Good Carder
Professional
Global payment gateways like Stripe and Braintree dominate the Anglo-Saxon world, but their power weakens where local players enter the picture. In continental Europe and Asia, the end user's connection to their bank is so strong that credit cards are becoming secondary.
Payment methods like iDEAL, Sofort, and Giropay not only reduce friction for the customer but also virtually eliminate classic card fraud schemes like card testing or BIN attacks.
This radically changes the threat landscape. While stealing CVV/CVC and card numbers opens access to traditional payments, iDEAL, Sofort, and Giropay require a completely different type of attack — usually access to the victim's online banking.
1. iDEAL (Netherlands) – the dominant system in the Netherlands
How it works:
iDEAL isn't just a payment method; it's the true "payment king" of the Netherlands, processing up to 60% of all online transactions in the country. From 2025-2026, iDEAL is in the process of migrating to the pan-European payment system Wero (the old iDEAL ceased to exist in January 2026, but the bank redirect technology remains virtually unchanged).
The process looks like this: after selecting iDEAL on the payment page, the buyer is taken to a page for selecting their bank — ABN AMRO, ING, Rabobank, and others. They are then automatically redirected to their bank's portal, where they must enter their standard online banking credentials and confirm the payment with a one-time code (TAN), an app, or biometrics. Only then is the final debit of funds processed. Importantly, the entire confirmation process occurs not through the store's payment gateway, but through the customer's home bank.
An alternative for mobile devices is the ability to redirect from a banner window to the client's native app, which also enhances security. This scenario completely eliminates the possibility of injecting third-party code and reduces the possibility of man-in-the-middle (MITM) attacks.
Phishing attack detection and control by iDEAL:
The Betaalvereniging Nederland team and participating banks constantly monitor the network for phishing, using iDEAL for verification. If a phishing site is detected, they can send a warning to the provider or the police, or blacklist the site. As the system's popularity has grown, phishing attacks have emerged, disguised as emails from iDEAL or Wero. They require users to undergo "verification" to retain access to payments. Carders are always behind such emails, as official banks do not request data verification by clicking links.
2. Sofort (Klarna) – a German system acquired by Klarna
Processing and risks:
Sofort ("immediately") is another classic example of European bank redirects.
The buyer selects Sofort as the payment method in the store, enters their online banking login and password directly on the Sofort page, after which the system checks the account balance and initiates an instant transfer to the merchant. Sofort immediately informs the store of the successful payment, allowing for near-instant delivery of digital goods.
The main problem with Sofort is that the user enters their sensitive banking information not in their bank's interface, but on the payment intermediary's (Klarna) website, which violates the security principles of some banks and increases the risk of phishing. However, according to Klarna itself, since the system's inception, there has not been a single incident where data stolen from users in this way has resulted in financial losses. Klarna undertakes to compensate for any problems.
As with other systems, the main threat comes from phishing emails and fake websites mimicking the Sofort or Klarna interface. Carders also try to use automated scripts to verify compromised credentials.
3. GiroPay – When the banking standard becomes a thing of the past
Giropay: History and Closure:
Giropay was created by German banks as a competitor to international cards and PayPal. It had existed since 2006, but its market share was always modest. The main reasons for Giropay's closure at the end of 2024 were the launch of the pan-European payment system Wero, which replaced iDEAL in the Netherlands, and competition from Paydirekt.
Technically, Giropay functioned the same way as iDEAL: redirection to the bank's website, authorization, and instant debiting of funds from the bank account. For merchants, this meant zero risk of chargebacks — Giropay, as a bank guarantee, provided protection against disputed transactions up to €10,000 because the payment was initiated and confirmed by the bank itself.
Payments were instantaneous, and the bank transfer was final, significantly reducing the risk of chargeback fraud.
4. Security architecture and why classic carding is impossible
All three systems share one key feature: they don't rely on card numbers, CVVs, or expiration dates. Instead, payments are based on a direct bank transfer and confirmation on the customer's behalf. This means:
- There's no card authorization phase. No one checks the card for funds. Card data is not entered or transmitted.
- A 3D Secure code is not required. The bank verifies your identity when you log in to online banking (strong customer authentication - SCA).
- BIN attacks and card testing are pointless. A carder cannot generate valid banking credentials based on a BIN.
- There are no chargebacks. Payments made through these systems mean the funds have already reached the seller's account, making reversal virtually impossible.
Therefore, the main attack vector is not card data, but phishing and theft of credentials for accessing the victim's online banking.
5. Analysis of attack vectors using real failures as an example
5.1. Fraudulent Returns and Order Failures
If a carder gains control of an iDEAL or Sofort account, they can pay for an item and then — if it's a physical product — attempt to return it using fake payment details. However, the systems constantly monitor stores for complaints, and if fraud is detected, the seller is excluded from the system and their transactions are blocked.
5.2. Assertion errors (session loss)
When redirecting between servers, a "payment not confirmed" error often occurs if the user closes the browser before returning to the store's website. In this case, the money may be debited, but the store will not receive a notification.
Diagnostics here are performed using gateway logs and bank transfer status.
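The mismatch described in 5.2 (money debited at the bank, no notification at the store) is found by reconciling records rather than trusting the browser return. The following is an added Python example, not code from the original post or from any gateway's SDK; the gateway log format, the field names and all sample data are constructed for the illustration. It cross-checks three sources for each order (the store's order table, the gateway's latest status, and the settled bank transfers) and classifies each order so the merchant knows whether to fulfil, hold, wait or cancel.

```python
"""Reconciling iDEAL-style bank-redirect payments across three records.

Added illustration, not code from the original post. The log format,
field names and all sample data below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    order_id: str
    amount_cents: int
    state: str  # "pending" | "paid" | "cancelled"


# Constructed gateway status log: "<timestamp> <order_id> <status> <amount_cents>".
GATEWAY_LOG = """\
2026-01-10T10:00:01Z ord-1001 open 4999
2026-01-10T10:00:42Z ord-1001 paid 4999
2026-01-10T10:05:10Z ord-1002 open 1250
2026-01-10T10:05:55Z ord-1002 paid 1250
2026-01-10T10:07:00Z ord-1003 open 8000
2026-01-10T10:09:13Z ord-1004 open 2000
2026-01-10T10:09:50Z ord-1004 paid 2000
2026-01-10T10:12:00Z ord-1005 open 3000
2026-01-10T10:12:40Z ord-1005 paid 3000
2026-01-10T10:15:00Z ord-1006 open 1500
2026-01-10T10:15:30Z ord-1006 paid 1500
"""

# Constructed bank statement: settled incoming transfers keyed by the
# payment reference the gateway placed on the transfer (amount in cents).
BANK_TRANSFERS = {
    "ord-1001": 4999,  # normal case: store, gateway and bank agree
    "ord-1002": 1250,  # settled, but the store never received the notification
    "ord-1005": 300,   # settled for the wrong amount
    # ord-1003: customer abandoned at the bank page, nothing arrived
    # ord-1004: store marked paid, gateway reported paid, nothing settled
    # ord-1006: gateway reported paid, store still pending, bank not yet settled
}

# Constructed store order table.
ORDERS = [
    Order("ord-1001", 4999, "paid"),
    Order("ord-1002", 1250, "pending"),
    Order("ord-1003", 8000, "pending"),
    Order("ord-1004", 2000, "paid"),
    Order("ord-1005", 3000, "paid"),
    Order("ord-1006", 1500, "pending"),
]


def parse_gateway_log(text: str) -> dict[str, str]:
    """Return the latest gateway status per order, ordering events by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, order_id, status, _amount = line.split()
        events.append((ts, order_id, status))
    latest: dict[str, str] = {}
    for _ts, order_id, status in sorted(events):  # ISO timestamps sort lexically
        latest[order_id] = status
    return latest


def reconcile(orders, gateway_status, bank_transfers) -> dict[str, str]:
    """Classify each order by comparing store state, gateway status and settled money."""
    findings: dict[str, str] = {}
    for order in orders:
        settled = bank_transfers.get(order.order_id)
        gw = gateway_status.get(order.order_id, "unknown")
        if settled is not None:
            if settled != order.amount_cents:
                findings[order.order_id] = "amount_mismatch"     # investigate before fulfilling
            elif order.state == "paid":
                findings[order.order_id] = "ok"
            else:
                findings[order.order_id] = "settled_unnotified"  # the 5.2 case: fulfil or refund
        elif order.state == "paid":
            findings[order.order_id] = "notified_unsettled"      # hold shipment: no money arrived
        elif gw == "paid":
            findings[order.order_id] = "awaiting_settlement"     # gateway confirmed; wait for the bank
        else:
            findings[order.order_id] = "abandoned"               # safe to cancel after a timeout
    return findings


def reconcile_sample() -> dict[str, str]:
    """Run the reconciliation over the constructed sample data."""
    return reconcile(ORDERS, parse_gateway_log(GATEWAY_LOG), BANK_TRANSFERS)


if __name__ == "__main__":
    for order_id, finding in sorted(reconcile_sample().items()):
        print(f"{order_id}: {finding}")
```

The point of the three-way check is that neither the browser return nor the gateway webhook alone is authoritative: the order is only "ok" when the store state, the gateway's last status and the settled bank amount all agree, and every other combination maps to a distinct operational action.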
5.3. Merchants blocked due to chargeback spikes
One of the real-life cases described by sellers is when mass automated card testing scenarios led to a chargeback rate increase of up to 1%, after which the payment provider blocked the use of iDEAL for the store.
6. Why the end user and the seller benefit
Bank redirect systems like iDEAL and Klarna are beneficial to all parties:
- For the buyer: no card or CVV theft. Online banking login verification protects your account even if your device is infected with a virus.
- For the seller: instant confirmation, no disputed transactions.
- For the bank: a unified interface, reduced fraud thanks to strict control of all participants.
Although Giropay is a thing of the past, its legacy lives on: German banks have adopted the experience of Wero and Paydirekt.
Conclusion: Traditional carding has no place here.
iDEAL, Sofort, and Giropay are a powerful barrier to traditional card fraud. You can hack a website, steal the database, and obtain millions of card numbers, which will be completely useless for payments in the Netherlands.
Bypassing these systems requires access to the victim's online banking, which requires a completely different level of skill and carries a huge risk of criminal prosecution. This is why companies implementing iDEAL and Sofort achieve significantly lower fraud rates compared to card transactions.
If you're interested in a specific system and want to delve into the details of its API, threat models, or if you have any questions about the analysis of specific cases, I'd be happy to help.