Uncovering Bots in eCommerce: Carding
What do eCommerce businesses need to know about carding?
No one wants to be a victim of payment carding fraud, yet more of us are falling foul to the myriad of techniques used by hackers to steal payment card information and use it for their own gain. To mitigate this malicious activity, it is vital that eCommerce sites apply security measures that protect consumers and sellers alike from carding and other major bot threats.
Without the necessary security in place, eCommerce businesses are vulnerable to automated bot attacks, such as “carding” techniques to acquire and validate consumer payment card details.
What is carding?
Carding or card stuffing is the illegal use of credit or debit cards by unauthorized people (carders) to buy a product.
To successfully carry out this fraudulent activity, multiple payment authorization attempts are used to validate stolen payment card information in bulk and gain access to an account to test the legitimacy of thousands of stolen credit card numbers.
When limited cardholder data is available, and the expiry date and security code are unknown, the process is instead known as card cracking.
How are bots used to carry out carding?
Bots come in pretty handy when carrying out any carding activity, enabling the attacker to try multiple values quickly, and identify the missing start and expiry dates and security codes for payment card data.
Carding in eCommerce
Carding typically starts with a hacker gaining access to a store or website’s credit card processing system. The attacker then has a useful list of credit or debit cards that were recently used to make a purchase, at their disposal. Fraudsters typically use this information to purchase gift cards to buy goods that can be sold on for a profit.
For online retailers, carding is a huge problem that must be addressed to prevent loss of revenue due to credit card charge-backs, loss of goods and frustrated customers with empty gift cards.
Detecting carding in eCommerce
In some cases, quickly and accurately identifying instances of carding can be a challenge, because they look like typical consumer transactions. These attacks are even more difficult to detect when the fraud is committed by multiple individuals
Bots mimic human behavior to carry out activity that is innate to the business’ functionality, such as customer complaints about unauthorized purchases. However, some of this activity is more recognizably bot-like behavior. For instance:
– Sudden spikes in unsuccessful payment attempts
– Payment attempts with an empty cart
– Elevated basket abandonment
– Inconsistent use of the payment step
Proactive steps should be taken to ensure that these hallmarks of bad bot behavior are quickly identified and the attack stopped in its tracks.
How to Mitigate carding in eCommerce
Carding is among the top 20 automated global security threats. To mitigate the risk to consumers and businesses alike, retailers can consider removing guest checkout to strengthen the multi-factor authentication that is required by the 2019 PSD2 legislation.
To quickly and accurately prevent carding, it is vital to implement a real-time bot protection solution to monitor activity. If your business is affected, it’s good practice to let all your customers know about that. Asking them to change their passwords and other login information.
Netacea’s Intent Analytics™ engine allows you to shut down automated carding attacks and protect your business with incredible speed and accuracy. Our dedicated bot mitigation solution takes a different approach and effectively eliminates carding attacks by analyzing user behavior and intent, enabling the automatic blocking of malicious bots before consumer accounts are compromised.
