All about Carding

 

What is Carding?


Carding, also called card testing or credit card stuffing, is a type of cybercrime in which criminals known as "carders" obtain stolen credit card numbers, confirm that they are still valid, and then use them to make purchases or sell them to other criminals for profit.

The name of the account holder, credit card number, expiration date, CVV code, zip code, and birthdate could all be among the stolen data.

To verify each account, the carder then uses a network of bots to attempt small purchases on many online payment pages, cycling through card numbers, expiration dates, and CVV codes. Because the bots can attempt a large number of transactions in a short time, working combinations are found quickly.

How Do Carding Attacks Work?

A carding attack typically proceeds in three steps:

The carder acquires a list of credit card numbers, either through phishing scams, by hacking websites, or by buying lists of stolen data on the dark web.
The carder then uses bots to make small-value online purchases with the stolen credit or debit card details to confirm that each record is accurate and has not already been reported stolen. Because bots complete this task far faster than humans, validation is usually quick even though it can take thousands of attempts to find one valid card.
Once they have a list of valid cards, the thieves use it to withdraw money from the associated accounts, buy gift cards, or buy expensive goods.
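The validation step above leaves a recognizable trace in a merchant's authorization logs: one source submitting many small-value authorizations against many distinct card numbers, most of them declined, within a short window. The following detector is an added example, not code from the original article; the log format, IP addresses and masked card numbers are constructed for illustration, and the thresholds are starting points rather than industry figures.

```python
"""Card-testing detector over constructed authorization-log lines.

Added example (not from the original article). It looks for the pattern the
steps above describe: one source submitting many small-value authorizations
with many distinct card numbers and a high decline ratio in a short window.
The log format, IPs and masked card numbers below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log: timestamp, source IP, masked PAN, amount, result.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 411111******1111 1.00 DECLINED
2024-05-01T10:00:04Z 203.0.113.7 411111******2222 1.00 DECLINED
2024-05-01T10:00:06Z 203.0.113.7 522222******3333 1.00 APPROVED
2024-05-01T10:00:09Z 203.0.113.7 522222******4444 1.00 DECLINED
2024-05-01T10:00:12Z 203.0.113.7 411111******5555 1.00 DECLINED
2024-05-01T10:00:15Z 203.0.113.7 378282******6666 1.00 APPROVED
2024-05-01T10:02:30Z 198.51.100.20 411111******7777 59.99 APPROVED
2024-05-01T10:03:10Z 198.51.100.21 522222******8888 120.00 DECLINED
2024-05-01T10:03:40Z 198.51.100.21 522222******8888 120.00 APPROVED
"""


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    source: str        # client IP here; a session or device fingerprint works too
    pan: str           # masked primary account number
    amount: float
    approved: bool


def parse_line(line: str) -> AuthEvent:
    """Parse one constructed log line into an AuthEvent."""
    ts, source, pan, amount, result = line.split()
    return AuthEvent(
        ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        source=source,
        pan=pan,
        amount=float(amount),
        approved=(result == "APPROVED"),
    )


def find_card_testing(lines, window=timedelta(seconds=60), min_attempts=5,
                      min_distinct_pans=4, max_amount=5.0, min_decline_ratio=0.5):
    """Return {source: stats} for sources whose activity matches card testing.

    For each source, slide a time window over its authorizations and flag it if
    any window contains at least `min_attempts` small-value attempts spread
    over at least `min_distinct_pans` distinct cards with a decline ratio of at
    least `min_decline_ratio`.  The largest matching window is reported.
    """
    by_source = defaultdict(list)
    for line in lines:
        line = line.strip()
        if line:
            ev = parse_line(line)
            by_source[ev.source].append(ev)

    flagged = {}
    for source, events in by_source.items():
        events.sort(key=lambda e: e.ts)
        best = None
        start = 0
        for end in range(len(events)):
            # Advance the window start so the span never exceeds `window`.
            while events[end].ts - events[start].ts > window:
                start += 1
            small = [e for e in events[start:end + 1] if e.amount <= max_amount]
            if len(small) < min_attempts:
                continue
            distinct = {e.pan for e in small}
            declines = sum(1 for e in small if not e.approved)
            ratio = declines / len(small)
            if len(distinct) >= min_distinct_pans and ratio >= min_decline_ratio:
                stats = {"attempts": len(small), "distinct_pans": len(distinct),
                         "decline_ratio": round(ratio, 2)}
                if best is None or stats["attempts"] > best["attempts"]:
                    best = stats
        if best:
            flagged[source] = best
    return flagged


if __name__ == "__main__":
    for src, stats in find_card_testing(SAMPLE_LOG.splitlines()).items():
        print(f"card testing suspected from {src}: {stats}")
```

On the constructed log, only 203.0.113.7 is flagged: six $1.00 authorizations against six different cards in 14 seconds, four of them declined. The two legitimate shoppers never reach the attempt threshold. Keying on IP alone is a known weakness, since a botnet spreads its attempts across many addresses; the same function works unchanged if the source column carries a session ID or device fingerprint instead.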

What Risks and Penalties Does a Merchant Face from Carding?

A carding attack harms not only the cardholder whose card was stolen but also the online retailer. Merchants must keep their chargeback rates and card-not-present (CNP) fraud rates within limits set by the payment networks; Visa and Mastercard keep lowering those thresholds while raising the fines and penalties for exceeding them. If carding attacks are not addressed quickly, the payment processor may also begin declining all of the store's transactions, costing it further sales. Beyond chargebacks and lost sales, the store risks long-lasting damage to its brand reputation and customer loyalty.

What is Card Cracking?

Card cracking is a form of carding in which attackers use automated bots to test a huge number of candidate gift card codes against a retailer's website until they find codes that are valid and still carry a balance. The cracked gift cards are then used to buy goods that are resold for cash on the black market.

Online gift card fraud attracts cybercriminals because gift cards are easier to use anonymously than credit cards: they carry no name, address, or zip code.


Additionally, many online retailers offer a dedicated page for checking a gift card's balance. That page is often less protected than the credit card checkout pages, which makes it an attractive target for card-cracking bots.

Carding Fraud is a Growing Threat

The enormous growth of e-commerce has made online fraud increasingly attractive to organized criminal groups and carders. According to Mercator Advisory Group, fraud-related e-gift card losses alone were projected to total $950 million in 2020; add the far more common credit and debit card fraud, and the losses are huge.

As the target has grown, cybercriminals have refined their tactics. Security researchers are finding more advanced bots that closely mimic human behavior, which makes them very hard for conventional security tools to identify.

Common Anti-fraud Tactics

As cybercriminals have become more adept, many online stores have not kept pace and still rely on outdated or inadequate defenses. Many websites try to stop bot attacks with CAPTCHAs, but CAPTCHAs frequently annoy real visitors and drive them away.

Another approach is to build blocklists of known malicious bot operators and suspicious IP addresses and domains, but attackers evade such lists simply by rotating to new domain and hostname combinations.


Some websites limit how many times a single user can perform an operation on a page, such as checking a gift card's balance, within a set period. This is called rate limiting. Unfortunately, rate limits keyed on a single client or IP address are often ineffective against highly distributed bot attacks, in which each bot stays under the limit.
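The limitation described above can be shown directly. The code below is an added example, not part of the original article; it contrasts a per-IP sliding-window limit on a gift-card balance-check endpoint, which a botnet defeats by spreading requests over many addresses, with an endpoint-wide breaker on invalid-code lookups, which trips no matter how many IPs the attacker uses. The gift-card codes, IP addresses and the balance lookup are constructed stand-ins, and the limits are illustrative rather than recommended values.

```python
"""Rate limiting for a gift-card balance-check endpoint.

Added example (not from the original article).  It contrasts a per-IP sliding
window limit, which a distributed botnet defeats by spreading requests over
many addresses, with an endpoint-wide breaker on invalid-code lookups, which
trips regardless of how many IPs the attacker uses.  The gift-card codes,
IP addresses and balance lookup below are constructed stand-ins.
"""
from collections import defaultdict, deque

# Constructed stand-in for the retailer's gift-card store.
VALID_CODES = {"GC-7F3A-91Q2": 25.00}


def lookup_balance(code):
    """Return the balance for a valid code, or None if the code is unknown."""
    return VALID_CODES.get(code)


class SlidingWindowCounter:
    """Counts timestamped events per key within the last `window_s` seconds."""

    def __init__(self, window_s):
        self.window_s = window_s
        self.events = defaultdict(deque)

    def count(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window_s:   # drop events outside the window
            q.popleft()
        return len(q)

    def record(self, key, now):
        self.events[key].append(now)


class BalanceCheckGuard:
    """Per-IP rate limit plus an endpoint-wide breaker on failed lookups."""

    def __init__(self, per_ip_limit=5, global_failure_limit=50, window_s=60):
        self.per_ip_limit = per_ip_limit
        self.global_failure_limit = global_failure_limit
        self.per_ip = SlidingWindowCounter(window_s)
        self.failures = SlidingWindowCounter(window_s)

    def check(self, client_ip, code, now):
        """Return (outcome, balance).  Outcomes: OK, INVALID, RATE_LIMITED, CHALLENGE."""
        if self.per_ip.count(client_ip, now) >= self.per_ip_limit:
            return "RATE_LIMITED", None
        self.per_ip.record(client_ip, now)
        # Too many invalid codes across *all* clients: step up (e.g. a CAPTCHA
        # or a login requirement) instead of answering the lookup.
        if self.failures.count("endpoint", now) >= self.global_failure_limit:
            return "CHALLENGE", None
        balance = lookup_balance(code)
        if balance is None:
            self.failures.record("endpoint", now)
            return "INVALID", None
        return "OK", balance


def simulate(guard, requests):
    """Feed (time, ip, code) requests through the guard; return outcome counts."""
    counts = defaultdict(int)
    for now, ip, code in requests:
        outcome, _ = guard.check(ip, code, now)
        counts[outcome] += 1
    return dict(counts)


def single_source_attack(n=20):
    """One bot guessing n codes from a single IP, two per second (constructed)."""
    return [(i * 0.5, "203.0.113.7", f"GC-{i:04d}-0000") for i in range(n)]


def distributed_attack(n=200):
    """n bots, each guessing one code from its own IP (constructed)."""
    return [(i * 0.1, f"198.51.100.{i}", f"GC-{i:04d}-0000") for i in range(n)]


if __name__ == "__main__":
    print("single source:", simulate(BalanceCheckGuard(), single_source_attack()))
    print("distributed, per-IP limit only:",
          simulate(BalanceCheckGuard(global_failure_limit=10**9), distributed_attack()))
    print("distributed, with breaker:", simulate(BalanceCheckGuard(), distributed_attack()))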
Other businesses run fraud-prevention checks on every credit card or gift card transaction, which can become expensive. These checks also add latency to each transaction, slowing checkout and encouraging legitimate users to abandon their carts.

None of these measures is a bad addition to a comprehensive anti-fraud plan, but relying on them alone to stop increasingly sophisticated attacks has proven unsuccessful.




