How To Do Carding – Part 4.2 | How Account Fraud Happens


This is the fourth part of the How to Do Carding series. You can find Part 1 (Introduction) and Part 2 (How Carding Works) here. The previous part covered how carding works; this part covers how account fraud happens, with some examples, and completes Part 4 of the series.

This is the first example, if you have the correct MMN (this is the most frequently asked token).

Agent: Thank you for calling Chase, my name is Bob, who am I speaking with?

You: James R Layton.

Agent: Thank you mister Layton, and for security purposes, may I have the mother’s maiden name on the account?

You: Lucile.

Agent: Thank you, and what is your date of birth?

You: October 1st, 1965.

Agent: Thank you mister Layton, what can I do for you today?

This is the second example, if you do not have the MMN. Guess it, and do not hesitate. You know yourself better than the agent does, and they can only rely on the information they have on their screen to validate your answers.

Agent: Thank you for calling Chase, my name is Bob, who am I speaking with?

You: James R Layton.

Agent: Thank you mister Layton, and for security purposes, may I have the mother’s maiden name on the account?

You: Smith.

Agent: I actually have something different here, it starts with C.

You: With C? It’s impossible! Her name was Lucy Smith, she never used any other name!

Agent: Well, you do not have any other name that might start with C? (if you have a last name starting with C on the background report)

You: My aunt’s maiden name is Charlotte, but I doubt that’s the answer you have on file. (if you have nothing like that on the report)

You: No, no one in my family uses such a name.

Agent: Oh well, let me take note of this for you, can you confirm the last 4 digits of your social security number?

You: 4456.

Agent: Thank you, and what is your date of birth?

You: October 1st, 1965.

Agent: And your billing address with the zip code?

You: 123 Fake Street, Fakeville, NY, 10008.

Agent: Thank you Mr. Layton, how can I help you today?

If you hear that, it means you got in. Otherwise, you will be transferred to the security department for the multiple-choice questions, have your report in hand. If you fail, the card is dead. Make sure you spoofed the cardholder’s number, otherwise you could be asked for other questions like driver’s license number, vehicle plate number, etc. Those are questions you probably do not have the answer to.

Now, what you want to do is change the billing phone number. A sample dialog with the agent can go as follows.

You: I would like to change my phone number. This phone will be disconnected tomorrow and I want to give you my new primary number so you can reach me if there is something.

Agent: Okay I see, what is the number?

You: 234-567-8901.

Agent: Thank you, is there something else I can do for you?

You: No thanks.

Agent: Thank you for calling Chase, have a wonderful night.

Once you passed the verification part, the rest is pretty straightforward and is relaxing. Now that you changed the billing number, let the card rest for at least 5 days. Do not make any transaction. The cardholder will continue to use his card normally too. During your call, at the end, if you failed the MMN question, you might want to remind the agent to change the MMN on file to avoid problems next time you call.

Also take note, at any point, if the agent wants to put you on hold, or says he needs to verify something and will be back, wait for him to put you on hold, and hang up. It basically means they are going to ring the cardholder. If this happens, you might want to wait at least 48 hours before calling again, and you will see just by the automated prompts if the card is burnt or not. Maybe they did not call the cardholder, but in 90% of the cases, they did. It happens, especially with Citibank, who likes to replace the Verid questions by a quick ring to the cardholder.

The questions often change when you call, but they always follow a certain pattern. From experience, I will give you the tokens usually asked by the big 4 banks, but be aware that they might change, or they might ask you other questions if they believe you are bogus. They can ask for your age to throw you off, as you might not be able to calculate it fast enough using the DOB. If you fail this verification, you will be transferred to the Verid department.

Chase Bank, level: hard

  • Full name
  • MMN (if failed, last transaction)
  • Last 4 of SSN

Citibank, level: medium

  • Full name
  • Password (pet name, MMN, favorite hobby, or best friend; if failed, last 4 of SSN and CVV)
  • Mailing address
  • Phone number

Bank of America, level: easy

  • Full name
  • (sometimes) Verbal password, which is MMN (if failed, DOB)
  • Last 4 of SSN

Capital One, level: medium

  • Full name
  • Last 4 of SSN
  • MMN (if failed, DOB and mailing address)

Since you have to wait 5 days, it’s a good idea to create an account on your target website, browse the items, put some in your cart, go to checkout, go back, remove items, read descriptions. Just try to appear like a legitimate shopper. Remember that $1000 is a lot of money for the average American and if you show you don’t care about your money and just throw items in your cart, you raise flags. Look like you care about how much it costs.

There is also a technique that works well with Citibank: when you are asked for the MMN by the automated system, if you fail, you will hear “the agent might need to ask you verification questions”, and if you succeed, you will be connected and everything will be a breeze. When the automated system asks you for the password, say “Jope” while putting a high tone on the O sound, then slightly lower your pitch. Say the word at normal speed, like when you are talking to someone. This will trick the automated system into believing that you got it right. You might have to retry 2-3 times for it to work, but I got it with almost all my accounts. This will save you a lot of hassle with the agent and will make the call extremely easy.

Once you got rid of this verification process, it will be easier next time you call the bank for this account. So let’s suppose you followed me and let it sit for 5 days. Call again, and this time, we will add a temporary shipping address to the account. A transcript can go as follows:

(pass verification questions)

You: I want to make a purchase from Newegg.com but they ask me to add a temporary shipping address on file. I’m not sure how that works, do I just tell you where I want them to send my order?

Agent: Let me help you with that, we can add an alternate address on the account, what would be the address?

You: 123 Fraud Street, Cardingville, CA, 98765.

Agent: No problem mister Layton, I have notated the account for you, is there something else I can assist you with today?

You: No thank you

Agent: Have a good afternoon.

Almost all banks allow that, except Bank of America, who can only change the mailing address. That’s why their cards are not the best when it comes to level 3 carding, but some stores will do a conference call with the bank to bypass this restriction. Chase works the best for temporary shipping addresses, but is hard to ATO. It all depends on your skills and what you’re comfortable with. All US banks accept a Canadian address, and some banks may accept an international address.

Once you have added the alternate address in the account, it’s time to make the hit. Take your account on the website you want to card, shop a little bit again, then proceed to checkout. Try not to go over $2000 per order. Enter the correct billing address, double-check the information. Enter the billing phone number (the one you added on the file at the bank), then your shipping address. Triple-check all the information for accuracy.

Then, send the order. You might be greeted by a VBV or MCSC form, but if you have the required information, it should not be a problem. Enter the information they want to get, and submit the order. Also, some websites like TigerDirect will ask you for your DOB and will give you 3 verification questions to answer. Those are public records and can easily be found in your background report, so don’t be scared. If you fail 1 question, you will be asked an additional question. If you fail 2 or more, the order will be put “on hold” and things will get harder, so try not to fail.

At this point, 2 things can happen when you submit the order. It depends on the spending habits of the cardholder, and will make things easier or harder for you.

  1. The order goes through without any problem, and becomes “pending” status.
  2. The transaction gets declined and the website says to call the issuing bank. If this happens, call the bank, the system will act like the card is burnt (transfer without any additional questions), and a fraud agent will answer. Remember, the card is yours, tell them you authorized the transaction, but you don’t know why it’s declined. It’s usually easy if you have the correct information, but if you ATO’d the account before, chances are that you have everything it takes. When the agent tells you you are all set, resend the order on the website. Call as soon as you get the decline, don’t wait, otherwise the real cardholder will get a call you don’t want him to get.

All right, the order is now sent and the status is “pending”.

The next section will tell you why some orders get canceled (newbie mistakes), and why in your case everything should be all right. Take a deep breath and hop to the next section.
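Seen from the issuer's side, the sequence in this part (a contact-number change made by phone, a quiet period, an alternate shipping address added by phone, then a card-not-present order shipped to that address) leaves an ordered trail in account-maintenance and authorization logs. The following is an added example, not part of the original article, showing how a fraud team could correlate that trail and why callbacks should go to the previous number on file; the event types, field names, channels and 30-day thresholds are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events; type names, fields and thresholds are assumptions.
EVENTS = [
    {"acct": "A1", "ts": "2024-03-01T14:02", "type": "PHONE_CHANGE",
     "channel": "phone", "old": "555-0100", "new": "555-0199"},
    {"acct": "A1", "ts": "2024-03-07T10:15", "type": "ALT_ADDRESS_ADD",
     "channel": "phone", "zip": "98765"},
    {"acct": "A1", "ts": "2024-03-07T11:40", "type": "CNP_AUTH",
     "amount": 1850.0, "ship_zip": "98765"},
    {"acct": "B2", "ts": "2024-03-02T09:00", "type": "PHONE_CHANGE",
     "channel": "branch", "old": "555-0111", "new": "555-0122"},
    {"acct": "B2", "ts": "2024-03-20T09:00", "type": "CNP_AUTH",
     "amount": 40.0, "ship_zip": "10008"},
]
REMOTE = {"phone", "web"}  # channels where the customer is not physically present

def _t(event):
    return datetime.fromisoformat(event["ts"])

def flag_takeover_chains(events, window=timedelta(days=30)):
    """Flag accounts where a remote phone-number change is followed, in order,
    by an alternate-address add and a card-not-present order shipped there."""
    by_acct = {}
    for e in sorted(events, key=_t):
        by_acct.setdefault(e["acct"], []).append(e)
    findings = []
    for acct, evs in by_acct.items():
        for i, change in enumerate(evs):
            if change["type"] != "PHONE_CHANGE" or change["channel"] not in REMOTE:
                continue
            alt_zips = set()
            for e in evs[i + 1:]:
                if _t(e) - _t(change) > window:
                    break
                if e["type"] == "ALT_ADDRESS_ADD":
                    alt_zips.add(e["zip"])
                elif e["type"] == "CNP_AUTH" and e["ship_zip"] in alt_zips:
                    findings.append((acct, change["ts"], e["ts"], e["amount"]))
                    break
    return findings

def callback_number(change, now, hold=timedelta(days=30)):
    """Within the hold period, verification calls go to the number that was on
    file before the change, so the caller who changed it is not the one reached."""
    return change["old"] if now - _t(change) <= hold else change["new"]

if __name__ == "__main__":
    print(flag_takeover_chains(EVENTS))
    print(callback_number(EVENTS[0], datetime(2024, 3, 7)))
```

In production the same correlation would also notify the cardholder at the old number and mailing address at the moment of each maintenance change, rather than waiting for the order.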
