Uncovering Bots in eCommerce Part One: Carding
By Netacea / 1st Apr 2020
What do eCommerce businesses need to know about carding?
No one wants to be a victim of payment card fraud, yet more of us are falling foul of the myriad techniques criminals use to steal payment card details and use them for their own gain. To mitigate this activity, eCommerce sites need security measures that protect consumers and sellers alike from carding and other major bot threats.
Without the necessary security in place, eCommerce businesses are vulnerable to automated bot attacks, including “carding” techniques used to acquire and validate consumer payment card details. Carding (also called card stuffing) is the fraudulent use of credit or debit cards by unauthorised people (carders) to buy goods.
To carry it out, the carder submits many small payment authorisation attempts, through a merchant’s checkout or a compromised customer account, to validate stolen card data in bulk and confirm which of thousands of stolen card numbers are still live. Approved cards are kept for purchases or resale; declined ones are discarded.
When only partial cardholder data is available, and the expiry date and security code are unknown, the process is instead known as card cracking: the attacker submits repeated authorisations to guess the missing fields.
Bots are well suited to both, because they let the attacker try many values quickly and identify the missing start and expiry dates and security codes. The search space is small (a three-digit security code has only 1,000 possible values, and an expiry date is one of a few dozen month/year combinations), so without rate limiting on the payment step a bot can exhaust it quickly.
Carding in eCommerce
Carding typically starts with the attacker obtaining card data, for example by gaining access to a store or website’s payment processing system, which yields a list of credit or debit cards that were recently used to make a purchase. Fraudsters typically use the validated cards to buy gift cards, which are then spent on goods that can be sold on for a profit.
For online retailers, carding is a serious problem: it causes lost revenue through chargebacks, lost goods, and frustrated customers left holding empty gift cards.
Detecting carding in eCommerce
Quickly and accurately identifying carding can be a challenge, because each attempt looks like an ordinary consumer transaction. The attacks are harder still to detect when they are spread across many source addresses or committed by multiple individuals.
Because bots mimic human behaviour through the normal checkout flow, the first sign is often a downstream effect such as customer complaints about unauthorised purchases. Some of the activity is nevertheless recognisably bot-like. For instance:
- Sudden spikes in unsuccessful payment attempts
- Payment attempts with an empty cart
- Elevated basket abandonment
- Unusual paths through the checkout, such as payment attempts that skip the normal browse and add-to-basket steps, or hit the payment step far more often than a person would
Proactive steps should be taken to ensure that these hallmarks of bad bot behaviour are quickly identified and the attack stopped in its tracks.
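The hallmarks above, together with the card-cracking pattern from the earlier section (many expiry or security-code guesses against one card), as a detection pass over checkout log lines. This is an added example, not Netacea’s code or detection logic: the log format, field names, thresholds and the sample lines are all assumptions chosen for illustration, and the sample traffic is constructed, not real. It flags a source address with a burst of failed authorisations, payment attempts made with an empty cart, and one card reference being tried with several different expiry dates from the same address.

```python
import csv
import io
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic), one line per payment authorisation attempt.
# Fields are an assumption: timestamp, source IP, cart item count, tokenised card
# reference (never the PAN), expiry date submitted, and the gateway's result.
# The security code itself is never logged; only the gateway's verdict on it is.
SAMPLE_LOG = """\
ts,ip,cart_items,card_token,expiry,result
2020-04-01T10:00:00,203.0.113.7,2,tok_a1,03/22,approved
2020-04-01T10:00:05,198.51.100.9,0,tok_b2,01/21,invalid_cvv
2020-04-01T10:00:06,198.51.100.9,0,tok_b2,02/21,invalid_cvv
2020-04-01T10:00:07,198.51.100.9,0,tok_b2,03/21,invalid_expiry
2020-04-01T10:00:08,198.51.100.9,0,tok_b2,04/21,invalid_expiry
2020-04-01T10:00:09,198.51.100.9,0,tok_b2,05/21,approved
2020-04-01T10:00:10,198.51.100.9,0,tok_c3,05/21,declined
2020-04-01T10:00:11,198.51.100.9,0,tok_d4,05/21,declined
2020-04-01T10:00:12,198.51.100.9,0,tok_e5,05/21,declined
2020-04-01T10:01:30,203.0.113.7,1,tok_a1,03/22,declined
2020-04-01T10:15:00,203.0.113.8,3,tok_f6,11/23,approved
"""

# Thresholds are illustrative; tune them against your own baseline traffic.
FAILED_WINDOW = timedelta(seconds=60)   # sliding window for the failure-spike rule
FAILED_THRESHOLD = 5                    # failed attempts per source IP inside the window
CRACK_DISTINCT_EXPIRIES = 3             # distinct expiry values tried for one card from one IP


def parse_log(text):
    """Parse the CSV log into dicts with typed timestamp and cart size, oldest first."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.fromisoformat(r["ts"])
        r["cart_items"] = int(r["cart_items"])
        rows.append(r)
    rows.sort(key=lambda r: r["ts"])
    return rows


def failed_attempt_spikes(rows, window=FAILED_WINDOW, threshold=FAILED_THRESHOLD):
    """Source IPs whose failed authorisations inside any sliding window reach the threshold.

    Returns {ip: peak failed count seen in one window}. Approved attempts are ignored,
    so a carder who mixes in live cards still trips the rule on the declines.
    """
    recent = defaultdict(deque)
    flagged = {}
    for r in rows:
        if r["result"] == "approved":
            continue
        q = recent[r["ip"]]
        q.append(r["ts"])
        while q and r["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[r["ip"]] = max(flagged.get(r["ip"], 0), len(q))
    return flagged


def empty_cart_payments(rows):
    """Count payment attempts per source IP that carried no items at all.

    A real shopper cannot reach the payment step with nothing in the basket, so
    these are almost always a card-validation script posting straight to checkout.
    """
    return Counter(r["ip"] for r in rows if r["cart_items"] == 0)


def card_cracking(rows, min_distinct=CRACK_DISTINCT_EXPIRIES):
    """(ip, card_token) pairs where one card was tried with several different expiry dates.

    A cardholder knows their own expiry date; cycling through values is the
    card-cracking pattern. Every result counts, including the eventual approval.
    """
    tried = defaultdict(set)
    for r in rows:
        tried[(r["ip"], r["card_token"])].add(r["expiry"])
    return {k: sorted(v) for k, v in tried.items() if len(v) >= min_distinct}


def report(text):
    """Run all three rules over a log and return their findings together."""
    rows = parse_log(text)
    return {
        "failed_spikes": failed_attempt_spikes(rows),
        "empty_cart": dict(empty_cart_payments(rows)),
        "card_cracking": card_cracking(rows),
    }


if __name__ == "__main__":
    for rule, hits in report(SAMPLE_LOG).items():
        print(f"{rule}: {hits}")
```

In the constructed sample, 198.51.100.9 trips all three rules (seven failures in a few seconds, every attempt with an empty cart, and five expiry dates tried against tok_b2 before one is approved), while the genuine shopper at 203.0.113.7 with a single decline trips none. In production the same counters would be keyed on a session or device fingerprint as well as the IP, since a carder rotating through proxies will spread the failures across addresses.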
Mitigating carding in eCommerce
Carding (OAT-001) and card cracking (OAT-010) are both listed in the OWASP Automated Threats to Web Applications catalogue. To mitigate the risk to consumers and businesses alike, retailers can consider removing guest checkout, so that every payment is tied to an authenticated account, on top of the Strong Customer Authentication (SCA) that PSD2 introduced for online card payments in 2019.
To prevent carding quickly and accurately, implement a real-time bot protection solution that monitors checkout activity and rate-limits or blocks suspicious authorisation attempts. If your business is affected, it is good practice to inform your customers, ask them to change their passwords and other login details, and work with your payment provider on the affected cards.
Netacea’s Intent Analytics™ engine allows you to shut down automated carding attacks and protect your business with incredible speed and accuracy. Our dedicated bot mitigation solution takes a different approach and effectively eliminates carding attacks by analysing user behaviour and intent, enabling the automatic blocking of malicious bots before consumer accounts are compromised.