06 Aug 2020 • 10 min read
Carding attacks are one of the most dangerous forms of bot attacks since they deal directly with personal finance. If your website was involved in a successful carding attack, loss of reputation and revenue is inevitable.
So, what is carding? How does it hurt your business and not only cardholders? How do you prevent it on your website or application?
Carding is a type of bot attack that involves multiple simultaneous requests to grant access to a stolen credit card and make transactions through it.
Carding attack operations are sophisticated by nature and require substantial resources and effort. A typical operation involves:
1. Obtaining a large number of partial or incomplete credit card credentials;
2. Deploying bots to make small purchases across multiple websites to determine the remaining credentials and validate the credit cards;
3. Bots handling millions of validation attempts;
4. Putting successfully validated card credentials into a database for further criminal use.
There are countless ways to get your card information and start a fraud scheme. Fraudsters are extremely creative when it comes to that, but here are the most popular ones that you should be aware of.
Skimming is an operation in which fraudsters place a small and very hard to notice device on a legitimate card reader, for example an ATM. This device is called a skimmer. As soon as the cardholder starts using the ATM, the skimmer reads the card information and passes it to the fraudsters.
Web scripts can also be used as skimmers. They were one of Magecart's favourite weapons. Malicious code is injected into e-commerce platforms, so when you make a purchase, the script reads the card credentials and sends them to the fraudsters.
Phone calls are a very notorious way of accessing card information. Recently it has become very popular among criminals to call and introduce themselves as bank staff. They claim that an emergency such as an unauthorized transaction is happening with your card and requires your information to take action.
Phishing is very similar to phone calls, aside from the fact that fraudsters try to get card information through emails, text messages, and social media direct messages.
Malware is malicious software installed from spam links in emails or messages, or from comments on social media.
Once the installation is finished, it runs in the background while the user makes purchases online. The malware reads the card information and stores it in a database for fraudulent use.
Carding forums are the cradle of knowledge for criminals. They share various tips, tricks, and tools to collect card information.
Banks can leak their clients' information or sometimes even sell it. Not on purpose, of course: the usual reasons are a poor access management system or employees with ill intentions who want to profit from the personal data of bank clients.
1. The damage inflicted on card owners causes a severe reputation loss and public relations crisis;
2. Online platforms are subjected to chargebacks. This hurts their reputation with credit card processors by creating a poor history and penalties for accepting a stolen card;
3. Revenue decreases and the long-term sustainability of the business is at risk due to everything mentioned above.
To prevent losing your clients' card credentials to fraudsters, 2FA is a strong solution since it authorizes access to a credit card based on three general pieces of evidence that only the particular cardholder possesses.
AVS is used to verify the address of a cardholder. The system checks the billing address the user provides and compares it with the address on file with the credit card company. If the addresses are similar, AVS authorizes the transaction.
CVV code confirms that the user has physical possession of the card since CVV is only present on the physical card. However, it is important to know that CVV could be stolen as well.
A velocity check analyzes numerous data points, such as the IP address, device ID, card number, or payment system. It also checks how many purchases were made with the card in the past 24 hours.
If the purchases are too frequent, say minutes away from each other, they are regarded as suspicious.
Payer Authentication is a phone call from the card issuer to confirm the transaction. Banks do this if a transaction seems suspicious.
Device fingerprinting is a form of multi-factor authorization that identifies device parameters that do not change between purchases.
Fingerprinting creates a unique presence identifier, and if the same identifier shows up across multiple log-ins, it arouses suspicion.
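The velocity check and device fingerprinting described above, as an added Python example that is not part of the original post: it hashes the stable device attributes into a fingerprint, keeps a 24-hour sliding window of attempts per card, per IP and per device fingerprint, and flags attempts that are only seconds apart or too numerous in the window. The thresholds, the attribute list and the sample attempts are constructed for illustration, not taken from any real system.

```python
import hashlib
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Attributes assumed to stay constant between a device's purchases (hypothetical list).
STABLE_ATTRS = ("user_agent", "screen", "timezone", "language")


def fingerprint(attrs):
    """Hash only the stable attributes, so cookies or session ids do not change the identifier."""
    stable = {k: attrs.get(k, "") for k in STABLE_ATTRS}
    return hashlib.sha256(json.dumps(stable, sort_keys=True).encode()).hexdigest()[:16]


class VelocityChecker:
    """Sliding-window counter kept per key (card token, IP, device fingerprint).

    Thresholds are placeholders chosen for the example, not recommended production values.
    """

    def __init__(self, window=timedelta(hours=24), max_per_window=5, min_gap=timedelta(minutes=2)):
        self.window = window
        self.max_per_window = max_per_window
        self.min_gap = min_gap
        self.history = defaultdict(deque)  # key -> timestamps inside the window, oldest first

    def record(self, ts, keys):
        """Record one attempt under each key and return the reasons (if any) it looks suspicious.

        Attempts must be fed in chronological order.
        """
        reasons = []
        for key in keys:
            seen = self.history[key]
            while seen and ts - seen[0] > self.window:   # forget attempts older than the window
                seen.popleft()
            if seen and ts - seen[-1] < self.min_gap:      # purchases "minutes away from each other"
                gap = (ts - seen[-1]).total_seconds()
                reasons.append(f"{key}: attempts {gap:.0f}s apart")
            seen.append(ts)
            if len(seen) > self.max_per_window:            # too many purchases in the window
                reasons.append(f"{key}: {len(seen)} attempts in {self.window}")
        return reasons


def score_attempts(attempts, **thresholds):
    """Run every attempt through the checker; return {(timestamp, card): reasons} for flagged ones."""
    checker = VelocityChecker(**thresholds)
    flagged = {}
    for ts, card, ip, device in sorted(attempts, key=lambda a: a[0]):
        keys = (f"card:{card}", f"ip:{ip}", f"device:{fingerprint(device)}")
        reasons = checker.record(ts, keys)
        if reasons:
            flagged[(ts, card)] = reasons
    return flagged


# Constructed sample data: documentation IP ranges, made-up card tokens and device attributes.
ALICE_DEVICE = {"user_agent": "Mozilla/5.0 (X11; Linux x86_64)", "screen": "1920x1080",
                "timezone": "Europe/Berlin", "language": "de-DE", "cookie": "sess-1"}
BOT_DEVICE = {"user_agent": "python-requests/2.24", "screen": "", "timezone": "UTC", "language": ""}
T0 = datetime(2020, 8, 6, 9, 0, 0)

SAMPLE_ATTEMPTS = [
    # A genuine shopper: the same card twice, six hours apart.
    (T0, "card-A", "198.51.100.10", ALICE_DEVICE),
    (T0 + timedelta(hours=6), "card-A", "198.51.100.10", ALICE_DEVICE),
] + [
    # A carding bot: a different stolen card every 30 seconds from one IP and one device.
    (T0 + timedelta(hours=1, seconds=30 * i), f"card-{i:03d}", "203.0.113.7", BOT_DEVICE)
    for i in range(8)
]

if __name__ == "__main__":
    for (ts, card), reasons in score_attempts(SAMPLE_ATTEMPTS).items():
        print(ts.time(), card, "->", "; ".join(reasons))
```

Note that the bot never trips the per-card counter, because it uses each stolen card only once; it is the per-IP and per-device-fingerprint keys that expose it. That is why a velocity check that looks at the card number alone is not enough, and why the fingerprint must be built from attributes the bot cannot cheaply rotate between requests.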
Fraudsters possess millions of credit card credentials and have to test these on multiple sites across the web. An impossible task without the help of automation.
If the automation can be stopped, then the carding attacks can’t be initiated.
Traditional picture and text-based CAPTCHAs have been the go-to choice for preventing automation.
At present, however, traditional CAPTCHAs are obsolete against sophisticated carding bots, which use machine learning to crack these challenges or rely on sweatshops (a.k.a. CAPTCHA farms) to bypass them.
Advanced systems with behavioral and environmental analysis can reduce malicious automation to manageable degrees.
However, the major differentiating factor here is “at what cost?”. The cost of customer experience is just as important as the ability to keep malicious automation at manageable levels.
Preventing carding fraud is essential for the long-term success and competitiveness of your business. Reputation and revenue are the main pillars that businesses grow on; therefore, you must protect them at all costs.
Why? If you don’t use the necessary safety precautions, there is a risk that your business will not survive. The stigma of a “fraudsters-friendly website” will destroy it quickly.
Choosing security measures is not an easy move, but a necessary one. Of course, you could combine several of the solutions mentioned above.
However, do not forget about the user experience. Users don’t like endless challenges. They will increase your bounce rate and reduce the competitiveness of your business.
The best option for you is the solution with the least user friction and maximum security, and we just happened to have one for you.