As eCommerce stores revel in a thriving digital market, cyber-criminal activity is on the rise.
Unfortunately for online retailers, more and more amateur fraudsters are taking this opportunity to enlist into specific “carding” sites that sell consumers’ details. These individuals and groups are now freely able to enrol in comprehensive classes and undertake modules, learning tips on who are the easiest issuers and banks to defraud, including studying how to commit large-scale credit card fraud online.
Those affected will undoubtedly include UK consumers who have been entangled in some of the major data breaches that have befallen several major companies.
Carding fraud causes numerous problems for retailers such as chargebacks, loss of products and damage to a merchant's reputation. Notably, US retailer Target reported that a breach in 2014 resulted in “a 46% decrease in profits”.
Here we examine several carding techniques that includes the rise of automated bot attacks across eCommerce services, specifically over web and mobile applications that accept online payment transactions.
What is Carding Fraud?
Carding is the fundamental process fraudsters use to determine whether stolen card numbers are still active and yet to be reported lost or stolen. When that information is acquired, they test whether a stolen card number can be used, and once successful will frequently visit donation or eCommerce websites to quickly commence multiple transactions.
This method is used to test an infinite number of stolen cards.
Below are several potential signs that an eCommerce store has been targeted for carding attacks by Automated Bots.
- Inordinately high shopping cart abandonment rates
- Low average shopping cart size
- An unusually high proportion of failed payment authorisations
- Disproportionate use of the payment step in the shopping cart
- Increased chargebacks
- Multiple failed payment authorisations from the same user, IP address, user agent, session, device ID or fingerprint.
What is a Carding Forum?
A carding forum is an illegal website where criminals can buy and sell stolen credit card numbers. They also share methods for stealing financial details and may be able to test stolen card information on these forums.
Carding forums are often hidden on the dark web, which is a portion of the internet that can't be reached with normal web browsers and isn't indexed by search engines.
Attack Example: Carding Gift Cards
In 2017, an estimated 1000 eCommerce stores fell victim to a malicious bot named GiftGhostBot, designed by cyber-criminals in order to hack gift card balances.
Criminals used this bot to sift through possible gift card account numbers, and automatically request the balance account of each card number. When a card balance was identified, instead of the usual error or zero, this meant the gift card number had real tender associated with it. Once those gift cards numbers were flagged as validated, they were used to make purchases.
This is referred to as a card cracking or a token cracking attack. For a cyber-criminal, the allure of stealing money from gift cards is that it’s typically anonymous and untraceable once stolen.
Examples of Automated Carding Bots
Canary Bots - Exploit top eCommerce platforms, which could potentially have a significant impact on thousands of websites if they’re not promptly blocked.
Shortcut Bots - Exploit the card payment vendor APIs used by a website or mobile app and bypass the eCommerce website entirely.
How to Detect & Prevent Carding Attacks
The best approach to proactively detecting and preventing carding is to integrate a multi-part payment review process. Each layer places another obstacle in front of any potential carding activity and helps protect your online store from being targeted. The layers of this system work together to detect and prevent carding by comparing data and slowing down the fraudster's activities.
1. To CAPTCHA a Criminal
Implementing progressive challenges like a CAPTCHA puzzle is slowly becoming more commonplace. The main function of a CAPTCHA is to prevent payment attempts from being sent by an automated script, hence why human input is required to solve the CAPTCHA.
By forcing fraudsters to perform carding activity manually, you subsequently make your online store a less appealing target for carding activity.
It's important to know that implementing a Captcha validation to your checkout process will have a negative impact on conversion rates because it disrupts user checkout flow. Hence why CAPTCHA largely hasn’t been a common element of an online store checkout.
2. Address Verification System (AVS)
The Address Verification System compares the billing addresses inputted at checkout to the address the credit card company has on file for the customer. The results of this comparison are then immediately sent to you.
Common AVS responses:
- Y (full match)
- A (only address match)
- Z (ZIP/Post code match only)
- N (no match)
If correctly set-up, a payment gateway can halt transactions with a response of N if the card has been reported lost or stolen. Regarding other variations, fraud filters can be used to validate this collected data and decide to accept or reject transactions at your discretion.
Note - AVS is active in the United States, Canada, and the United Kingdom. Cards issued from countries without AVS support may return these responses:
U (AVS unsupported)
S (AVS unavailable)
G (global card)
Since AVS is not available in every country, you should reinforce security with other means of fraud detection.
