What do BIN, Fullz & Dumps mean? Read our complete Carding Terminology Glossary to understand cybersecurity slang and protect your data from online fraud.
The Underground Dictionary: Complete Carding Terminology Glossary (BIN, Fullz, Dumps & More) 
Posted by: Daniel
Hey everyone!
I remember the first time I opened a security log file years ago. It looked like alien code. I saw terms like "Track 2," "Non-VBV," and "Dead Drop" and I had absolutely no idea what I was looking at.
If you are new to the world of cybersecurity or e-commerce protection, the slang used in the underground economy can be incredibly confusing. It is a mix of banking protocols, hacker slang, and technical jargon.
But here is the truth: You cannot protect yourself if you don't speak the language.
If you want to understand how data breaches happen, or if you are just curious about what these terms actually mean, you are in the right place. This is the ultimate glossary for the carding forum community. We are going to break down every single term, from the basic data types to the complex tools used to bypass security.
Additionally, for the researchers here, please ensure you have read our carding forum defense guide to understand the ethical boundaries of studying this data.
Let’s open the dictionary.
These are the terms used to describe the actual credit card information found in database leaks or skimming attacks.
CC: The most basic term. It usually refers to the 16-digit Personal Account Number (PAN), the expiration date, and the CVV. In the underground, a "CC" usually refers to just the digital text data, not the physical card.
Fullz: This is a term you will see everywhere. A credit card number by itself is often useless because merchants require address verification.
Fullz means the attacker has the complete package on the victim:
- Card Details: Number, Exp, CVV.
- Personal Details: First Name, Last Name.
- Location: Billing Address, City, State, Zip, Country.
- Identity: Social Security Number (SSN), Date of Birth (DOB), Phone Number, Email.
- Why it matters: "Fullz" are priced much higher than standard CCs because they allow the fraudster to pass identity checks and even apply for loans in the victim's name.
- The Bank: (e.g., Chase, Wells Fargo, Barclays).
- The Type: (Credit vs. Debit).
- The Level: (Classic, Gold, Platinum, Infinite, Business).
- The Country: (USA, UK, CA, etc.).
- Security Insight: Fraudsters analyze BIN lists to target "High Tier" cards (like Platinum or Business cards) because they have higher limits.
- CVV1 (Track Data): This code is encoded on the magnetic stripe of the card. It is used for "Card Present" transactions (swiping at a store). You cannot see this number.
- CVV2 (Printed Data): This is the 3-digit code printed on the back of the card. It is used for "Card Not Present" (online) transactions.
- Note: If someone steals a database from an online store, they get the CVV2. If they skim a physical card at an ATM, they get the CVV1.
This section explains how physical card fraud works (ATM withdrawals and in-store shopping).
A "Dump" is the raw data extracted from the magnetic stripe of a credit card. It looks like a string of chaotic code.
- Example: %B1234567812345678^SMITH/JOHN^22011010000000000000?
- Fraudsters buy "Dumps" to write them onto blank cards. You cannot use a "Dump" to shop online; it is strictly for making physical clones.
- Track 1: Contains the cardholder’s name and the account number.
- Track 2: Contains the account number and the encrypted PIN data. Track 2 is the most valuable because it is what ATMs read. If you have Track 2 and the PIN, you can cash out at an ATM.
This is a blank, white plastic card with a magnetic stripe. Criminals use an MSR (Magnetic Stripe Reader/Writer) to "write" the stolen Dump data onto the white card. They can then take this generic-looking card to an ATM or a store to use it.
You cannot engage in cyber-fraud using your home internet. These are the tools used to mask identity and bypass "Anti-Fraud" systems.
RDP: A tool that allows you to control another computer remotely.
- The Strategy: If the victim lives in London, the attacker buys access to an RDP (a hacked computer) located in London. They log in and make the purchase from that computer. To the bank, the IP address matches the victim's location perfectly.
- Clean SOCKS: A proxy IP that has never been blacklisted.
- Residential SOCKS: An IP address that belongs to a home ISP (like Comcast or Verizon) rather than a data center. These are trusted much more by merchant security systems.
- Spoofing: Fraudsters use "User-Agent Switchers" to make their Linux hacking machine look like a regular iPhone or Windows laptop to blend in with normal traffic.
These are the terms related to the defensive measures banks use.
AVS: An automated check performed during checkout. The merchant sends the street number and zip code to the bank.
- AVS Match: The address provided matches the card.
- AVS Mismatch: The address is wrong (Transaction Declined).
- Educational Note: This is why "Fullz" are so important. Without the correct billing address, AVS will kill the transaction immediately.
- VBV: Verified by Visa.
- MCSC: MasterCard SecureCode.
- This is the "Two-Factor Authentication" of the carding world. It is the popup window that asks for a One-Time Password (OTP) sent to the victim's phone.
- Non-VBV: A card that does not have this feature enabled. These are highly sought after because the attacker doesn't need the victim's phone to complete the purchase.
- The Risk: If a merchant gets too many chargebacks, Visa/Mastercard will ban them from processing payments.
Drop: The physical location where goods are shipped.
- Dead Drop: An empty house or apartment where the package is left on the porch.
- Live Drop: A person (Mule) who accepts the package and hands it over.
- Money Mule: Someone who receives stolen funds into their bank account and transfers them (usually via Crypto) to the criminal, keeping a percentage as a fee.
- Reshipping Mule: Someone who receives packages (iPhones, Laptops) and ships them to a different country to obfuscate the trail. Warning: Mules are usually the first ones to get arrested.
The underground is full of scammers scamming scammers.
A scammer. Someone who sells fake data, fake tools, or takes money for a service and blocks you. "Ripping" is the act of scamming.
A fake forum or marketplace set up by law enforcement (FBI/Europol) to monitor criminal activity and collect IP addresses of users.
The terminology of the carding world is vast and constantly changing. As banks develop new security technologies (like Behavioral Biometrics), new slang emerges to describe the bypass methods.
Understanding these terms removes the mystery. It helps you realize that this isn't magic; it's a technical process involving data manipulation and social engineering.
If you are a merchant, look at your logs. Do you see AVS Mismatches? Do you see User-Agents that don't match the IP location? Those are the signs of the terms we discussed above.
Let’s Discuss:
Are there any terms I missed that you see often and don't understand? Post them below, and I (or another expert) will define them for you. Let's build the biggest glossary on the net!
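For merchants acting on the log-review advice above, here is one way to turn those signs into a review queue. This is an added example, not part of the original post; the log format, field names, weights and threshold are assumptions, and the sample lines are constructed.

```python
import json
from collections import Counter

# Constructed sample: one JSON object per checkout attempt (field names are assumptions).
SAMPLE_LOG = """\
{"order": "A1001", "ip": "198.51.100.10", "ip_country": "GB", "ip_type": "residential", "bill_country": "GB", "avs": "match", "three_ds": true, "locale": "en-GB"}
{"order": "A1002", "ip": "203.0.113.50", "ip_country": "NL", "ip_type": "datacenter", "bill_country": "US", "avs": "mismatch", "three_ds": false, "locale": "ru-RU"}
{"order": "A1003", "ip": "203.0.113.50", "ip_country": "NL", "ip_type": "datacenter", "bill_country": "US", "avs": "mismatch", "three_ds": false, "locale": "ru-RU"}
{"order": "A1004", "ip": "192.0.2.77", "ip_country": "US", "ip_type": "residential", "bill_country": "US", "avs": "match", "three_ds": false, "locale": "en-US"}
{"order": "A1005", "ip": "192.0.2.91", "ip_country": "US", "ip_type": "residential", "bill_country": "US", "avs": "mismatch", "three_ds": true, "locale": "en-US"}
"""

# Assumed weights; tune them against your own chargeback history.
WEIGHTS = {"avs_mismatch": 3, "ip_vs_billing": 2, "datacenter_ip": 2,
           "locale_vs_ip": 1, "no_3ds": 1}

def signals(ev):
    """Return the names of the risk signals present in one checkout event."""
    checks = {
        "avs_mismatch": ev["avs"] == "mismatch",
        "ip_vs_billing": ev["ip_country"] != ev["bill_country"],
        "datacenter_ip": ev["ip_type"] == "datacenter",
        "locale_vs_ip": ev["locale"].split("-")[-1].upper() != ev["ip_country"],
        "no_3ds": not ev["three_ds"],
    }
    return [name for name, hit in checks.items() if hit]

def parse(log_text):
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]

def review_queue(log_text, threshold=4):
    """Orders whose summed signal weight reaches the threshold, highest first."""
    scored = []
    for ev in parse(log_text):
        found = signals(ev)
        total = sum(WEIGHTS[s] for s in found)
        if total >= threshold:
            scored.append((ev["order"], total, found))
    return sorted(scored, key=lambda r: (-r[1], r[0]))

def repeat_avs_failures(log_text, min_count=2):
    """IPs with repeated AVS mismatches, a pattern a single typo does not produce."""
    counts = Counter(ev["ip"] for ev in parse(log_text) if ev["avs"] == "mismatch")
    return {ip: n for ip, n in counts.items() if n >= min_count}

if __name__ == "__main__":
    for order, total, found in review_queue(SAMPLE_LOG):
        print(order, total, ",".join(found))
```

A lone AVS mismatch (order A1005) stays below the threshold because honest customers mistype addresses; it is the combination of signals, or repetition from one IP, that earns a manual review.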