Card cracking (aka “card testing” and related to “carding”) is a type of brute force attack that involves using bots to guess missing values for stolen credit or debit card data on the payment interface of an e-commerce platform. If all card data is present, bots can test whether stolen payment details are valid by attempting small transactions. As a result, a lack of brute force attack prevention can lead to disaster.

Fraud is a prevalent issue in e-commerce. And today’s fraudsters rarely work alone: the majority of threats to your checkout endpoint are now coming from powerful networks of automated attackers—aka bots.

Both carding and card cracking are common examples of bot-driven card fraud. Cybercriminals leverage the firepower of credit card bots to test stolen card data against your payment processes to identify valid card details or missing values of stolen payment card information in order to commit carding fraud.

In this article, we explore how cybercriminals carry out automated credit card cracking and carding attacks, how carding and card cracking attacks unfold, what the most common defense strategies are, and how you can prevent carding and card cracking attacks with a real-time bot protection solution.

Contents

• What is card cracking?
• What is carding?
• The Impact of Carding and Card Cracking Attacks
• How Carding & Card Cracking Affect E-Commerce
• How do card cracking attacks work?
• How to Detect & Prevent Carding & Card Cracking Attacks

What is card cracking?

Card cracking (OAT-010), also known as “card testing”, is a type of brute force attack against the payment interface of e-commerce websites. Hackers use this method to guess missing values for stolen credit or debit card data, such as the expiration date, the card security code (CSC), and the card identification number (CID).

Once they have identified valid cards, fraudsters either sell the compromised payment account details through carding sites on the dark web, or cash out themselves.

What is carding?

In carding attacks (OAT-001), cybercriminals use bots to test the validity of stolen card data, often with small transactions to avoid drawing attention. A card testing attack enables a credit card bot to test large numbers of cards within a short time span. The method is used to test not only payment cards, but also gift cards and vouchers.

The impact of carding & card cracking attacks:

• $24.26 billion was lost globally due to payment card fraud in 2023
• In 2019, credit card fraud was the most reported form of identity theft, with over 270,000 reports. 
• After a customer experiences card fraud at a retailer, 49% say they won’t return.

Typically, card cracking and carding attacks increase around main shopping holidays like Black Friday, in the hope that businesses and their systems will be too overwhelmed to identify unusual traffic and transaction activity.

They’ve grown in popularity since the early 2000s, enabled by the spread of online carding forums and markets. The current scene is dominated by Russian and Chinese carding websites and forums, which are usually invitation-only, and run by organizers skilled in sniffing out intelligence agents or security researchers.

Technology has evolved to make these criminals’ lives easier, too; the emergence of bots as a service (BaaS) provides on-demand bot armies that can be deployed easily to execute carding attacks at scale. Proxy services, too, allow them to launch attacks from customized IP ranges, giving them the appearance of legitimacy.

These services are becoming more widespread and easily available each year.

How Card Cracking & Carding Affects E-Commerce:

Card cracking and carding have a number of undesirable consequences for e-commerce retailers.

Payment Authentication Fees

They can increase payment authorization requests, meaning you’ll incur your payment processor’s authentication fee even when tested card numbers are invalid. Transaction fees can also be raised if your processor considers you “high risk”, and they might even stop processing payments completely until the situation is resolved. If you are using two-factor SMS authentication, it will drive up the cost even further.

One online fashion retailer we worked with observed 8,400 carding attempts in just two days.

Customer Complaints

Customers suffer when their stolen card details are used for purchases, and complaints make their way to other customers and your business. 

High Server Resource & Bandwidth Consumption

As well as using credit and debit cards, the anonymity of gift cards make them the perfect target for carding and card cracking. Bots can test huge amounts of serial numbers through your systems—increasing server loads and bandwidth costs, as well as causing a poor customer experience if these lead to performance issues.

Reputational Damage

The many consequences of carding and card cracking can cause chaos for your company; your resources will be spent mending fences with payment processors, hosting services, and customers. If attacks are not identified and dealt with promptly, your business could face significant reputational damage, pulling your focus away from the creative business opportunities you’d rather be tackling.

“Every single holiday, there’s now a spike for carding attacks—including July 4th in the US, which is not a big gifting holiday, and yet there’s a spike for carding attacks, where they’re going to try every single sequence they possibly can. And all that does is put load on your website, preventing your real users from having a good experience.”

