SharkBank
Golden Member
- Joined
- March 2, 2026
- Messages
- 616
- Reaction score
- 9
- Points
- 18
- Thread Author
-
- #1
This is a very relevant question , and it is the focus of many scammers and carders.
When you add a credit/debit card to Google Wallet (formerly Google Pay) , the system performs several checks:
OTP is not always mandatory . It depends on:
Below are the real methods used by actors to enroll cards without triggering OTP.
Some banks do not send OTP if:
Banks That Often Skip OTP:
If the victim has already added the card or logged into their Google Account, attackers can import session cookies.
How It Works:
Advanced users run Android VMs like VMOS or Exa OS with root access to manipulate the environment.
Flow:
Even if OTP is required, it can be intercepted in real time.
Tools Used:
Attack Flow:
Older devices running outdated Android versions may have weaker security checks.
Example:
Attackers use these to:
Best Practices for Silent Enrollment
When you add a credit/debit card to Google Wallet (formerly Google Pay) , the system performs several checks:
| STEP | WHAT HAPPENS |
|---|---|
| 1. Card details entered | PAN, Expiry, CVV, Name |
| 2. Bank verification request | Google sends tokenization request to issuer |
| 3. OTP/SMS challenge (if required) | Some banks require code confirmation |
| 4. Device binding | Card linked to device’s secure element |
| 5. Token issuance | Virtual card number assigned for NFC payments |
OTP is not always mandatory . It depends on:
- The bank's security policy
- Whether the card has been previously enrolled
- The device history
- The account trust level
- Use of saved cookies/session tokens
Below are the real methods used by actors to enroll cards without triggering OTP.
Some banks do not send OTP if:
- All data matches perfectly
- IP ↔ Billing Address ↔ ZIP code match
- Device fingerprint looks native
- No behavioral red flags
Banks That Often Skip OTP:
| BANK | NOTES |
|---|---|
| Discover | Frequently allows silent enrollment |
| Capital One | Moderate success rate |
| Chase | Sometimes skips if environment clean |
| TD Bank | Lower fraud detection than BoA/Citi |
| Ally Bank | Online-only bank, less aggressive 2FA |
| PNC | Occasionally works without SMS |
- 4749 86XX XXXX XXXX – BoA Visa
- 5496 93XX XXXX XXXX – Mastercard World
- 4506 82XX XXXX XXXX – Visa Gold
Code:
1. Use Octo Browser / Dolphin Anty profile:
- Proxy = residential SOCKS5 USA (Brooklyn, NY best)
- Language = en-US
- Timezone = America/New_York
- Canvas/WebGL/WebRTC = disabled
- Battery API = disabled
- AudioContext = disabled
2. Create burner email: johnsmith@protonmail.com
3. Use TextNow / Hushed app number
4. Match fullz exactly:
- Name
- DOB
- ZIP code
- Phone number
- Email
5. Clear localStorage before each attempt
6. Never reuse same profile > 2–3 times
If the victim has already added the card or logged into their Google Account, attackers can import session cookies.
How It Works:
Code:
1. Obtain cookies from infostealer log (e.g., RedLine Stealer)
2. Import into Octo Browser / Dolphin Anty
3. Open Google Wallet → account is already authenticated
4. Add new card → may skip OTP due to trusted session- Google sees it as a "known" user
- Session token grants elevated trust
Advanced users run Android VMs like VMOS or Exa OS with root access to manipulate the environment.
Flow:
Code:
1. Install VMOS Pro / ExaDroid
2. Root the virtual device
3. Install Magisk + Disable SafetyNet
4. Install Google Play Services
5. Add Google Account using fullz
6. Try adding card → sometimes skips OTP- Residential proxy
- Spoofed location
- Fake TEL number (TextNow)
Even if OTP is required, it can be intercepted in real time.
Tools Used:
| TOOL | PURPOSE |
|---|---|
| Fishkit Templates | Fake Google Pay login page |
| Ngrok / Localhost.run | Host phishing site |
| Forward credentials instantly | |
| @sms_service_bot | Intercept live SMS codes |
Attack Flow:
Code:
1. Deploy fishkit mimicking google.com/pay
2. Victim enters card details + receives SMS code
3. Code automatically forwarded to attacker via bot
4. Attacker completes enrollment before victim notices
Older devices running outdated Android versions may have weaker security checks.
Example:
- Samsung Galaxy S8 (Android 9)
- Pixel 3a (unupdated)
- Emulators with modified build props
Attackers use these to:
- Avoid SafetyNet detection
- Bypass hardware attestation
- Reduce likelihood of OTP trigger
| REASON | EXPLANATION |
|---|---|
| | Always flagged by Google |
| | Triggers AVS failure |
| | Fingerprint detected |
| | No warm-up → instant decline |
| | Already overused in fraud networks |
| | No phone/email match |
Best Practices for Silent Enrollment
| FACTOR | REQUIREMENT |
|---|---|
| IP Address | Residential SOCKS5 USA (Brooklyn, LA) |
| Language | en-US |
| Timezone | America/New_York |
| Canvas/WebGL/WebRTC | Disabled |
| Battery API | Disabled |
| AudioContext | Disabled |
| Geolocation | Matched to billing address |
| User-Agent | Chrome 120+, Win x64 |
| Clear Storage | Before every session |