3. IP Geolocation Checks
An IP geolocation check will compare the user's IP address with the billing address they entered on the checkout page. If the locations don't match, the user is unlikely to be purchasing from the same address as the owner of the credit card then it possibly indicates a fraudulent transaction.
Although, a failed IP geolocation check doesn't always signal a fraudulent transaction. Find out if the user is accessing your website through a proxy IP address, a technique to make internet users appear from a false location. It's no secret that some fraudsters use proxies to cover their tracks, but proxies are also commonly used by people who desire additional privacy.
It's also possible that the user placed their order while traveling, therefore causing their IP address to differ from their billing information, but never assume this is the case. An IP geolocation mismatch always warrants a closer look, and it’s possible to discover other red flags.
4. Bank Identification Numbers Comparison
The BIN provides information regarding the type of credit card and the name and location of the issuing bank. It appears as the first six digits of every credit and debit card number. Since the BIN identifies the type of card (Visa, MasterCard, American Express, or Discover) and the bank that issued it, you can identify cards that all come from the same source.
This information is crucial in detecting carding attempts. Normally, you should only infrequently see card numbers with the same BIN — perhaps two a month. If you suddenly receive several transactions within a day or two all involving the same BIN, this is a sign that your online store is being targeted for a carding attempt using a large number of card numbers purchased online and/or originating from a data breach. Tracking BINs can help you spot this type of activity.
5. Velocity Checks
Velocity refers to the number or speed of transactions attempted within a certain time period, for example, several payments from the same visitor made within seconds or minutes of each other. It's highly unusual for a user to make multiple payments in quick succession, especially if the transactions are suspiciously close together that it would be difficult for a human to execute them.
Configure a maximum number of checkout attempts per user to prevent any further attempts after your designated limit is reached. This is a powerful weapon against carding as it prevents large numbers of successive transactions, a prime carding tactic.
A method of taking credit card payments in which the card is first authorised for a purchase, with the funds to be captured later. It's mainly used for situations like authorising a customer's card for payment up to a certain amount, while the exact amount of the charge has yet to be determined. Once the vendor reaches the exact payment amount, the funds are captured from the customer's card up to, but not exceeding, the authorisation amount.
If you enact this method on your online store, you can take the time to review the transactions during the authorisation period. If you believe you're being targeted by carding, don't capture the funds. If you've already captured them, it's highly recommended to quickly issue a refund instead of waiting for a chargeback from the customer which may lead to loss of the seller’s account and an imposition of trading restrictions.
...or ‘3 Domain Secure’, implements technology to shift the burden of fraud prevention away from the merchant and to the payment provider. A customer's transactions and identity are verified through a system that utilises a vast amount of information to determine whether a payment is fraudulent or valid, while keeping the customer's checkout experience as frictionless as possible.
3D-Secure operates in the background, transferring data between an online merchant and the customer's credit card provider. The transferred data covers multiple aspects of the consumer’s shopping history that can help verify their identity, such as the device they're purchasing goods with, along with their spending patterns. The more data transferred, the safer the identification, resulting in decreased fraud activity and less false-positives.
The solution is presented specifically for the card used, and it could be presented as Verified By Visa, Mastercard SecureCode or American Express SafeKey.
What is Card-not-present or 'Remote Fraud'?
In 2018, "Card-not-present" fraud (also known as remote fraud) which encompasses debit, credit and other types of payment cards, roughly cost $27.85 billion in worldwide losses, according to The Nilson Report.
That figure is projected to rise to $40.63 billion in 2023.
Additional Security Layers Against Carding Attacks
For eCommerce: Device Fingerprinting is a process that can help identify browser and device parameters that remain the same between sessions, indicating the same entity is connecting repeatedly.
The fingerprinting technologies are able to create a unique device, browser and cookie identifier, which, if shared by multiple logins, raises the suspicion that all those logins are part of a fraud attempt.
For consumers: Urge your consumers to sign up for credit card notifications. The majority of credit card suppliers offer customised alerts that can help sites flag fraudulent charges. For example, enable text message alerts each time a card has been used, a foreign transaction is made, or your balance has crossed a certain threshold.
It’s possible to catch a fraudulent charge as soon as the carder tries to test your credit card number. After reporting the fraud to your card issuer, it will cancel the transaction and give you a new card with a new account number.