Published: 08/06/2022

Card Cracking

What is card cracking and how can you protect your customers?

Brute force attacks are increasingly used to gain access to online accounts. Hackers and cybercriminals use bots to perform automated attacks on websites, mobile apps, APIs, and web applications, allowing them to steal data and/or money at scale.

Card cracking is one of the most common brute force attacks. It puts businesses and customers at risk of fines and fraud — so what is card cracking, and how can you prevent it from affecting your business and customers?

What is a carding attack?

Card cracking, also known as carding, is when attackers use automated bots to verify credit or debit card details. Criminals usually steal or buy full or partial payment details from the dark web, then use brute force to find the missing fields (such as CVC code and expiry date).

When hackers verify the correct payment details, they can use them to:

  • Transfer funds to their own accounts
  • Make unauthorized purchases and fraudulent checks
  • Take over customer bank accounts
  • File false fraud claims
  • Sell the details online.

How does card cracking work?

In a card cracking scheme, bots attempt to make online purchases using a series of card details until the payment is successfully processed. Depending on the information already known to attackers, carding can involve verifying full card details, or finding missing values such as security numbers, zip codes, and expiry dates.

As bots become more sophisticated, card cracking scams are becoming more successful. Any business with a payment gateway can be targeted by a card cracking scheme, so it’s important to be vigilant about your online security, particularly bot management.

The consequences of card cracking

Card cracking causes serious problems for businesses and customers alike. From fraud to chargebacks, here’s why you need to be aware of carding:

Customer fraud and reputation damage

Compromised payment details can lead to false fraud claims, bank account takeover, and even identity theft. This causes significant anxiety and concern for your customers — and ultimately it can damage the reputation of your business. Loss of consumer trust often translates to decreased revenue, so it’s essential to minimize the risk of fraud.


Stolen funds need to be repaid by the business liable for the loss. As a result, businesses that are the victim of card cracking are often culpable for chargebacks and fees. When a customer reports a fraudulent payment, the bank or payment processor can charge you for the transaction. Each chargeback damages your reputation with the payment processor, which can ultimately lead to them withdrawing their services.

Data loss

Stolen or compromised data can be a breach of data privacy law. If you allow payment details to be stolen or verified as a result of a carding attack, you can be subject to significant fines under GDPR or CCPA regulations.

Rate limiting

If you experience sustained or numerous carding attacks that use a lot of bandwidth, you may be forced to impose rate limiting. As a result, both bots and legitimate users may be blocked from using your site. When you block genuine customers, you’re likely to lose sales to competing websites.

How to protect your customers from card cracking

Protecting your customers from card cracking bots should be a priority for any online business. Here are four widely used bot mitigation techniques:

  • Device fingerprinting — using information from a device to create a profile of the user, you can determine if they are human, a good bot, or a bad bot
  • Human verification challenges — CAPTCHA and cookie challenges can help you verify your human users, though they tend to cause user experience problems
  • Blacklisting — you can manually blacklist specific IP addresses and user agents if you notice they’re sending a lot of rogue traffic to your site
  • Dedicated bot management — bot management software allows you to monitor your site traffic in real-time, so you can block malicious bots before they have a chance to verify your customers’ card details or bank account information.

Bot mitigation software prevents all kinds of malicious bot traffic from visiting your site. This reduces the risk of card cracking attacks, but can also help you avoid:

All these attacks are typically performed by sophisticated bots. To make sure your website has optimal security, you need a solution that can cope with highly targeted volumetric attacks on your payment gateway.

Why all site owners should be aware of card cracking

Some business owners or site administrators don’t think they’re at risk of bot attacks or card cracking scams. However, even the smallest e-commerce businesses can be targeted by carding attacks. Small companies typically don’t invest in stringent security measures, and may neglect to monitor their site traffic. This allows fraudulent bots to exploit their weak security and verify card details with ease.

Carding attacks often happen during events like Black Friday, Cyber Monday, and January sales — when site traffic and purchases are highest. This can make it difficult to spot carding attacks as they’re happening, increasing the chances of successful card verification.

The real cost of carding attacks

Carding attacks and card cracking cost businesses billions of dollars every year in chargebacks, fines, and lost revenue. Take a look at the real results of card cracking for businesses and find out why you need to invest in the right bot protection.

Schedule Your Demo

Tired of your website being exploited by malicious malware and bots?

We can help

Subscribe and stay updated

Insightful articles, data-driven research, and more cyber security focussed content to your inbox every week.


By registering, you confirm that you agree to Netacea's privacy policy.