Carding: what it is and how to prevent it

Carding is a type of cybercrime in which criminals, known as “carders,” acquire stolen credit card numbers and use bots to verify which are valid. This type of attack, also known as credit card stuffing, falls under the larger category of automated transaction abuse. The stolen information used in carding attacks may include the cardholder’s name, credit or debit card number, expiration date, CVV code, zip code and birthday. Validated stolen cards are used to purchase goods or resold on the dark web.

The carder authenticates card numbers en masse by deploying a bot network to attempt small purchases on multiple online payment sites. The bots will plug in different combinations of credit card numbers, expiration dates, and CVV codes until a transaction goes through. Once the card information is authenticated, the carder can either purchase gift cards online, clone a physical card, or resell them on the dark web for a quick profit.

Bots can attempt thousands of transactions in a short period of time to identify valid combinations at scale. For example, if the carder has a card number and expiration date, but not the 3-digit CVV code, a bot can very quickly attempt transactions using all 999 possible codes until the correct one is identified.

The typical steps in a carding attack are:

1. The carder acquires a list of credit card numbers, often through phishing scams, site compromise, or by purchasing lists of stolen numbers on the dark web.
2. Carders then use bots to test lists of stolen credit or debit card information with small-value online purchases to verify the account information is valid and has not been reported stolen. This process can take thousands of attempts before it yields a valid credit card, but given that bots do this much faster than a human can, this validation process is usually pretty quick.
3. The criminals then compile a list of the valid card information, which they use to directly retrieve funds from associated accounts, purchase gift cards, purchase high-value goods, or sell the validated list to other criminals for exploitation.

Bots, which are programs designed to execute a set of instructions automatically, enable carders to significantly increase the speed and therefore the scale of a carding attack. Without automation, the carder would have to manually enter the card number and each possible expiry date and security code combination in order to identify a valid card. Bots automate this process so the carder can test a large volume of cards and keep an attack running 24 hours a day.

Bots also enable the carder to rapidly change the IP address from which they are attacking, which makes it much more difficult for traditional anti-fraud technologies to identify and block an attack.

A carding attack not only impacts the person whose card has been compromised. When online merchants are hit with a carding attack, they often pay a heavy price as well.

Retailers are responsible for keeping the chargeback and payment card-not-present (CNP) levels under control. Payment networks like Visa and Mastercard keep lowering the thresholds for chargeback and CNP credit card fraud and hold merchants accountable with increasing fines and penalties. And payment processors can block all transactions if carding attacks are not handled quickly, which can result in lost revenue to the retailer.

Not only will the retailer have to contend with chargebacks and lost revenue, but also the potential for damage done to the brand’s reputation and customer loyalty which can linger for years.

Gift card cracking is a variation of carding where attackers use bots to systematically test large volumes of possible gift card codes on a merchant site in order to identify valid combinations. The stolen gift cards are then resold on the dark web or used to purchase goods, which are then resold for cash.

Online gift card fraud is particularly attractive to cybercriminals because gift cards don’t have any names, addresses or zip codes associated with them, which means they can be used anonymously more easily than credit cards.

Additionally, many online merchants provide a specific webpage for gift card balance checking. These typically don’t have the same level of security protection as do credit card pages, so they can be easily abused by card cracking bots.

E-commerce and the use of e-gift cards is growing.  According to KBV Research, the global digital gift card market is expected to reach $724.3 billion by 2028. This huge growth in e-commerce has made online fraud increasingly attractive to organized criminal groups and carders. The Federal Trade Commission reported $148 million in fraud-related gift card losses in the first nine months of 2021 alone. Add this to the much larger volume of credit and debit card fraud and it amounts to substantial losses.

With the increase in the size of the target, cybercriminals are stepping up their game. Security researchers are discovering more sophisticated bots that are capable of closely mirroring human behavior, making them very difficult for traditional security technologies to detect.

While cybercriminals have become increasingly sophisticated with their attacks, many online retailers have not followed suit, continuing to rely on traditional or ineffective security tactics. Many sites attempt to block bot attacks simply by adopting CAPTCHA methods, but CAPTCHAs often frustrate real users and drive abandonment.

Another approach involves creating blocklists of known malicious bot operators and suspicious IP addresses and domains, but cybercriminals are savvy enough to elude detection by creating new domains and hostname combinations.

Some sites attempt to limit the number of times an individual user can repeat an action on a webpage, such as checking a gift card balance within a certain time frame. This is known as rate limiting. Unfortunately, rate limiting is often ineffective against hyper-distributed, bot-based attacks.

Other merchants invoke a fraud solution for every credit card or gift card transaction, which can become cost-prohibitive. Credit card fraud checks also add latency to the transaction, severely slowing the checkout experience and leading to cart abandonment from legitimate users.

Most of these tactics are not bad additions to a comprehensive anti-fraud strategy. But relying on them exclusively to stop increasingly sophisticated attacks is proving ineffective.

HUMAN Transaction Abuse Defense is a behavior-based bot management solution that protects your websites, mobile applications and APIs from automated attacks. The solution uses more than 350 advanced machine learning algorithms, behavioral analysis, and predictive methods to detect and mitigate automated carding attacks with exceptional accuracy.

Transaction Abuse Defense operates asynchronously to mitigate bad bots at the edge, ensuring low latency and optimizing infrastructure costs. If required, the solution serves Human Challenge, a user-friendly verification feature that protects against CAPTCHA-solving bots while maintaining a positive user experience. By stopping bad bots without adding friction, Transaction Abuse Defense reduces risk, protects revenue and reputation, and drives operational efficiency.

What is a brute force attack? | Definitions, types, & prevention

What is a bot? | 5 common bot attacks | Detection & management options

What does CAPTCHA mean? | How CAPTCHAs work

E-commerce security: cyber threat protection for your business and customers

What is bot mitigation? | 4 types of bots & botnets | How to stop bots