Understanding Carding: A Comprehensive Guide for Online Store Owners

Carding is a type of credit card fraud that happens when a carder (or credit card thief) uses a stolen card to purchase branded gift cards, buy high-value goods, or charge a prepaid card. It is also called credit card stuffing. Unlike traditional credit card theft, carding doesn’t always require stealing the physical card—just the digital details. In many cases, attackers only need stolen card information obtained through data breaches or sold on the dark web.

Sadly, the US is a major target for carding since it doesn’t employ chip and PIN technology similar to what other countries use to safeguard debit and credit cardholders. In fact, between 2020 and 2021, card fraud increased by over 10% worldwide, with US merchants and card owners alone losing $12 billion. It is expected to cause losses of over $362 billion to global merchants between 2023 and 2028.

In this article, you’ll learn about how carding fraud attacks work, the top carding attack techniques used today, and the measures to take to combat it.

Let’s get started.

How a carding attack works

To understand how carding works, let’s look at how attackers execute a typical carding operation. A carding attack is a major e-commerce security threat usually executed online through a merchant’s payment processor. A cybercriminal will hack into the merchant’s online credit card processor and get a list of all debit and credit cards most recently used. Some carders also take advantage of data breaches at major retailers or payment processors to obtain large volumes of stolen card information. Others simply purchase stolen data from a carding shop, where thousands of compromised cards are traded daily.

That’s not to say that’s the only way they can gain access to stolen credit card information (we’ll discuss these other strategies in the next section). Suffice it to say that however they retrieve the credit card data, they use a bot—software made for performing automated tasks over the internet—to determine if the credit card details are valid, often through brute force attacks that test large volumes of stolen card data. 

Once a card is proven to be valid, it is used for even more illegal activities. For example, it can be used to buy store-branded gift cards or prepaid cards, which are then used for reselling or cash withdrawal. These unscrupulous individuals can even choose to sell these prepaid gift cards themselves or use them to make fraudulent purchases that are harder to trace. This carding guide will also explain how criminals obtain stolen credit or a debit card information and use it for profit.

Some carders go as far as selling all the verified card details to criminal rings on carding forums and other criminal markets. In fact, in 2022, credit card data on the dark web skyrocketed by a whopping 135%. Besides credit card information, these forums often feature a wide range of other valuable digital assets for sale, many of which can be used for identity theft. Fraudsters may also trade compromised accounts from various services such as PayPal, Uber, and Netflix. Additionally, they frequently deal in stolen loyalty card points, which can be redeemed for goods or services, further broadening the scope of illicit activities in these darknet markets.

Unfortunately, the original card owner mostly remains unaware of the fraudulent charges until all their stolen funds have been used or transferred to another account. At this point, it’s usually too late to recover the money. 

The thing is, carding is not only disadvantageous to the cardholder. It’s also detrimental to the merchant. Any time there’s a disputed purchase, the merchant may be forced to give chargebacks. This means they have to reverse the online purchases or transactions and refund the money to the credit or debit card holder’s account.

The merchant may also face additional financial burden in the form of carding reversal charges as part of their service agreements. They may also lose money from legitimate online purchases if payment processors decide to block transactions until the issue is resolved. Recovering the products carders purchase is also hard. Then, of course, there’s the reputational damage that’s even harder to repair.

What are the top carding attack techniques?

There are several carding methods used to steal and validate credit card details online. We’ve briefly touched on how hackers can gain access to payment card data for their carding attacks. In this section, let’s look in detail at other techniques:

Credit Card Skimming

Credit card skimming occurs when criminals alter an ATM machine, gas pump, or POS system with a similar-looking piece of equipment. This equipment then records the magnetic strip code, card number, expiration date, and PIN. 

The criminals will then use Bluetooth to transfer card information to their own devices, hardly ever coming into contact with the original machine. These attacks often happen at the point of sale, where unsuspecting customers swipe or insert their cards without noticing the skimmer.

In the first half of 2023 alone, 120,000 cards and 3,000 unique financial institutions were affected by card skimming attacks. This was a staggering 77% increase in skimming incidents from the previous year.

Social Engineering

Social engineering refers to the practice of manipulating a person to divulge confidential information–including credit card details—to be used for criminal purposes. The stolen information can also be used to gain access to the victim’s computer system and steal other sensitive data like social security numbers, potentially leading to identity theft. 

Phishing, vishing, smishing and pharming are types of social engineering attacks.

A phishing scam happens when cyber criminals send emails to unsuspecting people while purporting to be from known companies. These emails attempt to induce the victim to divulge sensitive information such as bank account info, credit card details, usernames, or passwords.

Vishing and smishing are similar to phishing. Only, vishing involves the use of phone calls to gain access to a person’s sensitive information. Smishing, meanwhile, involves the use of SMS. A malicious link is typically included in the SMS. When the unsuspecting victim clicks on the link, they are directed to a website, which may prompt them to download malicious software. We’ll talk about malware later.

The last one, pharming, involves redirecting website traffic to another fake site, which then prompts the victim to disclose critical information. 

Social engineering accounts for a whopping 98% of cyber-attacks. According to the FBI’s Internet Crimes Unit, in 2021, phishing, vishing, smishing and pharming victims amounted to 323972, the most number of cybersecurity victims.

Attackers may also use shoulder surfing—visually observing someone entering their PIN or card details in public—to steal sensitive information without digital tools.

