Protection from Carding: Inside Russian Carding Fraud Part 4

Welcome to the fourth and final part in our series on credit card fraud originating in Russia. After covering the basics of what carding is, why so much of it is perpetrated by Russian speakers, then digging deeper into how carders operate, in this part we’ll explore ways to protect yourself and your business from this pervasive financial threat.

Click here to download the full report: "Inside Russian Carding" (PDF)

Recapping Russian carding fraud

In part one we covered the basics of what carding is – the fraudulent acquisition of credit card details, which are exploited by criminals for profit in various ways known as “cashing out”. We also introduced the Carder’s Dictionary to demystify some of the insider terms and jargon used by Russian carders not only to both obscure their actions from law enforcement, but also to restrict access to their communities and sort the pretenders from the hardened cybercriminals.

Part two focused on the carders themselves and sought to answer why so much carding activity is carried out by Russian speakers. We looked at the political and legal reasons Russian cybercriminals most commonly target the West, and the penalties they often face when victimizing Russia and other former soviet states.

In part three we took a more detailed look at the tactics and tools used by carding fraudsters to steal card details and cash out whilst avoiding detection, arrest or prosecution. These included obtaining membership to carding marketplaces, laundering money through SIM cards, and proxying through residential internet connections to match the geolocation of the victim cardholder.

Preventing the impact of carding attacks

The damage caused by card fraud is wide ranging, affecting individuals, businesses and even entire economies. Worldwide credit card fraud losses exceeded $32 billion in 2021, with this figure expected to reach over $40 billion by 2027.

As such, preventative measures are constantly evolving to keep up with carders and stop these attacks from succeeding.

What is PCI DSS and how does it tackle card fraud?

The Payment Card Industry Data Security Standard (PCI DSS) was formed in 2004 to merge the previous disparate security programs of the major card providers into one standard to tackle credit card fraud in unison. Any card issuer must adhere to the twelve compliance requirements; this is enforced via quarterly or annual assessments by the PCI Security Standards Council.

The goal of PCI DSS is to ensure entities that store, process or transmit cardholder data protect such data from theft, cutting off carders at the source. As of v4.0, the twelve requirements for compliance with PCI DSS are:

1. Install and maintain network security controls.
2. Apply secure configurations to all system components.
3. Protect stored account data.
4. Protect cardholder data with strong cryptography during transmission over open, public networks.
5. Protect all systems and networks from malicious software.
6. Develop and maintain secure systems and software.
7. Restrict access to system components and cardholder data by business need to know.
8. Identify users and authenticate access to system components.
9. Restrict physical access to cardholder data.
10. Log and monitor all access to system components and cardholder data.
11. Test security of systems and networks regularly.
12. Support information security with organisational policies and programs.

Preventing card validation and use

While PCI DSS compliance reduces the risk of cardholder data getting into the hands of criminals, stolen card information is already abundant on dark web forums and marketplaces. With the genie already out of the bottle, it falls upon merchants and payment portals to cut off the cashing-out phase of carding attacks – where carders turn stolen cards into profits by the means we discussed in part three of this series.

Here are some ways of preventing cashing out of stolen credit cards:

Location checks

As we discussed in part two of this series, Russian carders typically attack international targets, most commonly in the West. Together, Address Verification Systems (AVS) and IP geolocation checks can confirm that the person attempting to verify or use a card is doing so from the location associated with that card.

However, these detection methods can be highly sensitive to location forgery in isolation. As mentioned in part three of this series, carders regularly employ advanced tactics like residential proxy networks and SOCK5 solutions to change their apparent location.

Velocity checks

Sudden changes in how often transactions occur or are attempted are a dead giveaway of card fraud. Carders tend to work quickly so they can cash out before they’re detected or get away with the goods before there’s time for merchants or banks to react.

In some cases, more detailed data analysis can uncover attacks made by one group of carders using a batch of card details rather than just one card. Therefore, merchants and payment gateways should also monitor other factors such as IP address and device fingerprint for suspicious activity.

Fraud Detection Systems

Leading on from the last point, banks and payment gateways assess the identity of the card holder by “fingerprinting” them whenever they make a transaction, based on their device characteristics.

Beyond this, fraud detection systems also look for rogue patterns of behavior. Given the huge quantities of payments made every second, machine learning is an invaluable tool for automating the detection of anomalous payment attempts that don’t follow the regular pattern of a customer using their card. Suspicious activity can quickly be flagged for further investigation to prevent fraud and catch out criminals (or verify the identity of the card holder manually).

Bot Management

Bots are an essential tool for carders as they obtain, validate and use stolen card details at scale. For example, bots can automate the process of validating card details within a payment portal or brute force missing details like CVVs and expiry dates. Bots can also be used to perpetrate credential stuffing attacks, whereby fraudsters takeover accounts in large volumes to obtain payment information or hide a payment request within usual activity of a trusted user’s account.

Advanced bot management solutions like Netacea detect this activity automatically using machine learning to quickly identify anomalous traffic and requests to servers. They can distinguish whether traffic is coming from a real user or an automated tool in real time and mitigate the bad requests instantly.

Organizations utilizing effective bot management solutions such as Netacea severely limit the productivity and profitability of carding attacks against them, which is ultimately the best deterrent for criminals largely out of the reach of prosecution.

Get the full threat report

Although we’ve covered a lot in these four blog posts, the full breadth of our investigation is available from today as a 37-page annotated digital threat report to be freely downloaded and shared with your colleagues and network.

Click here to download “Inside Russian Carding” (PDF)

Read the full series on Russian carding

• Part one: What is Russian Carding?
• Part two: Russian Carding Landscape
• Part three: Carding Deep Dive
• Part four: Protection from Carding