Uncovering Bots in eCommerce: Carding

Alex McConnell

    What do eCommerce businesses need to know about carding?

    No one wants to be a victim of payment carding fraud, yet more of us are falling foul of the myriad techniques hackers use to steal payment card information and exploit it for their own gain. To mitigate this malicious activity, it is vital that eCommerce sites apply security measures that protect consumers and sellers alike from carding and other major bot threats.

    Without the necessary security in place, eCommerce businesses are vulnerable to automated bot attacks, such as “carding” techniques to acquire and validate consumer payment card details. 

    What is carding?

    Carding or card stuffing is the illegal use of credit or debit cards by unauthorized people (carders) to buy a product.

    To carry out this fraud, carders make multiple payment authorization attempts to validate stolen payment card information in bulk, gaining access to an account in order to test the legitimacy of thousands of stolen credit card numbers.

    When limited cardholder data is available, and the expiry date and security code are unknown, the process is instead known as card cracking.

    How are bots used to carry out carding?

    Bots come in pretty handy when carrying out any carding activity, enabling the attacker to try multiple values quickly, and identify the missing start and expiry dates and security codes for payment card data.

    Carding in eCommerce

    Carding typically starts with a hacker gaining access to a store or website’s credit card processing system. The attacker then has at their disposal a useful list of credit or debit cards that were recently used to make a purchase. Fraudsters typically use this information to purchase gift cards to buy goods that can be sold on for a profit.

    For online retailers, carding is a huge problem that must be addressed to prevent loss of revenue due to credit card charge-backs, loss of goods and frustrated customers with empty gift cards.

    Detecting carding in eCommerce

    In some cases, quickly and accurately identifying instances of carding can be a challenge, because they look like typical consumer transactions. These attacks are even more difficult to detect when the fraud is committed by multiple individuals.

    Bots mimic human behavior to carry out activity that is innate to the business’ functionality, such as customer complaints about unauthorized purchases. However, some of this activity is more recognizably bot-like behavior. For instance:

    – Sudden spikes in unsuccessful payment attempts

    – Payment attempts with an empty cart

    – Elevated basket abandonment

    – Inconsistent use of the payment step

    Proactive steps should be taken to ensure that these hallmarks of bad bot behavior are quickly identified and the attack stopped in its tracks.
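
    The checks below are an added example, not code from the original article or from Netacea: a minimal per-client detector for three of the hallmarks listed above (a spike in unsuccessful payment attempts, payment with an empty cart, and reaching the payment step without the cart step). The event names, tuple layout, sample events and thresholds are all assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

T0 = datetime(2024, 1, 1, 12, 0, 0)

def at(seconds):
    return T0 + timedelta(seconds=seconds)

# Constructed sample events: (time, client, event, cart_items, outcome).
# "sess-a" is an ordinary shopper; "sess-b" hits the payment step directly.
EVENTS = [
    (at(0), "sess-a", "view_cart", 2, None),
    (at(40), "sess-a", "payment", 2, "declined"),
    (at(90), "sess-a", "payment", 2, "approved"),
] + [(at(10 + 20 * i), "sess-b", "payment", 0, "declined") for i in range(5)]

def flag_carding(events, window=timedelta(minutes=5), max_declines=3):
    """Return {client: set of reasons} for clients showing the hallmarks.

    window and max_declines are assumed thresholds; tune them to real traffic.
    """
    declines = defaultdict(deque)  # client -> times of recent declined payments
    seen_cart = set()              # clients that reached the cart step first
    flags = defaultdict(set)
    for ts, client, event, cart_items, outcome in sorted(events, key=lambda e: e[0]):
        if event == "view_cart":
            seen_cart.add(client)
            continue
        if event != "payment":
            continue
        if cart_items == 0:
            flags[client].add("empty_cart_payment")
        if client not in seen_cart:
            flags[client].add("skipped_cart_step")
        if outcome == "declined":
            recent = declines[client]
            recent.append(ts)
            # Drop declines that have aged out of the sliding window.
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) > max_declines:
                flags[client].add("decline_spike")
    return dict(flags)

if __name__ == "__main__":
    for client, reasons in flag_carding(EVENTS).items():
        print(client, sorted(reasons))
```

    Keying on a single client identifier misses attempts spread across many sessions, which is the harder case the article describes; the same counters can also be aggregated site-wide to catch an overall spike in declines.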

    How to mitigate carding in eCommerce

    Carding is among the top 20 automated global security threats. To mitigate the risk to consumers and businesses alike, retailers can consider removing guest checkout to strengthen the multi-factor authentication that is required by the 2019 PSD2 legislation.

    To quickly and accurately prevent carding, it is vital to implement a real-time bot protection solution to monitor activity. If your business is affected, it’s good practice to let all your customers know and ask them to change their passwords and other login information.

    Netacea’s Intent Analytics™ engine allows you to shut down automated carding attacks and protect your business with incredible speed and accuracy. Our dedicated bot mitigation solution takes a different approach and effectively eliminates carding attacks by analyzing user behavior and intent, enabling the automatic blocking of malicious bots before consumer accounts are compromised.
