Uncovering Bots in eCommerce: Carding
Published: 01/04/2020

Uncovering Bots in eCommerce: Carding

  • Netacea, Agentless Bot Management

3 minutes read

What do eCommerce businesses need to know about carding?

No one wants to be a victim of payment card fraud, yet more of us are falling foul to the myriad of techniques used by hackers to steal payment card information and use it for their own gain. To mitigate this malicious activity, it is vital that eCommerce sites apply security measures that protect consumers and sellers alike from carding and other major bot threats.

Without the necessary security in place, eCommerce businesses are vulnerable to automated bot attacks, such as “carding” techniques to acquire and validate consumer payment card details. Carding or card stuffing is the illegal use of credit or debit cards by unauthorized people (carders) to buy a product.

To successfully carry out this fraudulent activity, multiple payment authorization attempts are used to validate stolen payment card information in bulk and gain access to an account to test the legitimacy of thousands of stolen credit card numbers.

When limited cardholder data is available, and the expiry date and security code are unknown, the process is instead known as card cracking.

Bots come in pretty handy when carrying out any carding activity, enabling the attacker to try multiple values quickly, and identify the missing start and expiry dates and security codes for payment card data.

Carding in eCommerce

Carding typically starts with a hacker gaining access to a store or website’s credit card processing system. The attacker then has a useful list of credit or debit cards that were recently used to make a purchase, at their disposal. Fraudsters typically use this information to purchase gift cards to buy goods that can be sold on for a profit.

For online retailers, carding is a huge problem that must be addressed to prevent loss of revenue due to credit card charge-backs, loss of goods and frustrated customers with empty gift cards.

Detecting carding in eCommerce

In some cases, quickly and accurately identifying instances of carding can be a challenge, because they look like typical consumer transactions. These attacks are even more difficult to detect when the fraud is committed by multiple individuals

Bots mimic human behavior to carry out activity that is innate to the business’ functionality, such as customer complaints about unauthorized purchases. However, some of this activity is more recognizably bot-like behavior. For instance:

  • Sudden spikes in unsuccessful payment attempts
  • Payment attempts with an empty cart
  • Elevated basket abandonment
  • Inconsistent use of the payment step

Proactive steps should be taken to ensure that these hallmarks of bad bot behavior are quickly identified and the attack stopped in its tracks.

Mitigating carding in eCommerce

Carding is among the top 20 automated global security threats. To mitigate the risk to consumers and businesses alike, retailers can consider removing guest checkout to strengthen the multi-factor authentication that is required by the 2019 PSD2 legislation.

To quickly and accurately prevent carding, it is vital to implement a real-time bot protection solution to monitor activity. If your business is affected, it’s good practice to let all your customers know about that. Asking them to change their passwords and other login information.

Netacea’s Intent Analytics™ engine allows you to shut down automated carding attacks and protect your business with incredible speed and accuracy. Our dedicated bot mitigation solution takes a different approach and effectively eliminates carding attacks by analyzing user behavior and intent, enabling the automatic blocking of malicious bots before consumer accounts are compromised.

Uncovering Bots in eCommerce – Join us for the LIVE webinar: 4pm, Thursday 14th May Register now

Schedule Your Demo

Tired of your website being exploited by malicious malware and bots?

We can help

Subscribe and stay updated

Insightful articles, data-driven research, and more cyber security focussed content to your inbox every week.


By registering, you confirm that you agree to Netacea's privacy policy.