Cybercriminals don’t have to look far for stolen credit card numbers. These are available in excess on the dark web, and they’re very cheap. However, unfortunately for cybercriminals, most of the stolen credit cards are invalidated quickly. According to ACI Worldwide, 46% of Americans have had their card information compromised at some point in the past 5 years, but a large portion of the card owners are notified about it and quickly cancel the card.
Enter criminal carders. The masterminds behind carding attacks, carders use bots to test small purchases with stolen card numbers on e-commerce sites. If the purchase goes through, the card is validated and can be resold for a higher price (sometimes up to $45) on the dark web. Validated cards can be used to purchase electronics or gift cards, which are also resold for profit. Carding allows cybercriminals to mass verify millions of stolen credit cards and generate a list of valid credit cards in no time.
Carding attacks have increased 134% YoY and cost businesses nearly $10 billion each year. It is estimated that fraudsters already have the information they need to make a purchase from more than 80% of the credit cards in existence. Retailers typically see spikes in the days leading up to major sales events — Black Friday/Cyber Monday, Amazon Prime Day, hot sneaker drops or NFT releases — likely because fraudsters try to validate cards in advance so they are ready for use during big shopping days.
Business Impact of Carding
Retailers and payment processors carry the risk of fraudulent credit card transaction, with retailers responsible for the majority of fraud losses.
When retailers ship products paid for with stolen cards, they owe their suppliers for said products and are required to reimburse the credit card company, which in turn reimburses the owner of the stolen card. Payment networks such as Visa and Mastercard typically charge online merchants upwards of $20 per chargeback, and can block all transactions if carding attacks are not handled quickly, which can result in lost retail revenue.
According to LexisNexis, every dollar in fraud costs merchants an estimated $3.60 due to chargebacks, processing fees and replacement of lost merchandise. Frustrated customers demand resources from customer support and fraud teams for recovery and remediation, not to mention any external transaction verification services required. And customers carry forward a negative brand association when they must cancel a stolen card that was used fraudulently on your site.
Technology has gotten a lot better at detecting fraud, but it's still a cat and mouse game against automated bots validating stolen cards, Fraud solutions can become really expensive for high-volume attacks and can also increase checkout times for legitimate transactions.
How to Protect Your E-commerce Brand
HUMAN Transaction Abuse Defense uses machine learning, behavioral profiles, and real-time sensor data to accurately identify sophisticated bot attacks on your checkout flow. The solution executes a range of mitigation actions, including hard blocks, honeypots, misdirection, and serving deceptive content.
Protecting against carding attacks is one thing, but HUMAN does it without adding unnecessary friction—an important quality for e-commerce brands. Traditional bot-blocking tools like CAPTCHAs interrupt the buyer journey, frustrate human customers, and drive abandonment. HUMAN leverages its proprietary user-friendly verification tool, called Human Challenge, to weed out bad bots without annoying customers. According to one e-commerce retailer, “[HUMAN] makes sure bots get all the friction without touching the customer experience.”
Powered by a modern defense strategy, HUMAN is purpose built to stop online fraud while disrupting the economics of cybercrime. HUMAN Transaction Abuse Defense uses computational challenges and advanced mitigation techniques to raise the cost for bad actors, deter future attacks, and reduce the cost of collective defense
