What is Carding?
Carding - also known as credit card stuffing - is a type of cybercrime in which criminals, known as “carders,” acquire stolen credit card numbers, verify which are valid, and use those to purchase goods or resell them to other criminals for exploitation.
The stolen information may include some combination of the account holder’s name, credit card number, expiration date, CVV code, zip code and birthdate.
The carder then authenticates each account number by deploying a bot network to attempt small purchases on multiple online payment sites using different combinations of credit card numbers, expiration dates and CVV codes. These bots can attempt thousands of transactions in a short period of time to identify valid combinations. For example, if the carder has a card number and expiration date, but not the 3-digit CVV code, a bot can very quickly attempt transactions using all 999 possible codes until the correct one is identified.
Once the card information is authenticated, the carder can either purchase gift cards online, clone a physical card, or resell them on the dark web for a quick profit.
How Do Carding Attacks Work?
The typical steps in a carding attack are:
- The carder acquires a list of credit card numbers, often through phishing scams, site compromise or by purchasing lists of stolen numbers on the dark web.
- Carders then use bots to test lists of stolen credit or debit card information with small-value online purchases to verify that the account information is valid and has not been reported stolen. This process can take thousands of attempts before it yields a valid credit card, but because bots do this much faster than a human can, the validation process is usually quick.
- The criminals then compile a list of the valid card information, which they use to directly retrieve funds from associated accounts, purchase gift cards, purchase high-value goods or sell the validated list to other criminals for exploitation.
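The validation step described above leaves a recognisable footprint on the merchant side: a burst of small-value authorization attempts against many different cards, most of which are declined, spread across many source addresses. The following is an added example, not code from the original article, showing how a merchant could scan its own authorization log for that pattern. The log format, the field names and the thresholds are assumptions; the log lines are constructed, and the card tokens are opaque placeholders rather than real card numbers.

```python
"""Flag card-testing (carding) bursts in a payment authorization log.

Added example, not from the original article. The log layout
(timestamp, source IP, card token, amount, result) and the thresholds
below are assumptions; adapt both to your own gateway's logging.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample log. The first burst (10:00) is ten different cards,
# ten different IPs, $1.00 each, nine declines: classic card testing.
# The second group (10:05) is ordinary checkout traffic for comparison.
SAMPLE_LOG = """\
2021-03-01T10:00:01Z 198.51.100.11 tok_c01 1.00 DECLINED
2021-03-01T10:00:02Z 198.51.100.12 tok_c02 1.00 DECLINED
2021-03-01T10:00:03Z 198.51.100.13 tok_c03 1.00 DECLINED
2021-03-01T10:00:04Z 198.51.100.14 tok_c04 1.00 APPROVED
2021-03-01T10:00:05Z 198.51.100.15 tok_c05 1.00 DECLINED
2021-03-01T10:00:06Z 198.51.100.16 tok_c06 1.00 DECLINED
2021-03-01T10:00:07Z 198.51.100.17 tok_c07 1.00 DECLINED
2021-03-01T10:00:08Z 198.51.100.18 tok_c08 1.00 DECLINED
2021-03-01T10:00:09Z 198.51.100.19 tok_c09 1.00 DECLINED
2021-03-01T10:00:10Z 198.51.100.20 tok_c10 1.00 DECLINED
2021-03-01T10:05:01Z 192.0.2.21 tok_u01 49.99 APPROVED
2021-03-01T10:05:09Z 192.0.2.22 tok_u02 120.00 APPROVED
2021-03-01T10:05:14Z 192.0.2.23 tok_u03 23.50 APPROVED
2021-03-01T10:05:20Z 192.0.2.24 tok_u04 75.00 DECLINED
2021-03-01T10:05:31Z 192.0.2.25 tok_u05 15.00 APPROVED
2021-03-01T10:05:40Z 192.0.2.26 tok_u06 210.00 APPROVED
2021-03-01T10:05:47Z 192.0.2.27 tok_u07 33.00 APPROVED
2021-03-01T10:05:55Z 192.0.2.28 tok_u08 64.00 APPROVED
"""


@dataclass
class AuthAttempt:
    ts: datetime
    src_ip: str
    card_token: str  # opaque token for the card; never log the PAN itself
    amount: float
    result: str      # "APPROVED" or "DECLINED"


def parse_log(text: str) -> List[AuthAttempt]:
    """Parse the assumed whitespace-separated log layout."""
    attempts = []
    for line in text.strip().splitlines():
        ts, ip, token, amount, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        attempts.append(AuthAttempt(when, ip, token, float(amount), result))
    return attempts


def card_testing_alerts(attempts: List[AuthAttempt], window_s: int = 60,
                        min_attempts: int = 8, min_distinct_cards: int = 6,
                        min_decline_rate: float = 0.5, small_amount: float = 2.0,
                        min_small_share: float = 0.8) -> List[Dict]:
    """Bucket attempts into fixed windows and flag windows that combine
    many distinct cards, mostly tiny amounts and a high decline rate.

    No single signal is enough: many distinct cards from many IPs is what
    normal checkout traffic looks like too. The combination is the tell.
    """
    buckets = defaultdict(list)
    for a in attempts:
        buckets[int(a.ts.timestamp()) // window_s].append(a)

    alerts = []
    for _, group in sorted(buckets.items()):
        n = len(group)
        if n < min_attempts:
            continue
        distinct_cards = len({a.card_token for a in group})
        distinct_ips = len({a.src_ip for a in group})
        decline_rate = sum(a.result == "DECLINED" for a in group) / n
        small_share = sum(a.amount <= small_amount for a in group) / n
        if (distinct_cards >= min_distinct_cards
                and decline_rate >= min_decline_rate
                and small_share >= min_small_share):
            alerts.append({
                "window_start": min(a.ts for a in group).isoformat(),
                "attempts": n,
                "distinct_cards": distinct_cards,
                "distinct_ips": distinct_ips,
                "decline_rate": decline_rate,
                "small_amount_share": small_share,
            })
    return alerts


if __name__ == "__main__":
    for alert in card_testing_alerts(parse_log(SAMPLE_LOG)):
        print("card-testing burst:", alert)
```

Only the 10:00 window is flagged: the 10:05 traffic also comes from many cards and many IPs, but its amounts are normal and one decline in eight is far below the threshold. A real deployment would key the same statistics per merchant account or per checkout endpoint and feed the alert into whatever step-up or blocking control the merchant already has.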
Why Do Carders Use Bots to Conduct Carding Attacks?
Bots, which are programs designed to execute a set of instructions automatically, enable carders to significantly increase the speed and therefore the scale of a carding attack.
Without automation, the carder would have to manually enter the card number and each possible expiry date and security code combination in order to identify a valid card. Bots automate this process so the carder can test a large volume of cards and keep an attack running 24 hours a day.
Bots also enable the carder to rapidly change the IP address from which they are attacking, which makes it much more difficult for traditional anti-fraud technologies to identify and block an attack.
What Risks and Penalties Does a Merchant Face from Carding?
A carding attack not only affects the person whose card has been compromised; online merchants can also end up paying a heavy price when they are hit with one.
Retailers are responsible for keeping chargeback and card-not-present (CNP) fraud levels under control. Payment networks like Visa and Mastercard keep lowering the thresholds for chargebacks and CNP credit card fraud and hold merchants accountable with increasing fines and penalties. Payment processors can also block all of a merchant's transactions if carding attacks are not handled quickly, which results in lost revenue for the retailer.
Not only will the retailer have to contend with chargebacks and lost revenue, but also with potential damage to the brand’s reputation and customer loyalty, which can linger for years.
What is Card Cracking?
Cracking is a variation of carding where attackers use bot-driven automation to systematically test large volumes of possible gift card codes on a merchant site in order to identify valid combinations. The stolen gift cards are then resold on the dark web or used to purchase goods which are resold for cash.
Online gift card fraud is particularly attractive to cybercriminals as gift cards don’t have any names, addresses or zip codes associated with them, which means they can be used anonymously more easily than credit cards.
Additionally, many online merchants provide a specific webpage for gift card balance checking, which typically doesn’t have the same level of security protection as credit card checkout pages and can be easily abused by card cracking bots.
Carding Fraud is a Growing Threat
In the United States, the socio-economic impact created by Covid-19 has greatly increased online commerce and the use of e-gift cards. The Department of Commerce reported more than 30% year-over-year growth in US e-commerce from 2019 to 2020, and KPMG reported a 117% increase in the sale of gift cards and eVouchers during the same period. Based on preliminary research, this increased spending appears to be sustained in 2021. In addition, the latest projections see the worldwide gift card market reaching $440.7 billion by the end of 2027.
This huge growth in e-commerce has made online fraud increasingly attractive to organized criminal groups and carders. Fraud-related e-gift card losses alone were estimated at $950 million in 2020 based on intelligence from Mercator Advisory Group. Add this to the much larger volume of credit and debit card fraud and it amounts to substantial losses.
As the target grows, cybercriminals are stepping up their game. Security researchers are discovering more sophisticated bots that closely mirror human behavior, making them very difficult for traditional security technologies to detect.
Common Anti-fraud Tactics
While cybercriminals have become increasingly sophisticated with their attacks, many online retailers have not followed suit, continuing to rely on traditional or ineffective security tactics. Many sites attempt to block bot attacks simply by adopting CAPTCHA methods, but CAPTCHAs often frustrate real users and drive abandonment.
Another approach involves creating blocklists of known malicious bot operators and suspicious IP addresses and domains, but cybercriminals are savvy enough to elude detection by creating new domains and hostname combinations.
Some sites apply rate limiting: they cap the number of times an individual user can repeat an action on a webpage, such as checking a gift card balance, within a certain time frame. Unfortunately, rate limiting is often ineffective against hyper-distributed, bot-based attacks.
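The reason per-user rate limiting fails is the IP rotation described earlier: if every request arrives from a different address, a limit keyed on the source address never trips. The added example below, which is not code from the original article, simulates a gift card balance-check endpoint under three constructed request streams and compares a per-IP sliding-window limiter with an endpoint-wide velocity check that counts how many distinct gift card codes are being probed per minute regardless of source. The request streams, the limits and the alert threshold are all assumptions chosen for illustration.

```python
"""Per-IP rate limiting versus endpoint-wide velocity for a balance-check page.

Added example, not from the original article. The request streams are
constructed; the limits (5 per IP per minute, 50 distinct codes per
minute endpoint-wide) are illustrative assumptions, not recommended values.
"""
from collections import defaultdict, deque
from typing import Callable, List, NamedTuple


class Request(NamedTuple):
    t: float        # seconds since the start of the simulation
    src_ip: str
    code: str       # gift card code being checked (opaque placeholder here)


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_s` seconds for each key."""

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit = limit
        self.window_s = window_s
        self.events = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self.events[key]
        while q and now - q[0] >= self.window_s:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def count_blocked(requests: List[Request], key_of: Callable[[Request], str],
                  limit: int = 5, window_s: float = 60.0) -> int:
    """Run a stream through a limiter keyed by `key_of` and count rejections."""
    limiter = SlidingWindowLimiter(limit, window_s)
    return sum(not limiter.allow(key_of(r), r.t) for r in requests)


def distinct_code_velocity_alert(requests: List[Request], window_s: float = 60.0,
                                 max_distinct: int = 50) -> bool:
    """Endpoint-wide signal: too many different codes probed in one window,
    no matter how the requests are spread across source addresses."""
    per_window = defaultdict(set)
    for r in requests:
        per_window[int(r.t // window_s)].add(r.code)
    return max(len(codes) for codes in per_window.values()) > max_distinct


# Constructed streams (all within one 60-second window):
# 20 genuine customers, each checking their own card once from their own IP.
LEGIT = [Request(i * 3.0, f"192.0.2.{i + 1}", f"gc_legit_{i}") for i in range(20)]
# 240 guesses from a single address: the case per-IP limiting handles.
SINGLE_SOURCE = [Request(i * 0.25, "203.0.113.7", f"gc_guess_{i}") for i in range(240)]
# The same 240 guesses, each from a different address: the distributed case.
DISTRIBUTED = [Request(i * 0.25, f"198.51.100.{i + 1}", f"gc_guess_{i}") for i in range(240)]


def summary() -> dict:
    """Blocked counts and velocity alerts for each stream."""
    by_ip = lambda r: r.src_ip
    return {
        "legit_blocked_per_ip": count_blocked(LEGIT, by_ip),
        "single_source_blocked_per_ip": count_blocked(SINGLE_SOURCE, by_ip),
        "distributed_blocked_per_ip": count_blocked(DISTRIBUTED, by_ip),
        "legit_velocity_alert": distinct_code_velocity_alert(LEGIT),
        "single_source_velocity_alert": distinct_code_velocity_alert(SINGLE_SOURCE),
        "distributed_velocity_alert": distinct_code_velocity_alert(DISTRIBUTED),
    }


if __name__ == "__main__":
    for name, value in summary().items():
        print(f"{name}: {value}")
```

The per-IP limiter rejects 235 of the 240 single-source requests but none of the 240 distributed ones, which look to it like 240 separate users each making one request. The velocity check fires on both attack streams and stays quiet on the genuine traffic. The trade-off is that an endpoint-wide threshold cannot by itself say which request to block; it tells you the page is under attack and is the trigger for a step-up check, a temporary challenge, or a closer look at the traffic rather than a replacement for per-user limits.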
Other merchants invoke a fraud solution for every credit card or gift card transaction, which can become cost-prohibitive. Credit card fraud checks also add latency to the transaction, severely slowing the checkout experience and leading to cart abandonment from legitimate users.
Most of these tactics are not bad additions to a comprehensive anti-fraud strategy. But relying on them exclusively to stop increasingly sophisticated attacks is proving ineffective.