What Are Carding and Gift Card Cracking?
In carding attacks (also known as carding fraud), cybercriminals (also referred to as carders or fraudsters) use bots to test lists of recently stolen credit card and debit card details on merchant sites. They obtain the stolen credit card data from other cybercriminals on the dark web and usually test it with small-value purchases to avoid detection. The carders then use the proven credit card details to directly retrieve funds from associated accounts or to purchase gift cards which can easily be converted into high-value goods, such as cell phones, televisions and computers. These goods are then resold – often via ecommerce sites offering a degree of anonymity – for a profit. While carding attacks are similar to account takeover (ATO) attacks, the big difference is that ATO attacks focus on the login page using stolen usernames and passwords while carding attacks focus on the checkout page using stolen credit card information.
Gift card cracking is a variation of carding attacks where cybercriminals use brute force to enumerate gift card numbers to figure out valid combinations. The stolen gift card numbers are then resold on the dark web or used to purchase goods. Gift cards don’t have the same level of protection as credit cards: they have no cardholder names, bank account numbers, social security numbers, billing addresses or zip codes associated with them, which makes them easier targets. Additionally, many merchants provide a separate page for gift card balance checking, a feature that is widely abused by card cracking bots.
How Do Carding Attacks Work?
1. Understanding the carding attack lifecycle
A carding attack is a compound sequence of events that includes several steps: acquiring a list of stolen credit card numbers with associated security data such as CVV values, launching bot attacks to test the acquired cards, and finally a disposition of the tested card data (what is done with the cards that passed).
2. Carding attacks leverage malicious bots to complete their tasks
Carding attacks are normally categorized as a specific use case of malicious bot attacks. This is because bots perform all of the automated tasks to complete the attack. Bots can test card numbers and still fly under the radar without detection by initiating small transactions. Once they have a verified card, they add that to the list of valid cards to be deployed in nefarious transactions.
3. Retailers can be left holding an empty bag
Verified cards can be quickly utilized to complete e-commerce transactions. Once a retailer ships an item, it is unlikely the product is going to be recovered. The charge from the fraudulent transaction, however, can be reversed, leaving the retailer exposed to losses. Signs of this type of attack are a high number of failed transactions or repeated payment attempts. Other sites may experience a high number of abandoned carts when bots are used to validate cards from a list.
Carding is a Growing Threat
In the United States, the socio-economic impact of Covid-19 has accelerated the use of digital or e-gift cards. According to ResearchAndMarkets.com, the e-gift card market is expected to grow from 2020 to reach a record $102 billion by 2024, an 18% CAGR (compound annual growth rate) over this period.
This huge growth in e-gift cards has caught the attention of organized hacker groups and cybercriminals, making them a hot target for fraudsters. E-gift card fraud is pegged at an average of 2 percent of revenue, and e-gift card losses from fraud are estimated at just under $2 billion in 2020, based on intelligence from Mercator Advisory Group in its report Digital Gift Cards: U.S. Market, 2019.
If you are an online retailer, you can end up paying a heavy price when you are hit with a carding attack. For example, payment processors can block all transactions if the carding attacks are not handled quickly, which results in lost revenue. As a retailer, you are responsible for keeping chargeback and card-not-present (CNP) fraud levels under control. Payment networks like Visa and Mastercard keep lowering the thresholds for chargebacks and CNP credit card fraud and hold merchants accountable with increasing fines. Chargebacks can easily cost $20 to $100 per transaction depending on the payment provider. Not only will you have to contend with chargebacks and lost revenue, but also with the damage done to your brand reputation and customer loyalty, which can follow you for years.
Cybercriminals are stepping up their game by adopting advanced bots that are capable of mirroring human behavior. These sophisticated bots are invisible to traditional protection measures. Website owners use third-party gift card services integrated through APIs; these APIs are a ripe target for attackers, and gift card fraud against them can go on completely undetected. The chargebacks from API-based carding attacks are a big negative surprise for e-commerce site owners.
How Are Companies Fighting Carding and Gift Card Cracking?
While cybercriminals have become increasingly sophisticated with their attacks, most retailers have not followed suit. Ecommerce sites are attempting to keep up with bot attacks by adopting CAPTCHA methods, but CAPTCHAs often frustrate real users. Another approach involves creating deny lists of known malicious bot operators and suspicious IP addresses and domains, but cybercriminals are savvy enough to elude detection by creating new domains and hostname combinations. Rate limiting requests on the check-gift-card-balance page cannot stop hyper-distributed attacks, and the approach of invoking a fraud solution for every credit card or gift card transaction can become cost-prohibitive. Credit card fraud checks also add latency to the transaction, severely slowing the checkout experience and leading to cart abandonment from legitimate users.
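The attack signs listed in step 3 above (many failed transactions, repeated low-value payment attempts) and the point that per-IP rate limiting misses hyper-distributed attacks can both be checked with a small detector over checkout logs. The following is an added example, not the page's or any vendor's code: the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed sample log, not real traffic. One line per checkout attempt:
# "<timestamp> <src_ip> <session> <card_token> <amount> <result>". sess-bot1
# tests several cards from one IP; sess-d1..d6 spread one card per IP
# (the hyper-distributed case); sess-cust1/2 are normal purchases.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.5 sess-bot1 tok-1111 1.00 DECLINED
2024-05-01T10:00:03 203.0.113.5 sess-bot1 tok-2222 1.00 DECLINED
2024-05-01T10:00:05 203.0.113.5 sess-bot1 tok-3333 1.00 APPROVED
2024-05-01T10:00:07 203.0.113.5 sess-bot1 tok-4444 1.00 DECLINED
2024-05-01T10:00:09 198.51.100.2 sess-d1 tok-5555 0.99 DECLINED
2024-05-01T10:00:10 198.51.100.3 sess-d2 tok-6666 0.99 DECLINED
2024-05-01T10:00:11 198.51.100.4 sess-d3 tok-7777 0.99 DECLINED
2024-05-01T10:00:12 198.51.100.5 sess-d4 tok-8888 0.99 APPROVED
2024-05-01T10:00:13 198.51.100.6 sess-d5 tok-9999 0.99 DECLINED
2024-05-01T10:00:14 198.51.100.7 sess-d6 tok-0000 0.99 DECLINED
2024-05-01T10:00:20 192.0.2.10 sess-cust1 tok-abcd 59.90 APPROVED
2024-05-01T10:00:25 192.0.2.11 sess-cust2 tok-ef01 120.00 APPROVED
"""

def parse_log(text):
    """Split the constructed log into one dict per checkout attempt."""
    records = []
    for line in text.splitlines():
        ts, ip, session, card, amount, result = line.split()
        records.append({"ts": ts, "ip": ip, "session": session, "card": card,
                        "amount": float(amount), "result": result})
    return records

def detect_carding(records, per_ip_limit=20, max_cards_per_session=3,
                   max_decline_ratio=0.4, min_attempts=10):
    """Per-source checks plus one window-wide signal; thresholds are assumed.
    per_ip_limit stands in for a per-IP rate limit, which a distributed
    attack evades; the decline ratio across all sources still exposes it."""
    attempts_by_ip = defaultdict(int)
    cards_by_session = defaultdict(set)
    declines = 0
    for r in records:
        attempts_by_ip[r["ip"]] += 1
        cards_by_session[r["session"]].add(r["card"])
        declines += r["result"] == "DECLINED"
    flagged_ips = {ip for ip, n in attempts_by_ip.items() if n > per_ip_limit}
    flagged_sessions = {s for s, cards in cards_by_session.items()
                        if len(cards) >= max_cards_per_session}
    ratio = declines / len(records) if records else 0.0
    return {"flagged_ips": flagged_ips, "flagged_sessions": flagged_sessions,
            "decline_ratio": round(ratio, 2),
            "global_alert": len(records) >= min_attempts
            and ratio > max_decline_ratio}
```

On the sample, no IP trips the per-IP limit, yet the single-source bot session is caught by its distinct-card count and the distributed batch by the window-wide decline ratio.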