What is carding?
Carding, also known as credit card stuffing, fraud or verification, happens when cybercriminals attempt to make small purchases with large volumes of stolen credit card numbers on one eCommerce platform.
Businesses that have fallen victim to a carding attack often see:
- a drastic uptick in chargebacks
- a significant increase of multiple failed payment authorizations from the same user or location
- elevated shopping cart abandonment
- reduced shopping cart totals
How does carding work?
Today, carding usually includes phishing or malware attacks and cybercriminals trading the stolen credit card information on illegal websites. They either hack the store or the site and gain access to a list of credit or debit cards that were recently used for transactions or, after buying the sensitive information on the dark web, start testing the cards to check their activity and if they happened to be reported stolen already. This is what appears as a series of suspicious, small transactions.
A common step for cybercriminals involved in carding is buying gift cards and other prepaid cards with the stolen credit card numbers, which are then used to buy more expensive items. These high-value goods, electronics such as laptops or smartphones, can be resold later for cash.
The stolen sensitive information in a carding activity often includes the following data:
- Cardholder name
- Credit card number
- Expiration date
- CVV (card verification value) number
- ZIP codes
What are the consequences of carding?
Usually, the validity of the stolen information is unknown to cybercriminals until the attack takes place. Afterwards all of the credit card numbers that successfully completed the requested transactions are sold along with any known personal information on the black market. Unfortunately, this type of attack typically happens at night, goes unnoticed by the consumers and results in poor credit or penalties. It can also cause significant financial losses for the affected business which may be responsible for covering the cost of the illegally processed transactions on behalf of their customers.
How can eCommerce businesses prevent carding?
There are a variety of countermeasures that can be used to prevent a carding event. Broken down simply, businesses will want to protect customer accounts as well as their eCommerce site.
- CVV Validation. To defend customer accounts, you should require CVV validation. This is the code on the back of most major credit cards.
- AVS. You’ll also want to require an AVS or Address Verification Service code. It’ll tell you whether or not the address given online actually matches that of the cardholder.
- Transaction Minimums. You should also set a transaction amount minimum above $10, if possible (most carding events charge between $1 and $6). Also, it is helpful if you require a valid login to allow users to access your payment page.
- Throttle Transactions. Transaction throttling can also prevent fraud. It works by giving businesses a simple way to deliberately slow down data transfer speeds so transactions can be accepted at a rate that wouldn’t be conducive to a carding event.
- Add reCAPTCHA. Integrating reCAPTCHA technology onto eCommerce sites can also defend payments. It validates that all actions performed on a site are done so by humans and not bots or script automation.
As you can see, a little preparation by eCommerce businesses can go a long way when it comes to preventing fraudulent attacks like carding. If you have questions on this topic, fill out the brief form below. We are always happy to continue the conversation.