Amy DeMartine, VP, Research Director, Forrester Research

How do card cracking attacks work?

Card cracking attacks follow roughly this process:

1. Stolen partial cardholder data & brute forcing: Once fraudsters have obtained partial payment card numbers, they attempt to find the missing values, such as the expiration date, through the use of automated brute-force card cracking tools that test different variables for the missing values to obtain the complete data set.
2. Card payment process: Threat actors target merchant payment processes to continuously brute force test potential solutions for unknown payment card values.
3. Complete cardholder data: If successful, the cybercriminals identify full sets of valid cardholder data to use for malicious activity or sell online.

How do carding attacks work?

Carding attacks follow this process:

1. Stolen payment cardholder data: Threat actors obtain complete sets of stolen payment card details from other applications, payment channels, or the dark web.
2. Card payment process: The lists of complete payment account details are used to make test purchases against e-commerce sites to validate the card details. The test purchases can start small and grow more substantial to determine the available balance.
3. Validated cardholder data: If successful, fraudsters can verify both the card details and the quality of the stolen account information to determine the value.

How to Detect & Prevent Carding & Card Cracking Attacks

Monitor High Volumes of Small Orders

A frequent sign of a carding attack is high volumes of small order amounts. Fraudsters use their credit card bots to try and buy services or goods that aren’t expensive with different credit card details. If an order succeeds, the fraudster will only be charged a small amount of money. So always keep an eye on unusual spikes in attempted low-priced purchases. 

Monitor Orders Where the Shipping Costs Are High

Similarly, keep an eye on small orders from foreign places where the shipping costs are higher than the price of the product itself. It’s rarely the case that someone with good intentions wants to pay more for shipping than for the actual product. Even in small volumes, such orders are worth investigating.

Ensure the IP Matches

Use IP geolocation checks to ensure a user’s IP matches their billing address on the checkout page. If not, the user could be shopping from somewhere other than the address on their credit card. While not immediately an indicator of fraud, as many users browse through a VPN for more privacy, it can be used in combination with the other tips in this article to determine if it is a carding attack.

Build a Customer Block List

Any individual who is a known fraud offender should be put on a block list and no longer be able to shop at your online stores. A zero-tolerance policy will remove the people who tried to attack your store and serve as a warning for anyone else thinking of launching a card cracking attack.

Authorize Cards

Authorization and capture is a mechanism that allows you to first authorize a user’s credit card, check if the card’s details are valid, and if the card has enough funds before you take payment. This allows you to review any suspicious transactions that could have been made during a carding attack before payment goes through.

Check for Speed

Always keep an eye on how fast a user is trying to buy your goods or services. Genuine users don’t usually make several transactions a minute, but a credit card bot can make several transactions per second. So monitor the velocity of your transactions, in whatever way works best for you: By dollar amount, IP address, billing address, used device, etc.

Use AVS and CVV

Address Verification System (AVS) and Card Verification Value (CVV) are two simple features to confirm that the address on a card and the three-digit CVV at the bank of the card are consistent with what the issuing bank has on record. Use these features in your payment gateway to make it much harder for fraudsters to execute carding attacks.

Use Automated Fraud Prevention and Bot Protection Tools

Traditional security solutions tend to rely heavily on IP reputation, based on the assumption that any malicious activity from an IP address means that all activity from that IP is likely to be hostile. Today, threat actors distribute bots via residential IPs, which benefit from excellent reputations. The requests they send are often indistinguishable from those generated by ordinary users. IP-based approaches are, therefore, no longer efficient.

To prevent card cracking and carding, plus other automated bot attacks, a bot protection solution with real-time behavioral detection capabilities is crucial.

A good bot detection solution will be able to swiftly pinpoint unusual visitor behavior that shows signs of card cracking and carding attempts. It will also automatically block malicious bots before they are able to make any fraudulent transactions. While all of these prevention and defense actions occur, the user experience for genuine human visitors is upheld.

Conclusion

Card cracking and carding attacks are primarily bot-driven attacks that test the validity of stolen card or voucher data. They cost retailers billions in revenue every year and can inflict severe reputational damage to your brand. The best way to prevent card cracking attacks (and all other forms of bot threats) is with an advanced bot protection solution that blocks the most sophisticated bots from accessing your websites, apps, and APIs.