Carding is the illegal practice of obtaining, trafficking, or using credit card information without authorization—often to purchase gift cards or prepaid cards. Carding contributes to identity theft, financial losses for individuals and businesses, and a wide range of other cybercrimes.

Card fraud losses worldwide surpassed $33 billion in 2022. To combat carding, organizations employ security measures such as tokenization, encryption, multifactor authentication, and anti-fraud monitoring systems. This guide will cover what businesses should know about carding, including how it works and how to protect themselves.

What’s in this article?

• How carding works
  
• A brief history of carding
  
• How the dark web and other online communities enable carding
  
• How carding impacts businesses and consumers
  
• How businesses can protect themselves against carding
  

How carding works

Stealing card information

The process of carding begins with card thieves, known as “carders,” who steal credit card information through means such as phishing, skimming, conducting data breaches, or keylogging.

• Phishing: Carders use deceptive emails, websites, or messages to trick individuals into revealing their credit card information. To achieve this, carders often impersonate legitimate companies or services.

• Skimming: Carders install devices called skimmers on ATMs, gas station pumps, or point-of-sale (POS) terminals to capture credit card information from physical cards.

• Hacking: Cybercriminals use malware, ransomware, or unauthorized access to infiltrate computer systems or databases and steal credit card information.

• Keylogging: Software or hardware records keystrokes on a victim’s device to capture credit card information and other sensitive data.

• SQL injection: Malicious SQL code inserted into a website’s database extracts sensitive information including credit card details.

• Shoulder surfing: Fraudulent actors watch people entering their credit card information at ATMs or checkout counters and steal the information.

• Formjacking: Carders compromise online forms on legitimate websites to capture users’ credit card information.

• Fake apps and websites: Fraudulent actors create fake applications or websites that look legitimate, tricking users into providing their credit card information.

• Brute force attacks: Criminals use automated software to guess credit card numbers, often by trying different combinations of numbers until they find valid ones.

When carders steal credit card information, they often sell it on underground marketplaces where buyers can purchase card numbers, expiration dates, card verification value (CVV) codes, and billing addresses for the stolen cards.

Testing card validity

After buying stolen credit card information, fraudulent actors use carding bots to validate the information. These bots automate the process of making small transactions on ecommerce websites to test if the card is active and can be used without triggering fraud alerts.

Performing fraudulent transactions

After validating a card’s legitimacy, fraudulent actors use the information to make unauthorized purchases. They often target high-value items or gift cards, which can be resold for cash or used for personal purposes. Carding bots allow fraudulent actors to automate and scale this process, targeting multiple websites and making many transactions in a short period of time.

Evading detection

Carders use the following methods and tools to evade detection:

• Proxies and VPNs: These mask the carders’ location, making it difficult for ecommerce websites to detect unusual patterns.

• Randomized bots: These bots simulate human behavior to avoid triggering anti-fraud systems.

• Distributed attacks: Distributed networks of bots avoid concentrating suspicious activity in one location.

• Reselling and converting: Carders will convert illegally purchased goods into cash quickly, making it challenging to trace the activity. They might resell products on online marketplaces or through local networks.

A brief history of carding

Early days: Physical theft and skimming

Initially, carding mainly involved physical methods to obtain credit card information. Fraudulent actors would steal wallets or purses to gain access to credit cards, or place devices on ATMs or POS terminals that captured card information during swipes. The existence of skimmers was reported around 2002.

Rise of the internet: Phishing and hacking

As the internet grew, carding moved online, leading to new techniques such as phishing and hacking into company databases to steal large volumes of credit card information. While phishing has been around since the 1990s, it became more common in the early 2000s as the internet became more popular.

Dark web and underground marketplaces

The black market for stolen credit card information expanded, and fraudulent actors began to trade this information on the dark web. This made it easier for fraudulent actors to acquire and sell card data, and online carding forums became popular for sharing carding techniques, selling stolen data, and coordinating criminal activities.

Carding bots and automation

The rise of automation and advanced software led to more sophisticated carding techniques. Carding bots have automated the card testing and validation process, allowing fraudulent actors to scale their operations and commit fraud faster. Carders have also started to use distributed networks of bots to test large volumes of stolen credit card data, reducing their risk of detection by spreading activity across multiple locations and IP addresses.

Enhanced security measures and adaptations

As carding became more sophisticated, security measures evolved, too. Chip and PIN technology became standard in the 2010s to make physical card cloning more difficult, forcing carders to rely more on online methods. Ecommerce platforms began implementing machine learning and AI-based fraud detection systems to identify suspicious patterns and transactions. CAPTCHAs and multifactor authentication were introduced to prevent automated bots from exploiting online systems.

Modern techniques and challenges

Carders continue to adapt to new security measures and technologies with their own innovations. New techniques include formjacking (injecting malicious code into online forms to capture credit card information), synthetic identity fraud (creating fake identities using stolen data to open credit accounts), and account takeovers (using stolen card information to gain unauthorized access to existing accounts).

How the dark web and other online communities enable carding

The dark web and other online communities have enabled carding by providing platforms for the exchange of stolen credit card information, tools, and knowledge. Carding operations have become more resilient and adaptable because of the anonymity and security these platforms provide, presenting ongoing challenges for law enforcement and cybersecurity professionals. Here’s what you should know.

