What Are Carding and Gift Card Cracking?
In carding attacks, criminals use bots to test lists of recently stolen credit or debit card details against merchant checkout pages. The card data is bought from other criminals on the dark web and is usually tested with small-value purchases so that neither the cardholder nor the issuer notices. Cards that pass the test are then used to drain the associated accounts through fraudulent purchases, or to buy gift cards, which are easily converted into high-value goods such as cell phones, televisions and computers. Those goods are resold for a profit, often through marketplaces that give the seller a degree of anonymity. Carding resembles account takeover (ATO) in that both are automated credential-testing attacks, but ATO targets the login page with stolen usernames and passwords, whereas carding targets the checkout page with stolen card numbers.
Gift card cracking is a variation of carding in which attackers brute-force gift card numbers (and PINs, where the card has one) to find combinations that correspond to cards carrying a balance. The cracked cards are then resold on the dark web or spent on goods. Gift cards lack the protections a credit card has: there is no cardholder name, billing address or ZIP code to verify, which makes them easier targets. Many merchants also expose a separate balance-check page or API that accepts a card number and reports whether, and how much, balance remains. That is exactly the oracle a cracking bot needs to tell a valid guess from an invalid one, and it is widely abused.
Carding Is a Growing Threat
In the United States, e-gift card fraud accounted for $950 million in business losses in 2016. Gift cards account for $127B in sales and continue to grow every year. Estimates put the share of the gift card market affected by criminals breaking into online gift card accounts at 3%, more than 3 billion dollars.
If you are an online retailer, you can pay a heavy price when you are hit with a carding attack. Payment processors can block all of your transactions if a carding attack is not handled quickly, which means lost revenue. As the merchant, you are responsible for keeping chargeback and card-not-present (CNP) fraud rates under control; the payment networks keep lowering the thresholds for both and hold merchants accountable with increasing fines. Chargebacks alone can easily cost $20 to $30 per transaction depending on the payment provider. Beyond chargebacks and lost revenue, there is the damage to brand reputation and customer loyalty, which can follow you for years.
Cybercriminals are stepping up their game by adopting advanced bots that mimic human browsing behavior, and these bots evade traditional protection measures. Many website owners integrate third-party gift card services through APIs; those API endpoints are a ripe target, and card cracking against them often goes completely undetected until the chargebacks arrive as an unpleasant surprise.
How Are Companies Fighting Carding and Gift Card Cracking?
While criminals have become increasingly sophisticated, most companies have not kept pace. Some try to keep up with bot attacks by adding CAPTCHAs, but CAPTCHAs frustrate real users. Another approach is blacklisting known malicious bot operators and suspicious IP addresses and domains, but criminals evade such lists simply by rotating to new domains, hostnames and IP addresses. Rate limiting requests on the check-gift-card-balance page cannot stop a hyper-distributed attack in which each of thousands of IP addresses stays below the limit, and invoking a fraud-scoring solution for every credit card or gift card transaction can become cost-prohibitive. Fraud checks also add latency to every transaction, slowing the checkout and driving legitimate users to abandon their carts.
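The gap between per-IP rate limiting and a distributed cracking attack (the balance-check abuse described in the gift card cracking section above, and the hyper-distributed attack this section says rate limiting cannot stop) can be shown with a small simulation. The following Python is an added example written for this page, not code from the original article or from any vendor. The log record layout, the thresholds, the RFC 5737 documentation IP ranges and the traffic mix are all constructed assumptions. Two hundred bots each make three balance lookups, far below a 5-per-minute per-IP limit, so the limiter flags nothing; an endpoint-level detector that ignores the source IP and watches the failure ratio of the balance-check endpoint as a whole flags the attack minutes, because guessed card numbers mostly do not exist. The same logic applies unchanged to the decline ratio of a checkout authorization endpoint during a carding attack.

```python
"""Endpoint-level detection of distributed gift-card cracking.

Added example for this page, not the article's or any vendor's code.
The log layout, thresholds and synthetic traffic are assumptions made
for illustration; a real deployment would read the merchant's own
balance-check (or checkout authorization) logs.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class LookupEvent:
    ts: float      # seconds since the start of the log (assumed layout)
    ip: str        # client IP as seen by the merchant
    card: str      # gift card number submitted to the balance-check endpoint
    ok: bool       # True if the endpoint found a card with a balance


def per_ip_rate_limit(events: List[LookupEvent], limit: int = 5,
                      window: float = 60.0) -> Set[str]:
    """Classic per-IP limiter: IPs that made more than `limit` requests
    inside any sliding `window` of seconds."""
    by_ip: Dict[str, List[float]] = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e.ts)
    flagged: Set[str] = set()
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 > limit:
                flagged.add(ip)
                break
    return flagged


def endpoint_failure_alerts(events: List[LookupEvent], bucket: float = 60.0,
                            min_requests: int = 50,
                            max_fail_ratio: float = 0.5) -> List[dict]:
    """Endpoint-level detector: treat the balance-check endpoint as a whole,
    ignoring who sent each request. A time bucket is flagged when it carries
    real volume and most lookups fail, the signature of enumeration."""
    stats: Dict[int, dict] = {}
    for e in events:
        s = stats.setdefault(int(e.ts // bucket),
                             {"requests": 0, "failures": 0, "ips": set(), "cards": set()})
        s["requests"] += 1
        s["failures"] += 0 if e.ok else 1
        s["ips"].add(e.ip)
        s["cards"].add(e.card)
    alerts = []
    for b in sorted(stats):
        s = stats[b]
        ratio = s["failures"] / s["requests"]
        if s["requests"] >= min_requests and ratio > max_fail_ratio:
            alerts.append({"bucket_start": b * bucket, "requests": s["requests"],
                           "fail_ratio": round(ratio, 3),
                           "distinct_ips": len(s["ips"]),
                           "distinct_cards": len(s["cards"])})
    return alerts


# --- constructed traffic (assumptions, not real data) -------------------
def legitimate_traffic() -> List[LookupEvent]:
    """400 shoppers over 10 minutes, one or two lookups each, 5% typos."""
    events = []
    for i in range(400):
        ip, ts = f"10.{i // 256}.{i % 256}.7", i * 1.5
        events.append(LookupEvent(ts, ip, f"6006{i:012d}", ok=(i % 20 != 0)))
        if i % 2 == 0:  # second lookup a few seconds later (typo or second card)
            events.append(LookupEvent(ts + 5.0, ip, f"6006{i + 1000:012d}", ok=True))
    return events


def botnet_traffic() -> List[LookupEvent]:
    """200 bots, 3 guesses each, spread over two minutes starting at t=240s.
    Every bot stays far below any per-IP limit; about 1 guess in 100 hits."""
    events = []
    for j in range(200):
        for k in range(3):
            n = j * 3 + k
            events.append(LookupEvent(240.0 + j * 0.5 + k * 20.0, f"192.0.2.{j}",
                                      f"6006{n * 7919:012d}", ok=(n % 100 == 0)))
    return events


def run_demo() -> dict:
    legit = legitimate_traffic()
    mixed = sorted(legit + botnet_traffic(), key=lambda e: e.ts)
    return {
        "per_ip_flagged": per_ip_rate_limit(mixed),        # empty: nobody exceeds 5/min
        "alerts_legit_only": endpoint_failure_alerts(legit),  # empty: ~3% failures
        "alerts_mixed": endpoint_failure_alerts(mixed),       # the two attack minutes
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The limiter's `limit` and `window` and the detector's `min_requests` and `max_fail_ratio` are starting points to tune against real traffic: the failure ratio of a balance-check endpoint during normal shopping is low and stable, which is what makes a sudden jump across many unrelated IPs a usable signal. Reporting `distinct_ips` alongside the ratio is what tells the analyst the source is a botnet rather than one noisy client.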