Being able to purchase items online has revolutionized shopping. Instead of a retail environment dealing in physical cash and physical stores, the online shopping environment utilizes credit cards and virtual stores.
Unfortunately, this change has also opened up new opportunities for cybercriminals.
In a world where users can seamlessly pay for items simply by entering credit card details on a website, fraudsters have a new way to potentially purchase goods or simply remove cash from accounts and send it elsewhere.
One of the ways this can happen is through a so-called carding attack.
Also referred to as credit card stuffing or card verification attacks, carding describes a process in which high-speed bots sort through a list of stolen credit card details to determine which ones can be used for making purchases.
Stolen Credit Card Details
These stolen details may be gleaned from a variety of sources, ranging from compromised websites to phishing attempts to large collections of compromised credentials found on criminal forums online.
Once they have their list of potential credit card details, the initiator of the carding attack uses bots to attempt to carry out small purchases or make donations on various payment sites that are not adequately protected.
While such a process would be incredibly laborious (if not impossible) for a human having to manually attempt these purchases, bots can very quickly carry out credit card validation thousands of times in order to discover validated details for a functioning credit card.
Should the bot-driven transaction not be completed, the card is added to a list of invalid cards. If it is completed, it is added to another list, and the details may then be sold on or used directly by the attacker to make purchases such as gift cards or other items.
Card details might be declined either because the information was wrong to begin with or, in many cases, because a card owner has been alerted about possible fraud and canceled their card.
Stolen cards may only be valid for a short amount of time, which is why this validation process must take place. The goal is to carry out the carding fraud without the rightful cardholder being aware of what is happening before it’s too late.
It’s the Retailers Who Lose Out in the End
A cardholder who has their credit card details stolen and used to make unauthorized purchases may feel justifiably angry and concerned about what has transpired.
However, the owner of the credit card used for a carding attack may not be the ultimate victim, but rather the online retailer.
A retailer who ships a physical or virtual product paid for with a stolen card must still pay their supplier for the goods or services in question.
But they must also pay back the credit card company (called a “chargeback”) so that it can return the money to the owner of the card that has been stolen. In essence, they lose out twice on a purchase.
Protecting against carding attacks is therefore incredibly important. The signs of a carding attack in progress can be obvious if you know what to look for.
They will likely include multiple failed payment authorization attempts from the same user, device, or IP address.
There will also likely be an unusually small shopping cart size during the validation step, alongside an unusually large shopping cart abandonment rate.
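The first two signals above can be checked directly against payment authorization logs. The following is an added example, not code from the original article: the event layout, the sample rows, and the thresholds (window length, decline count, small-cart limit) are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)   # assumed look-back window
MAX_DECLINES = 3                # assumed: declines per key inside WINDOW
SMALL_CART = 5.00               # assumed: "unusually small" cart, in USD

# Constructed sample events: (time, ip, device, cart_total_usd, outcome)
EVENTS = [
    ("2024-05-01T10:00:00", "203.0.113.7", "dev-a", 1.00, "declined"),
    ("2024-05-01T10:00:20", "203.0.113.7", "dev-a", 1.00, "declined"),
    ("2024-05-01T10:00:41", "203.0.113.7", "dev-b", 1.00, "declined"),
    ("2024-05-01T10:01:02", "203.0.113.7", "dev-b", 1.00, "approved"),
    ("2024-05-01T10:02:00", "198.51.100.4", "dev-c", 84.50, "declined"),
    ("2024-05-01T10:09:00", "198.51.100.4", "dev-c", 84.50, "approved"),
    ("2024-05-01T10:10:00", "192.0.2.9", "dev-d", 2.00, "declined"),
    ("2024-05-01T10:30:00", "192.0.2.9", "dev-d", 2.00, "declined"),
    ("2024-05-01T11:00:00", "192.0.2.9", "dev-d", 2.00, "declined"),
]

def suspicious_sources(events, field):
    """Return the IPs (field=1) or devices (field=2) showing the pattern:
    at least MAX_DECLINES declined small-cart attempts inside one WINDOW."""
    recent = defaultdict(deque)   # key -> timestamps of recent small declines
    flagged = set()
    for row in sorted(events):    # ISO timestamps sort chronologically
        ts = datetime.fromisoformat(row[0])
        key, total, outcome = row[field], row[3], row[4]
        if outcome != "declined" or total > SMALL_CART:
            continue              # ordinary declines on normal carts are ignored
        q = recent[key]
        q.append(ts)
        while ts - q[0] > WINDOW:  # drop declines older than the window
            q.popleft()
        if len(q) >= MAX_DECLINES:
            flagged.add(key)
    return flagged

if __name__ == "__main__":
    print("IPs:", suspicious_sources(EVENTS, 1))
    print("devices:", suspicious_sources(EVENTS, 2))
```

In the sample data the burst is flagged when grouped by IP address but not when grouped by device, because the device identifier changes mid-run; grouping on more than one attribute covers that case.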
Protecting Against Carding
Of course, most retailers aren’t manually observing the details of every attempted payment made on their platform. As a result, you should take proactive steps to stop such an attack from taking place to begin with.
Requiring multi-factor authenticated user logins to access a payments page, instituting a minimum payment amount (carding events may involve sums as small as $1), requesting CVV information (the credit card security code on the back of a card), and the introduction of measures such as CAPTCHA systems will all help raise the barrier to entry for payments. This, in turn, can stop many carding bots in their tracks.
To go one step further, using expert cybersecurity tools like device fingerprinting and browser validation, or utilizing machine learning-based behavioral analytics to spot bots, can be extremely effective.
This is perhaps the best, most comprehensive means of cracking down on carding incidents.
Balancing Security With Ease
One of the big challenges for an online retailer is to balance ease of use with security and safety. The frictionless ease of payments is, after all, a big reason why online retail took off to begin with.
Measures like CAPTCHAs are a particularly disruptive form of a progressive challenge that necessarily slows down the customer journey.
Retailers in a competitive selling environment might be tempted to simplify the payment checkout process as much as they can, to make it easier for customers to spend their money.
However, you should make sure that this is balanced with an awareness of security issues around fraudulent behavior such as carding.
When it comes to safeguarding against bad actors, both your customers and the overall success of your business will thank you for taking the right precautions. That’s a win-win for all involved.