Card Cracking

What is Card Cracking?

Carding (or card cracking/card stuffing) is a form of brute force attack against a website’s payment processing capabilities to test the validity of thousands of stolen credit card numbers. This attack comes in many variants, from verifying full card details to brute forcing missing data such as CV2 numbers.

“Carding attacks were consuming a huge amount of the team’s time, and the volume and distribution had become overwhelming. Netacea gave us the real-time visibility we needed to deal with the attacks and significantly reduce our fraud rates.” – Fashion retailer

Card Cracking Fraud

The rising threat of carding

While the owners of stolen card details are usually protected against these attacks, the businesses and websites used to validate the details are not. There are a significant number of risks that businesses face from these attacks:

Resources – These attacks are often mistaken for DDoS attacks initially, as they generate thousands of requests per second as the attackers attempt to validate card details. You end up paying to scale the resources needed to keep your website and payment gateway online for your genuine customers.

Reputation – The payment provider will often impose rate limiting, additional customer challenges or issue fines for increased levels of fraud. This may limit your ability to process legitimate payments and cause significant damage to the business. There is also a risk of reputational damage as customers associate fraudulent charges on their cards with your organisation.

Clean up – Following a successful carding attack, the business may be left with chargebacks from the payment provider for successfully cracked cards and expensive investigations. In extreme cases, organisations may lose their ability to process payments due to high levels of fraud being associated with their business.

Given the high value of stolen card data and credentials available, attacks are becoming increasingly sophisticated, either attempting to login using stolen credentials or automatically creating new user accounts to access pages with payment gateways. In some cases attackers will place random items in a cart to appear more like real users. Due to this level of sophistication, attacks will often combine website scrapping, account takeover and carding, making it impossible to identify the attack using traditional analysis.

Our Approach

How We Prevent Card Cracking

Netacea uses powerful machine learning technology with Intent Analytics to identify automated carding attacks. This approach allows Netacea to analyse millions of requests, signals and patterns and identify automated attacks in real-time. This allows you to shut down automated carding attacks and protect your business with incredible speed and accuracy.

Our unique machine learning algorithms go beyond static rules or simple behavioural checks and constantly analyse your web traffic to detect sophisticated evasion techniques. This allows you to have constant visibility and control of the attack so that you can prioritise real transactions and block the automated abuse.

Our Results

Netacea have successfully mitigated a large number of carding attacks against global e-commerce sites. Netacea identified a sophisticated botnet comprised of compromised domestic routers in Europe and North America. Despite the botnet’s attempts to rotate IPs and user agents, Netacea was able to identify the bot activity and the client was able to block the attack successfully. The client was also able to use the data provided by Netacea to identify over 100 fake customer accounts generated by the attacker.

The Netacea approach to identifying bot traffic and card cracking attacks is fast and accurate. This reduces the risk to organisations by not only stopping the bot traffic but preventing you from blocking real customers with broad block rules covering regions or geo locations. The end result is that you can confidently block bad traffic and stop fraud, without impacting on the experience of genuine customers.