Threat Intelligence

How Fraudsters Defeat 3D Secure With Residential Proxies

Mubeen Team | February 5, 2026 | 5 min read

For years, the e-commerce industry has heralded 3D Secure 2.0 (3DS2) as the silver bullet for online fraud. By replacing the clunky static passwords of version 1.0 with advanced Risk-Based Authentication (RBA), 3DS2 promised to block fraudsters while letting legitimate customers check out with a "frictionless" experience.

However, cybercriminals have adapted. By weaponizing residential proxies and anti-detect browsers, sophisticated fraud syndicates are now manipulating the very data points 3DS2 uses to trust a transaction. Here is how they are cracking the checkout.

How 3DS 2.0 Decides Risk

To understand the attack, you must understand the shield. Unlike its predecessor, which only looked at roughly 10 data points, 3DS2 analyzes over 100 data elements during a transaction. This includes the device ID, spending history, shipping address, and crucially, the IP address and geolocation.

  • Frictionless Flow — if the data suggests the user is low-risk (logging in from their usual home city on a known device), the bank approves the transaction immediately without asking for a One-Time Password (OTP)
  • Challenge Flow — if the data is suspicious (a foreign IP or new device), the user is challenged with an OTP or biometric scan

Fraudsters know that to cash out stolen cards, they must achieve the frictionless flow. If they trigger an OTP, the attack fails because they rarely possess the victim's mobile phone.

The "Frictionless" Trap

The decision path below shows how a professional fraudster manipulates the bank's risk engine to avoid challenges:

  1. Legitimate User: Correct password + known device + home IP = approved with no OTP.
  2. Amateur Fraudster: Stolen card + datacenter proxy (AWS/GCP) = challenge triggered, OTP required — attack fails.
  3. Professional Fraudster: Stolen card + geo-matched residential proxy + spoofed device fingerprint = approved with no OTP — attack succeeds.

The Bypass: Geo-Matching and Device Spoofing

The weakness in 3DS2 lies in its reliance on "trust signals" that can be spoofed.

Geo-Location Matching. When a criminal buys a stolen credit card on the dark web, they receive the victim's billing address. They then use a residential proxy service to rent an IP address located in the exact same city or zip code as the victim. To the bank's risk engine, the connection looks like it is coming from the customer's living room. Monitoring for breached credentials helps detect these stolen card details before they are used.

Digital Fingerprint Spoofing. Using "anti-detect" browsers, fraudsters manipulate the 100+ data elements 3DS2 analyzes. They spoof the screen resolution, operating system, and browser version to match a standard consumer profile, effectively cloning a legitimate digital identity. Robust device intelligence can detect the subtle inconsistencies these tools leave behind.

By combining a geo-matched residential IP with a spoofed device fingerprint, the fraudster creates a "perfect" digital mask. The 3DS2 protocol sees a local user on a trusted device and grants frictionless approval — bypassing the OTP requirement entirely.
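The kind of inconsistency check that device intelligence applies to such a mask, as an added example that is not code from the original article or from any 3DS product. The field names, the sample sessions and the geo-IP offset are constructed assumptions; offsets are minutes east of UTC.

```python
import re

OS_RULES = (("ios", r"iPhone|iPad"), ("android", r"Android"),
            ("windows", r"Windows NT"), ("macos", r"Mac OS X"), ("linux", r"Linux"))
PLATFORM_OS = (("Win", {"windows"}), ("Mac", {"macos"}), ("iP", {"ios"}),
               ("Linux", {"linux", "android"}))

def ua_os(user_agent):
    """Coarse OS family claimed by a User-Agent string."""
    return next((os for os, pat in OS_RULES if re.search(pat, user_agent)), "unknown")

def platform_os(platform):
    """OS families compatible with the JavaScript-reported platform string."""
    return next((fams for prefix, fams in PLATFORM_OS
                 if platform.startswith(prefix)), set())

def inconsistencies(sig, geoip_tz_offset_min):
    """Return the cross-checks this session fails (empty list = consistent)."""
    reasons = []
    if sig["ua_header"] != sig["ua_js"]:          # HTTP header vs. in-page value
        reasons.append("header_vs_js_ua")
    if ua_os(sig["ua_js"]) not in platform_os(sig["platform"]):
        reasons.append("ua_vs_platform")
    if sig["tz_offset_min"] != geoip_tz_offset_min:  # browser clock vs. IP location
        reasons.append("timezone_vs_ip")
    return reasons

def route(sig, geoip_tz_offset_min):
    """Step up to a challenge whenever the declared signals disagree."""
    return "challenge" if inconsistencies(sig, geoip_tz_offset_min) else "frictionless_eligible"

# Constructed sessions; both arrive from an IP geolocated to UTC-6 (-360 min).
WIN_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
HOME_USER = {"ua_header": WIN_UA, "ua_js": WIN_UA, "platform": "Win32",
             "tz_offset_min": -360}
SPOOFED = {"ua_header": WIN_UA, "ua_js": WIN_UA, "platform": "Linux x86_64",
           "tz_offset_min": 180}
```

A timezone mismatch also occurs for travellers and VPN users, which is why the example routes to a challenge rather than a decline.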

Industrialized Card Testing

Once a bypass method is established, criminals don't just buy one item — they launch automated attacks known as card testing. Because stolen card databases are often outdated, criminals use bots to test thousands of card numbers against merchant checkouts to see which ones are still active.

Residential proxies are essential here. If 1,000 transaction attempts came from a single IP, the merchant's firewall would block it instantly. By rotating through a pool of residential IPs for every attempt, the botnet appears as 1,000 distinct customers, evading velocity checks.
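The velocity problem described above, as an added example that is not from the original article: one sliding-window check keyed in turn on source IP, on card BIN, and on a client TLS fingerprint label. Thresholds, field names and all sample events are constructed, and it assumes the rotating bot keeps a single TLS stack.

```python
from collections import defaultdict, deque

WINDOW_S, MIN_CARDS, MIN_DECLINE = 600, 20, 0.8   # assumed thresholds

def flag_keys(events, key):
    """Values of `key` whose sliding window holds >= MIN_CARDS distinct cards
    with a decline ratio >= MIN_DECLINE. Events must be time-ordered."""
    windows, flagged = defaultdict(deque), set()
    for ev in events:
        win = windows[ev[key]]
        win.append(ev)
        while ev["ts"] - win[0]["ts"] > WINDOW_S:   # expire old attempts
            win.popleft()
        cards = {e["card"] for e in win}
        declines = sum(e["result"] == "declined" for e in win)
        if len(cards) >= MIN_CARDS and declines / len(win) >= MIN_DECLINE:
            flagged.add(ev[key])
    return flagged

def sample_events():
    """Constructed traffic: a 40-card run on one BIN with a new IP per
    attempt, interleaved with 10 ordinary purchases."""
    bot = [{"ts": 5 * i, "ip": f"198.51.100.{i}", "bin": "411111",
            "tls_fp": "fp_bot", "card": f"tok_bot_{i}",
            "result": "approved" if i % 10 == 0 else "declined"}
           for i in range(40)]
    shoppers = [{"ts": 20 * i + 1, "ip": f"203.0.113.{i}", "bin": f"5{i:05d}",
                 "tls_fp": "fp_browser", "card": f"tok_cust_{i}",
                 "result": "approved"} for i in range(10)]
    return sorted(bot + shoppers, key=lambda e: e["ts"])

if __name__ == "__main__":
    events = sample_events()
    for key in ("ip", "bin", "tls_fp"):
        print(key, sorted(flag_keys(events, key)))
```

Keyed on IP the campaign is invisible because every address appears once; keyed on BIN or fingerprint, the cluster of distinct declined cards stands out.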

  • ~$35 per chargeback: dispute fee per reversed transaction
  • 1000s of cards tested per automated campaign
  • High auth fee load: gateways charge for every attempt

The True Cost of Card Testing

  • Authorization Fees — Payment gateways charge for every transaction attempt, even declines — high volume means high fees
  • Chargeback Fees — If a fraudulent transaction succeeds, the bank reverses it and fines the merchant ~$35 per dispute
  • Reputation Damage — High decline rates can cause acquiring banks to flag the merchant as "high risk" or terminate the account
  • Infrastructure Strain — Bot traffic slows down site performance for real shoppers, resulting in lost sales

Closing the Loophole

Merchants can no longer rely solely on the "liability shift" promised by 3DS. While 3DS transfers fraud liability to the issuer, it does not protect against the operational costs of card testing or the loss of inventory.

To stop this, businesses must look beyond the IP address. Advanced detection tools analyze behavioral biometrics (mouse movements, typing speed) and network fingerprinting (JA4+ signatures) to identify proxy connections — even when the IP itself is clean. Read our deep dive on hunting residential proxy traffic for the technical details.

A layered defense combining a risk analytics dashboard for real-time visibility with a comprehensive fraud program gives merchants the tools to detect and respond to 3DS bypass attempts before losses compound.

Key Takeaways

  • 3DS2 relies on IP geolocation and device data to grant frictionless approvals — both can be spoofed with residential proxies and anti-detect browsers
  • Professional fraudsters geo-match their proxy IP to the victim's billing zip code to avoid triggering OTP challenges
  • Card testing campaigns rotate through thousands of residential IPs to evade velocity-based blocking
  • The true cost extends beyond chargebacks to include authorization fees, reputation damage, and infrastructure strain
  • Defeating 3DS bypass requires layered detection: device fingerprinting, behavioral biometrics, and network-level analysis