Malware

Malware refers to intrusive or malicious software created by hackers to damage computer systems or gain unauthorized access to sensitive data, including credit card numbers and login credentials. These breaches often result in unauthorized charges made using stolen card data before victims even notice. Trojan viruses, worms, ransomware, spyware, viruses, and adware are all examples of malware. Malware is not only used for carding—it’s also commonly used in other forms of fraud, such as identity theft and account takeover schemes.

The majority of malware is spread as trojan viruses like .doc files and .exe files, and can be distributed using some form of social engineering. The number of malware attacks is increasing by the year. In fact, in 2022, there were 5.5 billion malware attacks, a 2% rise from the previous year.

As you’ve seen, cybercriminals may employ a combination of the tactics above to gain access to credit card details they’ll use for a carding attack. That’s why for the best protection, cardholders should take the time to understand these strategies and implement cybersecurity best practices to prevent or counter them. For instance, they shouldn’t click on dubious links. They should also take the time to check the authenticity credit protection services of the messages sent to them. Another option is to use credit protection services that can alert them of fraudulent activities related to their card. Additionally, staying informed about the best practices to secure your web application can help both businesses and users create safer online environments that reduce the risk of exploitation.

eCommerce businesses like you should do their part as well. They should identify all points of vulnerability in their site hackers may exploit to get a hold of sensitive information, including customers’ credit card details. They may use AI chatbots for hacking purposes to identify these. Once identified, they can make the necessary adjustments or deploy the appropriate cybersecurity solutions to ensure their customers don’t fall victim to carding attacks. Weak security can unintentionally aid cybercriminals in running carding operations that target both large platforms and small online stores. When malware is used to harvest payment data, it can quickly lead to widespread fraud and financial losses across multiple platforms.

What are the measures implemented by businesses to combat carding fraud

As criminals get better at scheming, businesses must implement stronger security measures to protect sensitive customer data and reduce fraud risks. That said, let’s look at a few other measures used by businesses to combat carding fraud, and which you can implement, too.

1. Address verification service (AVS)

The AVS system compares the billing address provided at checkout to the one in the card issuer’s records. The result can be one of these three:

• Full match
• ZIP code match
• Address match
• No match

If the details do not match, the transaction is considered criminal activity and will be declined immediately. Sometimes, the AVS system leaves it to the discretion of the merchant to choose whether or not to decline a partial match. 

Unfortunately, AVS only works in the US, Canada, Australia, New Zealand, and the UK.

2. Card verification value (CVV) checks

CVV is a three or four-digit code written on the back of a credit or debit card, close to the signature strip.

You can request this unique code upon checkout to verify that the shopper who wishes to make a purchase is in physical possession of the card. This will make it impossible for carders to use credit card numbers retrieved from criminal marketplaces or the Dark Web for fraudulent activities.

3. Geolocation tracking

Geolocation tracking leverages GPS technology to identify the user’s location or IP address and compare it to the one that’s normally used and was initially registered by the cardholder. Some advanced geolocation tracking systems can check for device type, transaction history, and even time of day to detect unusual patterns that may indicate fraud. 

Geotrackers can also identify users who are accessing a site using proxy IPs. The best free proxy providers help users show they’re accessing a site from one location when they’re actually in an entirely different one. 

While it’s possible the real cardholder could simply be traveling, a geolocation mismatch shouldn’t be overlooked. You should conduct more tests–maybe ask questions only the legitimate cardholder would know—to ensure the card details are in the right hands.

4. CAPTCHA

CAPTCHA is an online security test used to ward off bots by trying to verify that the website user is a human. CAPTCHA is short for Completely Automated Public Turing test to tell Computers and Humans Apart. It uses a challenge-response framework. 

For instance, a CAPTCHA can display several similar images and ask the user to select those with a bicycle, fire hydrant, motorcycle, or other objects. Below is an example of a CAPTCHA test.

While humans can find this easy, bots find it extremely challenging and almost impossible. It’s an effective way to prevent password decryption by AI bots and protect your e-commerce store. CAPTCHA helps block bots that criminals often use in automated financial fraud attempts, such as testing stolen credit card numbers.

To implement CAPTCHA on your site, all you need to do is register your site on the Google reCAPTCHA website.

Apart from all these measures, the business can also opt to invest in the cybersecurity education of their IT and security teams. Gaining a cybersecurity certification can help in responding effectively during any carding fraud incidents.

5. Multifactor Authentication (MFA)

Multifactor authentication adds an extra layer of security by requiring users to verify their identity using more than one method—typically a password plus a temporary code sent via SMS, email, or an authenticator app. This makes it significantly harder for carders to access customer accounts, even if login credentials have been compromised.

In closing

Web carding fraud is a growing challenge that needs to be addressed. This type of fraud happens when a carder (or credit card thief) gets a hold of a user’s credit card details or buys stolen credit card information on the dark web, uses bots to verify the details are valid, then uses the card for illegal activities.

As an eCommerce business, you need to guard against these attacks. Implement one or more of these measures—Address Verification Services (AVS), Card Verification Value checks (CVV), geolocation tracking, and CAPTCHA. You might also want to consider AVS, but that’s only available in a few countries.

With the right security measures, you won’t only protect your online store. You’ll also keep your customer data safe and, ultimately, build trust and credibility that are crucial to business growth. Since carders often purchase gift cards with stolen data, early detection and fraud prevention tools are essential for online stores.

---

Subscribe for expert knowledge

Get only the content that matters most to your business, delivered straight to your inbox. No spam—just valuable insights.

Enter your email address:

Your e-mail address is only used to send you valuable educational content on eCommerce. You can always use the unsubscribe link included in the newsletter.