Credit cards haven’t just given customers an alternative way of paying for items without using cash or checks. They’ve also helped facilitate online payments and, in the process, launched many thousands of eCommerce ventures around the world.
But any innovation that makes a process easier and more frictionless also opens new avenues for bad actors to abuse it for their own benefit. Card fraud remains a persistent problem, serious enough that the major card brands, Visa, American Express, Discover Financial Services, JCB International, and MasterCard, banded together to create the Payment Card Industry Data Security Standard (PCI DSS) in an attempt to reduce it.
One way attackers find credit cards they can illegally use is a method known as carding. Carding, also referred to as credit card stuffing or card verification scamming, is a type of online fraud in which attackers use high-speed bots to test large numbers of stolen card details and discover which of them can still be used to make online purchases.
How a carding scam works
There are many ways in which card details can be gathered. The attacker may harvest them directly from compromised websites (for example, a checkout page that has been tampered with) or, perhaps more commonly, buy or otherwise obtain collections of stolen card data offered on criminal forums. These collections are often gleaned from previous large-scale data breaches.
Most of these stolen card details will not work. Many have already been flagged as stolen by the card companies and cancelled by the issuing bank or the cardholder. But a few could still be active. Hunting through the mass of cancelled, non-working cards for the few that still work is like looking for a needle in a haystack. For a human attacker doing it by hand, the task would be totally impractical. By using bots, however, the validation process suddenly becomes feasible, and, as a result, a much bigger problem for legitimate users and merchants.
As the bots work through the cards, testing each one on an inadequately protected checkout or donation page with a tiny purchase or donation, they sort the cards into "working" and "declined" lists. Once the run is finished, the person behind the carding attack either uses the working cards themselves (most likely to buy things like gift cards, which let them launder the money and make it harder to trace) or sells them to others who then make their own purchases.
There are a number of victims of a carding attack, although the most notable victim may not be the one you would expect. The legitimate cardholder is inconvenienced, since it is their card being used, and they could end up falsely charged for purchases for as long as the card remains active. But it is the eCommerce vendors who bear the brunt of carding.
That is because they can be made to pay twice: once for whatever goods they ship against the fraudulent order (goods they have typically already paid their supplier for) and again, when the fraud comes to light, in the form of a "chargeback" that reimburses the card issuer so it can refund the rightful cardholder. Chargebacks usually carry a processing fee on top of the refunded amount.
The end of the Joker’s Stash
The problem of stolen credit card details is only getting worse. During the COVID-19 pandemic, more people than ever have turned to online purchasing because they cannot shop at physical, brick-and-mortar stores. As a result, online buying has boomed even while high streets have continued to falter. In February 2021, a large underground marketplace that trafficked in stolen card data, called Joker's Stash, shut down its operations.
At first, this might sound like a good thing, until you realize that the Russian-language marketplace announced that its team was taking a "well-deserved retirement" (their words, not ours) after generating more than $1 billion in revenue in a few short years. Its creators were walking away with their ill-gotten gains.
While authorities such as the FBI had taken steps to crack down on the marketplace, the enormous amount of money it generated is testament to just how massive a problem this type of cybercrime actually is. And with Joker's Stash closed, it seems likely that another site (or several) will appear to fill whatever gap now exists in the market.
Fighting back against the cybercriminals
Protecting payment card data is crucial. This is the reason the aforementioned Payment Card Industry Data Security Standard (PCI DSS) was established in 2004. It is a compliance standard that any business which stores, processes, or transmits cardholder data is contractually required to follow. Its requirements include maintaining firewalls, encrypting cardholder data when it is transmitted over public networks, running anti-malware software, and restricting access to cardholder data and to network resources on a need-to-know basis.
Cybersecurity experts can help businesses that want to carry out transactions online achieve PCI DSS compliance. Against carding specifically, they use techniques such as device fingerprinting, browser validation, velocity checks (flagging a single IP address or device fingerprint that submits many different card numbers, or racks up a high ratio of declined authorizations, within a short window), and machine learning-based behavioral analytics to spot high-speed bots before the card-testing traffic reaches the payment processor. Rate limiting and challenges such as CAPTCHA on checkout and donation forms raise the attacker's cost further.
If you do business online (and which company, circa 2021, does not?), bringing in experts to make sure you are properly protected is the right move. Online fraud hurts retailers and customers alike. Not only can it result in fines when protected data is not properly safeguarded, it also erodes customer trust.
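The velocity check described above, and the bot behaviour described under "How a carding scam works", as an added example that is not part of the original article and is not any vendor's product code. It runs a sliding-window detector over a constructed JSON checkout log: a source (IP address or device fingerprint) that submits many distinct card numbers in a few minutes, with most attempts declined or all of them for tiny amounts, is flagged as a carding bot, while a real shopper who mistypes once and retries the same card is not. The log field names, the thresholds, and the fingerprint values are assumptions made for illustration.

```python
"""Velocity-based carding detector over a constructed checkout log.

Added example, not the article's or any vendor's code. The log format
(one JSON object per line with ts, ip, device_id, pan, amount, result),
the thresholds, and the sample events are assumptions for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import hashlib
import json

# Tunable thresholds (assumed values; tune them against your own traffic).
WINDOW = timedelta(minutes=5)   # sliding window per source
MAX_DISTINCT_CARDS = 5          # distinct cards per source inside the window
MIN_DECLINE_RATIO = 0.6         # share of declined attempts inside the window
SMALL_AMOUNT = 2.00             # "tiny purchase" threshold in the log's currency
MIN_SMALL_RATIO = 0.8           # share of tiny-amount attempts inside the window


def card_token(pan: str) -> str:
    """Never keep the PAN itself in detection state or logs (PCI DSS).
    Production code should use a keyed hash or the processor's token; a
    truncated SHA-256 is used here only to keep the example self-contained."""
    return hashlib.sha256(pan.encode()).hexdigest()[:16]


def detect_carding(lines):
    """Return the set of (key_type, key_value) sources that look like carding bots.

    Each event is evaluated twice, keyed on its IP and on its device fingerprint,
    so a bot that rotates IPs but reuses one browser profile is still tied together.
    """
    windows = defaultdict(deque)   # key -> deque of (ts, card_token, declined, small)
    flagged = set()
    for line in lines:
        e = json.loads(line)
        ts = datetime.fromisoformat(e["ts"])
        tok = card_token(e["pan"])
        declined = e["result"] != "approved"
        small = float(e["amount"]) <= SMALL_AMOUNT
        for key in (("ip", e["ip"]), ("device", e["device_id"])):
            w = windows[key]
            w.append((ts, tok, declined, small))
            while w and ts - w[0][0] > WINDOW:      # drop events outside the window
                w.popleft()
            distinct_cards = {t for _, t, _, _ in w}
            if len(distinct_cards) < MAX_DISTINCT_CARDS:
                continue                            # a shopper retrying one card never gets here
            decline_ratio = sum(d for _, _, d, _ in w) / len(w)
            small_ratio = sum(s for _, _, _, s in w) / len(w)
            # Many declines is the classic signature; a fresh dump that mostly
            # approves still stands out as many tiny charges across many cards.
            if decline_ratio >= MIN_DECLINE_RATIO or small_ratio >= MIN_SMALL_RATIO:
                flagged.add(key)
    return flagged


def build_sample_log():
    """Constructed checkout log: one fixed-IP bot, one IP-rotating bot, one real shopper."""
    base = datetime(2021, 3, 1, 12, 0, 0)
    ev = []
    # Bot A: one IP and fingerprint, eight distinct cards, $1 "donations", mostly declined.
    for i in range(8):
        ev.append({"ts": (base + timedelta(seconds=20 * i)).isoformat(),
                   "ip": "203.0.113.7", "device_id": "fp-bot-a",
                   "pan": f"400000000000{i:04d}", "amount": "1.00",
                   "result": "approved" if i in (2, 5) else "declined"})
    # Bot B: a new IP on every attempt, but the same browser fingerprint throughout.
    for i in range(6):
        ev.append({"ts": (base + timedelta(seconds=15 * i)).isoformat(),
                   "ip": f"198.51.100.{10 + i}", "device_id": "fp-bot-b",
                   "pan": f"510000000000{i:04d}", "amount": "0.99",
                   "result": "approved" if i == 4 else "declined"})
    # Real shopper: mistypes the expiry once, then succeeds with the same card.
    for i, res in enumerate(["declined", "approved"]):
        ev.append({"ts": (base + timedelta(seconds=40 * i)).isoformat(),
                   "ip": "192.0.2.55", "device_id": "fp-shopper",
                   "pan": "4111111111111111", "amount": "49.99", "result": res})
    ev.sort(key=lambda e: e["ts"])                  # detector expects time order
    return [json.dumps(e) for e in ev]


if __name__ == "__main__":
    for key_type, key_value in sorted(detect_carding(build_sample_log())):
        print(f"carding suspected from {key_type} {key_value}")
```

On the constructed log this flags the fixed bot by both its IP and its fingerprint, flags the rotating bot by fingerprint only (each of its IPs makes a single attempt), and leaves the shopper alone. In a real deployment the flagged keys would feed a block list or a step-up challenge on the checkout form, and the thresholds would be calibrated against the site's normal decline rate so that a busy shared IP (a corporate NAT, say) is not mistaken for a bot.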
Fortunately, the weapons exist to fight back against the cybercriminals. It’s time to start using them, if you’re not already.