What is the real cost of carding attacks?

By Alex McConnell / 09th Jun 2021

Since many brick-and-mortar stores closed during the Covid-19 pandemic, online shopping has grown massively through 2020 and into 2021. Fraudsters have seized this opportunity to strike, with data breaches in 2020 exposing over 155.8 million records, which could be used fraudulently, in the US alone.

Carding is one of the most common and costly types of online fraud. Carding is the illegal use of credit card details by unauthorized people (carders) to buy products or gift cards that are then sold on for a profit.

The role of bots in carding attacks

Adversaries use credential stuffing bots to authenticate credit card details, typically using credentials bought in bulk relatively cheaply from dark web carding forums, or illegal marketplaces like Genesis Market.

Sometimes criminals obtain incomplete card records (e.g., no card security code or expiration date). In a process called card cracking, the missing information is guessed over and over in a high-volume automated brute force attack.

Bots are also commonly used to target unspent balances on gift cards, which are an easy target due to their security being much less scrutinized and regulated than credit cards.

Card fraud attacks flood merchant sites across the web. The tools and methods employed in carding attacks are easy to use with low risk and cost to the adversary.

What do carding attacks cost businesses?

The true cost of a carding attack to a business depends on its aggressiveness. However, there are many ways an organization can suffer financially in the wake of carding attacks.

Chargebacks

It is relatively simple for victims to cancel their cards as soon as they suspect card fraud on their accounts. Most criminals avoid detection by testing cards with small transactions that are less likely to raise suspicion. Once the credentials are proven to be valid, they will make larger purchases from online stores.

Once the deception is discovered, the store is responsible for chargebacks to their customer. This means they lose out not only on the cost of the items bought, but also on the items themselves.

That’s not to mention the administrative work required to process chargebacks. With operational and customer acquisition costs, chargebacks can cost two or three times the original transaction value.

We have seen chargebacks cost businesses more than $100,000 each month before implementing a bot management solution.

Reputational damage

We mentioned the cost of customer acquisition when discussing chargebacks, but this is only the short-term cost of carding. The reputational fallout of a carding attack can damage a customer’s likelihood of buying from that business again in the longer term.

Reputation could also be damaged if news of a widespread attack reaches social media or mainstream news, which is a regular occurrence.

Transactions blocked by payment processors

Whenever any payment is attempted on a webstore, whether using valid credentials or not, the transaction is passed through to the payment processor such as PayPal, WorldPay or Mastercard. If the payment processor detects an unusually high number of invalid payment attempts, they will automatically block any further transactions until the merchant addresses the issue.

This requires manual intervention and can happen at any time. If this were to happen during a big event or marketing push, the financial aftermath of lost sales could be devastating.

Increased transaction fees

If a webstore is consistently having its account blocked by its payment processer due to invalid transaction attempts, the payment processor will sometimes impose higher transaction fee rates upon the merchant. This will apply to all transactions, both legitimate and fraudulent, adding operational costs to the retailer outside of carding attacks.

More expensive multi-factor authentication

Multi-factor authentication (MFA) is considered a best practice for preventing fraud, as it only allows account access to those who know something (a password) and have something (a device) linked to the account owner.

However, there is a cost associated with sending SMS alerts to devices connected to MFA policies. A large scale carding attack can generate a very high rate of MFA requests in a short period of time, which could add further hidden costs or affect the availability of login services for legitimate customers.

Server overheads

A carding attack introduces high levels of additional traffic to a website with no benefit to the site’s owner. These requests use up server resources, which can be especially costly if the website uses autoscaling architecture to meet peaks in demand.

Cut out the carding attacks with bot management

The financial impact of carding attacks can be severe and widespread across different parts of a business. While some effects are immediate and quantifiable, others may be felt over a long period of time, especially if reputation is harmed as a result.

Netacea Bot Management monitors requests to determine the intent of each user. Using advanced machine learning alongside a sophisticated knowledgebase of previous attacks, Netacea blocks carding attacks and prevents fraud in real time, mitigating damage and saving clients millions in potential losses.

Since implementing Netacea’s bot management solution, a luxury department store has stopped card credential stuffing attacks and achieved a $697,248 reduction in card verification charges per year.

Quickly estimate how much bots could be costing your business with our bot calculator.