How to Protect Your Business from Carding Attacks: A Comprehensive Guide
Jeffrey Edwards
Cyber Risks & Threats | January 10, 2023
Carding attacks are a type of cybercrime that can have serious consequences for businesses. In the first half of 2022, there were 230,937 credit card fraud reports filed, and merchants and consumers suffered a total of $28.58 billion in losses from fraud in 2020. Your business is not bulletproof, but there are proven ways you can protect yourself from these types of attacks.
In this blog post, we will explore what carding attacks are, the impact they can have on businesses, and how to detect and prevent them.
What is a Carding Attack?
A carding attack is a method used by criminals to obtain and use stolen credit card information for criminal activity. These attacks are often carried out by bots that make many parallel attempts to authorize stolen card credentials, with the objective of identifying which credit card numbers can still be used to make purchases.
To perform a carding attack, the criminal will acquire a list of credit card numbers, often through phishing scams or by purchasing lists of stolen numbers on the dark web. They will then use bots to test the list of stolen credit or debit card information with small online purchases to verify the account information is valid and has not been reported stolen. This process can take thousands of attempts before it yields a valid credit card, but bots can do this much faster than a human can.
Once the card information has been authenticated, the criminal can use it to directly retrieve funds from associated accounts, purchase gift cards, purchase high-value goods, or sell the validated list to other criminals for exploitation.
The Impact of Carding Attacks on Businesses
Carding attacks can have serious consequences for businesses. Some of the ways they can be affected include:
- Chargebacks: Businesses may be hit with chargebacks when customers dispute transactions that were made with stolen credit card information.
- Blocked transactions: Payment processors may block all transactions if carding attacks are not handled quickly, leading to lost revenue for the business.
- Reputational damage: A carding attack can damage a business’s reputation and customer loyalty, which can linger for years.
- Regulatory fines: Payment networks like Visa and Mastercard may hold businesses accountable with fines and penalties if chargeback and card-not-present (CNP) fraud rates are not kept within the networks' thresholds.
- Processing fees: Businesses may be hit with additional processing fees as a result of carding attacks.
Besides the monetary and reputational damages, businesses that are hit by these attacks need to spend hours mitigating, reporting, and communicating with their payment providers. It both costs money and takes them away from running their day-to-day operations.
But where do hackers get payment information en masse? On carding forums.
Carding Forums
Carding forums are online spaces where criminals share stolen credit card data and discuss techniques for obtaining and using it for criminal activity. These forums are often hidden behind Tor routing, and payments are often made in cryptocurrency to make it harder for law enforcement to trace the perpetrators.
How a Carding Attack Works
Here is a step-by-step breakdown of the process of a carding attack:
- The criminal acquires a list of credit card numbers, often through phishing scams or by purchasing lists of stolen numbers on the dark web.
- The hacker uses bots to test the list of stolen credit or debit card information with small online purchases to verify the account information is valid and has not been reported stolen.
- The cybercriminal compiles a list of valid card information, which they use to directly retrieve funds from associated accounts, purchase gift cards, purchase high-value goods, or sell the validated list to other criminals for exploitation.
Why Hackers Use Bots in Carding Attacks
Bots play a crucial role in carding attacks because they enable criminals to increase the speed and scale of the attack significantly. Without automation, the criminal would have to manually enter the card number and each possible expiry date and security code combination in order to identify a valid card. Bots automate this process so the criminal can test a large volume of cards and keep an attack running 24 hours a day.
Bots also enable the criminal to rapidly change the IP address from which they are attacking, which makes it much more difficult for traditional anti-fraud technologies to identify and block an attack.
Types of Carding Attacks
There are several types of carding attacks, including:
Credit card stuffing
This type of carding attack involves using stolen credit card information to make purchases or sell the information to other criminals for exploitation. A massive credit card stuffing attack that targeted the famous retailer The North Face occurred in the summer of 2022. Hackers were able to breach close to 200,000 accounts using valid credentials, potentially accessing users’ private information (like billing address, name, and purchase history). Luckily, the payment information wasn’t stored on the site, so no money was stolen.
Card cracking/token stuffing
This type of carding attack involves using bot-driven automation to systematically test large volumes of possible gift card codes on a merchant site in order to identify valid combinations. The stolen gift cards are then resold on the dark web or used to purchase goods that are resold for cash.
One example of a massive card cracking attack happened in 2017 when hackers created the famous GiftGhostBot, which was able to successfully attack almost 1,000 eCommerce websites. Hackers used the bot to go through thousands of possible gift card numbers and request the balance on each card. Whenever they would get a real balance, they would know that the card had money on it and would then use it to make purchases.
Detecting Carding Attacks
Your business needs to always be on high alert for carding attacks, and there are several ways in which you can detect them. Here are the main ones.
- Monitor for unnaturally high shopping cart abandonment rates, low average shopping cart size, and disproportionate use of the payment step in the checkout process. These can all be signs of a carding attack.
- Monitor for increased chargebacks and failed payment authorization rates.
- Look for multiple failed payment attempts from the same user, session, device ID, fingerprint, or IP address.
Once you detect any of these, you need to immediately mitigate the issue. But an even better strategy is to put things in place to prevent these attacks in the first place.
How to Prevent Carding Attacks
There are several ways to prevent carding attacks from impacting your business, including:
Device fingerprinting
Hackers (or their bots) carry out these attacks by trying many different credit card numbers and combinations, and to avoid detection they often switch between devices, browsers, or sessions. With fingerprinting you can build a unique device, browser, and cookie identifier, detect multiple payment attempts coming from the same actor, and stop the transaction before it goes through.
Browser validation
Some bots pretend to be specific browsers and switch between them to avoid detection. Browser validation confirms that the client really is the browser it claims to be: that it runs the JavaScript that browser would run and behaves the way a human-driven browser does. If it doesn’t, you can easily mitigate or block its access to your site.
Reputation analysis
Another way to prevent carding attacks is by having access to a database of known bots that you can compare your traffic against. Known technical and behavioral patterns and originating IPs help you identify bot traffic and quickly block its access to your site.
Machine learning behavior analysis
Use technology to learn your users’ behavior patterns. Real users shop and use sites in a predictable way, and you can use technology to analyze user behavior across your site and detect anomalies. Data you can analyze include site engagement metrics, mouse movements, mobile swipe behavior, URLs accessed, and products that were added to the cart.
Progressive challenges
When you suspect that a user might be a bot, you need to challenge it with a test. You know those annoying “are you human?” tests that you see on sites sometimes? Well, those are super powerful in blocking bot traffic. You can use a traditional CAPTCHA, a cookie challenge, or a JavaScript challenge.
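The detection signals listed earlier (repeated failed payment attempts from one session, device fingerprint or IP) and the progressive challenge idea above fit together as a velocity check. The Python below is an added example, not code from the original post or from CHEQ: it replays constructed payment-attempt log lines (the field layout, the 10-minute window and the 3/5 thresholds are all assumptions), counts declined authorizations per IP and per device fingerprint inside a sliding window, and escalates from allow, to a challenge, to a block. The sample traffic has one fingerprint rotating across three IPs, which a per-IP counter alone would never catch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed policy values (not from the original post): tune to your own traffic.
WINDOW = timedelta(minutes=10)  # sliding window for velocity counting
CHALLENGE_AT = 3                # declines in window -> CAPTCHA / JS challenge
BLOCK_AT = 5                    # declines in window -> block further attempts

# Constructed sample log lines (assumed format; IPs are RFC 5737 documentation
# addresses). Card values are masked: never write full PANs to logs.
SAMPLE_LOG = """\
2023-01-10T12:00:01Z ip=203.0.113.7 fp=dev-a1 card=411111****1111 result=declined
2023-01-10T12:00:02Z ip=203.0.113.7 fp=dev-a1 card=411111****2222 result=declined
2023-01-10T12:00:03Z ip=198.51.100.9 fp=dev-a1 card=411111****3333 result=declined
2023-01-10T12:00:04Z ip=198.51.100.9 fp=dev-a1 card=411111****4444 result=declined
2023-01-10T12:00:05Z ip=192.0.2.44 fp=dev-a1 card=411111****5555 result=declined
2023-01-10T12:00:06Z ip=192.0.2.44 fp=dev-a1 card=411111****6666 result=approved
2023-01-10T12:05:00Z ip=203.0.113.50 fp=dev-b2 card=555555****7777 result=declined
2023-01-10T12:05:30Z ip=203.0.113.50 fp=dev-b2 card=555555****7777 result=approved
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) fp=(?P<fp>\S+) card=(?P<card>\S+) result=(?P<result>\w+)$"
)


def parse_line(line):
    """Parse one log line into a dict with a timezone-aware timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


class VelocityMonitor:
    """Counts recent declined authorizations per IP and per device fingerprint."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.declines = defaultdict(deque)  # key -> timestamps of declines in window
        self.cards = defaultdict(set)       # key -> distinct card values attempted

    @staticmethod
    def _keys(rec):
        return (f"ip:{rec['ip']}", f"fp:{rec['fp']}")

    def _prune(self, key, now):
        q = self.declines[key]
        while q and now - q[0] > self.window:
            q.popleft()

    def decide(self, rec):
        """Progressive action, based on history *before* this attempt is sent
        to the processor. The worst of the per-IP and per-fingerprint counts
        wins, so rotating IPs behind one device does not reset the counter."""
        worst = 0
        for key in self._keys(rec):
            self._prune(key, rec["ts"])
            worst = max(worst, len(self.declines[key]))
        if worst >= BLOCK_AT:
            return "block"
        if worst >= CHALLENGE_AT:
            return "challenge"
        return "allow"

    def record(self, rec):
        """Record the processor's answer so later attempts see it."""
        for key in self._keys(rec):
            self.cards[key].add(rec["card"])
            if rec["result"] != "approved":
                self.declines[key].append(rec["ts"])


def process_log(text):
    """Replay a log; return (fingerprint, ip, card, action) per attempt and the monitor."""
    mon = VelocityMonitor()
    actions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        actions.append((rec["fp"], rec["ip"], rec["card"], mon.decide(rec)))
        mon.record(rec)
    return actions, mon


def card_cyclers(mon, min_cards=5):
    """Keys that tried many distinct cards: the low-cart-size, many-cards pattern."""
    return sorted(k for k, cards in mon.cards.items() if len(cards) >= min_cards)


if __name__ == "__main__":
    acts, monitor = process_log(SAMPLE_LOG)
    for fp, ip, card, action in acts:
        print(f"{fp:8} {ip:15} {card:16} -> {action}")
    print("keys cycling through many cards:", card_cyclers(monitor))
```

Two design points worth noting. The decision is taken before the attempt reaches the payment processor, so by the time the rotating fingerprint finally hits a card that authorizes, it is already blocked and the attacker never learns that the card is live. And the distinct-card count is kept separately from the decline count: a legitimate customer retrying the same card after a decline (dev-b2 in the sample) never trips either signal, while one device cycling through six different cards does.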
Bot mitigation tools
Last but not least, businesses should use systems that help detect these bots and block them from causing harm or committing fraud. You can do that with CHEQ, which easily detects, mitigates, and blocks bots and fraudulent actors from accessing your site.
Frequently Asked Questions
What is a carding attack?
A carding attack is a method used by criminals to obtain and use stolen credit card information for criminal activity. These attacks are often carried out by bots that make many parallel attempts to authorize stolen card credentials, with the objective of identifying which credit card numbers can still be used to make purchases.
How do criminals acquire credit card information for carding attacks?
Criminals acquire credit card information through phishing scams or by purchasing lists of stolen numbers on the dark web.
What are the consequences of carding attacks on businesses?
Carding attacks can have serious consequences on businesses, including chargebacks, blocked transactions, reputational damage, regulatory fines, and processing fees.
What are carding forums?
Carding forums are online spaces where criminals share stolen credit card data and discuss techniques for obtaining and using it for criminal activity. These forums are often hidden behind Tor routing, and payments are often made in cryptocurrency to make it harder for law enforcement to trace the perpetrators.
Why do hackers use bots in carding attacks?
Bots play a crucial role in carding attacks because they enable criminals to increase the speed and scale of the attack significantly. Without automation, the criminal would have to manually test each credit card number, which would be much slower and less efficient.
What steps can a business take to detect and prevent carding attacks?
Some steps a business can take to detect and prevent carding attacks include implementing fraud detection software, monitoring for suspicious activity, training employees on how to spot phishing attempts, and setting strict security protocols. Additionally, businesses should also stay up-to-date on the latest carding trends and methods used by hackers.