How to help protect your business against carding attacks

Unauthorized transactions using stolen credit card information are an evolving threat to businesses and shoppers alike. As cybercriminals develop increasingly advanced ways to commit fraud, businesses must keep up by adopting best practices to protect their operations and shopper data.

Carding attacks on the rise

A recent report from Juniper Research projects that global losses from online payment fraud will surpass $362 billion over the next five years, with annual losses expected to climb from $38 billion in 2023 to $91 billion by 2028—a 140% increase.[1] An attack vector that continues to present challenges for merchants is “carding,” which rose 134% in 2022 over the prior year.[2]

Carding or card cracking attacks serve as the initial stage in the chain of events that lead to card-not-present (CNP) fraud and are a significant threat to the security and financial well-being of e-commerce organizations. As cybercriminals refine their methods, businesses face an urgent need to implement robust protections to safeguard both their operations and customer data.

No merchant is immune to carding attacks. Merchants of all kinds can be targeted, including financial services, food delivery platforms, rideshare apps, streaming and gaming services, and major online retailers. Read on to learn about the latest strategies and tools that businesses can use to combat carding attacks effectively.

What is a carding attack?

Carding is a form of credit card fraud. Thieves (known as carders) acquire stolen credit card details and leverage bots to perform multiple parallel attempts to authorize the stolen card credentials through legitimate websites to see if the credentials are still valid.

How is it carried out?

Attackers obtain stolen card data by purchasing it from the dark web or directly from consumers through phishing scams and other social engineering techniques. However, because credit cards are often cancelled quickly after being lost or stolen, a significant part of carding involves testing the stolen card information to see if it still works.

What is the validation process?

The actual carding attack happens when the attackers attempt to validate card data. To do this, fraudsters use automated scripts to test numerous compromised credit, debit, and prepaid card credentials on a merchant’s eCommerce site through a series of low-value purchases in an effort to evade detection. The automated process enables fraudsters to efficiently test and validate large volumes of credentials within a short time and even launch carding attacks across multiple eCommerce sites at once. The validated card data is then resold at a higher price on the dark web or used to buy physical products or gift cards.

The weighty consequences that could damage your business

For most merchants, the costs of carding attacks are extensive, and may include:

  • Chargebacks and Disputes: Once a customer reports fraudulent activity on their card to their bank, the bank reverses the charge, which costs the merchant in lost revenue.
  • Fees: The merchant may suffer fees associated with chargebacks, refunds, and other fraud reversal costs, plus interchange fees from credit card partners on every attempted transaction. Networks also have the authority to block a transaction if excessive carding originates from a merchant’s site, which can negatively impact the legitimate transactions being processed on their site.
  • Product Loss: If a fraudster was successful in purchasing product, it’s unlikely the merchant will get that product back once the fraud is detected.
  • Fraud Monitoring Programs: Card networks may require a remediation plan or additional fees if a merchant’s fraud rates are above specified thresholds. Additionally, the merchant may be banned from the card network.
  • Operational Costs: Depending on the size of the carding attack, merchants may need to bolster customer support and outreach, or fortify their IT team, to rebound from the attack.
  • Reputational Damage: Merchants can suffer damage to their reputation as customers who have negative experiences flock to social media and review sites.

Detect and prevent carding attacks with anti-fraud fundamentals

Carding tactics are always changing, so preventing fraudulent card use requires a multi-pronged, layered strategy. Implementing strategic data management as well as checkout-based anti-carding measures are two important ways that businesses can better protect against carding.

Manage data effectively to help shield against fraud

Storing and using data effectively can help businesses better understand transaction patterns and improve fraud protection. Fraudsters often use virtual devices for bot attacks, which targeted data analysis and machine learning models can quickly detect. Other data practices that can help deter carding include:

  • Creating shopper profile registration to collect customer data and open more avenues for account validation. Profiles can be used to create filters and set limits on accounts with suspicious profile attributes.
  • Managing customer accounts by deleting inactive profiles, reducing card attempts for new users, and cancelling accounts with multiple failed transactions. Good data housekeeping limits the loopholes and exceptions in fraud filters that fraudsters can probe for. Account management also includes limiting the number of changes to shipping and billing addresses, and even restricting accounts that make too many such changes until the consumer re-authenticates.
  • Restricting suspicious accounts, such as those with multiple failed transactions or many changes to personal information in a short period.
  • Collecting device data, which can help identify one-to-many payment attempts. Transaction velocity checks for device attributes can also help identify bot attacks, especially when fraudsters are employing only a handful of virtual devices.
  • Using email lookup and verification services. An email lookup service at registration can validate whether an email is related to bot attacks. The result can be sent to a fraud tool and used in filters to determine the riskiness of the transaction. Third-party vendors can provide enhanced data for this purpose.
  • Controlling back-end systems access with IP-based restrictions, complex passwords, rotating API keys, maintaining a minimum number of users, and multi-factor authentication to maximize security.

Catch carding at checkout

Checkout is the last line of defense against carding, so it’s critical for businesses to implement a range of checkout-based safeguards.

  • AVS/CVV verification. This is considered one of the primary defenses against unauthorized card use. Accepting only verified card information provides the best coverage. The Card Verification Value (CVV) system checks the card’s 3- or 4-digit security code and verifies it during authorization. There are many configuration options to consider (see PayPal/Braintree developer documentation), some of which can reduce the effectiveness of these features, so accepting only verified values is the best approach. For merchants with customers in the US, Canada and the UK, the Address Verification System (AVS) checks a buyer's billing address at checkout against the address the credit card company has on file. The credit card company responds immediately to inform you whether the billing address matches. As with CVV, accepting only verified addresses provides higher protection.
  • reCAPTCHA for bot detection. CAPTCHA (text-based challenges) and reCAPTCHA (photo challenges) technology enables web hosts to distinguish between human and automated access to websites. While technology exists to overcome rudimentary CAPTCHA, most threat actors and fraudsters prefer targets with the least resistance and will abandon attempts on sites with this technology, making it a key layer in carding prevention.
  • Velocity checks and limits on your shopping cart. Velocity is the number or speed of payments made within a certain period, for example, 10 payments sent from the same customer within seconds or minutes of each other. Monitoring this activity on your site is essential. Even on donation sites, making low-dollar donations in rapid succession may be unusual for a user. Payment velocity can be monitored by dollar amount, user IP, billing address, BIN, or device. By limiting the attempts in one checkout session, you have visibility into the number of shopping cart declines, which may assist in identifying a possible carding situation.
  • Honeypot fields. These are additional checkout fields that are invisible to genuine customers and trick bots into revealing themselves by filling in values. Businesses can block malicious script or automated attacks when they detect values in these hidden fields.
  • Address verification. Using an address lookup service at checkout can verify legitimate addresses and help catch cybercriminals using pre-generated billing or shipping addresses.
  • Restrictions on high-risk items. Fraudsters favor gift and prepaid cards, for example, and implementing limitations on these items is a strong protective measure. Other high-risk restrictions could include rules like “only 1 newly launched product per customer.”
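The checkout safeguards listed above (honeypot fields, a per-session attempt cap, velocity by device, IP and BIN, and a strict AVS/CVV policy), together with the device-data one-to-many detection from the data-management list, fit together as one pre-authorization screen plus one post-authorization policy. The following Python is an added example of mine, not code from PayPal or Braintree: the window length, the limits, the honeypot field names and the sample burst are constructed values, and the AVS/CVV response letters assumed in `accept_verification` should be confirmed against the developer documentation for your integration.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Policy values below are constructed for this example, not gateway defaults.
WINDOW_SECONDS = 600           # velocity window: 10 minutes
MAX_ATTEMPTS_PER_SESSION = 3   # card attempts allowed in one checkout session
VELOCITY_LIMITS = {"device_id": 5, "ip": 10, "card_bin": 8}  # attempts per key per window
HONEYPOT_FIELDS = ("website", "fax")  # hidden form fields a genuine customer never sees


@dataclass
class Attempt:
    ts: float          # unix seconds
    session_id: str
    device_id: str     # device fingerprint collected at checkout
    ip: str
    card_bin: str      # first six digits of the card number
    amount: float
    form: dict         # submitted fields, including the hidden honeypot fields


@dataclass
class ScreenState:
    # (key name, key value) -> timestamps of recent attempts, pruned to the window
    recent: dict = field(default_factory=lambda: defaultdict(deque))
    session_attempts: dict = field(default_factory=lambda: defaultdict(int))


def _count_in_window(q: deque, now: float) -> int:
    """Drop timestamps older than the window and return how many remain."""
    while q and now - q[0] > WINDOW_SECONDS:
        q.popleft()
    return len(q)


def pre_auth_screen(a: Attempt, state: ScreenState) -> list:
    """Return the rules this attempt trips; an empty list means it may go to the gateway."""
    reasons = []
    # Honeypot: a value in a hidden field means a script, not a person, filled the form.
    if any(a.form.get(name) for name in HONEYPOT_FIELDS):
        reasons.append("honeypot_filled")
    # Per-session cap on card attempts, so one cart cannot cycle through many cards.
    state.session_attempts[a.session_id] += 1
    if state.session_attempts[a.session_id] > MAX_ATTEMPTS_PER_SESSION:
        reasons.append("session_attempt_cap")
    # Velocity by device, IP and BIN; the device key catches one-to-many attempts
    # even when each attempt arrives in a fresh session.
    for key, limit in VELOCITY_LIMITS.items():
        q = state.recent[(key, getattr(a, key))]
        q.append(a.ts)
        if _count_in_window(q, a.ts) > limit:
            reasons.append("velocity_" + key)
    return reasons


# Verification results come back with the authorization response. Braintree documents
# single-letter AVS and CVV response codes (assumed here: M = match, N = no match,
# U = unverified, I = not provided); confirm the exact set in the developer documentation.
def accept_verification(cvv_code: str, avs_postal_code: str, avs_street_code: str) -> bool:
    """'Verified values only' policy: anything other than a full match is rejected."""
    return cvv_code == "M" and avs_postal_code == "M" and avs_street_code == "M"


if __name__ == "__main__":
    state = ScreenState()
    # Constructed burst: one device cycling cards through fresh sessions, 1 USD each.
    for i in range(8):
        attempt = Attempt(ts=i * 5, session_id="s%d" % i, device_id="dev-A",
                          ip="203.0.113.7", card_bin="41111%d" % i, amount=1.00, form={})
        print(i, pre_auth_screen(attempt, state))
    print(accept_verification("M", "M", "N"))  # street mismatch is rejected
```

The per-session cap and the device velocity key are deliberately separate: a script that opens a new session for every card defeats the session cap but not the device counter. The strict `accept_verification` policy assumes AVS is available; since the article notes AVS covers US, Canadian and UK cardholders, a merchant selling elsewhere would apply the AVS part of the rule only where the issuer supports it.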

Advanced anti-fraud measures

While it is best practice to configure Basic Fraud Tools to protect your account from more standard forms of payment fraud, complex fraud schemes require more advanced capabilities. PayPal Braintree offers a few features within its Fraud Protection Advanced (FPA) solution that specifically address carding attacks.

  • Anti-carding filters can be configured to help businesses spot sophisticated attacks by identifying specific transaction velocities as well as pinpointing certain timeframes, origin by card country, IP, BIN, and device. Additionally, FPA detects patterns of quickly created new entities, such as emails, which fraudsters often use to bypass standard velocity rules. Alongside the carding prevention capabilities built into the payment processing platforms, these filters provide an additional layer of protection for merchants.
  • Transaction risk scoring references past transaction information to determine whether a particular transaction is high risk. FPA is powered by machine learning that can help make filters smarter and reduce misidentification of valid transactions. To assess risk, it scans through your transaction processing data and compares hundreds of attributes from similar transactions in real time, leveraging data from our massive merchant and consumer network to assign a risk score.
  • Combining Fraud Protection Advanced filters with Braintree Risk thresholds for advanced use cases. This helps ensure that bad transactions are stopped, while good transactions continue to be processed. Combining carding filters and risk thresholds can help increase fraud-targeting accuracy. These checks happen before the transaction is sent to the issuer, a mechanism designed to help prevent a high number of chargebacks and issuer penalties.
  • Custom fields allow merchants to vet attributes such as an address or the age of an email with third-party services, which can provide more information to make risk assessments and catch cybercriminals. They can also be leveraged to capture attributes unique to a business or industry, for example, “high risk product” or “transactions coming from call center”.

How PayPal Braintree is helping businesses combat carding

PayPal Braintree is a single-integration payment processing platform that helps businesses fight fraud while simplifying transactions. With customizable rules to fit any business and optional advanced protection for additional security, Braintree fraud tools help businesses keep themselves and their shoppers safe.

Weee! — one of the largest online Asian supermarkets in the United States — implemented PayPal Braintree’s fraud solutions and was able to significantly reduce the potential risk of attacks by:

  • Reducing the number of invalid calls to the Braintree gateway by lowering the card-binding (linking a card to an account) attempt limit within a 24-hour period from 10 to 3.
  • Automatically abandoning requests from canceled accounts during card binding to better prevent unnecessary processing and potential security risks.
  • Canceling accounts with more than 5 attack error codes in a 24-hour period.
  • Adjusting its reCAPTCHA scheme to increase protection against attacks from automated tools and scripts.
  • Deactivating accounts with repeated failed transactions.
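Four of the five controls in Weee!'s list are account-level state, and the following added Python example (mine, not Weee!'s or Braintree's code) shows how they combine into one per-account policy: the card-binding attempt limit of 3 per 24 hours, dropping binding requests from canceled accounts before they reach the gateway, cancellation after more than 5 attack error codes in 24 hours, and deactivation after repeated failed transactions. The error classes that count as "attack" errors and the failure count that triggers deactivation are assumptions; the reCAPTCHA adjustment is a client-side control and is not modelled.

```python
from collections import deque
from dataclasses import dataclass, field

DAY = 24 * 3600
MAX_CARD_BINDINGS_PER_DAY = 3       # article: lowered from 10 to 3
MAX_ATTACK_ERRORS_PER_DAY = 5       # article: cancel after more than 5 in 24 hours
MAX_CONSECUTIVE_FAILED_TXNS = 10    # constructed: the article gives no number
# Constructed labels for gateway declines treated as attack signals; map your own
# gateway's response codes onto these classes.
ATTACK_ERROR_CLASSES = {"possible_fraud", "cvv_mismatch", "invalid_card_number"}


@dataclass
class Account:
    id: str
    status: str = "active"   # active | canceled | deactivated
    bindings: deque = field(default_factory=deque)       # timestamps of binding attempts
    attack_errors: deque = field(default_factory=deque)  # timestamps of attack-class errors
    consecutive_failures: int = 0


def _prune(q: deque, now: float, window: float = DAY) -> None:
    """Discard timestamps that have fallen out of the rolling window."""
    while q and now - q[0] >= window:
        q.popleft()


def try_bind_card(acct: Account, now: float) -> str:
    """Decide what to do with a card-binding request: forward, rate_limited or drop."""
    if acct.status != "active":
        return "drop"            # canceled/deactivated accounts never reach the gateway
    _prune(acct.bindings, now)
    if len(acct.bindings) >= MAX_CARD_BINDINGS_PER_DAY:
        return "rate_limited"    # limit hit for this 24-hour window
    acct.bindings.append(now)
    return "forward"


def record_gateway_result(acct: Account, now: float, ok: bool, error_class: str = "") -> str:
    """Update account state from a gateway response and return the resulting status."""
    if ok:
        acct.consecutive_failures = 0
        return acct.status
    acct.consecutive_failures += 1
    if error_class in ATTACK_ERROR_CLASSES:
        _prune(acct.attack_errors, now)
        acct.attack_errors.append(now)
        if len(acct.attack_errors) > MAX_ATTACK_ERRORS_PER_DAY:
            acct.status = "canceled"
    if acct.status == "active" and acct.consecutive_failures >= MAX_CONSECUTIVE_FAILED_TXNS:
        acct.status = "deactivated"
    return acct.status


if __name__ == "__main__":
    # Constructed walk-through: an account that binds cards until limited, then
    # collects attack-class declines until it is canceled.
    acct = Account("shopper-42")
    print([try_bind_card(acct, t) for t in (0, 60, 120, 180)])
    for t in range(6):
        print(t, record_gateway_result(acct, 1000 + t, ok=False, error_class="possible_fraud"))
    print(try_bind_card(acct, 2000))  # canceled account: request is dropped
```

Keeping the binding counter separate from the error counter matters: a carder who is rate-limited on bindings but keeps submitting through existing cards still accumulates attack-class errors, and a canceled account is refused before any gateway call is made, which is the "invalid calls" reduction the write-up describes.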

Explore how PayPal is helping businesses fight fraud and improve risk decisions with advanced solutions and smart technology. PayPal’s Fraud Protection Advanced uses machine learning and analytics to help protect businesses from fraud and adapt to an ever-evolving payments landscape.

Learn more about how PayPal is helping merchants address changing fraud.
