“Carding” is a specific type of payment fraud that we have seen impacting an increasing number of sites. It is a systematic approach used by attackers to determine which stolen credit card details are still active and valid.
What is Carding and how does it work?
The process begins when an attacker purchases a large set of stolen credit card details, typically from a site hack and often for a very low price, from a dark web marketplace.
Since a significant portion of these cards will already have been cancelled or blocked, the attacker needs a fast, automated way to validate them so they can be sold to other fraudsters at a higher value.
This validation process, known as carding, has 4 primary stages:
- Selection: The attacker identifies legitimate e-commerce websites or online services with a low minimum transaction. These are often sites that sell digital goods, or allow the user to set a low value, such as a donation.
- Automation: Using bots, the attacker attempts to place numerous low-value transactions (e.g. £1) in rapid succession using the block of stolen card numbers.
- Validation: The core of the attack is simple:
  - Successful transaction: If the transaction processes, the card is confirmed as “live” and ready to be sold.
  - Failed transaction: If the transaction is declined, the card is likely dead, blocked, or has insufficient funds and is abandoned.
- Monetization: Once the attacker has identified valid cards, they sell these “live” cards to other fraudsters on the dark web at a significantly higher price, making a substantial profit. The original victim’s card information can then be used for larger, more expensive fraudulent purchases.
With the level of automation that these fraudsters have created, this whole process can be completed in a matter of hours or days.
The impact of Carding for the Merchant
Thousands of failed authorisations in a short period will affect your standing with your acquiring bank (the provider of your merchant account): they may demand additional technical controls or guarantees, raise your fees or, in extreme cases, close the account. Equally, any payment you accept from a card that turns out to be stolen will be charged back when the cardholder disputes it, and each chargeback carries a penalty fee on top of the lost goods or funds.
On top of those risks, the administrative burden of receiving thousands of order confirmation or failure emails, resolving the disputed transactions and handling the resulting influx of support queries can quickly overwhelm your internal operations.
How to protect your website against Carding
E-commerce businesses can implement several layers of defence to protect themselves from being used as a validation point for carding operations:
1. Blocking Bot Traffic
Since Carding relies heavily on automated scripts and bots, controlling this traffic on your payment pages is a primary defense:
- CAPTCHA: A challenge such as Google’s reCAPTCHA on the payment and checkout pages raises the cost of running a script against them while remaining relatively unobtrusive for human users. Treat it as a speed bump rather than a wall: CAPTCHA-solving services are cheap and routinely built into fraud tooling, so combine it with the other controls below.

- Rate Limiting: By tracking how many attempted transactions originate from a single IP address within a given timeframe (e.g., more than 5 attempts in 10 minutes), the site can temporarily block or challenge that IP, as humans rarely make multiple transactions on the same site in quick succession. Count declined attempts as well as successful ones, since the declines are the bulk of a carding run, and be aware that attackers rotate through proxy pools: also key the limit on something they cannot cheaply change, such as the checkout session or the card’s BIN.
2. Utilising Interception or Shield Services
Online security services can provide an effective first line of defense before the traffic even reaches the website’s server:
- Web Application Firewalls: Services like Cloudflare or Bunny Shield, which offer bot management and Web Application Firewalls (WAF), can be configured to identify and block known bot patterns and suspicious traffic at the edge, before requests reach your origin server.

- Dedicated security: Specialist e-commerce security platforms analyse traffic patterns and use machine learning (AI) and pattern matching to distinguish genuine users from sophisticated bots, providing a further protective layer in front of the checkout.
3. Payment Gateway Strategies
Working directly with the payment processor to tune fraud detection is critical:
- Card verification: Ensure Address Verification Service (AVS) and Card Verification Value (CVV) checks are mandatory. While carding attackers may have the card number, they frequently lack the full AVS and CVV data. Stepping up to 3-D Secure (Verified by Visa, now Visa Secure, and Mastercard SecureCode, now Mastercard Identity Check), which requires additional verification such as a texted code, prevents a successful transaction outright, although it adds friction for genuine customers. Be careful what your checkout reveals: a response that distinguishes “CVV mismatch” from “card declined” tells the attacker that the card number itself is live, so show the customer a generic decline message and keep the detailed reason code in your back-office logs.
- Micro-Transaction Monitoring: Add rules that flag higher than normal volumes of low-value transactions, counting declined attempts as well as successful orders, since the declines are where a carding run shows up first. For example, if your site sees more than 10 attempts under £1 in an hour, switch to a £10 minimum transaction value; this removes the cheap test the attacker needs and will typically cause them to move on to their next victim merchant.
- Geographic Blocking: If a significant portion of suspicious traffic originates from a high-risk geographical region where your business does not operate, consider implementing blanket blocks or stronger verification for those areas.
- Replay Prevention: Most gateways can issue a single-use token or nonce that the checkout page must include with each submission. Because the token is only valid once, a script cannot simply resubmit the same form with a different card number; it has to go back through your checkout to obtain a fresh token each time, which slows the attack and gives your other controls a chance to act.
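The per-IP rate limit from section 1 and the micro-transaction rule above are both velocity rules over the same stream of checkout attempts, so one added example serves both. The Python below is an illustration written for this page, not code from any gateway, WAF or security product; the log format, the sample traffic and the thresholds (5 attempts per IP in 10 minutes, more than 10 attempts under £1 in an hour, a £10 raised minimum) are assumptions taken from the figures in the text. It replays a constructed checkout log through each rule and shows why the site-wide rule is needed alongside the per-IP one: the second bot IP stays under the per-IP limit on its own but still pushes the overall count of sub-£1 attempts over the threshold.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from decimal import Decimal
from fractions import Fraction

# Constructed sample checkout log for this example (not real traffic):
# "<ISO timestamp> <client IP> <amount GBP> <gateway result>".
# 203.0.113.7 and 203.0.113.8 are the carding bots; the other two
# lines are ordinary customers.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 198.51.100.20 24.99 approved
2024-05-01T10:01:00Z 203.0.113.7 0.50 declined
2024-05-01T10:01:05Z 203.0.113.7 0.50 declined
2024-05-01T10:01:09Z 203.0.113.7 0.50 approved
2024-05-01T10:01:14Z 203.0.113.7 0.50 declined
2024-05-01T10:01:20Z 203.0.113.7 0.50 declined
2024-05-01T10:01:27Z 203.0.113.7 0.99 declined
2024-05-01T10:01:33Z 203.0.113.7 0.99 approved
2024-05-01T10:01:40Z 203.0.113.7 0.99 declined
2024-05-01T10:02:02Z 203.0.113.8 0.99 declined
2024-05-01T10:02:10Z 203.0.113.8 0.99 declined
2024-05-01T10:02:18Z 203.0.113.8 0.99 approved
2024-05-01T10:02:25Z 203.0.113.8 0.99 declined
2024-05-01T10:45:12Z 198.51.100.21 12.50 approved
"""


def parse_log(text):
    """Turn log lines into dicts ordered by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, amount, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ip": ip,
            "amount": Decimal(amount),   # never float for money
            "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def ip_rate_limit(events, max_attempts=5, window=timedelta(minutes=10)):
    """Sliding-window limit per source IP (section 1 of the text).

    Every attempt counts, approved or declined, because a carding run is
    mostly declines. Returns {ip: timestamp of the first attempt that
    breached the limit}; a real deployment would block or challenge the
    IP from that moment on.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    tripped = {}
    for e in events:
        q = recent[e["ip"]]
        q.append(e["ts"])
        while e["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_attempts and e["ip"] not in tripped:
            tripped[e["ip"]] = e["ts"]
    return tripped


def low_value_velocity(events, max_amount=Decimal("1.00"), max_count=10,
                       window=timedelta(hours=1)):
    """Site-wide micro-transaction rule: more than max_count attempts
    under max_amount within the window, regardless of source IP.
    Returns the timestamp at which the rule first fires, or None."""
    q = deque()
    for e in events:
        if e["amount"] >= max_amount:
            continue
        q.append(e["ts"])
        while e["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_count:
            return e["ts"]
    return None


def decline_ratio(events):
    """Fraction of attempts the gateway declined. Genuine checkouts see a
    small minority of declines; a carding run pushes this toward one."""
    if not events:
        return Fraction(0)
    declined = sum(1 for e in events if e["result"] == "declined")
    return Fraction(declined, len(events))


def effective_minimum(events, normal=Decimal("0.00"), raised=Decimal("10.00")):
    """The response the text suggests: raise the minimum order value once
    the low-value rule has fired, removing the cheap test the bot needs."""
    return raised if low_value_velocity(events) is not None else normal


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("per-IP limit tripped:", ip_rate_limit(events))
    print("low-value rule fired at:", low_value_velocity(events))
    print("decline ratio:", decline_ratio(events))
    print("minimum order value now:", effective_minimum(events))
```

Run against the sample, the per-IP rule trips 203.0.113.7 on its sixth attempt while 203.0.113.8, with only four, passes; the site-wide rule still fires on the eleventh sub-£1 attempt, and the decline ratio of 9/14 is far above anything a genuine customer base produces. In production the in-memory deques would be replaced by a shared store (or the WAF’s own rate-limit rules), and the raised minimum must be enforced at the gateway as well as in the storefront so that a script posting straight to the payment endpoint cannot bypass it.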
As a web agency, we understand that maintaining a secure checkout is just as important as maintaining a beautiful one. Preventing carding is not just about stopping fraud; it’s about protecting your merchant reputation and ensuring your site remains a trusted place to shop. If you are concerned about suspicious transaction patterns or want to audit your current security before this becomes an issue, then please get in touch.