Card Cracking


    What is card cracking and how can you protect your customers?

    Brute force attacks are increasingly used to gain access to online accounts. Hackers and cybercriminals use bots to perform automated attacks on websites, mobile apps, APIs, and web applications, allowing them to steal data and/or money at scale.

    Card cracking is one of the most common brute force attacks. It puts businesses and customers at risk of fines and fraud — so what is card cracking, and how can you prevent it from affecting your business and customers?

    What is a carding attack?

    Card cracking is closely related to carding, and the two terms are often used interchangeably. Strictly, carding is testing stolen full card details against a merchant to find out which cards are still live, while card cracking is brute forcing the fields the attacker does not have. In both cases criminals steal or buy full or partial payment details (typically on dark web marketplaces), then use automated bots to run the missing values (such as the CVC/CVV code, expiry date and billing postcode) against a payment form until a combination is accepted.

    Once a card has been verified, attackers can use it to:

    • Transfer funds to accounts they control
    • Make unauthorized purchases and fraudulent checks
    • Take over the customer's bank account
    • File false fraud claims
    • Sell the verified details online.

    How does card cracking work?

    In a card cracking scheme, bots submit a stream of small purchases or authorization requests, varying the card fields on each attempt until the payment gateway accepts one. Depending on what the attacker already holds, that can mean verifying complete card details (carding) or finding the missing values, such as the security code, billing zip code or expiry date (card cracking). The search space is small: a three-digit CVV has only 1,000 possible values and an expiry date only a few dozen plausible month/year pairs, so a bot that can make a few thousand attempts, often spread across several merchants so that no single site sees the whole run, will typically finish in minutes.

    As bots become more sophisticated, card cracking scams are becoming more successful. Any business with a payment gateway can be targeted by a card cracking scheme, so it’s important to be vigilant about your online security, particularly bot management.
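    To make the pattern concrete, here is an added example (not Netacea's code and not from the original page) that runs two detection rules over a constructed batch of payment-gateway authorization log lines. The log layout, field names, IP addresses, card numbers (industry test BINs) and thresholds are all assumptions for illustration. It separates the two behaviours described above: one source cycling expiry and CVV against a single card (card cracking) versus one source trying many different cards with a high decline ratio (carding), while leaving an ordinary shopper's single typo alone.

```python
"""
Spotting card cracking and carding in payment-gateway authorization logs.

Added example: not Netacea's code and not from the original page. The log
layout, thresholds and addresses below are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample (not real gateway output). One authorization attempt
# per line: time, client IP, BIN (first six), last four, expiry sent, result.
# Only the masked PAN is logged; the CVV value itself is never written.
SAMPLE_LOG = """
# 203.0.113.7 hammers one card, cycling expiry and CVV until it is accepted
2024-03-01T10:00:01Z 203.0.113.7 411111 1111 12/25 cvv_mismatch
2024-03-01T10:00:02Z 203.0.113.7 411111 1111 12/25 cvv_mismatch
2024-03-01T10:00:02Z 203.0.113.7 411111 1111 12/25 cvv_mismatch
2024-03-01T10:00:03Z 203.0.113.7 411111 1111 01/26 cvv_mismatch
2024-03-01T10:00:03Z 203.0.113.7 411111 1111 01/26 cvv_mismatch
2024-03-01T10:00:04Z 203.0.113.7 411111 1111 02/26 approved
# 198.51.100.20 tests a batch of different stolen cards to see which are live
2024-03-01T10:01:00Z 198.51.100.20 555555 4444 03/27 declined
2024-03-01T10:01:01Z 198.51.100.20 400000 0002 09/26 declined
2024-03-01T10:01:01Z 198.51.100.20 371449 8431 11/25 approved
2024-03-01T10:01:02Z 198.51.100.20 601111 1117 05/26 declined
2024-03-01T10:01:02Z 198.51.100.20 378282 0005 04/27 cvv_mismatch
2024-03-01T10:01:03Z 198.51.100.20 222300 0008 08/26 declined
# 192.0.2.33 is an ordinary shopper who mistypes the CVV once
2024-03-01T10:05:00Z 192.0.2.33 520000 1005 03/27 cvv_mismatch
2024-03-01T10:05:20Z 192.0.2.33 520000 1005 03/27 approved
"""

DECLINE_RESULTS = {"declined", "cvv_mismatch", "expired", "avs_mismatch"}


@dataclass(frozen=True)
class AuthEvent:
    ts: datetime
    ip: str
    card: str      # masked PAN, e.g. "411111******1111"
    expiry: str
    result: str


def parse_log(text: str) -> list:
    """Parse the constructed log format; '#' starts a comment."""
    events = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, ip, bin6, last4, expiry, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(AuthEvent(when, ip, f"{bin6}******{last4}", expiry, result))
    return events


def find_card_cracking(events, min_attempts=5, min_mismatch=3, min_expiries=2):
    """One source hitting one card repeatedly while varying expiry/CVV."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e.ip, e.card)].append(e)
    findings = []
    for (ip, card), evs in by_pair.items():
        mismatches = sum(e.result == "cvv_mismatch" for e in evs)
        expiries = {e.expiry for e in evs}
        if len(evs) >= min_attempts and (mismatches >= min_mismatch or len(expiries) >= min_expiries):
            findings.append({
                "type": "card_cracking", "ip": ip, "card": card,
                "attempts": len(evs), "cvv_mismatches": mismatches,
                "distinct_expiries": len(expiries),
                "cracked": any(e.result == "approved" for e in evs),
            })
    return findings


def find_carding(events, min_cards=5, min_decline_ratio=0.5):
    """One source testing many different cards with mostly declines."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    findings = []
    for ip, evs in by_ip.items():
        cards = {e.card for e in evs}
        ratio = sum(e.result in DECLINE_RESULTS for e in evs) / len(evs)
        if len(cards) >= min_cards and ratio >= min_decline_ratio:
            findings.append({"type": "carding", "ip": ip, "attempts": len(evs),
                             "distinct_cards": len(cards), "decline_ratio": ratio})
    return findings


def analyse(text: str) -> list:
    events = parse_log(text)
    return find_card_cracking(events) + find_carding(events)


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

    The two rules are deliberately keyed differently: card cracking is visible per (source, card) because the card is the one thing the bot keeps fixed, whereas carding shows up per source as a long list of distinct cards. In production the same logic would run over a sliding time window and key on a device fingerprint or session as well as the IP, since the bot will rotate addresses.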

    The consequences of card cracking

    Card cracking causes serious problems for businesses and customers alike. From fraud to chargebacks, here’s why you need to be aware of carding:

    Customer fraud and reputation damage

    Compromised payment details can lead to false fraud claims, bank account takeover, and even identity theft. This causes significant anxiety and concern for your customers — and ultimately it can damage the reputation of your business. Loss of consumer trust often translates to decreased revenue, so it’s essential to minimize the risk of fraud.

    Chargebacks and fees

    Stolen funds have to be repaid by whoever is liable for the loss, and for card-not-present transactions that is usually the merchant. Businesses hit by card cracking therefore end up carrying the chargebacks and associated fees: when a customer reports a fraudulent payment, the bank or payment processor charges the transaction back to you. Each chargeback also counts against your standing with the processor, and a high chargeback ratio can ultimately lead to them withdrawing their services.

    Data loss

    Stolen or compromised payment data can also be a breach of data protection law. If a carding attack is able to verify or extract cardholder details because of weak controls on your site, you may face significant fines under regulations such as GDPR or CCPA.

    Rate limiting

    If you experience sustained or high-volume carding attacks, you may be forced to impose blunt rate limits on your checkout or payment API. Limits keyed only on IP address block legitimate users as well as bots, especially customers behind shared NAT or mobile carrier addresses, and every genuine customer you block is likely to take their purchase to a competitor.

    How to protect your customers from card cracking

    Protecting your customers from card cracking bots should be a priority for any online business. Here are four widely used bot mitigation techniques:

    • Device fingerprinting, which uses attributes of the client device and browser to build a profile of the visitor and decide whether it is a human, a good bot or a bad bot
    • Human verification challenges, such as CAPTCHAs and cookie challenges, which help confirm that a user is human, although they add friction at checkout and are routinely farmed out by attackers to CAPTCHA-solving services
    • Blacklisting, where you manually block specific IP addresses and user agents that are sending rogue traffic to your site; this is cheap but short-lived, because carding bots rotate through proxy pools and change user agents freely
    • Dedicated bot management, where bot management software monitors your site traffic in real time so you can block malicious bots before they have a chance to verify your customers' card details or bank account information.

    Bot mitigation software prevents all kinds of malicious bot traffic from visiting your site. This reduces the risk of card cracking attacks, but can also help you avoid:

    All these attacks are typically performed by sophisticated, distributed bots. To keep your website secure you need a solution that can cope with high-volume, highly targeted automated traffic against your payment gateway.
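    As an added example (not Netacea's code and not part of the original page), the following sketch shows how the rate limiting discussed under "Rate limiting" above and the blocking described in this section can be applied at the checkout itself rather than only per IP address. Failures are counted in a sliding window per card (keyed on a hash of the masked PAN, which is the one value a cracking bot keeps fixed) and per source IP; a locked key is refused before the attempt costs a gateway authorization; and the client always receives the same generic decline, so the response does not reveal which field was guessed correctly. The limits, the salt, the fake gateway and the addresses are assumptions.

```python
"""
Inline velocity limits and a uniform decline message at checkout.

Added example: not Netacea's code and not from the original page. The
limits, salt, fake gateway and addresses are assumptions for illustration.
"""
import hashlib
import time
from collections import defaultdict, deque

# What every failed attempt looks like to the client. The gateway's real
# reason code (cvv_mismatch, expired, ...) stays server-side, so a bot cannot
# learn which of the missing fields it has already got right.
GENERIC_DECLINE = "Payment declined. Check your card details or try another card."


def card_fingerprint(bin6: str, last4: str, salt: bytes = b"assumed-secret-salt") -> str:
    """Stable key for 'this card' from the masked PAN only (first six, last
    four). Expiry and CVV are excluded on purpose: they are what a bot varies."""
    return hashlib.sha256(salt + f"{bin6}|{last4}".encode()).hexdigest()


class VelocityLimiter:
    """Sliding-window failure counters; limits maps scope -> (max_failures, window_s)."""

    def __init__(self, limits, clock=time.monotonic):
        self.limits = dict(limits)
        self.clock = clock                       # injectable for deterministic tests
        self._failures = defaultdict(deque)      # (scope, key) -> failure timestamps

    def _recent(self, scope, key):
        _, window = self.limits[scope]
        q = self._failures[(scope, key)]
        now = self.clock()
        while q and now - q[0] > window:         # drop failures outside the window
            q.popleft()
        return q

    def locked(self, scope, key) -> bool:
        max_failures, _ = self.limits[scope]
        return len(self._recent(scope, key)) >= max_failures

    def record_failure(self, scope, key) -> None:
        self._recent(scope, key).append(self.clock())


class CheckoutGuard:
    """Wraps the gateway call: refuse locked keys before spending an
    authorization, count failures, never leak the decline reason."""

    def __init__(self, limiter: VelocityLimiter, authorize):
        self.limiter = limiter
        self.authorize = authorize               # callable(card) -> gateway reason code

    def pay(self, ip: str, card: dict) -> dict:
        scopes = (("card", card_fingerprint(card["bin"], card["last4"])), ("ip", ip))
        for scope, key in scopes:
            if self.limiter.locked(scope, key):
                return {"client": GENERIC_DECLINE, "internal": f"velocity_lock:{scope}",
                        "gateway_called": False}
        reason = self.authorize(card)
        if reason != "approved":
            for scope, key in scopes:
                self.limiter.record_failure(scope, key)
            return {"client": GENERIC_DECLINE, "internal": reason, "gateway_called": True}
        return {"client": "approved", "internal": "approved", "gateway_called": True}


def simulate_cracking(attempts=8, card_limit=(4, 600), ip_limit=(20, 600)):
    """Constructed run: one bot cycles CVVs for one card from one IP.
    Returns (per-attempt results, number of gateway calls actually made)."""
    clock = [0.0]
    gateway_calls = []

    def fake_gateway(card):                      # stand-in for the real processor
        gateway_calls.append(card["cvv"])
        return "approved" if card["cvv"] == "417" else "cvv_mismatch"

    limiter = VelocityLimiter({"card": card_limit, "ip": ip_limit}, clock=lambda: clock[0])
    guard = CheckoutGuard(limiter, fake_gateway)
    results = []
    for i in range(attempts):
        clock[0] += 1.0
        card = {"bin": "411111", "last4": "1111", "expiry": "12/26", "cvv": f"{i:03d}"}
        results.append(guard.pay("203.0.113.7", card))
    return results, len(gateway_calls)


if __name__ == "__main__":
    results, calls = simulate_cracking()
    for r in results:
        print(r["internal"], "->", r["client"])
    print(f"{calls} of {len(results)} attempts reached the gateway")
```

    Keying on the card as well as the IP is the point of the design: a bot can rotate through proxies to defeat a per-IP limit, but it cannot change the card it is trying to crack, so the per-card counter holds even when the IP counter never trips. The lock is temporary by construction (old failures fall out of the window), which keeps a customer who genuinely mistyped their details from being locked out for good.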

    Why all site owners should be aware of card cracking

    Some business owners or site administrators don’t think they’re at risk of bot attacks or card cracking scams. However, even the smallest e-commerce businesses can be targeted by carding attacks. Small companies typically don’t invest in stringent security measures, and may neglect to monitor their site traffic. This allows fraudulent bots to exploit their weak security and verify card details with ease.

    Carding attacks often happen during events like Black Friday, Cyber Monday, and January sales — when site traffic and purchases are highest. This can make it difficult to spot carding attacks as they’re happening, increasing the chances of successful card verification.

    The real cost of carding attacks

    Carding attacks and card cracking cost businesses billions of dollars every year in chargebacks, fines, and lost revenue. Take a look at the real results of card cracking for businesses and find out why you need to invest in the right bot protection.

    Block Bots Effortlessly with Netacea

    Book a demo and see how Netacea autonomously prevents sophisticated automated attacks.


