Carding: A Growing Concern for E-commerce Platforms
E-commerce platforms are highly susceptible to cybercriminal activity. One such activity, which can affect an online retailer's payment-receiving channels, is carding.
By employing a large number of bots, fraudsters can now fairly easily confirm the authenticity of stolen credit card numbers and then resell them. Carding not only damages the customer's relationship with the business but also severely impacts the daily operations of the platform.
Let’s understand carding in detail.
What is carding?
Carding is an e-commerce fraud in which fraudsters or bad players, also known as 'carders', acquire stolen credit card numbers, verify which ones are valid, and use the validated ones to carry out multiple transactions on the platform.
The fraudsters use a combination of card-related information, such as the CVV code, birth date, card number or the name of the account holder, and then launch a bot network that attempts to verify this information. After verification, a card that has not been reported as stolen is used for further actions such as purchasing high-value goods, purchasing gift cards or reselling the information to other criminals at a premium price.
A typical carding process is as follows:
Signs that you are a victim of a carding attack
Now that you know how carding takes place, it is equally important to watch for the early signs of a potential carding attack on your online business. These signs are as follows:
1. Increase in Failed Payment Authorizations
It is not rocket science to understand that a genuine user would not make more than 2-3 failed payment attempts on average. Given that bots are programmed to test thousands of combinations of information like the CVV number, an exorbitant increase in failed payment authorizations on your platform can be a warning signal of a carding attack.
2. Uniformity in failed payment authorizations
Sometimes, the number of failed payment authorizations may not be surprising. In such cases, the next step to increase vigilance is checking the IP address, device ID, session and user agent from which such failed attempts have been reported. If this information is reported from the same source, it is a bot attack.
3. Cart abandonment rates
While verifying stolen card information, the bots may abandon carts and never return when a card is not verified. With unverified cards, the chances of executing a fraudulent transaction are lower, so the bots may avoid such accounts, and the resulting increase in the cart abandonment rate can harm the business.
4. Low average shopping cart size
AI has made it possible to keep track of the average shopping cart size of different users across e-commerce platforms. An account that used to purchase premium products and then shifts to an average cart of $4-$5 indicates that something is fishy.
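The checks in signs 1, 2 and 4 can be run over payment authorization logs. The following is an added example, not code from the original article: the event fields, the sample rows and both thresholds are assumptions chosen to mirror the figures quoted above.

```python
from collections import defaultdict

MAX_FAILS_PER_SOURCE = 3  # assumption, from "2-3 times on average" (sign 1)
LOW_CART = 5.00           # assumption, from the "$4-$5" cart example (sign 4)

def make_sample():
    """Constructed events (not real data): one dict per authorization attempt."""
    events = []
    # One automated source: many small attempts from the same IP/device/user agent.
    for i in range(40):
        events.append({"ip": "203.0.113.7", "device_id": "dev-A", "user_agent": "ua-1",
                       "amount": 4.50, "approved": i % 20 == 0})
    # Ordinary shoppers: distinct sources, larger carts, an occasional decline.
    for i in range(30):
        events.append({"ip": f"198.51.100.{i}", "device_id": f"dev-{i}",
                       "user_agent": f"ua-{i % 5 + 2}",
                       "amount": 60.0 + i, "approved": i % 10 != 0})
    return events

def analyze(events):
    """Return the overall failure rate plus every source exceeding the fail limit."""
    if not events:
        return {"failure_rate": 0.0, "findings": []}
    by_source = defaultdict(list)
    for e in events:
        # Sign 2: group attempts by the source attributes the failures share.
        by_source[(e["ip"], e["device_id"], e["user_agent"])].append(e)
    total_fails = sum(1 for e in events if not e["approved"])
    findings = []
    for source, rows in by_source.items():
        fails = sum(1 for e in rows if not e["approved"])
        if fails <= MAX_FAILS_PER_SOURCE:
            continue  # a few declines is normal for a genuine user
        avg_amount = sum(e["amount"] for e in rows) / len(rows)
        findings.append({
            "source": source,
            "failed": fails,                                          # sign 1
            "share_of_all_failures": round(fails / total_fails, 2),  # sign 2
            "low_cart": avg_amount <= LOW_CART,                       # sign 4
        })
    findings.sort(key=lambda f: f["failed"], reverse=True)
    return {"failure_rate": round(total_fails / len(events), 2), "findings": findings}

if __name__ == "__main__":
    print(analyze(make_sample()))
```

A source that accounts for most of the platform's failed authorizations while keeping a very small average cart is the combination the signs above describe; in production the thresholds would be tuned against the merchant's own baseline.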
Impact of carding on e-tailers
In a suspected carding fraud, the online merchant becomes answerable for safety. In case of a fraudulent transaction, the card owner claims a refund from the merchant, which can increase chargebacks.
Moreover, online merchants are often expected to keep the chargeback and card-not-present (CNP) levels within a given threshold. Once these levels are crossed, the merchants are levied heavy penalties by credit card companies like Visa and Mastercard. The higher the penalties, the higher the number of transactions blocked by the payment processor. This can severely damage the merchant's online reputation. To make things worse, payment blocking may divert consumers to competing platforms, which results in a loss of revenue for the merchants.
Carding Case 101
Around 100 e-commerce stores fell prey in 2017 to a gift carding attack by a malicious bot that hacked gift card balances.
This bot verified gift card account numbers by requesting the balance of each card number. Once a balance was identified, the gift card account was confirmed as being associated with a real user. This validation was then used to make purchases from the flagged gift card account.