Dark web marketplace

The dark web is a part of the internet that isn’t indexed by traditional search engines and is accessible through specialized software such as Tor. Its anonymous nature makes it an attractive environment for illicit activities, including carding. Dark web marketplaces serve as hubs for buying and selling illegal goods and services, including the following:

• Stolen credit card data: Fraudulent actors can sell large volumes of credit card information on the dark web, often categorized by card type, country of origin, or credit limit.

• Carding tools: Carding-related software—such as carding bots, malware, and keyloggers—is available for purchase on the dark web, allowing criminals to automate and scale their activities.

• Related services: Dark web marketplaces often have vendors who offer services such as credit card validation, cashing out, and creating fake identification documents.

Forums and communities

Online forums and communities on the dark web and other platforms serve as knowledge-sharing hubs for carding and related activities. Experienced carders share tips, tricks, and step-by-step guides on how to carry out carding and avoid detection. Newcomers to carding can seek advice and mentorship from experienced carders. Carders use these forums to create networks and partnerships, pooling resources and coordinating more complex operations.

Anonymity and security

The dark web facilitates anonymous, secure transactions that make it difficult for law enforcement to monitor and remove illegal activities.

• Cryptocurrencies: Typically, transactions on the dark web use cryptocurrencies such as Bitcoin, providing a layer of anonymity for both buyers and sellers.

• Hidden services and encrypted communications: Dark web marketplaces and forums use encryption and hidden service technology to protect the identities of users and conceal their activities.

• Resilient infrastructure: Dark web marketplaces often use distributed and redundant infrastructure to resist shutdowns by authorities.

• Dynamic communities: Carding forums and communities can quickly reemerge under different names and locations, making it difficult to track and dismantle them.

How carding impacts businesses and consumers

Business effects

• Financial losses: When fraudulent transactions occur, businesses often bear the cost of chargebacks and refunds. This can impact their bottom line, especially for small- and medium-sized enterprises (SMEs). In addition to the refunded sale and any chargeback fees, businesses can face increased costs and restrictions from payment processors if they have a high chargeback rate due to fraud.

• Reputational damage: Carding incidents can damage a business’s reputation. Customers who experience fraud on a company’s platform may lose their trust in the business and leave negative reviews.

• Operational costs: To combat carding, businesses must invest in security measures, fraud detection systems, and customer support to handle fraud-related issues. These costs can be substantial.

• Increased scrutiny: High rates of fraud can lead to increased scrutiny from payment processors—potentially resulting in higher fees, more stringent requirements, or even termination of merchant accounts.

• Regulatory compliance risks: Businesses are required to comply with regulations such as the Payment Card Industry Data Security Standard (PCI DSS). Failure to maintain compliance due to carding incidents can result in fines and legal repercussions.

Consumer effects

• Compromised accounts: Consumers whose credit card information is stolen may find unauthorized charges on their accounts. They must then spend time and effort working with their banks and credit card companies to reverse fraudulent charges and restore their accounts, which can be a lengthy and frustrating process.

• Identity theft: Carding can lead to broader identity theft, in which fraudulent actors use stolen credit card information to open new accounts, apply for loans, or commit other forms of fraud.

• Emotional distress: Discovering unauthorized charges and dealing with the aftermath of carding can cause consumers emotional distress and anxiety.

• Credit score impact: In some cases, carding-related fraud can affect a consumer’s credit score, especially if fraud leads to missed payments or defaults.

How businesses can protect themselves against carding

Sophisticated fraud detection systems use machine learning and artificial intelligence to identify unusual purchasing patterns and behaviors. Here are ways that businesses can use these technologies and other practices to protect themselves.

• Behavioral analytics: Analyze user behavior on your platform to identify anomalies such as rapid transactions, repeated attempts with different card numbers, or unusual geolocation patterns.

• Dynamic risk scoring and MFA: Assign risk scores to transactions based on multiple factors, including device fingerprinting, IP address, geolocation, and historical data. Higher-risk transactions can trigger multifactor authentication (MFA).

• Tokenization: Convert sensitive credit card information into secure tokens for internal use, minimizing the exposure of raw card data and reducing the risk of theft.

• End-to-end encryption: Encrypt sensitive information from the point of capture to storage and processing, reducing the risk of interception and unauthorized access.

• Secure data storage: Store credit card information in encrypted databases with restricted access. Implement role-based access control (RBAC) and ensure only authorized personnel can access sensitive data.

• Real-time transaction monitoring: Monitor transactions in real time to identify potentially fraudulent activity. Send automated alerts to security teams for immediate investigation.

• Incident response teams: Establish dedicated incident response teams with clear protocols for handling carding incidents.

• Threat intelligence sharing: Participate in threat intelligence sharing programs to stay informed about emerging carding trends and techniques.

• Collaboration with law enforcement: Build relationships with law enforcement agencies specializing in cybercrime to aid in investigations and takedowns of carding operations.

• CAPTCHA alternatives: Use advanced CAPTCHA solutions or alternatives such as reCAPTCHA v3 that require no user interaction but can detect bot-like behavior.

• Rate limiting and throttling: Implement rate limiting to restrict the number of transactions or attempts from a single IP address or user within a specific time frame.

• Device fingerprinting: Identify unique device characteristics to detect automated bot activity. This can help prevent carding bots from testing large numbers of stolen credit card details.

• Fraud alerts and notifications: Send alerts to customers when suspicious activity is detected, allowing them to confirm or deny transactions quickly.

• Customer education: Educate customers about carding risks and best practices for protecting their credit card information. This can help reduce the likelihood of successful phishing or social engineering attacks.