Carding: What is it and how can you avoid it?
March 5, 2020
Carding is a type of fraud in which a thief steals credit card numbers, makes sure they work, and then uses them to buy prepaid gift cards. The fraudster may sell the prepaid cards or use them to purchase other goods which, in turn, can be resold for cash.
How does carding work?
Once carders have that information, they test the card numbers to see if they're active and haven't been reported stolen. They often do this by making multiple small transactions at e-commerce sites, sometimes with the help of automation.
Carders cover their tracks by using the stolen credit card numbers to purchase prepaid cards, usually store gift cards. The gift cards are then used to purchase goods such as laptops and television sets that can be resold later for cash.
How do e-commerce sites prevent carding fraud?
No one wants to be a victim of credit card fraud, but cardholders are typically only on the hook for up to $50 in unauthorized charges, thanks to the Fair Credit Billing Act. But by the time the card is canceled, the fraudster has often made several purchases — hurting the retailer in the process.
"Card-not-present" fraud, also known as remote fraud, which encompasses debit cards, credit cards, and other types of payment cards, increased 29% in the United States between 2015 to 2016. And in 2018, this type of fraud cost $27.85 billion in worldwide losses, according to The Nilson Report. That figure is projected to rise to $40.63 billion in 2023.
In an effort to help lock out carders, online merchants have implemented security measures that can help protect consumers and sellers. Here are several of them.
- Multifactor authentication (MFA): This method adds steps to the login process beyond entering a username and password. For instance, the merchant might send you a text message with a code that you type in before using your card. Carders would need to steal your credit card number and your phone to break into your account, which is unlikely.
- CAPTCHA: A CAPTCHA is a type of challenge-response test that helps an online merchant verify you're a human shopper. For instance, you might have to read and type out a block of distorted text. Carders who test hundreds of cards using automated bots will be forced to manually log in, so websites that use CAPTCHA are less-appealing targets.
- Address Verification System: Merchants use this fraud-prevention measure on card-not-present transactions, such as online purchases and phone orders. The cardholder will provide their credit card's billing address at checkout, and the AVS compares the address you enter with the one in the card issuer's system to verify it matches. The transaction will be declined if the shopper fails this test.
- Card verification value (CVV): Cardholders may have to enter their card's CVV at checkout. This is a three- or four-digit code usually listed on the back of the card. This is supposed to prove the online shopper has possession of the physical card, not just a card number they've purchased on the dark web.
- Velocity checks: In this context, velocity is the number or speed at which transactions are made in a given time. Merchants use this metric to identify irregular patterns in the checkout process that might indicate fraud. For example, it's unusual for someone to make several purchases within seconds or minutes of each other. Merchants can decline transactions if they believe a robot is testing a stolen card number.
- Authorization/capture: Using this method, a merchant verifies that your card can be charged but holds off on collecting the funds from the card issuer. Gas stations, for example, typically authorize a small amount and wait a few days before charging the rest to the card. If there are signs of fraud during the transaction review, the merchant won't request funds from the card issuer. Instead, they'll issue a refund to the cardholder.
- Payer authentication systems: Have you ever received a call or text from your card issuer to check on a transaction you've made? That can happen when the merchant uses a payer authentication system, such as 3-D Secure or Verified by Visa. These systems verify your identity at checkout by transferring data between the online merchant and your credit card provider. The provider can compare your transaction with information such as your shopping history, the device you're using, and your spending patterns.
How do criminals get credit card information?
There are various ways criminals can steal your credit card information and use it for carding purposes. Here are some of those methods.
Malware, short for malicious software, is a program that helps cyberthieves gain access to someone's account or device — usually without the user's knowledge. Once the malware is installed, it runs in the background and can record keystrokes, monitor the programs you use, and collect personal information such as credit card numbers and account passwords.
Phishing occurs when a scammer tries to trick you into sharing personal information, such as a Social Security number or credit card account password. Thieves can use just about any medium in a phishing attack: emails, phone calls, text messages, social media direct messages, and postal mail. The fraudster usually pretends to represent a trusted source, such as your bank, and claims there's something wrong with your account. Once you've provided your personal information, the scammer may be able to use it for carding purposes.
A carding forum is an illegal website where criminals can buy and sell stolen credit card numbers. They also share methods for stealing financial details and may be able to test stolen card information on these forums. Carding forums are often hidden on the dark web, which is a portion of the internet that can't be reached with normal web browsers and isn't indexed by search engines.
Credit card skimming
A credit card skimmer is a small, hard-to-spot device that thieves can install on top of a legitimate credit card reader, such as at a gas station pump. As you slide your credit card or debit card into a compromised machine, the card skimmer reads and stores your card's information. A thief may be able to use your credit card details for carding.
How can you avoid carding?
Here are some tips on how you can avoid this type of cybercrime.
- Use anti-spyware and malware-blocker software. Fraudsters who want to steal your credit card number through malware have to trick you into downloading infected software first. For instance, they may offer free game downloads that contain spyware, viruses, and other unwanted programs. Using anti-spyware and malware-blocker programs help keep your devices safe by identifying infected software programs and removing them.
- Promptly run software updates. Software updates generally improve the performance and security of your device. You can either set automatic security updates on your devices or accept your operating system's software updates as they come up. It's also a good idea to download software only from well-known, trusted sources.
- Know the signs of a phishing attempt. When you get a message from an unknown source, don't click on links, download attachments, or respond to those messages. If it's a scammer, they're trying to get you to download malware or get you to share personal information, such as your credit card details. If you're worried about an account, contact the company through its official website or by phone.
- Sign up for credit card notifications. Most credit card issuers offer customized alerts that can help you flag fraudulent charges. For instance, you may be able to get a text message each time your card has been used, a foreign transaction is made, or your balance has crossed a certain threshold. You may be able to catch a fraudulent charge as soon as the carder tries to test your credit card number. After reporting the fraud to your card issuer, it will cancel the transaction and give you a new card with a new account number.
Editorial note: Our articles provide educational information for you. Norton LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.