Ecommerce Payment Card Fraud: Carding
Updated: Oct 12
With COVID-19 pushing more and more consumers towards online shopping, cybercriminals have been quick to follow. In fact, ecommerce or online payment fraud is expected to cost online retailers over $20 billion in 2021.
What is Carding?
There are varying types of payment fraud, but in this article, we want to focus on an increasingly problematic issue for retailers called carding. Carding is a type of credit card fraud in which criminals use large volumes of stolen payment card numbers to make small purchases online in an effort to verify which numbers are still active.
The stolen card numbers in use may have been obtained through malware attacks, skimming, phishing, or they may have been purchased in bulk on the dark web. Lists of card information are available for less than a few cents per card. However, once a stolen card number is validated, it can now be re-sold on the black market for up to $45, and then used for bigger transactions or to purchase gift cards or other prepaid cards.
How can you detect Carding?
Because of the low dollar amounts on each card, Carding fraud will often go undetected by cardholders until it is too late. However, there are several red flags that can help you detect that Carding bots may be at work on your ecommerce site:
Lower than average shopping cart/purchase amounts
A spike in shopping cart abandonment rates
A high volume of failed payment authorizations
Multiple failed payment authorizations from the same user or IP address
A high number of visits to the checkout page relative to overall site visits
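As an added example, not code from the article, the red flags above expressed as detection logic run over a constructed authorization log (one record per checkout attempt); the log records, the thresholds and the baseline cart value are assumptions to be tuned to your own shop:

```python
from collections import defaultdict

# Constructed sample of payment-authorization log records (not taken from the
# article): one tuple per checkout attempt, as a gateway or web tier might log it.
AUTH_LOG = [
    # (source_ip, account, amount_usd, result)
    ("203.0.113.7", "guest-41", 1.05, "declined"),
    ("203.0.113.7", "guest-41", 1.05, "declined"),
    ("203.0.113.7", "guest-41", 1.05, "approved"),
    ("203.0.113.7", "guest-42", 0.99, "declined"),
    ("203.0.113.7", "guest-42", 0.99, "declined"),
    ("203.0.113.7", "guest-43", 1.05, "approved"),
    ("198.51.100.20", "alice", 79.99, "approved"),
    ("198.51.100.21", "bob", 42.50, "declined"),
    ("198.51.100.21", "bob", 42.50, "approved"),
]

# Thresholds are assumptions for this constructed shop; tune them to your own baseline.
FAIL_THRESHOLD = 3            # failed authorizations from one source before it matters
DECLINE_RATE_THRESHOLD = 0.5  # share of attempts declined
LOW_AMOUNT_USD = 5.00         # "lower than average" cart value for this shop


def carding_indicators(log, baseline_avg_amount=60.0):
    """Group authorizations by source IP and return {ip: [reasons]} for sources
    showing the red flags above: many failures, a high decline rate, unusually
    small carts, and several accounts behind one address."""
    per_ip = defaultdict(list)
    for ip, account, amount, result in log:
        per_ip[ip].append((account, amount, result))

    flagged = {}
    for ip, attempts in per_ip.items():
        total = len(attempts)
        failed = sum(1 for _, _, r in attempts if r != "approved")
        avg_amount = sum(a for _, a, _ in attempts) / total
        accounts = {acct for acct, _, _ in attempts}
        reasons = []
        if failed >= FAIL_THRESHOLD:
            reasons.append(f"{failed} failed authorizations")
        if total >= FAIL_THRESHOLD and failed / total >= DECLINE_RATE_THRESHOLD:
            reasons.append(f"decline rate {failed / total:.0%}")
        if avg_amount < LOW_AMOUNT_USD and avg_amount < baseline_avg_amount:
            reasons.append(f"average cart ${avg_amount:.2f} vs baseline ${baseline_avg_amount:.2f}")
        if len(accounts) > 1 and failed >= FAIL_THRESHOLD:
            reasons.append(f"{len(accounts)} accounts behind one IP")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Run against the sample, only 203.0.113.7 is reported, with all four indicators; the two legitimate shoppers (one of them with a single decline) stay below every threshold.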
How can you prevent Carding?
Organizations can protect their ecommerce sites from being used for Carding through a number of different countermeasures:
Setting minimum transaction amounts, typically above $10.00.
Throttling the transaction rate, slowing each request down so that it is more difficult to run a large quantity of transactions in a short amount of time.
Configuring a maximum number of checkout attempts and/or transactions per user to prevent large numbers of transactions.
Requiring the CVV code/validation to help ensure the person making the purchase has the card in their possession.
Requiring the Address Verification Service (AVS) code that will check to see if the address given online matches that of the cardholder. IP geolocation checks can also be performed to see if the user’s IP address matches the billing address entered on the checkout page. While this wouldn’t always mean a transaction is fraudulent, it can give you a heads up to take a deeper look at the transactions that are occurring.
Adding reCAPTCHA technology to prevent bots or automated scripts from running a high volume of cards through at the same time. reCAPTCHA ensures the actions being performed are done by humans. If you force criminals to perform carding tests manually, they will be a lot less likely to select your site to test out their stolen card numbers, and will move on to easier targets.
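An added example, not code from the article or from CampusGuard: a pre-authorization gate that applies the countermeasures above (minimum amount, per-IP and per-account attempt limits, CVV required, AVS and IP-geolocation results routed to manual review) together with the empty hidden form field suggested in the team note at the end of the article. The field name, the limits, and the `avs_match`/`ip_country` request fields are assumptions; a real deployment would take the AVS result from its processor's response.

```python
import time
from collections import defaultdict, deque

MIN_AMOUNT_USD = 10.00          # minimum transaction amount suggested in the article
MAX_ATTEMPTS_PER_WINDOW = 5     # checkout attempts per IP or account in the window (assumption)
WINDOW_SECONDS = 600            # sliding window length (assumption)
HONEYPOT_FIELD = "website_url"  # hidden form field a real browser never fills in (assumption)


class CheckoutGate:
    """Checks run on every checkout request before it reaches the payment gateway."""

    def __init__(self, now=time.time):
        self._now = now                        # injectable clock for testing
        self._attempts = defaultdict(deque)    # key -> timestamps of recent attempts

    def _over_limit(self, key):
        q = self._attempts[key]
        now = self._now()
        while q and now - q[0] > WINDOW_SECONDS:   # drop attempts outside the window
            q.popleft()
        q.append(now)
        return len(q) > MAX_ATTEMPTS_PER_WINDOW

    def evaluate(self, req):
        """Return ("authorize" | "review" | "reject" | "decoy_success", reasons)."""
        # Hidden-field honeypot: answer as if the order went through (without charging
        # anything) so the automated tool does not adapt, and log the request data.
        if req.get(HONEYPOT_FIELD):
            return "decoy_success", ["hidden form field populated"]
        reasons = []
        if req["amount"] < MIN_AMOUNT_USD:
            reasons.append(f"amount ${req['amount']:.2f} below minimum ${MIN_AMOUNT_USD:.2f}")
        if not req.get("cvv"):
            reasons.append("CVV missing")
        # Count both keys so neither a rotating IP nor a rotating account evades the limit.
        ip_hit = self._over_limit(f"ip:{req['ip']}")
        acct_hit = self._over_limit(f"account:{req['account']}")
        if ip_hit or acct_hit:
            reasons.append("too many checkout attempts in window")
        if reasons:
            return "reject", reasons
        # Soft signals: not conclusive on their own, so route to manual review instead.
        review = []
        if req.get("avs_match") is not True:    # AVS result as reported by the processor
            review.append("AVS mismatch")
        if req.get("ip_country") and req["ip_country"] != req["billing_country"]:
            review.append("IP geolocation differs from billing country")
        return ("review", review) if review else ("authorize", [])
```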
More and more businesses are moving their services and products to online platforms as they forego in-person activities, and if online shopping carts and sites are not set up with the necessary security controls in place, criminals are quick to exploit them. While Carding is not exactly a breach of cardholder information, it can still cause your merchants lost revenue, as well as the headache of dealing with chargebacks and unnecessary hours investigating fraudulent transactions.
What should you do if you suspect Carding?
If you do suspect or determine that one of your organization’s ecommerce sites has been used for Carding, contact your merchant services bank and alert them that fraudulent activity has taken place. You should follow the recommendations from your merchant bank, but if you can identify the impacted transactions, it may be beneficial to immediately void or credit back the cards used for successful purchases to avoid chargeback fees. In some cases, your organization or your bank may have contact information for the cardholders so they can also be notified and have a new payment card issued.
Your website administrators will also want to verify the basic security of the ecommerce site, completing full malware scans against the affected site to ensure that the criminals didn’t plant any viruses on the site while they were testing out the stolen card data. Along with the above-mentioned countermeasures, if you (or your service provider) can identify where the fraudulent transactions came from, you can restrict future access from those identified IP addresses.
Lastly, remember to include all of the above in your incident response plan and your communications plan. The affected cardholders will eventually see your organization’s name on their credit card statements, so you should plan for how you will respond if and when they contact you.
Additional guidance from the CampusGuard Offensive Security Services Team:
[Roell]: Reconnaissance is crucial in formulating an effective attack pattern. Validating cards beforehand can lessen the amount of traffic from an attacker, reducing the risk of detection. You can additionally consider adding empty hidden form fields as a detection method. While normal users will never see the fields, and therefore will not populate them, automated tools and bots encounter difficulty identifying the nature of these fields and will usually populate the hidden fields. Consider replicating the successful transaction flow for requests with the empty form fields populated to avoid the error handling mechanisms of automated tools. By flagging and aggregating the malicious request data you can perform your own counterintelligence, harvesting the lists from the attacker.