Bot Threats
October 6, 2023

Understanding Card Cracking and Carding Attacks

One of the most insidious threats facing e-commerce businesses today is card cracking, also known as "card testing," and carding attacks. These sophisticated cybercrimes are on the rise, and if not adequately addressed, they can lead to significant financial losses and damage your brand's reputation. In this blog article, we will delve into the world of card cracking and carding, explore their impact on e-commerce, and provide valuable insights on how to detect and prevent these threats effectively.

What is Card Cracking?

Card cracking is a type of brute force attack that targets the payment interface of e-commerce websites to obtain the missing values from a credit card, for example the expiration date or the three-digit security code. Typically the cybercriminals purchase incomplete credit card data and then hijack your payment gateway to authenticate and verify the missing details by brute force. Card cracking is used by cybercriminals to obtain Fullz, the slang used by cybercriminals for the "full" set of credit card details. Effectively, the cybercriminals are just using the payment gateway to authenticate the card details.

While it may be comforting to know that the cybercriminals are not actually trying to steal your customers' credit card information per se, in reality it is cold comfort, as these attacks can be truly massive. Fullz credit card details are sold by the thousand, and often by hundreds of thousands or millions. Brute forcing a thousand cards takes many thousands of attempts. One can readily see how the sheer volume of the attacks can cause your downstream payment gateway to simply block your entire site, effectively removing your ability to transact online. If you are lucky the attacks will be low and slow to avoid detection, but they can also be very quick, or sustained for hours until the cybercriminal gets the desired number of credit card validations. Once they successfully identify valid cards, fraudsters have two main options: they can either sell the compromised payment account details on the dark web as Fullz, or use them themselves, now that they hold card details they know are valid.

OWASP Threat 

Card cracking has been identified by OWASP and given the Automated Threat (OAT) identifier OAT-010. Cybercriminals employ this method to guess missing values for stolen credit or debit card data. These missing values typically include the expiration date, card security code (CSC), and card identification number (CID).

Card Cracking OWASP Threat Diagram

What is Carding?

Carding attacks involve the use of bots by cybercriminals to test the validity of stolen card data. These tests often consist of small transactions designed to avoid drawing attention, but they can also be extremely large brute force attacks, which can flood the downstream payment gateway. Carding attacks not only target payment cards but also extend to gift cards, shopping points programmes, and vouchers.

OWASP Carding Summary Diagram

The Impact of Carding and Card Cracking Attacks

The consequences of carding and card cracking attacks on e-commerce businesses can be profound and far-reaching:

Reputational Damage and Admin Overhead

Dealing with the fallout from carding and card cracking attacks can divert significant resources toward mending relationships with customers as well as the associated downstream payment processors, and hosting services. Failure to promptly identify and address these attacks can result in substantial reputational damage to the business. Moreover, after experiencing card fraud, nearly half of the affected customers vow never to return to the retailer. Often mitigating and managing these attacks requires significant management time, and may involve legal, compliance and senior accounting and IT resources.

Financial Losses

Consumers in the UK lost £1.2bn to fraud in 2022, the equivalent of £2,300 every minute, according to bank industry group UK Finance. It said around three million scams took place, with frauds involving payment cards being the most common.

Increased Costs

Card cracking and carding attacks can lead to higher payment authorization requests, causing you to incur additional authentication fees. If your payment processor categorizes you as "high risk," transaction fees can escalate, or they might even halt payment processing until the issue is resolved. If the business decides to move to multi-factor authentication, these costs can rise dramatically, and will inevitably lead to some customer churn. 

Customer Complaints / Social Media

Customers understandably become distressed when their stolen card details are used for unauthorized purchases. Complaints from affected customers can tarnish your business's reputation and deter potential buyers, and are frequently posted on social media for public consumption.

Server Load and Bandwidth Costs, Performance Issues

The anonymity of gift cards and other vouchers makes them a prime target for carding and card cracking. Bots can test vast quantities of serial numbers, resulting in increased server loads and bandwidth costs. This can also lead to poor customer experiences due to performance issues.

How Card Cracking Attacks Work

Card cracking attacks typically follow this sequence of events:

  • Stolen Partial Cardholder Data & Brute Forcing: Cybercriminals obtain partial payment card numbers and use automated brute-force tools to find missing values such as the card security code (CSC).
  • Card Payment Process: Threat actors target merchant payment processes, continuously testing potential solutions for unknown payment card values.
  • Complete Cardholder Data: Upon success, cybercriminals identify full sets of valid cardholder data for malicious activities or online sales.

How Carding Attacks Work

Carding attacks follow a similar pattern:

  • Stolen Payment Cardholder Data: Threat actors acquire complete sets of stolen payment card details from various sources, including the dark web.
  • Card Payment Process: The lists of complete payment account details are used to make test purchases against e-commerce sites to validate card details.
  • Validated Cardholder Data: If successful, fraudsters confirm the card details and the quality of the stolen account information.

Detecting and Preventing Carding and Card Cracking Attacks

To safeguard your e-commerce business against these threats, consider implementing the following strategies:

Cart Abandonment Rates

Spikes in cart abandonment rates that can't be explained are typically a sure sign of carding attacks. Once the cybercriminal has tested each card, or tried to use brute force to verify additional details, they just abandon the transaction. Although e-commerce sites monitor cart abandonment rates very carefully, and often make it a Key Performance Indicator (KPI) in management reporting, the abandonment rate often doesn't exclude the bot traffic, which makes tracking this indicator almost meaningless. It's vital to use a bot mitigation platform such as VerifiedVisitors to ensure the bots are removed, so you have clean data to really measure this vital KPI. One way to sanity check your cart abandonment rate is to look at 'industry average' metrics. However, this data is hard to come by and tends to vary massively.

Monitor Changes in Order Volumes

Be vigilant for high volumes of small order amounts, as this is a common sign of a carding attack. Fraudsters use credit card bots to make numerous attempts at purchasing low-cost items. Often these micro-transactions for a few cents won't be scrutinized by the customer and will fail the materiality test for the bank. These tiny transactions, even if noticed, may simply be put down to currency exchange differences or other rounding issues that don't warrant attention.

IP Matching and Device Type

Use IP geolocation checks to ensure that a user's IP matches their billing address on the checkout page. This can help detect suspicious activity, especially in combination with other indicators. Cybercriminals often use mobile farms that hide inside the vast mobile proxy range to evade detection and avoid the geolocation checking. Look for an unusually high cluster of mobile purchase attempts.

Build a Customer Block List

Identify and block known fraud offenders from shopping at your online stores. Implement a zero-tolerance policy for those attempting card cracking attacks.

Authorize Cards

Implement authorization and capture mechanisms to validate a user's credit card, check for valid card details, and ensure sufficient funds before processing payment. This allows you to review potentially fraudulent transactions before payment is finalized.

Check Transaction Speed

Monitor the speed at which users attempt to purchase goods or services. Genuine users typically do not make multiple transactions within seconds, unlike credit card bots. Cybercriminals work on the assumption that they are going to be stopped, but sometimes try to force a very high volume of attempts through the payment gateway, which is simply impossible for humans to do. Tracking transaction velocity by various criteria, such as purchase amount, total transaction time, geolocation, or device type will often indicate an underlying issue. For example, carding attacks will often see a cluster of users with significantly 
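As an added illustration (not VerifiedVisitors code), the script below applies the order-volume, transaction-velocity and repeated-decline checks described above to a constructed checkout-attempt log. The log format, the card token field and every threshold are assumptions; a real deployment would tune them against a clean baseline.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log (not real traffic). Fields: time ip card_token amount_cents result.
# 203.0.113.7 mimics a carding bot, 198.51.100.9 a card-cracking bot, 192.0.2.44 a genuine shopper.
SAMPLE_LOG = """\
2023-10-06T10:00:00Z 203.0.113.7 tok_a 25 declined
2023-10-06T10:00:03Z 203.0.113.7 tok_b 25 declined
2023-10-06T10:00:05Z 203.0.113.7 tok_c 25 approved
2023-10-06T10:00:08Z 203.0.113.7 tok_d 25 declined
2023-10-06T10:00:10Z 203.0.113.7 tok_e 25 approved
2023-10-06T10:01:00Z 198.51.100.9 tok_x 100 declined
2023-10-06T10:01:01Z 198.51.100.9 tok_x 100 declined
2023-10-06T10:01:02Z 198.51.100.9 tok_x 100 declined
2023-10-06T10:01:03Z 198.51.100.9 tok_x 100 approved
2023-10-06T10:02:00Z 192.0.2.44 tok_m 4999 approved
"""

def parse(log_text):
    # Turn each line of the assumed format into a (time, ip, token, cents, result) tuple.
    rows = []
    for ts, ip, token, cents, result in (line.split() for line in log_text.splitlines()):
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, token, int(cents), result))
    return rows

def flag_ips(log_text, window_s=60, max_attempts=4, max_cards=3, max_declines=3, micro_cents=100):
    """Return {ip: [reasons]} for sources whose attempts match a bot pattern (thresholds assumed)."""
    by_ip = defaultdict(list)
    for row in parse(log_text):
        by_ip[row[1]].append(row)
    findings = {}
    for ip, rows in by_ip.items():
        rows.sort(key=lambda r: r[0])
        reasons = []
        # Transaction velocity: any max_attempts+1 consecutive attempts inside window_s seconds.
        if any((rows[i][0] - rows[i - max_attempts][0]).total_seconds() <= window_s
               for i in range(max_attempts, len(rows))):
            reasons.append(f"velocity: >{max_attempts} attempts within {window_s}s")
        # Carding: one source cycling many distinct cards, mostly at micro-amounts.
        tokens = {r[2] for r in rows}
        micro = sum(1 for r in rows if r[3] < micro_cents)
        if len(tokens) > max_cards and micro * 2 >= len(rows):
            reasons.append(f"carding: {len(tokens)} distinct cards, {micro} micro-amount attempts")
        # Card cracking (OAT-010): the same card token declined repeatedly while CSC/expiry is guessed.
        declined = Counter(r[2] for r in rows if r[4] == "declined")
        if declined and max(declined.values()) >= max_declines:
            reasons.append(f"card cracking: a card token declined >= {max_declines} times")
        if reasons:
            findings[ip] = reasons
    return findings
```

Run against the sample, the carding source is flagged for both velocity and micro-amount card churn, the cracking source only for repeated declines on a single token, and the genuine shopper is not flagged at all.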

Use AVS and CVV

Leverage Address Verification System (AVS) and Card Verification Value (CVV) to confirm that card addresses and CVV codes match the issuing bank's records. Incorporate these features into your payment gateway to make carding attacks more difficult.

Employ Automated Fraud Prevention and Bot Protection Tools

Bot protection solutions with real-time behavioral detection capabilities such as VerifiedVisitors are essential to swiftly identify and block carding and card cracking attempts. These types of attack are usually relatively easy to spot, as they display marked behavioral differences from normal user behavior. Solutions that use old school fingerprinting and IP reputation only are becoming increasingly obsolescent. Take action to defend your websites and APIs from bot attacks now by taking advantage of our free trial.

Zero Trust at the Edge of Network removes the bots before they can do damage and gives you clean data.
