Carding is an automated web security threat in which multiple payment authorization attempts are used to verify the validity of bulk stolen payment card data. Also known as carding fraud, card stuffing, credit card stuffing, and card verification, carding occurs when cyber criminals run thousands of small purchases by using stolen credit card numbers, then later resell the “successful” cards to organized crime rings. This type of attack can lead to poor merchant history, chargeback penalties, and other problems for businesses.

According to the Automated Threat Handbook for Web Applications published by the Open Web Application Security Project (OWASP), a worldwide not-for-profit charitable organization focused on improving the security of software, these attacks result in the misuse of various types of data. That includes authentication credentials; payment cardholder data and other financial data; medical and other personal data; intellectual property and other business data; and public information.

In a typical carding event, lists of full credit and/or debit card data are tested against a merchant’s payment processes to identify valid card details, OWASP says. The quality of stolen data is often unknown, and carding gives cyber criminals a way to identify good data that is of higher value. The payment cardholder data might have been stolen from another application or from a different payment channel, or acquired from a criminal marketplace. Carding fraud often goes undetected by the cardholder until it is too late, when their funds have been spent, transferred, or have otherwise disappeared.

Possible symptoms of carding include elevated basket abandonment, reduced average basket price, a higher proportion of failed payment authorizations, a disproportionate use of the payment step, increased chargebacks, and multiple failed payment authorizations from the same user, IP address, user agent, session, and/or device ID/fingerprint.

OWASP suggests a number of countermeasures to help address the carding threat. These include fully outsourcing all payment aspects to an appropriate payment services provider (PSP) that has its own countermeasures in place for carding; increasing the minimum checkout value; and removing payment by card completely if alternatives are available and suitable. But these security checks are only the start of a larger, more formidable protective umbrella against fraudsters hunting down valid credit card numbers.

Companies should also consider randomizing the content and URLs of payment form and payment submission pages, tying these changes to the individual user’s session, verifying the changes at each payment step, and restricting any identified automated usage, according to OWASP. Also, organizations can consider monitoring and limiting the rate of card authorization attempts per session, user, IP address, device, and fingerprint. This way, malicious users and automation attempts are blocked as soon as they have reached a set number of failed attempts while testing different card numbers.
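A minimal sketch of the per-key limit described above, added here as an example and not taken from OWASP or any product. It blocks a session, IP address, or fingerprint once it has failed authorization with a set number of different cards inside a time window; the window, the limit, the field names, and the sample events are assumptions constructed for illustration, and state is held in memory only.

```python
from collections import defaultdict, deque

DIMENSIONS = ("session", "ip", "fingerprint")  # keys the text says to rate-limit on

class CardingLimiter:
    """Blocks a key once it fails authorization with too many distinct cards."""

    def __init__(self, window=600, limit=3):  # assumed: 3 cards per 10 minutes
        self.window, self.limit = window, limit
        self.failures = defaultdict(deque)    # (dimension, value) -> (ts, card_token)
        self.blocked = set()

    def allowed(self, attempt):
        """Check before the authorization request is sent to the processor."""
        return not any((d, attempt[d]) in self.blocked for d in DIMENSIONS)

    def record(self, attempt, approved):
        """Store a processor result; return the keys this attempt got blocked."""
        newly_blocked = []
        if approved:
            return newly_blocked
        for dim in DIMENSIONS:
            key = (dim, attempt[dim])
            q = self.failures[key]
            q.append((attempt["ts"], attempt["card_token"]))  # token, never the PAN
            while q and q[0][0] <= attempt["ts"] - self.window:  # drop expired failures
                q.popleft()
            # Count distinct cards so one customer retrying one card is not punished.
            if len({tok for _, tok in q}) >= self.limit and key not in self.blocked:
                self.blocked.add(key)
                newly_blocked.append(key)
        return newly_blocked

def replay(events, limiter):
    """Feed (attempt, approved) pairs through the limiter; count refused attempts."""
    refused = 0
    for attempt, approved in sorted(events, key=lambda e: e[0]["ts"]):
        if limiter.allowed(attempt):
            limiter.record(attempt, approved)
        else:
            refused += 1
    return refused

# Constructed sample: an automated client rotates sessions and cards but keeps
# its IP and fingerprint; a real customer mistypes one card twice, then succeeds.
BOT = [({"ts": 10 * i, "session": f"s{i}", "ip": "203.0.113.7",
         "fingerprint": "fp-a", "card_token": f"tok-{i}"}, False) for i in range(5)]
CUSTOMER = [({"ts": t, "session": "c1", "ip": "198.51.100.20",
              "fingerprint": "fp-b", "card_token": "tok-c"}, ok)
            for t, ok in ((5, False), (15, False), (60, True))]
```

Replaying `BOT + CUSTOMER` blocks the shared IP address and fingerprint on the third distinct failed card even though every attempt used a fresh session, which is why the limit has to be tracked per dimension rather than per session alone.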

Another recommended practice is to identify and restrict automated usage by reputation methods. In particular, businesses can use geolocation and/or IP address block lists to prevent access to payment parts of the application. They can use address and card reputation services as well, and add delays in the checkout steps for new and/or infrequent customers. An even stricter approach to blocking unknown or infrequent customers is removing guest checkout options, which forces new users or customers to create a verified account. OWASP also recommends participating in e-commerce threat intelligence exchanges and contributing any relevant attack data to sector-wide sharing systems. Doing so helps build a greater defense against carding thieves targeting credit card numbers around the world. 

These security checks are only the tip of the carding iceberg, though. Dedicated fraudsters will go to great lengths to strengthen their carding campaign, often operating through privacy browsers, virtual private networks (VPNs), proxy servers, and other types of obfuscation to blur their online identity. Some exposed carding attempts even reveal evidence of document forging to verify stolen card numbers. All of these protective measures fight back against malicious users without causing noticeable speed bumps, headaches, or hassles for good, human users of an organization’s site.
