Top Writers Den

Make Money and Become Successful

3 Ways to Bypass OTP in Carding

You want to know how to Bypass OTP in carding if you’re into it. Usually, websites enable OTP verification to harden security. And since you do not have access to the email address or phone number registered/linked to the card, you want to get around it online.

Without OTP, there’ll be so many hacked accounts out there, including bank accounts, Facebook accounts, Gmail accounts, and other valuable accounts.

Since you’re a predator – going after people’s accounts, you need to know the trick. This trick is also useful if you forgot or no longer have access to your registered email account for a website you want to use to card.

how to Bypass OTP in carding

OTP and carding

OTP (one-time password) is usually a 4-6 digit code, it could be numerical or alphanumeric. Card providers such as MasterCard and Visa require it to authenticate a user’s credentials before approving a transaction.

Some time ago, you’d just enter the correct email and PIN to confirm a carding transaction. But now, you also have to provide OTP, which works as 2FA on the website.

OTP is deemed relevant to stop or at least minimize hacking or cracking resulting from activities like carding and sometimes bank logging. Even if you choose to hack the registered email address or the card to see the OTP, you may still have to confirm certain information the user set up as additional security options.

Since OTP is designed to frustrate or stop you from carding, you want to know how to beat it and card successfully.

How to bypass OTP in carding

The easiest way to bypass OTP is usually to have access to the target’s OTP source, such as email address and phone number. Sometimes, it’s even tougher to tell their correct email address or phone number.

Follow the steps below to bypass OTP in carding:

1. SS7 attack

An SS7 vulnerability will allow you to read texts, listen to calls and even track the mobile phone or the card holder whose card you’re using for carding.

SS7 (Signaling System No. 7) tunneling or attack is similar to MITM (Man-in-the-middle) attack. However, SS7 runs on telephonic communication and not data/Wi-Fi communication.

how to Bypass OTP while carding
Man in the Middle

SS7 is the better method here to bypass OTP while carding because global telephonic communication operates on it.

Read also: PayPal chargeback: stop it now

The tools needed for an SS7 attack include Linux OS and SS7 SDK. You can download these online.

The idea of SS7 is to access the email app or SMS app of the account holder of the card details. These are the apps he/she uses to receive the OTP generated in real-time while carding.

So, proceed with the payment. The card service will generate and send an OTP needed to confirm the transaction.

The unique phone address of the account holder is stored in HLR (Home Location Register) and is also a medium for data transmission. So, the phone sends data to HLR and checks the unique mobile device address. From there, the HLR sends the request to the VLR (Virtual Location Register), which stores the mobile information of the target temporarily until the connection time is out. The connection time can be 2 minutes or more, depending on the card provider.

Read also: ways you might be able to tell your credit card number

The work of SS7 here is to fake the VLR Address and put your machine address in it to trick the system to send you the OTP. HLR will transmit the details to the fake VLR and hacker, giving all details entering the victim’s phone to you while carding.

2. Response manipulation attack

Response manipulation can also work when trying to bypass OTP in carding. This attack technique involves trying to analyze requests with a proxy tool attacker that will change the value of the response without entering the correct OTP.

a. You need a vulnerable app

This technique involves making changes in the response before it reaches the browser. A vulnerable application will let you bypass the OTP schema, which contains a broken authentication schema.

When you log in or sign up and are ready to authenticate a card, an OTP is sent to the registered user’s email address.

b. Enter a random OTP

To check for a vulnerable application for OTP bypass, you enter a random value such as 0000, depending on the number of digits required for the OTP.

Before you click “verify OTP” on the payment page, launch a proxy tool to intercept the request. For this tutorial, we use Burp. You can find and download it online to use for intercepting requests and change response.

c. Click “verify OTP”

You can now click “verify OTP” on the payment page with the random value you entered to intercept the request with Burp.

On Burp, go to Mouse » Do intercept » Response to this Host.

Read also: fake PayPal that won’t get suspended again

If you enter the wrong OTP value, you get a 400 bad request. To bypass the 400 bad request, you need the response manipulation to make changes to the response section.

You’d have to change the value 400 bad request to 200 OK and “err”:no more attempts allowed”,”ECODE”:”usr_069”} as response value. Change value as {}. Note that the response is different depending on what the card provider uses. Forward this response and the OTP is bypassed.

3. Brute force attack with Burp Suite

Here, you turn on the intercept mode of Burp Suite to capture the packet being sent over as a request packet to the server.

Since you already know that the OTP is a 4 or 6-digit number, you pass over the packet to the intruder tab to perform a brute force attack. This will check if the website you’re using allows multiple OTP attempts.

Now, make a long list of OTPs, like 200 numbers in 4 digits or 6 digits. If you don’t know the required digits, try signing up with your details, and then follow the same information while carding.

Read also: credit card verification bypassed!

You could be lucky that the first few attempts become successful, so your brute force attack works. Burp Suite will detect the correct OTP.

The downside here is that if the card service uses disallow for multiple attempts such as over 4 times, brute force won’t work. And if the OTP validity is set to a short time, the brute force won’t work after the set time elapses.

Exclusive: here are the recently leaked CCs with balance

Leave a Comment

Your email address will not be published.

five − 2 =

This div height required for enabling the sticky sidebar
Ad Clicks : Ad Views : Ad Clicks : Ad Views : Ad Clicks : Ad Views :