- Joined
- Jun 13, 2020
- Messages
- 7,487
- Reaction score
- 915
- Points
- 212
- Awards
- 2
The Japanese websites and banking systems are distinct. As a carder, it is imperative to be cognisant of this.
The majority of banks worldwide employ OTP for 3DS authentication. However, the Japanese have opted for an alternative approach. They have implemented a system wherein cardholders can establish a static password for their card. This is not merely a slight variation - it is a significant vulnerability in their system that we can manipulate.
The password-based system utilised by Japanese banks for 3DS diverges entirely from the dynamic OTP systems employed elsewhere. It is a fixed password that remains constant for each transaction. This static nature presents us with an advantage in evading 3DS checks.
In essence: if we obtain a card's password, we profit. With that password, we can bypass 3DS checks consistently, provided the card remains valid.
What implications does this hold for us?
It signifies that we have access to high-value transactions that were previously inaccessible. Any merchant or service that uses 3DS is now cardable.
This functions for two reasons:
1. Continuous Usage: Once you obtain the password, you can utilise the card for 3DS validated transactions as long as the card remains active/live. This implies uninterrupted use of the card for multiple transactions, thereby maximising its value.
2. Legitimate Verification: Unlike non-VBV BINs that do not support 3DS, transactions with Japanese cards are verified through 3DS. This is a significant difference that minimises the likelihood of transaction cancellation.
You are not merely bypassing security; you are utilising a system that marks your transactions as authenticated. This combination of sustained access and legitimate verification renders Japanese cards a formidable tool in carding. It is not a singular occurrence; it is a method that functions consistently, with each transaction appearing as legitimate as the last.
Which Cards?
A plethora of Japanese cards and banking institutions possess the 3DS password capability. This feature is rather prevalent in the Land of the Rising Sun. Nevertheless, there exists a caveat: locating cardholders who employ this password functionality is proving to be somewhat more arduous.
Why?
As cognizance of security escalates, a greater number of users are transitioning towards more dynamic authentication methodologies. Consequently, our task is rendered more challenging, albeit not insurmountable.
Several banks that warrant mention include:
Your optimal strategy is that of trial and error. Admittedly, it may not be the most streamlined approach, yet it remains the sole option at our disposal. One must endeavour to test a multitude of cards in order to unearth those choice few that persist in utilising the password system. It is, in essence, a game of numbers - the greater the quantity of cards you attempt, the higher the likelihood of striking gold.
Tutorial:
1. Establish Your Phishing Framework:
2. Examine Cards for Password Requests:
3. Target Cards Protected by Passwords:
4. Initiate Phishing (For email phishing):
5. Obtain Passwords:
6. Validate and Utilise:
7. Expand:
Establishing this framework requires considerable effort; however, the potential to acquire multiple cards with 3DS bypass is substantial. Each compromised card represents a valuable resource for numerous future transactions.
The majority of banks worldwide employ OTP for 3DS authentication. However, the Japanese have opted for an alternative approach. They have implemented a system wherein cardholders can establish a static password for their card. This is not merely a slight variation - it is a significant vulnerability in their system that we can manipulate.
The password-based system utilised by Japanese banks for 3DS diverges entirely from the dynamic OTP systems employed elsewhere. It is a fixed password that remains constant for each transaction. This static nature presents us with an advantage in evading 3DS checks.
In essence: if we obtain a card's password, we profit. With that password, we can bypass 3DS checks consistently, provided the card remains valid.
What implications does this hold for us?
It signifies that we have access to high-value transactions that were previously inaccessible. Any merchant or service that uses 3DS is now cardable.
- Hotel reservations: Heavily safeguarded by 3DS prompts will now be attainable.
- Cryptocurrency acquisitions: The majority, if not all, crypto merchants necessitate 3DS.
- High-end electronics: Substantial value items that trigger additional security measures.
- Luxury merchandise: Expensive items that raise red flags.
This functions for two reasons:
1. Continuous Usage: Once you obtain the password, you can utilise the card for 3DS validated transactions as long as the card remains active/live. This implies uninterrupted use of the card for multiple transactions, thereby maximising its value.
2. Legitimate Verification: Unlike non-VBV BINs that do not support 3DS, transactions with Japanese cards are verified through 3DS. This is a significant difference that minimises the likelihood of transaction cancellation.
You are not merely bypassing security; you are utilising a system that marks your transactions as authenticated. This combination of sustained access and legitimate verification renders Japanese cards a formidable tool in carding. It is not a singular occurrence; it is a method that functions consistently, with each transaction appearing as legitimate as the last.
Which Cards?
A plethora of Japanese cards and banking institutions possess the 3DS password capability. This feature is rather prevalent in the Land of the Rising Sun. Nevertheless, there exists a caveat: locating cardholders who employ this password functionality is proving to be somewhat more arduous.
Why?
As cognizance of security escalates, a greater number of users are transitioning towards more dynamic authentication methodologies. Consequently, our task is rendered more challenging, albeit not insurmountable.
Several banks that warrant mention include:
- TOKYO-MITSUBISHI UFJ BANK
- SBI CARD CO., LTD
- SHINHAN CARD
- Mizuho Bank
- SMBC TRUST BANK LTD
- SUMITOMO MITSUI.
Your optimal strategy is that of trial and error. Admittedly, it may not be the most streamlined approach, yet it remains the sole option at our disposal. One must endeavour to test a multitude of cards in order to unearth those choice few that persist in utilising the password system. It is, in essence, a game of numbers - the greater the quantity of cards you attempt, the higher the likelihood of striking gold.
Tutorial:
1. Establish Your Phishing Framework:
- Obtain a phishing website that bears a striking resemblance to the legitimate banking website. Numerous complimentary fraudulent pages are accessible for various financial institutions. Alternatively, one may opt for a generic 'verification' page designed to deceive the cardholder into inputting their sensitive information.
- Ensure that your website is capable of capturing and securely storing the submitted credentials.
- Procure a domain that appears authentic (e.g., secure-verify-jp.com).
2. Examine Cards for Password Requests:
- Acquire a collection of Japanese card numbers accompanied by their corresponding email addresses.
- Utilise a merchant account with a low transaction value or your proprietary payment gateway that necessitates 3DS.
- Attempt minor transactions (£1-£5) with each card.
- Document the cards that necessitate a static password rather than an OTP.
3. Target Cards Protected by Passwords:
- For each card that necessitates a password, prepare either a phishing email or an OTP bot.
- If employing email, ensure that it resembles a security alert originating from the bank.
- Incorporate your phishing URL, disguised as a link to verify account security.
4. Initiate Phishing (For email phishing):
- Dispatch emails to the email addresses associated with password-protected cards.
- Employ a robust email spamming server to achieve elevated deliver-ability rates.
- Schedule your emails to coincide with Japanese business hours to enhance open rates.
5. Obtain Passwords:
- Monitor your phishing website for incoming data.
- Securely store the captured passwords alongside their corresponding card numbers.
6. Validate and Utilise:
- Test each password with a minor transaction.
- At this juncture, you possess a card capable of circumventing 3DS.
7. Expand:
- Automate as many processes as feasible.
- Commence with 30-100 cards per day and gradually escalate.
- Adjust your phishing strategy based on your success rates.
Establishing this framework requires considerable effort; however, the potential to acquire multiple cards with 3DS bypass is substantial. Each compromised card represents a valuable resource for numerous future transactions.
