Carding Terminology: What the Terms Mean
A research glossary of carding terminology used in cybercrime investigations and financial fraud reporting. Definitions only — no operational detail.
Security researchers, fraud investigators, and journalists who cover financial crime need to understand carding terminology — the vocabulary of stolen payment card fraud. This glossary defines the key terms found in court documents, Europol intelligence reports, and academic research on cybercrime. The goal is comprehension for research and reporting, not instruction in fraud techniques.
CC Dump
A CC dump is the data encoded on a payment card's magnetic stripe, specifically Track 1 and Track 2 data. Track 2 includes the card number, expiration date, and service code. Track 1 additionally contains the cardholder's name. Dumps are obtained through physical skimming devices attached to ATMs or point-of-sale terminals, or through network-level breaches of payment processors.
The term "dump" appears consistently in federal indictments and in sealed complaints from Secret Service and FBI financial crimes units.
CVV / CVV2
CVV (Card Verification Value) refers to a three-digit code derived from the card data itself — it is computed from the card number, expiration date, and a bank-held key. It is stored on Track 2 of the magnetic stripe.
CVV2 is the separate three or four-digit security code printed on the card's surface (four digits on American Express). This code is not stored on the magnetic stripe and is required for card-not-present transactions (online purchases).
In cybercrime contexts, a stolen CVV2 enables online fraud even when the attacker does not have the physical card or stripe data.
Fullz
Fullz (plural; singular "fullz" is used interchangeably) denotes a complete identity package. A standard fullz record includes:
- Full legal name
- Social Security Number (U.S.) or National Insurance Number (UK)
- Date of birth
- Current residential address
- Bank account details or routing/account numbers
- Sometimes: driver's license number, passport number, or biometric data
The Identity Theft Resource Center (ITRC) documented over 353 million individuals affected by data compromises in 2023. Many of these records circulate as fullz on dark web forums and markets. Fullz enable a range of downstream crimes: fraudulent tax filings, unauthorized credit applications, and medical identity theft.
BIN
BIN stands for Bank Identification Number — the first six digits of a payment card number (expanded to eight digits under ISO/IEC 7812 updates). The BIN identifies the card's issuing bank, card network (Visa, Mastercard, Amex), card tier (standard, gold, platinum), and whether it is a debit or credit card.
Cybercrime forums and market listings reference BINs because different BINs have different fraud utility — premium or corporate cards carry higher credit limits and may be subject to less aggressive fraud monitoring.
Drops
Drops are individuals who receive goods or money obtained through fraudulent means, often without knowing the full scope of the crime they are facilitating. In carding contexts, a drop might receive a package purchased with a stolen card at their real address and then forward it to the actual criminal.
Drop recruitment is a documented pattern in darknet scam patterns and in FBI prosecutions. Drops face criminal liability under federal aiding-and-abetting statutes even when they claim ignorance of the underlying crime.
Checker
A checker is an automated service or tool that tests stolen card numbers for validity by attempting small transactions or authorization requests. The output tells a fraudster whether a card is still active and what its available credit is.
Checkers represent a supporting infrastructure layer — not the primary fraud mechanism but an enabling tool. Their use is documented in affidavits supporting fraud indictments under 18 U.S.C. § 1029.
Skimmer
A skimmer is a physical device placed on or inside a card reader — typically an ATM, gas station pump, or point-of-sale terminal — to capture magnetic stripe data from cards inserted by legitimate users. Skimmers are often paired with small cameras or PIN overlay pads to capture PINs alongside card data.
Law enforcement seizures of skimmer infrastructure are documented in FBI and Secret Service press releases across dozens of jurisdictions annually. The devices range from crude external overlays to sophisticated deep-insert units invisible from the exterior of an ATM.
Identity Packages: Downstream Uses
Fullz and related identity data are the building blocks of several documented fraud types:
| Fraud Type | Primary Data Used |
|---|---|
| Fraudulent tax filing | SSN, name, DOB, address |
| Credit account fraud | Fullz + SSN |
| Medical identity theft | Name, DOB, insurance info |
| Account takeover | Email + password (from breach dumps) |
| Card-not-present fraud | Card number, expiration, CVV2 |
The FTC's Consumer Sentinel Network received 5.7 million reports in 2023, with identity theft accounting for 1.4 million of those reports — the largest single category.
Legal Framework
The primary federal statute governing payment card fraud is 18 U.S.C. § 1029 (fraud and related activity in connection with access devices). Penalties range from 10 to 20 years for aggravated cases. Investigators: Secret Service, FBI Financial Crimes, and Europol's EC3 (European Cybercrime Centre) coordinate internationally on carding prosecutions.
Fake ID fraud — using forged physical documents — falls under 18 U.S.C. § 1028, a separate statute with its own penalty structure.
The broader risks landscape on the dark web places carding within a wider ecosystem of financial fraud, identity theft, and market-level scams.
Frequently Asked Questions
What is fullz in cybercrime?
Fullz are complete identity records — typically name, Social Security Number, date of birth, address, and banking credentials — sold on dark web forums and used for fraud including unauthorized credit applications and fraudulent tax filings.
What is carding fraud?
Carding is the use of stolen payment card data to make unauthorized purchases, typically online (card-not-present fraud) or through physical point-of-sale systems. The stolen data may come from data breaches, skimmers, or dark web markets.
How do criminals obtain credit card dumps?
The primary sources are data breaches of retailers, payment processors, or financial institutions; physical skimming devices on ATMs and POS terminals; phishing operations targeting cardholders; and insider theft by employees with access to payment systems.
What does BIN mean on a stolen credit card?
BIN (Bank Identification Number) refers to the first six to eight digits of a card number, identifying the issuing bank and card type. In fraud contexts, different BINs are associated with different spending limits and fraud detection sensitivity.