The Threat of Misusing Stolen Card Data: An Introduction to Carding Attacks

March 23, 2020

Organizations face a wide range of cyberattacks. Some, like Denial of Service (DoS) and ransomware attacks, are designed to be destructive, while others are intended to steal sensitive information for the attacker’s use or resale.

Carding attacks mix elements of both of these attacks. Cybercriminals can end up with lists of unvalidated credit card numbers for a variety of reasons. Carding attacks enable them to determine complete, verified information for a payment card, but it also consumes significant resources on legitimate merchants’ webpages. Protecting against carding attacks both ensures that cybercriminals cannot misuse stolen card data and reduces waste of merchants’ computational resources. This is why it’s vital that you protect yourself from credit card theft.

 

Inside the Carding Attack Lifecycle

Carding attacks are only one step in an attack’s lifecycle. Before cybercriminals can test the validity of a list of credit card numbers, they need to have a list to test. A list of validated credit card numbers is typically not the end goal of the attack, so additional stages exist after carding to make use of the new list.

 

  • Before Carding: Card Number Theft

Carding attacks are designed to weed out incorrect credit card information or those that have expired or been cancelled from valid ones. Before performing a carding attack, a cybercriminal needs a list of potential credit card numbers to test. A number of different ways exist for an attacker to gather this information. Many companies collect this type of payment card data in order to autofill payment information for online purchases or for automatic billing (healthcare providers, utilities, etc.).

A method for collecting credit card data that has become popular in recent years is credit card skimming. Credit card skimmers exist almost anywhere that credit cards are used. Physical devices are placed on gas pumps and ATMs, skimming malware is installed on point of sale (PoS) terminals in stores (which enabled the Target credit card leak), and skimming malicious code is embedded in payment pages of legitimate websites. For cybercriminals like the Magecart group, which performed the attack that earned British Airways the biggest General Data Protection Regulation (GDPR) fine to date, collecting a long list of credit cards to try is no problem.

 

  • The Carding Attack

The problem with lists of credit card numbers is that the cybercriminal may not know their provenance. A list purchased from another criminal may consist entirely of new numbers, or it may aggregate numbers from past breaches. If the latter is true, many of these cards may have been cancelled as part of the breach remediation efforts. Additionally, the cybercriminal may not have full card information, including the PIN number needed for online purchases.

Carding attacks are designed to fix this problem. Most credit card PINs are three digits long, meaning that there are 1,000 possible values, which is an entirely guessable and testable number. Many sites may have a mechanism in place to prevent a user from trying 1,000 different payments with the same card but different PIN numbers. However, these sites probably don’t coordinate. If the threshold for mistakes is five attempts per card, then a cybercriminal only requires 200 payment portals to brute-force a card’s PIN number (and probably fewer on average).

Carding attacks take advantage of bots, which perform all of the heavy lifting in the attack. The bot will attempt to make a small purchase with a card, testing a certain set of card details. If the transaction goes through, they have a verified credit card. Otherwise, they move on to the next combination of payment card details on their list.

 

  • Impacts of Carding

Carding attacks are profitable for an attacker since they produce a list of verified and validated credit cards. These fetch a much higher price on the black market since they are guaranteed to work if used shortly after validation. Validated credit cards are extremely useful for online shopping. Once an item has been purchased and shipped by the retailer, the seller has no control over it. As a result, there is no chance of the cybercriminal losing the item even if the owner of the card notices the anomalous transaction and reverses the charge.

With credit card fraud and carding attacks, it is most likely the merchant that pays the price. Credit card companies will reverse a disputed transaction (called a chargeback), meaning that the retailer loses both their inventory and the payment for it.

 

Protecting Against Carding Attacks

Carding attacks can have a significant impact on a merchant’s bottom line. If they are the victim of credit card fraud, they may lose significant amounts of money in chargebacks. On the other hand, if they are one of the sites used in carding attacks, they have their resources wasted by the thousands or millions of fake transactions being performed by cybercriminals attempting to validate a list of credit card information.

The nature of carding attacks makes them relatively easy to detect on a merchant’s website. The site will experience a high number of payment attempts with many failed transactions. This will also include a high rate of cart abandonment if a purchase is designed only to validate a particular card and is abandoned once verification occurs. These attacks are also commonly performed by bots (due to their repetitive and time-consuming nature), and bots often have features that help to differentiate them from human users.

Protecting against carding attacks requires deploying defenses specifically designed to protect against bot-driven attacks. By performing device identification, behavioral analysis, and browser reputation analysis, a bot management system can identify and shut down carding attacks against a merchant’s web presence.
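The detection signals described above (many authorization attempts, a high decline rate, many distinct cards from one client, and approvals that never become orders) can be scored directly from a merchant's payment event log. The following is an added example, not code from the original article or from any bot-management product; the log line format, the field names, the tokenized card identifiers and the thresholds are all assumptions chosen for illustration, and the sample log is constructed. It also adds a site-wide per-card attempt cap, which catches the distributed case where each client only tries a card once.

```python
"""Carding-pattern detector over tokenized payment-attempt log lines.

Added example (not from the original article). Log format, field names and
thresholds are assumptions; a real deployment would read the payment
gateway's own event stream and tune the thresholds to its traffic.
"""
import re
from collections import defaultdict

# Constructed sample log (not real traffic). card= is a gateway token;
# application logs should never contain the card number itself.
SAMPLE_LOG = """\
2020-03-23T10:00:01Z client=198.51.100.7 card=tok_1a amount=1.00 event=auth_declined
2020-03-23T10:00:02Z client=198.51.100.7 card=tok_2b amount=1.00 event=auth_declined
2020-03-23T10:00:03Z client=198.51.100.7 card=tok_3c amount=1.00 event=auth_declined
2020-03-23T10:00:04Z client=198.51.100.7 card=tok_4d amount=1.00 event=auth_approved
2020-03-23T10:00:05Z client=198.51.100.7 card=tok_5e amount=1.00 event=auth_declined
2020-03-23T10:00:06Z client=198.51.100.7 card=tok_6f amount=1.00 event=auth_declined
2020-03-23T10:01:10Z client=203.0.113.20 card=tok_7g amount=59.90 event=auth_approved
2020-03-23T10:01:12Z client=203.0.113.20 card=tok_7g amount=59.90 event=order_placed
2020-03-23T10:02:00Z client=192.0.2.9 card=tok_8h amount=24.00 event=auth_declined
2020-03-23T10:02:30Z client=192.0.2.9 card=tok_8h amount=24.00 event=auth_approved
2020-03-23T10:02:31Z client=192.0.2.9 card=tok_8h amount=24.00 event=order_placed
2020-03-23T10:03:01Z client=203.0.113.31 card=tok_9z amount=0.50 event=auth_declined
2020-03-23T10:03:02Z client=203.0.113.32 card=tok_9z amount=0.50 event=auth_declined
2020-03-23T10:03:03Z client=203.0.113.33 card=tok_9z amount=0.50 event=auth_declined
2020-03-23T10:03:04Z client=203.0.113.34 card=tok_9z amount=0.50 event=auth_declined
2020-03-23T10:03:05Z client=203.0.113.35 card=tok_9z amount=0.50 event=auth_declined
2020-03-23T10:03:06Z client=203.0.113.36 card=tok_9z amount=0.50 event=auth_declined
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) card=(?P<card>\S+) "
    r"amount=(?P<amount>[\d.]+) event=(?P<event>auth_declined|auth_approved|order_placed)$"
)

# Thresholds (assumed values for illustration; tune per merchant).
MIN_ATTEMPTS = 5           # ignore clients with fewer authorization attempts
DECLINE_RATIO = 0.5        # fraction of a client's attempts that were declined
MAX_DISTINCT_CARDS = 3     # cards a single client may try before it looks like a list
ABANDON_RATIO = 0.5        # approved authorizations that never became orders
MAX_ATTEMPTS_PER_CARD = 5  # site-wide cap per card token, regardless of source


def parse_log(text):
    """Parse log lines into dicts, skipping malformed lines instead of crashing."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def client_stats(events):
    """Aggregate attempts, declines, approvals, orders and distinct cards per client."""
    stats = defaultdict(lambda: {"attempts": 0, "declined": 0, "approved": 0,
                                 "orders": 0, "cards": set()})
    for e in events:
        s = stats[e["client"]]
        if e["event"] == "order_placed":
            s["orders"] += 1
            continue
        s["attempts"] += 1
        s["cards"].add(e["card"])
        if e["event"] == "auth_declined":
            s["declined"] += 1
        else:
            s["approved"] += 1
    return stats


def detect_carding(text):
    """Return (kind, identifier, reasons) findings for clients and cards that match carding patterns."""
    events = parse_log(text)
    findings = []
    for client, s in sorted(client_stats(events).items()):
        if s["attempts"] < MIN_ATTEMPTS:
            continue
        reasons = []
        if s["declined"] / s["attempts"] >= DECLINE_RATIO:
            reasons.append(f"decline ratio {s['declined']}/{s['attempts']}")
        if len(s["cards"]) > MAX_DISTINCT_CARDS:
            reasons.append(f"{len(s['cards'])} distinct cards tried")
        abandoned = s["approved"] - s["orders"]
        if s["approved"] and abandoned / s["approved"] >= ABANDON_RATIO:
            reasons.append(f"{abandoned}/{s['approved']} approvals never became orders")
        if reasons:
            findings.append(("client", client, reasons))
    # Per-card view: a distributed attacker sends each attempt from a new client,
    # so cap attempts per card token across the whole site as well.
    per_card = defaultdict(int)
    for e in events:
        if e["event"] != "order_placed":
            per_card[e["card"]] += 1
    for card, n in sorted(per_card.items()):
        if n > MAX_ATTEMPTS_PER_CARD:
            findings.append(("card", card, [f"{n} authorization attempts site-wide"]))
    return findings


if __name__ == "__main__":
    for kind, ident, reasons in detect_carding(SAMPLE_LOG):
        print(f"{kind} {ident}: " + "; ".join(reasons))
```

On the sample, the single client that cycles through six low-value authorizations is flagged on all three per-client signals, the two ordinary shoppers are ignored because they never reach the attempt threshold, and the card token probed once each from six different clients is caught only by the site-wide per-card cap, which is the check a merchant can enforce even though sites do not coordinate with each other.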
