Carding: Why retailers, big and small, should care about this attack
Consumers and retailers prefer credit cards as a convenient way to complete transactions on web and mobile applications. Cybercriminals target credit cards for exactly the same reason: convenience. Retailers and payment processors carry the risk of fraudulent credit card transactions, with the retailers responsible for the majority of the losses. With the meteoric rise in data breaches, there is a plethora of stolen credit card numbers available on the dark web. The problem for attackers, however, is that most stolen credit cards are invalidated quickly. According to ACI Worldwide, 46% of Americans have had their card information compromised at some point in the past 5 years, but a large portion of the card owners are notified about it and cancel the card at some point. This is why attackers validate the stolen card details. Carding allows cybercriminals to mass-verify millions of stolen credit cards and generate a list of valid ones.
What is Carding?
Carding is a brute-force attack on a retailer's website using stolen credit cards or gift cards. A single breach of Capital One in August 2019 exposed 100M credit card numbers. With 4.1 billion records breached in the first six months of 2019, a 52% increase from the same period in 2018, it is clear that the supply of stolen credit cards is only increasing. Lists of stolen cards are available in bulk for less than a few cents per card. Attackers use malicious bots to test stolen credit cards with small-dollar-value purchases on a retailer's website. These validated credit cards, now worth up to $45 each, are typically sold on the black market and exchanged for untraceable gift cards to maintain attacker anonymity. To verify the cards, the attackers usually make a low-cost purchase, but the validated stolen cards are then used for bigger transactions, leading to bigger losses.
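The validation traffic described above has a recognizable shape in checkout logs: one client trying many different cards, for small amounts, with most attempts declined because most stolen cards are already cancelled. The following velocity check is an added example, not part of the original article; the record fields, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune them against your own checkout baseline.
WINDOW = timedelta(minutes=10)
MAX_DISTINCT_CARDS = 5      # distinct card fingerprints per client per window
MIN_DECLINE_RATIO = 0.6     # most stolen cards are already cancelled
SMALL_AMOUNT = 5.00         # upper bound for a "small-dollar" test purchase

def find_card_testing(attempts):
    """Return {client: stats} for clients whose attempts look like card testing.

    attempts: iterable of dicts with keys ts (ISO 8601), client (IP or device id),
    card_fp (tokenised or hashed card, never the raw number), amount, approved.
    """
    by_client = defaultdict(list)
    for a in attempts:
        by_client[a["client"]].append({**a, "ts": datetime.fromisoformat(a["ts"])})

    flagged = {}
    for client, rows in by_client.items():
        rows.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(rows)):
            # Slide the window so it covers only the last WINDOW of activity.
            while rows[end]["ts"] - rows[start]["ts"] > WINDOW:
                start += 1
            win = rows[start:end + 1]
            cards = {r["card_fp"] for r in win}
            declines = sum(not r["approved"] for r in win) / len(win)
            small = all(r["amount"] <= SMALL_AMOUNT for r in win)
            if len(cards) > MAX_DISTINCT_CARDS and declines >= MIN_DECLINE_RATIO and small:
                flagged[client] = {"cards": len(cards), "decline_ratio": round(declines, 2)}
                break
    return flagged

# Constructed sample data: one client cycling through cards, one ordinary shopper.
SAMPLE = [
    {"ts": f"2019-08-01T10:00:{i * 5:02d}", "client": "203.0.113.7",
     "card_fp": f"fp{i}", "amount": 1.00, "approved": i % 4 == 0}
    for i in range(8)
] + [
    {"ts": "2019-08-01T10:01:00", "client": "198.51.100.20",
     "card_fp": "fpA", "amount": 59.90, "approved": False},
    {"ts": "2019-08-01T10:02:00", "client": "198.51.100.20",
     "card_fp": "fpA", "amount": 59.90, "approved": True},
]
```

A legitimate shopper who retries one card after a decline stays well under the distinct-card threshold, so only the first client in the sample is flagged.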
The Carding Threat to Online Retailers
For online retailers, carding represents a massive problem that must be addressed to prevent lost revenue due to credit card chargebacks and frustrated customers due to empty gift cards. When retailers ship products paid for with stolen cards, they still owe their suppliers for those products and are required to reimburse the credit card company, which in turn reimburses the owner of the stolen card.
Retailers have to deal with the chargebacks, lost revenue and still-owed wholesale costs. They also have to deal with the staff hours spent on customer support and on investigating the fraudulent transactions, and sometimes a significant additional cost for external transaction verification services. On top of this, a high fraud rate could cause a credit card company to fine the retailer or, even worse, stop working with them. All of these issues distract the retailer from providing products to legitimate customers and driving revenue. For online retailers, technology has gotten a lot better at detecting fraud, but it's still a cat-and-mouse game against automated bots validating stolen cards. Fraud solutions can become really expensive for high-volume attacks, and can also increase the checkout time for legitimate transactions.
Unlike other attacks such as account takeover (ATO), where the attackers prefer high-value brands, carding attacks target large and small websites alike, preferring smaller, less secure sites that allow them to easily verify credit cards.
Restoring Confidence in E-commerce
Not only does carding account for lost revenue, but it will also damage consumers' overall confidence in online shopping. As online shopping continues to grow, it's clear that consumers love the convenience it brings to their lives. Retailers need to implement technology to stop bots from abusing their web and mobile storefronts to validate and use stolen credit cards.