph about API carding and shimming, you heard: 3DS 3.0 is coming. And again, panic: "that's it, carding is dead."

Calm down. 3DS will never die because merchants can't afford to give up seamless checkout. They will always seek a balance between security and conversion. This balance is our eternal loophole.

3DS 2.3 introduces biometric authentication (SPC, Secure Payment Confirmation) and new features for seamless work on IoT devices. Sound scary? In reality, EMVCo is simply trying to catch up with FIDO WebAuthn standards to keep the technology afloat. Yes, FIDO is harder to bypass, but this is just a new challenge for our craft.

In this article, I'll break down what's actually changed in 3DS 2.3, what loopholes we still have, and how to exploit them in 2026.


Part 1. 3DS 2.3: What's Really Changed

EMV 3DS 2.3 is an evolutionary step, not a revolutionary leap. EMVCo released it in late 2021, and by 2026, it will finally reach mass adoption. All that was added:

1.1. SPC (Secure Payment Confirmation) – that same biometrics

Secure Payment Confirmation (SPC) is a new authentication scheme that officially integrates FIDO biometrics into 3DS. The user confirms the payment with a fingerprint, Face ID, or a Passkey, bypassing the OTP code. Version 2.3 introduced SPC as an authentication method, and 3DS 2.3.1 (a further refinement) adds new fields and refines the process.

Why is this bad for us? Because FIDO biometrics are harder to fool than a one-time code sent via SMS. But there's a catch: mass implementation of SPC is a costly technology. Many banks still use old methods. So far, biometrics are being implemented only in the premium card segment of major issuers. OTP still rules the mass market, meaning our old methods are still working.

1.2. Split-SDK — 3DS enters refrigerators

Split-SDK is a key technical innovation in 3DS 2.3: dividing the standard 3DS SDK into client and server components. This is necessary to enable 3DS implementation on devices with limited computing resources — smart speakers, cars, and IoT gadgets.

This isn't a problem for us. Single payments from refrigerators represent mere pennies in overall transactions. Significant amounts still flow through traditional web and mobile channels, where our evasion methods remain effective.

1.3. Improvements for recurring payments

3DS 2.3 expanded support for subscriptions and recurring payments. Fields have been added for installation payments, recurring amount, recurring date, recurring frequency, and recurring expiry date.

However, recurring payments, by definition, aren't authenticated every time. Using them to "legalize" dirty cards? A promising option. Cases have become more frequent where carders create fictitious subscriptions for small amounts and withdraw funds through dummy accounts. This scheme is viable, but not suitable for mass-scale carding.

1.4. OOB (Out-of-Band) Transitions

Version 2.3 automates transitions between the merchant app and the bank app (OOB). Challenge Data is now transmitted in CReq/CRes messages for the app-based flow.

Why is this important to us? Automating transitions simplifies life for the average user, but we can emulate the OOB flow using MITM attacks. By intercepting Challenge Data between devices (for example, through Blueborne or other Bluetooth vulnerabilities), we spoof the session and confirm the payment on behalf of the victim. It's complex, but doable, especially when combined with account hacking.

1.5. FIDO Integration

The integration of WebAuthn and SPC has allowed banks to offer a unified authentication method for various services.

This limits our options, as banks gain more robust authentication methods that are harder to influence through social engineering. However, in practice, human error and incomplete implementation of new methods remain vulnerabilities. As long as SPC remains in labs, and the general public confirms payments with the same cheap OTPs, our chances remain.

1.6. Stripe Radar 3.0: Transparency for Us

Stripe updated its API in March 2026, adding 3D Secure properties to the Payment Record object: cryptogram, Electronic Commerce Indicator (ECI), and Exemption Indicator. Now we can see which exemption the merchant used (for example, low-value or recurring).

Previously, the merchant simply requested an exception, and we only saw the final payment status. Now we can control it. However, Stripe Radar 3.0 uses AI to dynamically request 3D Secure based on hundreds of signals (user history, card country, behavior). We need to better emulate real user behavior to avoid triggering scoring.

Part 2. 3DS Bypass Methods: What Works in 2026

2.1. Phishing and Social Engineering (King's Move)

The most effective method that will never die is to fool not the technology, but the people. Social engineering in conjunction with 3DS has become a well-established industry.

Gemini Advisory researchers discovered detailed discussions of 3DS bypass methods on darknet forums. A typical scenario goes like this: a carder visits a website with stolen card details, initiates a payment, the system redirects to the 3DS verification page, and the merchant waits for the code to be entered. The carder calls the victim, posing as a bank employee, and says, "We're checking a suspicious transaction. Please provide the code from the SMS to cancel it." The victim dictates the code. 3DS is successfully processed. The payment is debited.

Gemini Advisory describes a similar method using full card details (Fullz), number spoofing, and a fake voice. Fullz and social engineering allow you to bypass FIDO biometrics because you're attacking the person, not the technology.

A new trend in 2026 involves car dealers sitting with stolen Fullz cars, calling victims simultaneously while they're making an online purchase. This scheme requires coordination and a clear script, but it yields huge receipts.

2.2. Merchant data emulation: how to reduce fraud rates

The second most effective method is "fitting into trust." 3DS sends dozens of transaction parameters to the bank (ACS). If the bank detects discrepancies, the likelihood of a 3DS request increases dramatically.

Your goal is to conform the merchant data to a secure template.
  • Amount. Don't exceed the low-value exemption. The threshold is usually up to €30 (about $33).
  • Frequency. Repeated transactions of the same amount from the same IP address are a red flag.
  • Merchant Category Code (MCC). Different MCCs have different levels of risk. MCCs for gift cards or cryptocurrency exchanges require an instant 3DS challenge. MCCs for streaming services or food delivery often pass without a challenge. In 2026, MCCs for utility payments (phone, internet, gas) became one of the safest – predictable amounts and a low rate of fraud.
  • Geography. A transaction originating from the same country as the card means lower risk. 3DS requests are less frequent.
  • Device fingerprinting. Device data transmitted to the bank (OS, browser, time zone) must be consistent and contain no traces of virtualization.

The old trick with a "dirty" script no longer works. Stripe Radar analyzes not only static fields but also session dynamics: form completion speed, pauses between clicks, mouse trajectory. Simulate a real person, and 3DS will be requested less often.

2.3. Abuse of exceptions

3DS 2.3 includes exemption mechanisms. If a transaction is deemed low-risk, 3DS may not be requested at all.

Which exemptions can be used to bypass this?
  • Low-value exemption (amount less than €30, but no more than five transactions per day or €100 accumulated). Make small payments every three to four days in a row — they will go through without 3DS.
  • Recurring transactions exemption. Create a subscription with the target merchant. The first transaction (subscription) may require a 3DS. However, subsequent automatic debits (recurring) are highly likely to occur without authentication. This is a recurring attack, not for mass-market products, but once a month you can make a large sum of money using dummy delivery accounts.
  • Low-risk exemption via Merchant Category Code. A merchant with a low chargeback rate has the right to request exemption automatically. Find such a merchant and use them as a carding gateway (proxy carding).
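Seen from the issuer's side, the low-value exemption described above is not a free pass but a pair of counters the ACS keeps per card. The following is an added example, not code from the post, that models those counters exactly as the post states them (€30 per transaction, and no more than five transactions or €100 accumulated before a full authentication is forced); the reset-on-challenge behaviour and the card token identifiers are assumptions for the illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Limits as stated in the post (assumed to be applied per card token by the ACS).
LOW_VALUE_LIMIT = Decimal("30.00")    # single transaction ceiling
CUMULATIVE_LIMIT = Decimal("100.00")  # accumulated amount since last full authentication
MAX_CONSECUTIVE = 5                   # exempted transactions since last full authentication


@dataclass
class CardCounters:
    """Per-card state the issuer tracks to police the low-value exemption."""
    cumulative_amount: Decimal = Decimal("0")
    consecutive_count: int = 0

    def reset(self) -> None:
        # Assumption: a completed challenge clears both counters.
        self.cumulative_amount = Decimal("0")
        self.consecutive_count = 0


def decide(counters: CardCounters, amount: Decimal) -> str:
    """Return 'exempt' if the transaction may skip the challenge, else 'challenge'.

    Mutates `counters` the way an issuer would after taking the decision.
    """
    if amount > LOW_VALUE_LIMIT:
        counters.reset()
        return "challenge"
    over_count = counters.consecutive_count + 1 > MAX_CONSECUTIVE
    over_amount = counters.cumulative_amount + amount > CUMULATIVE_LIMIT
    if over_count or over_amount:
        counters.reset()
        return "challenge"
    counters.consecutive_count += 1
    counters.cumulative_amount += amount
    return "exempt"


def run(amounts: list[str]) -> list[str]:
    """Replay a sequence of amounts for one card token and return each decision."""
    counters = CardCounters()
    return [decide(counters, Decimal(a)) for a in amounts]


if __name__ == "__main__":
    # Constructed sample: four €25 payments are exempt, the fifth pushes the
    # accumulated amount past €100 and is challenged, after which counters reset.
    print(run(["25.00", "25.00", "25.00", "25.00", "10.00", "5.00"]))
```

Running the sample shows why "small payments in a row" stop working on their own: the fifth small transaction trips the cumulative limit and the issuer demands authentication regardless of the individual amount. A practitioner on the issuing side would pair these counters with the velocity signals the post itself lists (same amount, same IP) to decide when to deny the exemption early.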

2.4. Direct BIN attack: searching for live cards without 3DS

The simplest method is to use cards that don't support 3DS at all (non-3DS BIN). They aren't registered in the bank's system and will never request authentication. This works where the merchant doesn't check the BIN against blacklists or block it by geographic location.

In 2026, the share of non-3DS BIN cards among US cards will rapidly decline, but they do exist.

Typical non-3DS BIN US ranges for 2026:
  • 414720 (Chase Bank Visa Credit)
  • 439305 (Microsoft Prepaid Mastercard)
  • 536425 (Mastercard Credit)

They're actively used in carding, but you need to be careful: many issuers change their BINs every 3-6 months.

Where to get current non-3DS BINs:
  • Paid databases on darknet forums (Exploit, XSS, Carder.su). Sellers publish fresh listings marked "non-3DS, tested."
  • Free BIN database - binx.vip
  • BIN-list Telegram bots. Automatic search by BIN, shows country, type, and (sometimes) 3DS status.
  • Self-test: buy a card, hit it on a website with 3DS enabled, and see if the authentication request appears.

Part 3. Fraud Score Reduction Strategy: A Step-by-Step Checklist

  1. Gather data before the attack. Parse the target merchant's MCC and 3DS history using Burp Suite. Sometimes merchants leave their 3DS settings at default, unchanged for years, giving us a direct backdoor.
  2. Use the low-value exemption. Bids up to $30 (€27). For recurring payments, use the recurring exemption.
  3. Emulate real purchases. Three to four small transactions at different stores over a week simulate the experience of a real user. Long-term session warm-up can work wonders.
  4. Set up proxies and anti-detection. Use residential proxies with a fraud score of <30, and synchronize your time zone, language, and localization.
  5. Select a BIN. A non-3DS US BIN is your friend in the US. For Europe, you need cards from non-EEA issuers that can be used under the one-leg-out rule.
  6. Stay tuned for Radar updates. Stripe Radar 3.0 uses AI to dynamically query 3DS. Review Stripe documentation for changes to exemption rules. Analyze your own attempt logs and adjust parameters accordingly.

Summary

EMV 3DS 2.3 didn't kill carding; it simply changed the rules of the game. SPC and biometrics complicated the situation, but left plenty of loopholes. Social engineering (the main weapon), exemption abuse, merchant data emulation, and non-3DS BIN are still your reliable tools. In 2026, the key is to keep up with antifraud updates and not be greedy.

A quick one-line reminder:
"SPC and biometrics? Not for everyone. Social engineering rules. Non-3DS BIN is alive until the bank upgrades its protection. Low-value exemptions and recurring subscriptions are our "loophole" for petty theft."
 